Bloodhound.w32.ep, w32.desktophijack, & more (?) [RESOLVED]


  • This topic is locked

#16 kool808 (Visiting Staff, 1,690 posts)
Very good imbiginjapan! You did it very well. Scans are looking good now; please wait while I make a new fix.


#17 kool808 (Visiting Staff, 1,690 posts)
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
==========================================

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
Do NOT run it yet.

Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)
===================================================
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R3 - URLSearchHook: (no name) - _{39C763CA-7420-2A12-3515-F5A456076FF8} - (no file)

Make sure to double check the items you have selected, then click Fix Checked.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
  • Click Uninstall
  • Confirm with OK
Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.
=================================================
Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\Program Files\Kazaa Lite
  • C:\Program Files\LimeWire
Finally, Empty Recycle Bin
=================================================

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#18 imbiginjapan (Topic Starter, Member, 41 posts)
HIJACK THIS LOG ::



Logfile of HijackThis v1.99.1
Scan saved at 7:29:44 PM, on 7/18/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\devldr32.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101097927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\2005710164158_mcappins.exe /v=3 /cleanup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://www.content-l...ad/ccaccess.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
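The fix instructions in #17 and the HijackThis log in #18 rely on reading the log by section code and spotting a few tell-tale entries: a ProxyServer pointing at 127.0.0.1, a HOSTS override, BHO/toolbar/URLSearchHook entries whose file is gone ("(no file)"), an autorun living in a Temp folder, and the O6 policy line. The script below is an added example, not HijackThis code and not something from this thread; it encodes those checks as a small triage pass. The sample log is constructed from lines quoted in the thread and is not a complete log.

```python
"""Triage helper for HijackThis v1.99 logs (added example; not part of the
thread and not HijackThis code). Flags the symptoms this thread deals with."""
import re

# Constructed sample: a handful of lines copied from the logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - _{39C763CA-7420-2A12-3515-F5A456076FF8} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\2005710164158_mcappins.exe /v=3 /cleanup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O23).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
LOOPBACK_PROXY_RE = re.compile(r"ProxyServer\s*=\s*127\.0\.0\.1:\d+")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse(log_text):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Return (section, reason, line) for every entry that matches a known symptom."""
    findings = []
    for section, body in parse(log_text):
        line = f"{section} - {body}"
        if section == "R1" and LOOPBACK_PROXY_RE.search(body):
            findings.append((section, "browser traffic forced through a local proxy on 127.0.0.1", line))
        elif section == "O1":
            findings.append((section, "HOSTS file override; check the domain is one you expect", line))
        elif section in ("R3", "O2", "O3") and body.endswith("(no file)"):
            findings.append((section, "orphaned CLSID whose file is gone; safe to fix", line))
        elif section == "O4" and TEMP_DIR_RE.search(body):
            findings.append((section, "autorun launched from a Temp directory", line))
        elif section == "O6":
            findings.append((section, "IE Control Panel policy restriction; confirm nobody set it deliberately", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The rules deliberately do not flag every O2/O3/O4 entry: the Norton BHO and ccApp autorun in the sample are left alone, which is the same judgement the helper in this thread made when choosing only the "(no file)" line for Fix Checked.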

#19 imbiginjapan (Topic Starter, Member, 41 posts)
SMITFILES.TXT ::



Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

wp.bmp


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
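The smitfiles.txt log above shows smitRem declaring wininet.dll infected and replacing it from the dllcache folder that Windows File Protection keeps under system32. The check behind that step is a comparison of the live DLL against its cached copy. The script below is an added example, not smitRem's code; it hashes both copies and reports match, MISMATCH, no-cache-copy or missing. The demo builds a constructed Windows-like tree in a temporary directory rather than touching a real system. A mismatch is a lead, not proof: a service pack can leave dllcache older than the live file, so confirm the file version with the vendor before replacing anything.

```python
"""Compare a system32 DLL with its Windows File Protection copy in dllcache.
Added example, not smitRem's code. Paths follow the Windows 2000 layout in
this thread (%SystemRoot%\\system32\\dllcache)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so a large DLL does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_dllcache(windows_dir, name):
    """Return a status dict for one DLL: match, MISMATCH, no-cache-copy or missing."""
    live = os.path.join(windows_dir, "system32", name)
    cached = os.path.join(windows_dir, "system32", "dllcache", name)
    result = {"name": name, "live": None, "cached": None, "status": "missing"}
    if not os.path.isfile(live):
        return result
    result["live"] = sha256_of(live)
    if not os.path.isfile(cached):
        result["status"] = "no-cache-copy"
        return result
    result["cached"] = sha256_of(cached)
    result["status"] = "match" if result["live"] == result["cached"] else "MISMATCH"
    return result


def demo():
    """Build a constructed Windows-like tree in a temp dir and check three DLLs."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        cache = os.path.join(sys32, "dllcache")
        os.makedirs(cache)
        genuine = b"MZ constructed stand-in for a clean wininet.dll"
        # The cache holds the clean copy; the live file carries a constructed modification.
        with open(os.path.join(cache, "wininet.dll"), "wb") as fh:
            fh.write(genuine)
        with open(os.path.join(sys32, "wininet.dll"), "wb") as fh:
            fh.write(genuine + b"\x90 constructed injected tail")
        # A DLL whose live copy matches its cached copy.
        for folder in (sys32, cache):
            with open(os.path.join(folder, "msvcrt.dll"), "wb") as fh:
                fh.write(b"MZ constructed stand-in for msvcrt.dll")
        # oleadm.dll is deliberately absent, as in the post-run smitfiles.txt above.
        return {n: compare_with_dllcache(root, n)["status"]
                for n in ("wininet.dll", "msvcrt.dll", "oleadm.dll")}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

On a real Windows 2000 box the call would be `compare_with_dllcache(r"C:\WINNT", "wininet.dll")`; the demo only exercises the constructed tree.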

#20 imbiginjapan (Topic Starter, Member, 41 posts)
PANDASCAN REPORT ::


Incident Status Location

Spyware:spyware/iehelp No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\ipreg32.inf

Adware:adware/sahagent No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\setup4002b.ini

Adware:adware/portalscan No disinfected C:\WINNT\SYSTEM32\stcloader.exe

Adware:adware/superspider No disinfected C:\WINNT\SYSTEM32\system32.dll

Adware:adware/cws.searchmeup No disinfected C:\WINNT\mstasks1.exe

Adware:adware/sidesearch No disinfected C:\WINNT\sepsd.bin

Adware:adware/delfinmedia No disinfected C:\keys.ini

Adware:adware/sbsoft No disinfected HKEY_CURRENT_USER\SOFTWARE\SEARCHTOOLBAR

Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\MEDIAGATEWAYX.INSTALLER

Adware:adware/navhelper No disinfected HKEY_CLASSES_ROOT\CLSID\{BDF3E430-B101-42AD-A544-FADC6B084872}

Adware:adware/memorywatcher No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\MEMORYWATCHER

Adware:adware/iedriver No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{120E090D-9136-4B78-8258-F0B44B4BD2AC}

Spyware:spyware/wareout No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}

Spyware:spyware/istbar No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{faa356e4-d317-42a6-ab41-a3021c6e7d52}

Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}

Spyware:Spyware/Iehelp No disinfected C:\WINNT\Downloaded Program Files\ipreg32.inf

Adware:Adware/SAHAgent No disinfected C:\WINNT\Downloaded Program Files\setup4002b.ini

Adware:Adware/SBSoft No disinfected C:\WINNT\webdlg32.inf

Adware:Adware/Popup.pop No disinfected C:\WINNT\winsx.inf

Edited by imbiginjapan, 18 July 2005 - 06:45 PM.


#21 imbiginjapan (Topic Starter, Member, 41 posts)
EWIDO REPORT ::

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:02:17 PM, 7/18/2005
+ Report-Checksum: DB32FB7E

+ Scan result:

:mozilla.12:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Jeremy Williamson\Application Data\Mozilla\Profiles\Default User\8z4w0y9x.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End

#22 imbiginjapan (Topic Starter, Member, 41 posts)
As for the Ad-Aware scan, it only came up with negligible items. I also uninstalled my Kazaa and LimeWire programs.

I couldn't find the "uncheck Security Info" step you mentioned. In fact there was no "Desktop" tab under 'Display' in the Control Panel. There was a 'Customize Desktop' option on my actual desktop, but it didn't have a 'Website' section.

Thanks again for all your help.

#23 kool808 (Visiting Staff, 1,690 posts)

Good job, how is your Norton AV responding now? Does it still detect the wininet.dll?
Do you love to play games at pogo.com?


Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This line pertains to restrictions on certain areas of your computer to which you cannot have full access. This is usually set by an Administrator for security reasons.

This is just optional: if you set this yourself, or your Administrator did it on purpose, then we should leave it alone. Do NOT fix it in that case. Otherwise, if you had nothing to do with it, then we shall remove it.


Make sure to double check the items you have selected, then click Fix Checked.

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Now run the CleanUp program!

Post a new HijackThis log.
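Post #23 asks the user to merge a downloaded .reg file and then decide about an O6 policy line. Before merging any .reg file it is worth listing exactly which keys and values it will create, set or delete, so the changes can be checked against what the helper said the fix should touch. The script below is an added example, not part of the thread and not Grinler's smitfraud.reg; it parses the regedit export format (header, `[key]`, `[-key]`, `"name"=value`, `"name"=-`, backslash line continuation) and prints a dry-run summary. The sample .reg text is constructed for the demo and is not the contents of the real file.

```python
"""Dry-run reviewer for a .reg file (added example; not Grinler's file and
not part of the thread). Lists the registry changes the file would make."""
import re

# Constructed sample in regedit export format; NOT the real smitfraud.reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample, not the real smitfraud.reg
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"=hex(2):61,00,62,00,6f,00,75,00,74,00,3a,00,62,00,6c,00,\
  61,00,6e,00,6b,00,00,00
"""

# "name"=value or @=value (the key's default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')


def parse_reg(text):
    """Return (action, key, value_name, data) tuples in file order.

    Actions: ensure_key, delete_key, set_value, delete_value. Data is kept
    exactly as written (dword:, hex(n):, quoted string); nothing is decoded.
    """
    head = text.lstrip()
    if not (head.startswith("Windows Registry Editor Version 5.00") or head.startswith("REGEDIT4")):
        raise ValueError("missing .reg header; refusing to interpret the file")
    actions = []
    key = None
    pending = ""  # logical line being continued across lines ending in a backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            target = line[1:-1]
            if target.startswith("-"):
                actions.append(("delete_key", target[1:], None, None))
                key = None
            else:
                key = target
                actions.append(("ensure_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"cannot interpret line: {raw!r}")
        name = "@" if m.group("default") else m.group("name")
        data = m.group("value")
        if data == "-":
            actions.append(("delete_value", key, name, None))
        else:
            actions.append(("set_value", key, name, data))
    return actions


def review(text):
    """Human-readable one-liners, with changes under a Policies key called out."""
    lines = []
    for action, key, name, data in parse_reg(text):
        flag = " [policy key]" if "\\Policies\\" in key else ""
        if action == "delete_key":
            lines.append(f"DELETE KEY {key}{flag}")
        elif action == "ensure_key":
            lines.append(f"KEY {key}{flag}")
        elif action == "delete_value":
            lines.append(f"  delete value {name}")
        else:
            lines.append(f"  set {name} = {data}")
    return lines


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_REG)))
```

For a downloaded file, `review(open("smitfraud.reg", encoding="utf-16").read())` (regedit 5.00 exports are UTF-16; older REGEDIT4 files are ANSI) gives the list to check before double-clicking it. The parser refuses files without a header and raises on any line it cannot classify rather than guessing.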

#24 imbiginjapan (Topic Starter, Member, 41 posts)
Hi there. I'm not going to have access to that comp for another couple of days. Please don't close my post, as I will post the results by Friday.

Thanks for your patience.

#25 kool808 (Visiting Staff, 1,690 posts)
Okay, I will wait for your reply. Good luck with your work.


#26 imbiginjapan (Topic Starter, Member, 41 posts)
Hi there. I successfully downloaded and merged smitfraud.reg.

Afterwards I ran HijackThis and removed what you requested.

As for the uncheck "Security Info" step:
Again, there is no Desktop option in the Display panel of the Control Panel. There is a Web tab, though, but no Security Info option there.

I also right-clicked on my desktop and went to Customize Desktop, but it just directed me to Control Panel > Display > Web.

I ran CleanUp and HijackThis again. Here's the log ::

Logfile of HijackThis v1.99.1
Scan saved at 10:40:16 PM, on 7/23/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\110109~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110109~1\EE\AOLServiceHost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101097927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\2005710164158_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX
O9 - Extra button: Microsoft® JavaScript® Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {FDC11D31-DBBE-450D-8E06-78A1061E312F} - C:\WINNT\system32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://www.content-l...ad/ccaccess.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

I ran my Norton AntiVirus and the virus appears to be there again. And yes, I do love those games at Pogo! They keep me entertained for hours.

Thanks again for your patience. I've been working on my boyfriend's computer and don't have access to it every day.
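As an added example, not part of this thread and not HijackThis' own code: a small triage pass over the kind of log posted above, encoding the things a helper reads first when a machine keeps re-infecting. The sample lines are copied from the log above; the severities and reasons are my own heuristics, not HijackThis output. O16 (ActiveX download) entries are deliberately left alone here because the forum software truncated their URLs, so the download host cannot be judged from this page.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section severity reason line")

# Sample input: lines copied from the HijackThis log posted above in this thread.
# The ccApp line is included as a benign control that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\2005710164158_mcappins.exe /v=3 /cleanup
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
"""

# A proxy pointing at the loopback address means every browser request is
# relayed through some local process; identify that process before trusting it.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(127\.0\.0\.1|localhost)(:\d+)?", re.IGNORECASE)
# Autostart entries launching from a Temp directory: installers normally clean
# these up, droppers often do not.
TEMP_PATH = re.compile(r"\\te?mp\\", re.IGNORECASE)


def triage_line(line):
    """Return a Finding for one HijackThis log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]  # "R1", "O4", "O23", ...
    if section == "R1" and LOCAL_PROXY.search(line):
        return Finding(section, "high",
                       "browser proxied through a loopback port; identify the listening process", line)
    if section == "O1":
        return Finding(section, "medium",
                       "hosts-file override; confirm the name-to-address mapping is intended", line)
    if section in ("O2", "O3") and line.endswith("(no file)"):
        return Finding(section, "low",
                       "orphaned registry entry, its file is already gone; safe to fix", line)
    if section == "O4" and TEMP_PATH.search(line):
        return Finding(section, "high",
                       "autostart entry launching from a temporary directory", line)
    if section == "O23" and "Unknown owner" in line:
        return Finding(section, "low",
                       "service binary carries no company name in its version info; verify the path", line)
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
```

Every hit is a prompt to look, not a verdict: the O1 hosts entry and the "Unknown owner" service may well be legitimate, and of the lines above the helper in this thread actually removes only the Temp-directory Run entry (plus one O16 download entry not shown here). The loopback proxy is the item worth chasing on a box that keeps re-infecting, because whatever listens on that port sees every page the browser fetches.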

#27 kool808 (Visiting Staff)

Are you from Japan? O genki desu ka, o namae wa nan desu ka? (How are you, what is your name?)

#28 kool808 (Visiting Staff)

That is really very weird, it must be a false positive... Let me verify it again.

We will do this once again. This time with an updated SmitRem ver. 2.2

Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.
Do NOT run it yet.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)
===================================================
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\2005710164158_mcappins.exe /v=3 /cleanup
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://www.content-l...ad/ccaccess.cab

Make sure to double-check the items you have selected, then click Fix Checked.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or whichever partition your operating system is installed on. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Run CLEANUP! This will reboot back to NORMAL MODE Windows.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#29 imbiginjapan (Topic Starter)

I'm actually not from Japan; my username is a song by Tom Waits. I'm in New York City.

THE SMITREM RESULTS:


smitRem log file
version 2.2

by noahdfear

The current date is: Sun 07/24/2005
The current time is: 15:24:21.74

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

CLEAN!

#30 imbiginjapan (Topic Starter)

AD-AWARE RESULTS:



Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, July 24, 2005 3:27:03 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R54 14.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):10 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R54 14.07.2005
Internal build : 63
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 496849 Bytes
Total size : 1499538 Bytes
Signature data size : 1467043 Bytes
Reference data size : 31983 Bytes
Signatures total : 41785
CSI Fingerprints total : 962
CSI data size : 33758 Bytes
Target categories : 15
Target families : 715


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:62 %
Total physical memory:261200 kb
Available physical memory:161908 kb
Total page file size:629836 kb
Available on page file:560776 kb
Total virtual memory:2097024 kb
Available virtual memory:2045740 kb
OS:Microsoft Windows 2000 Professional Service Pack 2 (Build 2195)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Don't log streams smaller than 0 Bytes
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-24-2005 3:27:03 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 108
ThreadCreationTime : 7-24-2005 10:19:19 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 156
ThreadCreationTime : 7-24-2005 10:19:36 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 184
ThreadCreationTime : 7-24-2005 10:19:39 PM
BasePriority : Normal
FileVersion : 5.00.2195.2780
ProductVersion : 5.00.2195.2780
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 7-24-2005 10:19:39 PM
BasePriority : Normal
FileVersion : 5.00.2195.2964
ProductVersion : 5.00.2195.2964
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 328
ThreadCreationTime : 7-24-2005 10:19:43 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:6 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 360
ThreadCreationTime : 7-24-2005 10:19:45 PM
BasePriority : Normal
FileVersion : 1.50.1085.0029
ProductVersion : 1.50.1085.0029
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:7 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 376
ThreadCreationTime : 7-24-2005 10:21:46 PM
BasePriority : Normal
FileVersion : 5.00.3315.2846
ProductVersion : 5.00.3315.2846
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:8 [devldr32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 388
ThreadCreationTime : 7-24-2005 10:22:40 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
ProductName : Creative Ring3 NT Inteface
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
LegalCopyright : Copyright © 1998 - 2000 Creative Technology Ltd.
OriginalFilename : DevLdr32.exe

#:9 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 316
ThreadCreationTime : 7-24-2005 10:26:56 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jeremy williamson@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:jeremy williamson@2o7.net/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jeremy williamson@servedby.advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:jeremy williamson@servedby.advertising.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jeremy williamson@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:jeremy williamson@advertising.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jeremy williamson@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:jeremy williamson@atdmt.com/

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 14



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
2 entries scanned.
New critical objects:0
Objects found so far: 14




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14

3:32:23 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:19.520
Objects scanned:72713
Objects identified:4
Objects ignored:0
New critical objects:4