help - required


#1
lavellej (Member, 29 posts)

help required please

I continue to have a security warning (blue screen) on my desktop (smitfraud trojan) and also upon opening my internet homepage I get a 'privacy vulnerability notice'.

And in the toolbar at the bottom of my screen I have a white cross in a red circle saying my computer is infected.
I have run Spybot/Ad-Aware and virus scans to no avail. Here is my hijack log - please help!
Logfile of HijackThis v1.99.1
Scan saved at 14:28:38, on 25/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\svcnut32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\YumgoHomepageProtector.exe
C:\WINDOWS\System32\hookdump.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\James Lavelle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yumgo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yumgo.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpv.dll/security.htm#subID=PSFV;6384
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yumgo.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - C:\Program Files\Ad-Protect\ADPIEmonitor.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113938938859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
#2
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Welcome lavellej to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


***

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

***

You are using both AVG and Norton. I advise you to remove one of them and make sure the other one is up to date and fully functional.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box and/or Uncheck Resident.
Click Allow Change box.

***

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:
C:\WINDOWS\YumgoHomepageProtector.exe
Click "Open", then click the "Submit" button. Copy the results and paste them here.

***

Download about:buster by RubbeRDuckY.
Download CWShredder.
Download and install CleanUp!
Save all of these files somewhere you will remember, such as the Desktop.

***

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
***

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
***

Run the CleanUp! installer. You don't need to do anything with it right now.

***

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

***

Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

***

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

***

Run the CleanUp! installer.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it’s done, press Close.
Reboot your computer into normal windows.

***

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite. Install ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update; click the OK button.

The program will now go to the main screen
You will need to update ewido to the latest definition files. On the left hand side of the main screen click update.
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how to set up and use it - please make sure you update it first.

***

Please download the Killbox.
Unzip it to the desktop. Run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\svcnut32.exe
C:\WINDOWS\YumgoHomepageProtector.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Use Windows Explorer to remove this folder:
C:\Program Files\Ad-Protect\
Close Windows Explorer.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpv.dll/security.htm#subID=PSFV;6384

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm

O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - C:\Program Files\Ad-Protect\ADPIEmonitor.dll

O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home

O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let me know if any problems persist.
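Added example (not part of this thread, and not anything HijackThis itself does): a small Python triage script that parses HijackThis log lines into their section code and detail, then flags the patterns g2i2r4 acted on above. The three rules it applies are this example's own assumptions: a start or search page that points at a local res:// resource (the fake "security warning" page), an O4 autorun that is a bare file name or an executable dropped straight into the Windows/System32 directory, and any entry that references one of the file names the helper told the poster to remove. The sample lines are copied from the first log in this thread.

```python
"""Triage a HijackThis v1.99 log: split each line into its section code and
detail, then flag the patterns the helper acted on in this thread.
Added example, not from the thread or from HijackThis; the flagging rules are
this example's own assumptions, not anything HijackThis itself does."""
import re
from dataclasses import dataclass

# Sample lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yumgo.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpv.dll/security.htm#subID=PSFV;6384
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - C:\Program Files\Ad-Protect\ADPIEmonitor.dll
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
""".strip()

# File names the helper told the poster to remove in this thread (taken from the page).
THREAD_FIX_NAMES = {"shdocpv.dll", "svcnut32.exe", "hookdump.exe",
                    "yumgohomepageprotector.exe", "adpiemonitor.dll"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FILE_RE = re.compile(r"([\w~.-]+\.(?:exe|dll|ocx))", re.IGNORECASE)
WINDIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "R0", "O4", "O23"
    detail: str   # everything after "<code> - "


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def parse_log(text):
    """Keep only lines of the form '<code> - <detail>'; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def run_command_path(cmd):
    """Executable part of an O4 command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    findings = []
    for e in entries:
        reasons = []
        # Rule 1: a start/search page pointing at a local res:// resource is the
        # fake "security warning" page pattern rather than a normal web URL.
        if e.section in ("R0", "R1") and "= res://" in e.detail:
            reasons.append("browser page redirected to a local res:// resource")
        # Rule 2 (assumption): third-party autoruns normally live under Program Files;
        # a bare file name, or an executable sitting directly in the Windows/System32
        # directory, deserves a look.
        if e.section == "O4":
            m = RUN_RE.match(e.detail)
            if m:
                exe = run_command_path(m.group("cmd"))
                if "\\" not in exe:
                    reasons.append("autorun uses a bare file name resolved via the search path")
                elif WINDIR_RE.match(exe):
                    reasons.append("autorun executable sits directly in the Windows/System32 directory")
        # Rule 3: names the helper explicitly told the poster to remove.
        hits = {f.lower() for f in FILE_RE.findall(e.detail)} & THREAD_FIX_NAMES
        if hits:
            reasons.append("references file(s) named for removal in this thread: " + ", ".join(sorted(hits)))
        findings.extend(Finding(e, r) for r in reasons)
    return findings


def flagged_lines(text):
    """Distinct log lines that drew at least one finding, in log order."""
    seen = []
    for f in triage(parse_log(text)):
        line = f"{f.entry.section} - {f.entry.detail}"
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.entry.section}] {f.reason}\n    {f.entry.detail}")
```

Run against the sample it flags exactly the six lines from the fix list (the two res:// pages, the Ad-Protect BHO and the three O4 autoruns) and leaves the AVG and Norton entries alone; the point of the rules is to make the helper's reasoning reproducible, not to replace reading the whole log.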
#3
lavellej (Topic Starter, Member, 29 posts)

many thanks for previous - most problems appear fixed, however my desktop is now black with a "warning your in danger" spyware ad - please see attached logs;
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 03:06:26, 30/06/2005
+ Report-Checksum: 60DC0B5B

+ Date of database: 29/06/2005
+ Version of scan engine: v3.0

+ Duration: 219 min
+ Scanned Files: 68138
+ Speed: 5.17 Files/Second
+ Infected files: 31
+ Removed files: 31
+ Files put in quarantine: 31
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0008317.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010878.exe -> Trojan.Small.ei -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0010961.exe -> TrojanDownloader.Small.ayl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0010962.exe -> Worm.Delf.i -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0010965.exe -> Trojan.Small.ei -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0010995.exe -> Trojan.Small.ei -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0010998.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0010999.exe -> Worm.Delf.i -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0011000.exe -> TrojanDownloader.Small.ayl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0011119.dll -> TrojanDownLoader.Drexinit -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0011148.dll -> Spyware.Ihbo -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0011794.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0012108.dll -> TrojanDownLoader.Drexinit -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0012147.exe -> Trojan.Small.ei -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0012150.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0012151.exe -> Worm.Delf.i -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0012152.exe -> TrojanDownloader.Small.ayl -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0012292.dll -> Spyware.Ihbo -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0012937.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0013076.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP24\A0014328.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP24\A0014397.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0015997.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0016053.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0017628.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0017682.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0020676.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000531.dll -> TrojanDownLoader.Drexinit -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000563.exe -> Trojan.Small.ei -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000574.dll -> Spyware.Ihbo -> Cleaned with backup


::Report End




Incident Status Location

Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/CWS.Yexe No disinfected C:\WINDOWS\inet?00??
Adware:Adware/Tubby No disinfected C:\WINDOWS\System32\MTC.ini
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\System32\srpcsrv32.dll
Adware:Adware/Perfect-Search No disinfected C:\WINDOWS\System32\netmgr.dat
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\James Lavelle\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
Adware:Adware/Tubby No disinfected C:\WINDOWS\SYSTEM32\MTC.ini
Adware:Adware/Perfect-Search No disinfected C:\WINDOWS\SYSTEM32\netmgr.dat
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM32\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM32\txfdb32.dll


Logfile of HijackThis v1.99.1
Scan saved at 03:46:04, on 30/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\James Lavelle\Desktop\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\James Lavelle\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yumgo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eircom.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yumgo.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113938938859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\James Lavelle\Desktop\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#4
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

***

Reboot the computer. See if you can drag the screen down to see if there is an X at the right hand corner to close the window.

***

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

***

Then please rerun Panda to see if anything changed and we will clean them up.

I only need to see the Panda log.
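Added example (not part of this thread, and not ewido's own code): a Python summariser for the ewido scan report posted in #3, which shows in numbers why g2i2r4 asks for a System Restore reset above. It reads the "+ key: value" header lines and the "path -> family -> action" result lines, checks the parsed count against the header's "Infected files", and separates detections in live locations from those sitting in restore-point folders (RPnn under System Volume Information). The sample is an abridged excerpt of the real report, with five of its result lines kept and the header counts adjusted to match.

```python
"""Summarise an ewido-style scan report: parse the '+ key: value' header and the
'path -> family -> action' result lines, then separate detections found in live
locations from those stored in System Restore snapshots (the RPnn folders under
System Volume Information). Added example, not from the thread or from ewido;
the parsing follows the layout of the report quoted in this thread."""
import re
from collections import Counter

# Abridged excerpt of the report posted in this thread (constructed: five of the
# original result lines kept, header counts adjusted to match).
SAMPLE_REPORT = r"""
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 03:06:26, 30/06/2005
+ Infected files: 5
+ Removed files: 5

+ Scan result:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0008317.exe -> Spyware.Qhost.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010878.exe -> Trojan.Small.ei -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0011119.dll -> TrojanDownLoader.Drexinit -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000574.dll -> Spyware.Ihbo -> Cleaned with backup

::Report End
""".strip()

HEADER_RE = re.compile(r"^\+ (?P<key>[^:]+): (?P<value>.*)$")
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<family>.+?) -> (?P<action>.+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE)


def parse_report(text):
    """Return (header dict, list of (path, family, action)) from the report text."""
    header, results = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        r = RESULT_RE.match(line)
        if r:
            results.append((r["path"], r["family"], r["action"]))
    return header, results


def restore_point_of(path):
    """'RP13' if the path lies inside a System Restore snapshot, else None."""
    m = RESTORE_RE.search(path)
    return m.group(1) if m else None


def summarize(text):
    header, results = parse_report(text)
    declared = int(header.get("Infected files", "0"))
    # Detections outside the restore-point tree: files that were live on the system.
    live = [(p, fam) for p, fam, _ in results if restore_point_of(p) is None]
    # Detections per restore point: these copies survive until System Restore is reset.
    snapshots = Counter(rp for rp in (restore_point_of(p) for p, _, _ in results) if rp)
    return {
        "declared_infected": declared,
        "parsed": len(results),
        "count_matches_header": declared == len(results),
        "families": Counter(fam for _, fam, _ in results),
        "live": live,
        "restore_points": snapshots,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"parsed {s['parsed']} of {s['declared_infected']} declared detections")
    print("live:", [p for p, _ in s["live"]])
    print("restore points:", dict(s["restore_points"]))
    print("families:", dict(s["families"]))
```

On the full report in #3 only one of the 31 hits is a live file (msinfo.exe); the other 30 are copies inside restore points, which is exactly the set the "turn System Restore off, reboot, turn it back on" step discards.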
#5
lavellej (Topic Starter, Member, 29 posts)

many thanks - see below;
Incident Status Location

Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/CWS.Yexe No disinfected C:\WINDOWS\inet?00??
Adware:Adware/Tubby No disinfected C:\WINDOWS\System32\MTC.ini
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\System32\srpcsrv32.dll
Adware:Adware/Perfect-Search No disinfected C:\WINDOWS\System32\netmgr.dat
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\James Lavelle\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
Adware:Adware/Tubby No disinfected C:\WINDOWS\SYSTEM32\MTC.ini
Adware:Adware/Perfect-Search No disinfected C:\WINDOWS\SYSTEM32\netmgr.dat
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM32\srpcsrv32.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM32\txfdb32.dll
#6
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\System32\MTC.ini

C:\WINDOWS\System32\srpcsrv32.dll

C:\WINDOWS\System32\netmgr.dat

C:\Documents and Settings\James Lavelle\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk

Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM32\txfdb32.dll

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Please update and run Spybot. Let it remove all items it finds.

***

Also do this please:
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.
#7
lavellej (Topic Starter, Member, 29 posts)

many thanks again - as instructed;

Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0
AntivirusGold 2.0
AVG Free Edition
Championship Manager 01-02
Classic PhoneTools
CleanUp!
Command & Conquer Red Alert 2
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
C-Privacy Free
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Diablo II
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
ewido security suite
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Internet Update
Ladbrokes Poker
Lexmark Supplies Monitor
Lexmark Z25-Z35
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Halo
Microsoft Works 7.0
Might and Magic® VI
Modem Helper
MSN Messenger 7.0
MSXML 4.0 SP2 Parser and SDK
My Web Search (Outlook, Outlook Express, and IncrediMail)
NetWaiting
NVIDIA Windows 2000/XP Display Drivers
Paddy Power Poker
Paint Shop Pro 7
PowerDVD
RealPlayer
Risk II
Spybot - Search & Destroy 1.3
Spyware Doctor 3.2
TrojanHunter 4.2
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB842773
Yumgo's Homepage Protector V2
#8
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
My Web Search (Outlook, Outlook Express, and IncrediMail)
Press ‘delete this entry’.
Close HijackThis.

***

Open a Command Prompt window (from Start->Programs->Accessories; called ‘DOS Prompt’ on Windows 95/98/Me) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u ADV.dll

***

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\System32\ADV.dll
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Download CWShredder, update it. Then open the program and click ‘fix’.
When it's done, reboot the computer.

***

How are things now?



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 18 July 2005 - 02:42 PM.
