[lucient]

Dear Geeks

Your faithful dummy got infected with several malware while visiting some ehem... entertaiment websites (i.e. [bleep] ). Did a lot of scaning (spybot, adware, ewido) but the insidious Mr. Smit-fraud keeps poping (47 entries no less!)in the Spybot scan. I even tried some of the tips included in other treads ( just to read afterwards that this behaviour is not recomended at all! ) like using the smit.rem in safe mode, but my comp wont reboot, gettin a memory-dumping-blue-screen instead. I´d be very grateful to any help - and if you guys are able to take me out of this mess i promise i wont visit "those" sites never again! Chastity is my new name!

Thanks in advance
Lucient

Here is my log

Logfile of HijackThis v1.99.1
Scan saved at 18:11:21, on 01/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\kdx\KHost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
C:\Archivos de programa\a2\a2guard.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\olvjr.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC143F1D-AC5E-2BFB-3800-4506564697DB} - C:\WINDOWS\addgk32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [javarq32.exe] C:\WINDOWS\javarq32.exe
O4 - HKLM\..\Run: [d3ai32.exe] C:\WINDOWS\d3ai32.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [a-squared] "C:\Archivos de programa\a2\a2guard.exe"
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Archivos de programa\J River\Media Center\DMDownload.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[Advertisements]

Please download Intermute's CWShredder from here:
http://cwshredder.ne.../CWShredder.exe
Save it to the desktop and run it, and click "Fix" to remove the CWS infection.

Then please download About:Buster from here:
http://www.malwareby...boutBuster5.zip
Unzip the files to a convenient location such as C:\AboutBuster, and run AboutBuster.exe. Read the instructions then click OK to proceed. Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version. Then click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Make sure all hidden files and folders are visible (Instructions )

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Scan again with HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\olvjr.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC143F1D-AC5E-2BFB-3800-4506564697DB} - C:\WINDOWS\addgk32.dll (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [javarq32.exe] C:\WINDOWS\javarq32.exe
O4 - HKLM\..\Run: [d3ai32.exe] C:\WINDOWS\d3ai32.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\olvjr.dll <= this file
C:\WINDOWS\System32\P2P Networking <= this folder

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log, the About:Buster log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[didom]

Please download Intermute's CWShredder from here:
http://cwshredder.ne.../CWShredder.exe
Save it to the desktop and run it, and click "Fix" to remove the CWS infection.

Then please download About:Buster from here:
http://www.malwareby...boutBuster5.zip
Unzip the files to a convenient location such as C:\AboutBuster, and run AboutBuster.exe. Read the instructions then click OK to proceed. Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version. Then click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Make sure all hidden files and folders are visible (Instructions )

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Scan again with HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\olvjr.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC143F1D-AC5E-2BFB-3800-4506564697DB} - C:\WINDOWS\addgk32.dll (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [javarq32.exe] C:\WINDOWS\javarq32.exe
O4 - HKLM\..\Run: [d3ai32.exe] C:\WINDOWS\d3ai32.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\olvjr.dll <= this file
C:\WINDOWS\System32\P2P Networking <= this folder

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log, the About:Buster log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[lucient]

Hi didom

Thanks for the quick response. I started to do the whole "ritual" but got stopped at running into safe mode. My comp wont reboot, instead it keeps hanging on the black screen with the blinking -, and then when i tap "enter" it gives a dumping-memory-blue-screen saying it can´t reboot due to the lacking of "winsrv".

Should i do the whole thing on normal mode?


your faithful dummy

[didom]

You have to run smitrem twice!

Please download Intermute's CWShredder from here:
http://cwshredder.ne.../CWShredder.exe
Save it to the desktop and run it, and click "Fix" to remove the CWS infection.

Then please download About:Buster from here:
http://www.malwareby...boutBuster5.zip
Unzip the files to a convenient location such as C:\AboutBuster, and run AboutBuster.exe. Read the instructions then click OK to proceed. Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version. Then click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Make sure all hidden files and folders are visible (Instructions )

Scan again with HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\olvjr.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC143F1D-AC5E-2BFB-3800-4506564697DB} - C:\WINDOWS\addgk32.dll (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [javarq32.exe] C:\WINDOWS\javarq32.exe
O4 - HKLM\..\Run: [d3ai32.exe] C:\WINDOWS\d3ai32.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\olvjr.dll <= this file
C:\WINDOWS\System32\P2P Networking <= this folder

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.

Then reboot your computer.

Open (again!!) the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot your computer again and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log, the About:Buster log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[lucient]

Hi Didom


Followed the instructions, all gone well except

a) In the Hijackthis scan this item was absent

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\olvjr.dll/sp.html#55135

b) Panda scan hanged on... [bleep] , lost the copy and paste, it was something like

...ie5/ups....

here are the rest of the logs
cheers



Logfile of HijackThis v1.99.1
Scan saved at 03:02:15, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
C:\WINDOWS\htpatch.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\kdx\KHost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [a-squared] "C:\Archivos de programa\a2\a2guard.exe"
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Archivos de programa\J River\Media Center\DMDownload.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 01:09:45, 07/08/2005
+ Report-Checksum: 1AC7A1AA

+ Scan result:

C:\WINDOWS\ncewgf.dat -> TrojanDownloader.Agent.bc : Limpio con backup
C:\WINDOWS\pfxstl.dat -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\tvwswe.dat -> TrojanDownloader.Agent.bc : Limpio con backup
C:\WINDOWS\pumfgu.dat -> TrojanDownloader.Agent.bc : Limpio con backup
C:\WINDOWS\rfxbbb.dat -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\bijquh.dat -> TrojanDownloader.Agent.bc : Limpio con backup
C:\WINDOWS\ogsyum.dat -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\hvpzqc.log -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\snrvis.dat -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\wsdbpm.dat -> TrojanDownloader.Agent.bc : Limpio con backup
C:\WINDOWS\xcrvsp.dat -> Trojan.Agent.bi : Limpio con backup


::Fin Report


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!


AboutBuster 5.0 reference file 31
Scan started on [07/08/2005] at [00:17:05]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 00:17:38

[didom]

Please run Ewido again and also try Panda ActiveScan again....

Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Reboot your computer again and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log, the About:Buster log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[lucient]

Hi Didom


Ewido was fine

---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 17:49:05, 07/08/2005
+ Report-Checksum: 27C970E5

+ Scan result:

No se han encontrado archivos infectados!


::Fin Report

But the panda scan keeps hanging at the same point (this time i wrote it down)

C:\FILES\OSP\3082\IE5\ES\USP10.CAB

and it hangs the comp too

cheers
lucient

[didom]

Never mind. If Ewido says that you are clean, you are!

Please post the final HijackThis log to be sure.

[lucient]

Hi Didom

Here is my last Hijackthis log (btw, i did a spybot scan afterwards and it keeps showing the 47 smitfraudc entries, plus the coolwebsearch.homesearch plus an Avenue a inc. one; no matter wot i do these three appear everytime)

cheers!
your faithful dummy. lucient

Logfile of HijackThis v1.99.1
Scan saved at 20:57:57, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
C:\WINDOWS\htpatch.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\kdx\KHost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\a2\a2guard.exe
C:\Archivos de programa\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Acer\Escritorio\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [o2cd] C:\Archivos de programa\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Archivos de programa\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Archivos de programa\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MediaScheduler] C:\Archivos de programa\J River\Media Center\Media Scheduler.exe
O4 - HKCU\..\Run: [a-squared] "C:\Archivos de programa\a2\a2guard.exe"
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Archivos de programa\J River\Media Center\DMDownload.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Archivos de programa\ATI Multimedia\tv\EXPLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam....WebMonProj1.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://80.38.190.62/XNC600NetCam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {685BD16B-509F-4521-B4D3-E0CFB75CCC9B} (Dxviewer Control) - http://80.34.10.43:8...nload/dxv25.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FD153A9-3D29-4458-97CD-2F625F38633C}: NameServer = 194.224.52.4,194.224.52.6
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[didom]

First, please REBOOT!

Open SpyBot, check for and get any updates available, close all browsers, check for problems and fix everything found. Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select (near the top) view report.
Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach that report.
(No Rich Text Format (RTF) ie; Wordpad, please. They can contain malicious scripting and I have to download them in order to view them.)

If you have any problems attaching the Spybot log please go ahead and copy paste the log.

[lucient]

There it goes!

Attached Files

•  SpybotSD.Report.txt   38.56KB   159 downloads

[didom]

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Reboot back into normal mode.

• Download: DelDomains.inf
• Locate DelDomains.inf
• Right-click and select "Install"

Reboot again and check if the problems are solved.

[lucient]

Hi Didom


Did the smit.rem think in safe mode ( which, surprisingly enough, i was able to run into) but then, on rebooting, i met again the everpresent memory-dumpin-bluescreen (so i have to switch off the comp. etc).

Besides that, everything seems pretty ok and the spybot scan didnt find a thing.
It was kinda cool to finally see the "no spyware found" screen!

I wanna thank you again for your time
You guys are "simply the best"


In amiticia
Lucient

[didom]

That's great!

• Don't forget to re-hide all files and folders. To re-hide all files and folders:
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
• This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
  
  Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.
  
  Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.
  
  This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. You are running Windows XP so get updated to SP-2
  
  Please post back if you are still having any problems....

[didom]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.