I have followed those instructions to the letter and some of the products used did pick up small amounts of Malware which were removed. I have now re-run all the tests again and a summary of results is shown below :
McAfee scan : clean
MS AntiSpyware scan : clean
AdAware scan : Clean now
Spybot S&D scan : (tries to clean but unable on restart as memory in use)
LOG:
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com\*!=W=4
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.tempx.cc\*!=W=4
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trackhits.cc\*!=W=4
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracktraff.cc\*!=W=4
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com\*!=W=4
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vv7.al.57e.net\*!=W=4
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-682003330-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com\*!=W=4
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-12 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-07-29 Includes\Dialer.sbi (*)
2005-08-04 Includes\Hijackers.sbi (*)
2005-06-23 Includes\Keyloggers.sbi (*)
2005-08-04 Includes\Malware.sbi (*)
2005-08-04 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-08-02 Includes\Security.sbi (*)
2005-08-04 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-08-04 Includes\Trojans.sbi (*)
CWShredder scan : clean now
TrojanHunter scan : clean now
Trend online scan : clean
Any help you can give me for the problems below is much appreciated!
My current symptoms are as follows :
1) System Tray : Yellow Triangle with Exclamation Mark
When clicked, yellow bubble appears :
Title : System Alert : Popups
Your PC is infected with popups adware (OHPE ver 4.12_23).
Click the icon to get all available anti popup software.
Clicking icon opens browser windows at : www.psguard.com
Sometimes a PSGuard window appears (and psguard.exe is in the task manager)
2) System Tray : Yellow Triangle with Exclamation Mark
When clicked, yellow bubble appears :
Title : Security Alert
System encountered spyware that gathers your private information without your consent. This information includes passwords, credit card details and other private data.
Clicking icon opens browser windows at : www.adwaredelete.com
3) Pop up with Window Title : System Warning
Critical System Error!
Please read this message carefully.
Your PC is infected by spyware.
You must improve your PC's security and system performance by deleting Spyware from your operating system.
Attention! Failure to delete spyware from your PC can result in damage of system resources and your personal files corruption.
Use special software to remove spyware and adware from your comptuer.
Click "OK" to get all available Anti Spyware Software
Buttons : OK Cancel
(when OK is clicked a web page is loaded briefly then disappears and then tries to download Install.exe which I of course cancel)
4) Pop up with Window Title : System Warning
System Warning! 4 Errors found :
-Your computer has slowed down
-Your internet connection speed has decreased
-You get popups and annoying ads when you're online or sometimes even offline
-Your sefault home page has been changed to the one you didn't ask for
Click "OK" to download spware scan and delete infected files.
Buttons : OK Cancel
I enclose my HijackThis log below. I would be very appreciative if someone could give me some pointers on removal of this Shitfraud.
Logfile of HijackThis v1.99.1
Scan saved at 18:53:52, on 17/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Windows Media Connect\mswmcls.exe
c:\program files\windows media connect\mswmccds.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Media Connect\mswmc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msole32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ipms32.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\Phil Bromley\My Documents\setups\CWShredder.exe
C:\Documents and Settings\Phil Bromley\My Documents\setups\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ipms32.exe] C:\WINDOWS\ipms32.exe
O4 - HKLM\..\RunServices: [nethe32.exe] C:\WINDOWS\system\nethe32.exe /s
O4 - HKLM\..\RunOnce: [appif.exe] C:\WINDOWS\system32\appif.exe
O4 - HKLM\..\RunOnce: [apifv32.exe] C:\WINDOWS\system32\apifv32.exe
O4 - HKLM\..\RunOnce: [msfd.exe] C:\WINDOWS\msfd.exe
O4 - HKLM\..\RunOnce: [ntkf32.exe] C:\WINDOWS\ntkf32.exe
O4 - HKLM\..\RunOnce: [crxk32.exe] C:\WINDOWS\system32\crxk32.exe
O4 - HKLM\..\RunOnce: [apice.exe] C:\WINDOWS\apice.exe
O4 - HKLM\..\RunOnce: [netds.exe] C:\WINDOWS\netds.exe
O4 - HKLM\..\RunOnce: [addqm32.exe] C:\WINDOWS\addqm32.exe
O4 - HKLM\..\RunOnce: [winpa.exe] C:\WINDOWS\system32\winpa.exe
O4 - HKLM\..\RunOnce: [ipmy32.exe] C:\WINDOWS\system32\ipmy32.exe
O4 - HKLM\..\RunOnce: [ievc32.exe] C:\WINDOWS\system32\ievc32.exe
O4 - HKLM\..\RunOnce: [sdkje32.exe] C:\WINDOWS\system32\sdkje32.exe
O4 - HKLM\..\RunOnce: [nthf.exe] C:\WINDOWS\system32\nthf.exe
O4 - HKLM\..\RunOnce: [addvz.exe] C:\WINDOWS\addvz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1305.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5806077E-CFEA-477B-AEF7-780977B4FEA3}: NameServer = 205.188.146.145
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Many thanks peeps, I look forward to your assistance.