Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

bestwebslinks [RESOLVED]


  • This topic is locked This topic is locked

#1
vongolavorace

vongolavorace

    New Member

  • Member
  • Pip
  • 4 posts
As in the forum entry to be found here,

http://forums.spywar...=0

my homepage keeps getting changed to www.bestwebslinks.com where rogue spyware tools are advertised. When I try to access my hotmail or yahoomail I get redirected to the same page. I also get frequent popups and a system tray icon telling me that my system is infected by spyware, which in fact it is, namely by the very same people who warn me!
House Call, AdAware, SpyBot Search & Distroy and ewido have been run, to no use.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4.33.27, on 22/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\internat.exe
C:\Programmi\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\shnlog.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\dw15.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.bestwebsl...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastweb.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

http://www.bestwebslinks.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

fornito da FastWeb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -

C:\WINDOWS\system32\hp1D7.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmi\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OpenOffice.lnk = C:\Programmi\OpenOffice.org1.1.4\program\quickstart.exe
O8 - Extra context menu item: &Google Search -

res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links -

res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages -

res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -

res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fastweb.it
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -

http://download.ewid...oOnlineScan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...call/xscan53.ca

b
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -

C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany -

C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software

Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security

suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC -

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Can you help? Should I corrrect the first lines down to O3?

Thanks!
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi pgb and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"


3. I need you to post your log single spaced. It is currently in double space mode.

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.

Regards,

Trevuren

  • 0

#3
vongolavorace

vongolavorace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you a gazillion

Here it is

Logfile of HijackThis v1.99.1
Scan saved at 4.33.27, on 22/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\AVPersonal\AVGNT.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\internat.exe
C:\Programmi\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\shnlog.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\dw15.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastweb.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da FastWeb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp1D7.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmi\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OpenOffice.lnk = C:\Programmi\OpenOffice.org1.1.4\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fastweb.it
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programmi\AVPersonal\AVWUPSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Thanks again

vongolavorace
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
    • Double click the Smitrem.exe icon on your Desktop.
    • Then click Run>Start and a Smitrem folder will apear on your desktop also.
  • Place a shortcut to Panda ActiveScan on your desktop.

  • Download the trial version of Ewido Security Suite

  • Please read Ewido Setup Instructions
    • Install the program
    • Update the definitions to the newest files.
    • DO NOT RUN IT YET
  • Install Ad-Aware SE 1.06, follow these download and setup instructions.
  • REBOOT your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
  • Now open HJT, click SCAN and place a checkmark next to each of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastweb.it
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp1D7.tmp
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.fastweb.it
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab




  • Click the Fix Checked box and EXIT HJT

  • Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

    c:\windows\SYSTEM\blank.htm
    C:\WINDOWS\system32\hp1D7.tmp
    internat.exe<===You will have to Search for this one
    c:\windows\Java\classes\win32ie4.cab

  • Open the smitRem folder
    • Double click the RunThis.bat file to start the tool.
    • Follow the prompts on screen.
    • Wait for the tool to complete and disk cleanup to finish.

    NOTE:The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  • Open Ad-aware and do a full scan. Remove all it finds.

  • Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido
  • Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

  • REBOOT back into Normal Mode

  • Click the Panda ActiveScan shortcut
    • Do a full system scan.
    • Make sure the autoclean box is checked!
  • Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let me know if any problems persist.

Regards,

Trevuren

  • 0

#5
vongolavorace

vongolavorace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you so much Trevuren, two quick doubts to solve before I get going:
1) Re: Panda ActiveScan
Do I have to remove my existing antivirus (H+Bedv AV Personal) before I install the Panda ActiveScan? And in fact, should I install it or run it from the web? Can you recommend Panda over the other (I am not sure whether your position allows you to endorse a product over another)?
2) Re: Safe mode
It may sound weird, but my Windows 2000 is not in English and it does not have a mode that translates as "safe". The first options translate as "provisional mode" and "provisional mode with network", then further down there is an option that translates as "last configuration that was known to be stable". Should I boot in the "provisional mode"?

Thanks again

V V
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Run PandaScan from the Web

2. I cannot really endorse 1 product over another. I can however say what are bad programs.

3. It appears that "provisional mode" is the equivalent.

Regards,

Trevuren

  • 0

#7
vongolavorace

vongolavorace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I think I am done, it seems to have worked. The web is a powerful tool that can be used for good or evil, thank God there are people like you to compensate for the hijackers!


Active scan report from Panda:

Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Programmi\hijackthis\backups\backup-20050822-061846-533.dll

ADAWARE LOG


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :lunedì 22 agosto 2005 6.35.56
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


22-08-2005 6.35.56 - Scan started. (Smart mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 22-08-2005 4.31.02
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.13
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.15
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Applicazione Servizi e Controller
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Sistema operativo Microsoft® Windows ® 2000
Created on : 19/06/2003 10.05.04
Last accessed : 21/08/2005 22.00.00
Last modified : 19/06/2003 10.05.04

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.15
BasePriority : Normal
FileSize : 37 KB
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : DLL eseguibile e server LSA
InternalName : lsasrv.dll e lsass.exe
OriginalFilename : lsasrv.dll e lsass.exe
ProductName : Sistema operativo Microsoft® Windows ® 2000
Created on : 19/06/2003 10.05.04
Last accessed : 21/08/2005 22.00.00
Last modified : 19/06/2003 10.05.04

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.21
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 23/12/1999 11.00.00
Last accessed : 21/08/2005 22.00.00
Last modified : 23/12/1999 11.00.00

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.22
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 23/12/1999 11.00.00
Last accessed : 21/08/2005 22.00.00
Last modified : 23/12/1999 11.00.00

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.22
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 14/04/2005 22.10.04
Last accessed : 21/08/2005 22.00.00
Last modified : 19/06/2003 11.05.04

#:8 [ewidoctrl.exe]
FilePath : C:\Programmi\ewido\security suite\
ThreadCreationTime : 22-08-2005 4.31.23
BasePriority : Normal
FileSize : 16 KB
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
Copyright : Copyright
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
OriginalFilename : ewidoctrl.exe
ProductName : ewido control
Created on : 11/11/2004 23.53.03
Last accessed : 21/08/2005 22.00.00
Last modified : 11/11/2004 23.53.04

#:9 [mstask.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.30
BasePriority : Normal
FileSize : 118 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright © Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Modulo di gestione dell'Utilit
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Utilit
Created on : 14/04/2005 22.23.01
Last accessed : 21/08/2005 22.00.00
Last modified : 19/06/2003 12.05.04

#:10 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM32\ZONELABS\
ThreadCreationTime : 22-08-2005 4.31.35
BasePriority : Normal
FileSize : 1189 KB
FileVersion : 5.5.062.011
ProductVersion : 5.5.062.011
Copyright : Copyright
CompanyName : Zone Labs LLC
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 19/04/2005 19.08.47
Last accessed : 21/08/2005 22.00.00
Last modified : 26/01/2005 2.22.32

#:11 [winmgmt.exe]
FilePath : C:\WINDOWS\System32\WBEM\
ThreadCreationTime : 22-08-2005 4.31.37
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright © Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Strumentazione gestione Windows
InternalName : WINMGMT
ProductName : Strumentazione gestione Windows
Created on : 19/06/2003 10.05.04
Last accessed : 21/08/2005 22.00.00
Last modified : 19/06/2003 10.05.04

#:12 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.31.38
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 23/12/1999 11.00.00
Last accessed : 21/08/2005 22.00.00
Last modified : 23/12/1999 11.00.00

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 22-08-2005 4.31.56
BasePriority : Normal
FileSize : 238 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 19/06/2003 10.05.04
Last accessed : 21/08/2005 22.00.00
Last modified : 19/06/2003 10.05.04

#:14 [jusched.exe]
FilePath : C:\Programmi\Java\jre1.5.0_01\bin\
ThreadCreationTime : 22-08-2005 4.32.12
BasePriority : Normal
FileSize : 36 KB
FileVersion : 1.5.0.10
ProductVersion : 1.5.0.10
Copyright : Copyright
CompanyName : Sun Microsystems, Inc.
FileDescription : Java™ 2 Platform Standard Edition binary
InternalName : Java™ Update Scheduler
OriginalFilename : jusched.exe
ProductName : Java™ 2 Platform Standard Edition 5.0 Update 1
Created on : 14/04/2005 23.12.56
Last accessed : 21/08/2005 22.00.00
Last modified : 06/12/2004 19.31.50

#:15 [realsched.exe]
FilePath : C:\Programmi\File comuni\Real\Update_OB\
ThreadCreationTime : 22-08-2005 4.32.12
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 15/04/2005 0.44.10
Last accessed : 21/08/2005 22.00.00
Last modified : 15/04/2005 0.44.12

#:16 [zlclient.exe]
FilePath : C:\Programmi\Zone Labs\ZoneAlarm\
ThreadCreationTime : 22-08-2005 4.32.13
BasePriority : Normal
FileSize : 881 KB
FileVersion : 5.5.062.011
ProductVersion : 5.5.062.011
Copyright : Copyright
CompanyName : Zone Labs LLC
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 19/04/2005 19.08.55
Last accessed : 21/08/2005 22.00.00
Last modified : 26/01/2005 2.23.20

#:17 [soffice.exe]
FilePath : C:\Programmi\OpenOffice.org1.1.4\program\
ThreadCreationTime : 22-08-2005 4.32.15
BasePriority : Normal
FileSize : 420 KB
FileVersion : 6.00.8779
ProductVersion : 6.00.8779
Copyright : Copyright
CompanyName : OpenOffice.org
FileDescription : OpenOffice.org 1.1.4
InternalName : SOFFICE
OriginalFilename : SOFFICE.EXE
Created on : 27/10/2004 23.10.00
Last accessed : 21/08/2005 22.00.00
Last modified : 27/10/2004 23.10.00

#:18 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 22-08-2005 4.32.46
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.00.2140.1
ProductVersion : 5.00.2140.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Blocco note
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Sistema operativo Microsoft® Windows 2000®
Created on : 23/12/1999 11.00.00
Last accessed : 21/08/2005 22.00.00
Last modified : 23/12/1999 11.00.00

#:19 [iexplore.exe]
FilePath : C:\Programmi\Internet Explorer\
ThreadCreationTime : 22-08-2005 4.34.09
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Sistema operativo Microsoft
Created on : 30/08/2002 17.28.48
Last accessed : 21/08/2005 22.00.00
Last modified : 30/08/2002 17.28.48

#:20 [ad-aware.exe]
FilePath : C:\Programmi\Lavasoft\Ad-aware 6\
ThreadCreationTime : 22-08-2005 4.35.39
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 14/04/2005 23.55.31
Last accessed : 21/08/2005 22.00.00
Last modified : 12/07/2003 20.00.20

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 1
Objects found so far: 1


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 1


6.39.31 Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00.03.34.48
Objects scanned :40347
Objects identified :1
Objects ignored :0
New objects :1


Smit remover has found a malware, repaired the file, and now reports it clean

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:




HJT reports clean:
Logfile of HijackThis v1.99.1
Scan saved at 10.00.12, on 22/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\OpenOffice.org1.1.4\program\soffice.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da FastWeb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: OpenOffice.lnk = C:\Programmi\OpenOffice.org1.1.4\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


Ewido seems also rather clean, bar for the backup of hijackthis

---------------------------------------------------------
ewido security suite - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 7.31.19, 22/08/2005
+ Report-Checksum: 616BF6E2

+ Risultati scansione:

C:\Programmi\hijackthis\backups\backup-20050822-061846-533.dll -> Trojan.Puper.g : Ignorato
:mozilla.49:C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\2e2hzow1.default\cookies.txt -> Spyware.Cookie.Doubleclick : Pulito con Backup


::Fine Rapporto


It seems that I am alright, am I not? Thank you thank you I was so scared! What a night! :)
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Cleanup the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.


2. Finally, Re-hide your System Files and Folders to prevent any future accidents.


Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#9
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP