various Malware files; lost control of Desktop [RESOLVED]



#1 jmarcus (Member, 14 posts)
Hi there,

I just recently (a couple of hours ago actually) got various Malware downloaded onto my computer which originally kept forcing a pop-up on me, as well as an IE bluescreen error which said my computer was infected by a Trojan file (which I found to belong to the Smitfraud group).

This was very very terrifying for that I kept panicking and shaking. My pulse was also racing quite fast and thought I had hyper-tension... anyways...

In the Processes menu in the Taskbar, there were numerous processes which I never saw before and I tried to End them but could not since they kept coming back.

I first used Ad-Aware to see if it could remove the problems but it did not. I then used a program called XoftSpy and it provided me the location of these .exe processes and applications. I deleted them and the IE bluescreen stopped appearing.

However, afterwards, I kept getting a Windows Explorer error and every time I pressed Don't Send, a new one would come up. Also during this time, I was able to access various applications such as Internet Explorer since it would freeze on me and close while the Windows Explorer error box was present.

I then changed the date on the clock which was actually wrong and the Windows Explorer error stopped.

I thought I fixed the problems but not entirely I think. I have lost control of my Desktop and my icons do not appear. I have kept the Desktop option of hiding the icons but now when I right click and go to "Arrange Icons by", none of the options come up for me.

Moreover, there are only two tabs when I right-click to go to Display Properties.


I've downloaded, installed and ran almost all the programs as per the instructions here: http://www.geekstogo..._Log-t2852.html

I ran Spybot, CWShredder, evidio security suite and TDS-3, Ad-Aware. But none were successful in fixing the problem.

Apparently, as I'm told there is a registry problem which I agree with.

Running XoftSpy again, it showed Malware Registry Keys and Values. But I cannot delete these files since I don't know how to.

The files XoftSpy located were various SmitFraud (Trojan-Spy.HTML.Smitfraud.c), CWS.Homepage and W32/Goabot.CG types. And they were located in various Software/Microsoft folders.

Some of the locations matched up with what HijackThis found but the others were found. Here are where they basically are if it helps:

W32/Goabot.CG
-Software\Microsoft\Code Store Database\Distribution Units\

SmitFraud
-CLSID\VMHOMEPAGE
-VMHOMEPAGE
-Software\Microsoft\Internet Explorer\
-Software\Microsoft\Windows\Current Version

CWHomepage
-found on HijackThis Log




So I am asking for your great help in helping fix and end this problem :tazz:

Here is my Hijack This log which is followed by the ewido security suite log:


Logfile of HijackThis v1.99.1
Scan saved at 11:53:36 AM, on 09/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F38.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsi] C:\WINDOWS\System32\lsi.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Play - {34F16BC0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\play.lnk
O9 - Extra button: Stop - {3D5A6FA0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\stop.lnk
O9 - Extra button: Previous - {49C350E0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\prev.lnk
O9 - Extra button: Next - {59611E60-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\next.lnk
O9 - Extra button: Minimize/Restore Winamp - {86227B80-FF8F-11D4-B08F-90A456C10100} - C:\PROGRA~1\WINAMP~1\Links\minmax.lnk
O9 - Extra button: Pause - {8D2B7B00-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\pause.lnk
O9 - Extra button: Open/Close Winamp - {A144BE80-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\start.lnk
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



And here is the ewido log, I didn't know whether to delete the files ewido found...:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:02:06 AM, 09/06/2005
+ Report-Checksum: 4626C5B

+ Date of database: 09/06/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 72569
+ Speed: 30.82 Files/Second
+ Infected files: 41
+ Removed files: 41
+ Files put in quarantine: 41
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS.bak -> Trojan.Qhost.av -> Cleaned with backup
C:\WINDOWS\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\WINDOWS\q4188362_disk.dll -> TrojanDownloader.Delf.pa -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\open.exe -> Backdoor.Haxdoor -> Cleaned with backup
C:\Documents and Settings\jhess\Cookies\jhess@www2.flowgo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jhess\Cookies\jhess@ads.thestar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\All Users.WINDOWS\Application Data\Pribi\Pribi.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mark\Cookies\mark@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022447.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022435.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022495.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022498.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022500.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022504.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022511.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022512.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022545.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022548.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022556.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022560.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022561.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022572.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022606.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022609.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022617.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022621.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022622.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022633.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022667.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022670.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022678.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022682.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022683.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022694.exe -> Spyware.OnFlow -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022744.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022747.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022755.exe -> Trojan.Puper.m -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022759.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022760.exe -> Trojan.Puper.l -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022771.exe -> Spyware.OnFlow -> Cleaned with backup


::Report End



Thanks in advance for any and all help. I'll be checking in daily and report my status ;)
  • 0
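As an added illustration (not code from this thread or from HijackThis), a small Python triage script that parses HijackThis log lines like the ones above and flags the entry types the helpers act on: IE search redirects (R0/R1), hosts overrides (O1), orphaned or nameless BHOs (O2), autoruns from the system directory (O4), Trusted Zone wildcards (O15), ms-its: Downloaded Program Files (O16) and Winlogon Notify DLLs (O20). The sample lines are copied from the log above; the short System32 allowlist and the flagging rules are assumptions, so every hit still needs an analyst's confirmation.

```python
"""Triage a HijackThis v1.99 log: parse each 'Rn'/'On' line and flag the
patterns that a log helper would review first. Added example, not from the thread."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F38.tmp (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")
RUN_PATH_RE = re.compile(r'\]\s*"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)
# Assumed allowlist: system-directory autoruns that are normal on XP.
KNOWN_SYSTEM_RUN = {"ctfmon.exe"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def _check_ie_setting(body):
    # R0/R1: a start/search page pointing at an external site is a hijack sign.
    m = URL_RE.search(body)
    if m and m.group("url").lower().startswith("http"):
        return "IE start/search setting redirected to " + m.group("url")
    return None


def _check_bho(body):
    # O2: the registered DLL is gone, or the BHO has no name, only its own path.
    name = body[len("BHO: "):].split(" - ")[0]
    if "(file missing)" in body:
        return "BHO registered but its DLL is missing (orphaned entry)"
    if re.match(r"[A-Za-z]:\\", name):
        return "BHO has no product name, only a file path"
    return None


def _check_run(body):
    # O4: executables started from the system directory that are not allowlisted.
    m = RUN_PATH_RE.search(body)
    if not m:
        return None
    path = m.group("path")
    exe = path.rsplit("\\", 1)[-1].lower()
    if SYSTEM_DIR_RE.match(path) and exe not in KNOWN_SYSTEM_RUN:
        return f"autorun of {exe} from the system directory; confirm publisher"
    return None


def _check_dpf(body):
    # O16: ms-its:/CHM delivery of a Downloaded Program File.
    if "ms-its:" in body.lower():
        return "Downloaded Program File delivered via ms-its:/CHM"
    return None


CHECKS = {
    "R0": _check_ie_setting,
    "R1": _check_ie_setting,
    "O1": lambda b: "hosts file override: " + b[len("Hosts: "):],
    "O2": _check_bho,
    "O4": _check_run,
    "O15": lambda b: "wildcard domain in IE Trusted Zone: " + b.split(": ", 1)[1],
    "O16": _check_dpf,
    "O20": lambda b: "Winlogon Notify DLL loads at every logon; verify it: " + b,
}


def triage(log_text):
    """Return a Finding for every log line that trips one of the checks."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), raw.strip(), reason))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```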



#2 jmarcus (Topic Starter, Member, 14 posts)
An update: Using a program called Adware-Away, I was able to fix the problems with not being able to access my Desktop; the Display Properties is fixed again, and there are options under Arrange Icons when I right-click.

I guess this is a success!! :tazz: But....

However, the Malware files are still in my computer I believe, and ewido has caught new (?) files which I thought it had deleted. I went ahead and deleted the files ewido found by clicking Remove Finally for each file.

Also ran the other programs (Spybot, AdAware etc.) they didn't catch anything. Spybot said I was clean... AdAware caught 1 registry key and I deleted it afterwards.

Running XoftSpy again, the Malware registry keys/values are still there.

Here is my new HijackThis Log and ewido log:

Logfile of HijackThis v1.99.1
Scan saved at 5:42:02 PM, on 10/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsi] C:\WINDOWS\System32\lsi.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Play - {34F16BC0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\play.lnk
O9 - Extra button: Stop - {3D5A6FA0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\stop.lnk
O9 - Extra button: Previous - {49C350E0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\prev.lnk
O9 - Extra button: Next - {59611E60-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\next.lnk
O9 - Extra button: Minimize/Restore Winamp - {86227B80-FF8F-11D4-B08F-90A456C10100} - C:\PROGRA~1\WINAMP~1\Links\minmax.lnk
O9 - Extra button: Pause - {8D2B7B00-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\pause.lnk
O9 - Extra button: Open/Close Winamp - {A144BE80-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\start.lnk
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:32:41 PM, 10/06/2005
+ Report-Checksum: 90FEEA1

+ Date of database: 10/06/2005
+ Version of scan engine: v3.0

+ Duration: 34 min
+ Scanned Files: 72703
+ Speed: 35.05 Files/Second
+ Infected files: 37
+ Removed files: 37
+ Files put in quarantine: 37
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\SYSTEM32\__delete_on_reboot__winstyle2.dll -> TrojanDownloader.Delf.lh -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__OLEADM.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__adsldpbc.dll -> TrojanDownloader.Delf.lh -> Cleaned with backup
C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022487.exe -> Trojan.Puper.n -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022488.exe -> Trojan.Zapchast.a -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022489.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022494.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022497.exe -> Trojan.Favadd.ab -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022501.exe -> Trojan.Puper.n -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022502.exe -> Trojan.Zapchast.a -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022503.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022510.exe -> Trojan.Favadd.ab -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP56\A0022513.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022546.exe -> Trojan.Favadd.ab -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022549.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022553.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022554.exe -> Trojan.Zapchast.a -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP57\A0022555.exe -> Trojan.Puper.n -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022607.exe -> Trojan.Favadd.ab -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022610.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022614.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022615.exe -> Trojan.Zapchast.a -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP58\A0022616.exe -> Trojan.Puper.n -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022668.exe -> Trojan.Favadd.ab -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022671.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022675.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022676.exe -> Trojan.Zapchast.a -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP59\A0022677.exe -> Trojan.Puper.n -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022725.dll -> TrojanDownloader.Delf.lh -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022745.exe -> Trojan.Favadd.ab -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022748.exe -> TrojanDownloader.Zlob.G -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022752.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022753.exe -> Trojan.Zapchast.a -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022754.exe -> Trojan.Puper.n -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022792.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{6DE50F52-6668-40A5-8740-D16EABE75734}\RP60\A0022793.dll -> TrojanDownloader.Delf.pa -> Cleaned with backup


::Report End


Thanks again for any help ;)

Edited by jmarcus, 10 June 2005 - 04:10 PM.

  • 0

#3 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Jmarcus,

Welcome to Geeks to Go !!!

We are sorry that we inadvertently missed your log due to heavy traffic at the site.

I will help you clean your PC :tazz:

Since the HJT log posted is dated June 10, I would need a fresh HJT log to clean up your PC. Please post a fresh HJT log.
  • 0

#4 jmarcus (Topic Starter, Member, 14 posts)
No problem tampabelle, I completely understand! :tazz:

Anyways, here's the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:03:33 PM, on 17/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsi] C:\WINDOWS\System32\lsi.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Play - {34F16BC0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\play.lnk
O9 - Extra button: Stop - {3D5A6FA0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\stop.lnk
O9 - Extra button: Previous - {49C350E0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\prev.lnk
O9 - Extra button: Next - {59611E60-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\next.lnk
O9 - Extra button: Minimize/Restore Winamp - {86227B80-FF8F-11D4-B08F-90A456C10100} - C:\PROGRA~1\WINAMP~1\Links\minmax.lnk
O9 - Extra button: Pause - {8D2B7B00-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\pause.lnk
O9 - Extra button: Open/Close Winamp - {A144BE80-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\start.lnk
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
  • 0

#5 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Jmarcus,

This is the first part of the fix. We will clean up the rest later :tazz:

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.



Copy the part in bold below into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]


*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Doubleclick the AVGoldfix.reg we made earlier.
And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Delete the entire folder C:\Program Files\AntiVirusGold

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Then boot back to normal, run HijackThis again and post a new log.
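The AVGoldfix.reg file above is short, but it is worth knowing exactly what a REGEDIT4 file will do before double-clicking it. As an added example (not tampabelle's code and not part of the thread), this Python script parses that syntax, where "[-key]" deletes a whole key and "name"=- deletes a single value, and lists the resulting actions; the fix file is embedded as posted so it runs offline.

```python
"""Audit a REGEDIT4 .reg fix before importing it (added example, not the
thread's own code): list what the file will delete or set, so the effect
can be reviewed before the file is double-clicked."""
import re
from typing import List, Tuple

# The fix file exactly as posted in the thread, embedded so this runs offline.
AVGOLDFIX_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')  # "name"=data or @=data


def parse_reg_actions(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, key, value_name) tuples: 'delete_key' for [-key],
    'delete_value' for "name"=- under a key, else 'set_value'."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or not lines[0].startswith(("REGEDIT4", "Windows Registry Editor")):
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    actions: List[Tuple[str, str, str]] = []
    current_key = None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):      # blank line or comment
            continue
        m = KEY_RE.match(ln)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(("delete_key", key, ""))
                current_key = None            # no values may follow a [-key]
            else:
                current_key = key
            continue
        m = VALUE_RE.match(ln)
        if not m or current_key is None:
            raise ValueError(f"unexpected line: {ln!r}")
        name = m.group(1) if m.group(1) is not None else "(Default)"
        action = "delete_value" if m.group(2) == "-" else "set_value"
        actions.append((action, current_key, name))
    return actions


if __name__ == "__main__":
    for action, key, name in parse_reg_actions(AVGOLDFIX_REG):
        print(f"{action:12s} {key}" + (f"  value: {name}" if name else ""))
```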
#6 jmarcus (Topic Starter, Member, 14 posts)
Sorry, I have a question. Do I copy and paste each file manually? Nothing shows up when I do as you say concerning copying (Control + C) and then going into Killbox and clicking under File; Paste from Clipboard.

Nothing shows up in the "Full Path of File to Delete" space. Is this what's supposed to happen?

Sorry, I am computer illiterate.

Thanks :tazz:


EDIT: I can copy and paste into the blank space, but the first file name is the only one that shows up. The others do not...

Edited by jmarcus, 17 June 2005 - 05:46 PM.

#7 tampabelle (Retired Staff, Member 5k, 6,363 posts)
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\Windows\System32\hookdump.exe
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "No" at the "Reboot now" prompt.
  • Repeat steps above for these files:
    • C:\Windows\System32\winnook.exe
    • C:\Windows\desktop.html
  • Click "Delete on Reboot" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\Windows\screen.html
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Reboot now prompt to restart your computer.

Edited by tampabelle, 17 June 2005 - 05:56 PM.

#8 jmarcus (Topic Starter, Member, 14 posts)
Ok I will do what you just said.

Just wanted to point out that while waiting I looked to see if I had C:\Program Files\AntiVirusGold and I don't. Also went to check this line: In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

and I don't have the 'Website' tab... I have a Web tab but there's no Security Info box.

Might be getting ahead of myself but I thought you should know.

:tazz:
#9 jmarcus (Topic Starter, Member, 14 posts)
Ok, did as you said, but when the final prompt window came up asking if I wanted to go ahead and reboot, I clicked on yes but got a "Pending Operations" (error?) window which said: "PendingFileRename Operations Registry Date has been removed by External process".

Should I go ahead and reboot anyways and continue with your instructions?

Edited by jmarcus, 17 June 2005 - 06:06 PM.

#10 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Click "Yes" at the Pending Operations prompt to restart your computer.


Also remember

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.
#11 jmarcus (Topic Starter, Member, 14 posts)
Sorry tampabelle, but there are no "Yes" or "No" options in the Pending Operations prompt. It's just a window that has the "Ok" option and the message which I mentioned in my last post:

"PendingFileRename Operations Registry Date has been removed by External process".
#12 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Click OK and proceed
#13 jmarcus (Topic Starter, Member, 14 posts)
Alrighty then. Did as you said.

Clicked on "OK" and restarted/rebooted manually.

Went into Safe Mode, double-clicked on AVGoldfix.reg and it asked me:
"Are you sure you want to add the information in C:/...AVGold.reg to registry?"

I clicked on "Yes" and it told me I was successful. I hope that was what I was supposed to do when I double-clicked on the file, cause if it wasn't... sorry :tazz:

I then used Disk Cleanup and it cleaned up whatever it was supposed to clean.

Then went into Windows Explorer to find and delete C:\Program Files\AntiVirusGold and, like I said earlier, it was not there. Nada.

Likewise, went into Control Panel to the Display>Desktop>Customize Desktop>Website>uncheck Security Info but the last two tabs were not there.

Anyways, here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:42:50 PM, on 17/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsi] C:\WINDOWS\System32\lsi.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Play - {34F16BC0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\play.lnk
O9 - Extra button: Stop - {3D5A6FA0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\stop.lnk
O9 - Extra button: Previous - {49C350E0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\prev.lnk
O9 - Extra button: Next - {59611E60-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\next.lnk
O9 - Extra button: Minimize/Restore Winamp - {86227B80-FF8F-11D4-B08F-90A456C10100} - C:\PROGRA~1\WINAMP~1\Links\minmax.lnk
O9 - Extra button: Pause - {8D2B7B00-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\pause.lnk
O9 - Extra button: Open/Close Winamp - {A144BE80-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\start.lnk
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



Thanks again for the help ;)

Edited by jmarcus, 17 June 2005 - 07:48 PM.

#14 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi Jmarcus,

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop

DelDomains.inf
CWShredder

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

2. Remove Infections

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll (file missing)
O4 - HKLM\..\Run: [lsi] C:\WINDOWS\System32\lsi.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

In Hijack This, click on config ---> Misc Tools. Click on "Delete an NT Service". Type CWShredder Service and hit enter.

4. Delete Rogue files

Open Windows explorer (right click on start and then click on explore). Locate and delete the following files, if found -

C:\WINDOWS\System32\lsi.exe
C:\WINDOWS\uninstIU.exe
C:\WINDOWS\q4188362_disk.dll
C:\WINDOWS\Downloaded Program Files\open.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\Pribi\Pribi.dll


Reboot the PC in Normal Mode.

Right-click on DelDomains.inf and select: Install.

Please visit Panda and do an online scan.

Run Hijack This and post a fresh HJT log along with the Panda scan report. Also let me know if you have any current issues with your PC.

Edited by tampabelle, 18 June 2005 - 05:38 AM.
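The fix list above is the result of reading the HijackThis log line by line and picking out the entry types that do not belong. As an added example (not tampabelle's method and not HijackThis' own code), this Python script applies the same kinds of checks to lines taken from the log posted earlier: hosts-file redirects (O1), BHOs whose DLL is missing (O2), Trusted Zone additions (O15), DPF objects loaded through ms-its: or pointing at an .exe (O16), services running from a user profile (O23), and R0/R1 start and search pages that point at a host not on an assumed allow-list of hosts the user chose.

```python
"""Triage a HijackThis log with a handful of rule checks (added example,
not the thread's or HijackThis' code). The rules mirror the entry types
the helper picked out of the posted log for fixing."""
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Lines taken from the log posted in the thread (trimmed to a representative set).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: C:\WINDOWS\system32\adsldpbc.dll - {405132A4-5DD1-4BA8-A181-95C8D435093A} - C:\WINDOWS\system32\adsldpbc.dll (file missing)
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Mark\My Documents\CWShredder.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")   # "R1 - ..." / "O16 - ..."


def triage(log: str, allowed_hosts: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a closer look.
    allowed_hosts (assumed input) holds the home/search hosts the user chose;
    with none given, every R0/R1 entry pointing at a web URL is reported."""
    hits: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        reason = None
        if code in ("R0", "R1"):
            url = body.split("=", 1)[-1].strip()
            host = urlparse(url).hostname if url.startswith("http") else None
            if host and host not in allowed_hosts:
                reason = f"IE start/search page points at {host}"
        elif code == "O1":
            reason = "hosts-file redirect"
        elif code == "O2" and "(file missing)" in body:
            reason = "BHO registered but its DLL is missing"
        elif code == "O15":
            reason = "site added to the Trusted Zone"
        elif code == "O16" and ("ms-its:" in body or body.endswith(".exe")):
            reason = "DPF object loaded via ms-its: or pointing at an .exe"
        elif code == "O23" and "Documents and Settings" in body:
            reason = "service binary located under a user profile"
        if reason:
            hits.append((reason, line))
    return hits
```

Entries that pass every rule (the HouseCall scanner control, the ewido service) are not reported, which keeps the list short enough to review by hand.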

#15 jmarcus (Topic Starter, Member, 14 posts)
Hi tampabelle,

Followed all your instructions in your last post.

Ran CWShredder and it did not detect anything. (Yay!)

Ran HijackThis and fixed everything you told me to.

And looked for those 5 files in Windows Explorer but none of them were there.

Went over to Panda and did an online scan and it found some files, then ran HijackThis afterwards. Here is the Panda scan report and the new Hijack This log:



Incident                  Status           Location

Virus:W32/Smitfraud.A     Disinfected      Operating system
Spyware:Spyware/ISTbar    No disinfected   C:\Program Files\Common Files\Totem Shared
Adware:Adware/Popuper     No disinfected   Windows Registry
Virus:W32/Smitfraud.A     Disinfected      C:\WINDOWS\SYSTEM32\WININET.DLL
Adware:Adware/FastFind    No disinfected   C:\Documents and Settings\All Users.WINDOWS\Application Data\Pribi\v29.exe

Logfile of HijackThis v1.99.1
Scan saved at 4:37:02 PM, on 18/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Play - {34F16BC0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\play.lnk
O9 - Extra button: Stop - {3D5A6FA0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\stop.lnk
O9 - Extra button: Previous - {49C350E0-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\prev.lnk
O9 - Extra button: Next - {59611E60-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\next.lnk
O9 - Extra button: Minimize/Restore Winamp - {86227B80-FF8F-11D4-B08F-90A456C10100} - C:\PROGRA~1\WINAMP~1\Links\minmax.lnk
O9 - Extra button: Pause - {8D2B7B00-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\pause.lnk
O9 - Extra button: Open/Close Winamp - {A144BE80-FF5F-11D4-B08F-909356C10100} - C:\PROGRA~1\WINAMP~1\Links\start.lnk
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe