Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PSGaurd/Trojan-spy.html.smitfraud.com-resolved


  • Please log in to reply

#1
shazzlicker

shazzlicker

    New Member

  • Member
  • Pip
  • 9 posts
I have run a number of programs only to discover a whole range of other viruses that have now been taken care of :tazz:

Unable to get rid of smitfraud and Ceres adware.

Pls help!!

Attached Files


Edited by coachwife6, 13 July 2005 - 08:30 PM.

  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I copied and pasted your log. When you post back, please do it that way. It's easier to work with. :tazz:

ogfile of HijackThis v1.99.1
Scan saved at 11:45:21 AM, on 08-Jul-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [qhzsnlif] c:\windows\system\qhzsnlif.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = tpgi.com.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.12.160.35,203.12.160.36
  • 0

#3
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Are you running McAfee antiviral and AVG? Please uninstall one if that is the case. Having two antivirals is not good for your machine. :tazz:

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

O4 - HKLM\..\Run: [qhzsnlif] c:\windows\system\qhzsnlif.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#4
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Just a small problem..... Ewido does not run with 98SE, is there a way around this?
  • 0

#5
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Just skip running ewido. Thanks for checking.
  • 0

#6
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Panda ActiveScan Log
HijackThis Log
Smitfiles.txt Log

Logs attached:

Cheers


Incident Status Location

Adware:Adware/WUpd No disinfected C:\Program Files\WindUpdates
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\Pynix.inf
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Virus:Trj/Citifraud.A Disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\2dcjzy34.slt\Mail\pop3.its-aust-3.com\Outlook Express Mail.sbd\ACCOUNTS (Do Not Remove Folder!)[~000003.@x@]
Virus:W32/Mydoom.A.worm Disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\2dcjzy34.slt\Mail\pop3.its-aust-3.com\Outlook Express Mail.sbd\David-El Marketing.sbd\2003 Mail.sbd\QLD Undeliverable[document.exe]
Virus:W32/Mydoom.A.worm Disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\2dcjzy34.slt\Mail\pop3.its-aust-3.com\Outlook Express Mail.sbd\David-El Marketing.sbd\2003 Mail.sbd\QLD Undeliverable[document.pif]
Virus:Trj/Citifraud.A Disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\2dcjzy34.slt\Mail\pop3.its-aust-3.com\Outlook Express Mail.sbd\David-El Marketing.sbd\2004 Bar Mail.sbd\NSW Not Read[~000902.@x@]
Virus:W32/Bagle.CC.worm Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Inbox[Price_43254.zip][Result.exe]
Virus:Trj/Mole.B Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Inbox[Violet.zip][getaccess.exe]
Virus:Trj/Mitglieder.DC Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Inbox[7.zip][20_04_2005.exe]
Virus:Trj/Mitglieder.DC Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Inbox[1.zip][20_04_2005.exe]
Virus:Trj/Mitglieder.DQ Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Inbox[Legs.zip][ds-rwe.exe]
Virus:W32/Mydoom.A.worm Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Intl Pins.sbd\Iimagine Marketing.sbd\2003 Mail.sbd\QLD Undeliverable[document.exe]
Virus:W32/Mydoom.A.worm Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Intl Pins.sbd\Iimagine Marketing.sbd\2003 Mail.sbd\QLD Undeliverable[document.pif]
Virus:Trj/Citifraud.A Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\Intl Pins.sbd\Iimagine Marketing.sbd\2004 Bar Mail.sbd\NSW Not Read[~000902.@x@]
Virus:Trj/Citifraud.A Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\l7a3rvkl.default\Mail\Local Folders\ACCOUNTS[~000003.@x@]
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Virus:Trj/Citifraud.A Disinfected Personal Folders\ACCOUNTS (Do Not Remove Folder!)\SunTrust Bank Alert: Unauthorized Login Attempts [Thu, 07 Oct 2004 10:07:49 +0300]
Virus:W32/Mydoom.A.worm Disinfected Personal Folders\David-El Marketing\2003 Mail\QLD Undeliverable\Delivery Status Notification (Failure)\Status\document.exe
Virus:W32/Mydoom.A.worm Disinfected Personal Folders\David-El Marketing\2003 Mail\QLD Undeliverable\Delivery Status Notification (Failure)\hi\document.pif
Virus:Trj/Citifraud.A Disinfected Personal Folders\David-El Marketing\2004 Bar Mail\NSW Not Read\Urgent security notice\MSG_HTML.TXT
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Virus:W32/Mydoom.A.worm Disinfected Local Folders\David-El Marketing\2003 Mail\QLD Undeliverable\Delivery Status Notification (Failure)\[document.exe]
Virus:W32/Mydoom.A.worm Disinfected Local Folders\David-El Marketing\2003 Mail\QLD Undeliverable\Delivery Status Notification (Failure)\[document.pif]





Logfile of HijackThis v1.99.1
Scan saved at 2:34:55 PM, on 11-Jul-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = tpgi.com.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.12.160.35,203.12.160.36



Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system ~~~

wp.bmp


~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~
  • 0

#7
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Sorry about not getting back to you sooner. I'm on vacation and I only have short pockets of time to check in. ;)

Did you write what was in bold? ;)

Virus:Trj/Citifraud.A Disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\2dcjzy34.slt\Mail\pop3.its-aust-3.com\Outlook Express Mail.sbd\ACCOUNTS (Do Not Remove Folder!)[~000003.@x@]

It appears that you have many personal folders that have some malware in them. Can you delete them? You can follow their paths in the Panda scan in safe mode (reboot and lightly tap F8 when it reboots).

You can also reboot into safe mode and find these folders through explorer and delete them.

C:\Program Files\WindUpdates<<this folder
C:\WINDOWS\inf\Pynix.inf


If you are no longer using PCTools Site Guard you can uninstall it, unless you just disabled it for the fix.

How is it running? If it's still not running well, rerun panda and hijack this and post them here. YOu're doing a great job. :tazz:
  • 0

#8
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you so very much for your time and expertise, I think w'ere finally getting on top of it. :tazz:

Panda Log......


Incident Status Location

Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf


HijackThis Log......

Logfile of HijackThis v1.99.1
Scan saved at 1:57:44 PM, on 13-Jul-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = tpgi.com.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.12.160.35,203.12.160.36


I Have rebooted the system a number of times after scanning with all my loaded checkers but the system still freezes for 20 sec then continues.

Cheers
  • 0

#9
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Find these in windows explorer in safe mode and delete them.

C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf

Have you run CleanUp! yet?

Find it here.

http://www.stevengou...ftware/cleanup/
  • 0

#10
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I have been using Cleanup for a while and found that its fantastic.

The Popcap Loader is for online games at Popcap.com and is no threator responsible for system downgrades.

System still freezes momentarily all the time, how can I fix this and the Exact Search is Uncleanable and I can not find traces of it, is this a problem?

Cheers :tazz:
  • 0

Advertisements


#11
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You never did answer this question.

Did you write what was in bold? confused1.gif

Virus:Trj/Citifraud.A Disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\2dcjzy34.slt\Mail\pop3.its-aust-3.com\Outlook Express Mail.sbd\ACCOUNTS (Do Not Remove Folder!)[~000003.@x@]

It appears that you have many personal folders that have some malware in them. Can you delete them? You can follow their paths in the Panda scan in safe mode (reboot and lightly tap F8 when it reboots).


You can run silent runners.

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.
  • 0

#12
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry about the Personal folders questions....

When I upgraded to Thunderbird I imported the information from outlook express and left it running just in case thunderbird fell over.

I have now deleted the Outlook Express files and folders and do not recieve mail via OE.

I will try silent runner and get back to you...

Cheers
  • 0

#13
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"PicasaNet" = ""C:\Program Files\Hello\Hello.exe" -b" [file not found]
"VSOCheckTask" = ""C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask" ["Networks Associates Technology, Inc"]
"VirusScan Online" = ""C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"CriticalUpdate" = "C:\WINDOWS\SYSTEM\wucrtupd.exe -startup" [MS]
"MPFExe" = "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE" ["McAfee Security"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"McVsRte" = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding" ["Networks Associates Technology, Inc"]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check 06142005082303" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee Scan for Viruses (2)" -> launches: "C:\WINDOWS\Desktop\McAfee Scan for Viruses (2).lnk" [file not found]
"Windows Critical Update Notification" -> launches: "C:\WINDOWS\SYSTEM\WUCRTUPD.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{22D003CE-6952-46C5-80B9-D19B479620AB}" = "Stumble&Upon" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\S1927.DLL" ["StumbleUpon.com"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL" ["Networks Associates Technology, Inc"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 23 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 4 seconds.
---------- (total run time: 54 seconds)
  • 0

#14
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Don't see anything out of the ordinary.

Run Hijack This and put check marks next to these:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
(Description: System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. Removing this entry will free up a small amount of system resources. )

O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)


You have some critical updates pending.

Also, you could try this registry cleaner.

Download and install EasyCleaner:
http://personal.inet...rts/ecleane.htm

After installing it check under Settings > Registry tab if the backup
option is checked and if the directory it points to exists.
This should be true by default, but check anyway.

Then click OK and click Registry
Then click Search. When it is done select all the items per color,
(most, if not all should be green) and click Remove.

Reboot when you are done and let us know how it goes.
  • 0

#15
shazzlicker

shazzlicker

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
The boat is now full steam ahead.

Thank you very much for your help! :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP