
Wininet.dll Infected CAN'T REPLACE [RESOLVED]


  • This topic is locked

#16 don77 (Malware Expert, Retired Staff, 18,526 posts)
Log looks clean now.
SP2 = Windows updates.
  • 0



#17 yesiammanu (Member, Topic Starter, 213 posts)
The trojan file keeps coming back, and the wininet.dll keeps getting infected again.
  • 0

#18 don77 (Malware Expert, Retired Staff, 18,526 posts)
Post a fresh HJT log please
  • 0

#19 yesiammanu (Member, Topic Starter, 213 posts)
Logfile of HijackThis v1.99.1
Scan saved at 6:54:52 PM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/t.../webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O21 - SSODL: Adobe Photoshop 6.0 - {0625DC5B-856B-260F-0648-9E57CE5D8012} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe What is this file? I've never seen it before.
I did my own HijackThis clean and it fixed some stuff. (It was a new program that ran on start-up once with a /k that was obviously something hazardous ><)

Edited by yesiammanu, 05 October 2005 - 07:57 PM.

  • 0

#20 don77 (Malware Expert, Retired Staff, 18,526 posts)
Read Here for a description of ezShieldProtector for Px

Your log looks clean. Still having problems?
  • 0

#21 yesiammanu (Member, Topic Starter, 213 posts)
Kernel%Fault%Check /k keeps coming back and my wininet.dll got infected again. There is definitely still a trojan on my computer ><
  • 0

#22 yesiammanu (Member, Topic Starter, 213 posts)
bump
  • 0

#23 don77 (Malware Expert, Retired Staff, 18,526 posts)
Do me a favor: please don't bump your topic, I know when you have replied. And I'm sorry to say I'm not here every waking minute of the day.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Next,
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or whichever partition your operating system is installed on. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#24 yesiammanu (Member, Topic Starter, 213 posts)
I stated before that smitRem will not work because it cannot find a "clean" version of wininet.dll even if I download one. I'll try it anyways and get back to you in a second.
  • 0

#25 yesiammanu (Member, Topic Starter, 213 posts)
Incident Status Location

Virus:Bck/Dragonbot.E Disinfected C:\Documents and Settings\Admin\Desktop\DragonbotWC\DragonBot.exe
Virus:Bck/Dragonbot.E No disinfected C:\Documents and Settings\Admin\Desktop\DragonbotWC\Dragonbot2.rar[Dumped_.exe]
Virus:Bck/Dragonbot.E Disinfected C:\Documents and Settings\Admin\Desktop\DragonbotWC\Dumped_.exe
Virus:Bck/Dragonbot.E Disinfected C:\Documents and Settings\Admin\My Documents\filelib\yesiammanu\DragonbotWC\DragonBot.exe
Virus:Bck/Dragonbot.E No disinfected C:\Documents and Settings\Admin\My Documents\filelib\yesiammanu\DragonbotWC\Dragonbot2.rar[Dumped_.exe]
Virus:Bck/Dragonbot.E Disinfected C:\Documents and Settings\Admin\My Documents\filelib\yesiammanu\DragonbotWC\Dumped_.exe
Adware:adware/securityerror No disinfected C:\Documents and Settings\All Users\Start Menu\Online Security Center.url
Adware:adware/azesearch No disinfected C:\Documents and Settings\All Users\Start Menu\PopUp Blocker.url
Adware:adware/cws.searchmeup No disinfected C:\Documents and Settings\All Users\Start Menu\Spyware Remover.url
Adware:Adware/PsGuard No disinfected C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
Adware:Adware/Adtomi No disinfected C:\Documents and Settings\Paul\Local Settings\Temp\r6dw.sys
Adware:Adware/Adtomi No disinfected C:\WINDOWS\r6dw.sys
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\a2q9fp6.exe
Adware:Adware/PsGuard No disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\mirindaspi.exe
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\r6dw.sys
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.dll
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\infoAtPrinter\Links\LinksApproved\Re: Application\your_details.zip[details.pif]
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\infoAtPrinter\Links\LinksApproved\Re: Movie\your_details.zip[details.pif]
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\info@Toner\Links\LinksApproved\Re: Application\your_details.zip[details.pif]
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\info@Toner\Links\LinksApproved\Re: Movie\your_details.zip[details.pif]
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\info@Toner\Links\LinksApproved\Returned mail: User unknown\Re: Movie\your_details.zip[details.pif]
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\USBX\LinkApproved\Re: Movie\your_details.zip[details.pif]
It doesn't remove spyware!!! Oh no!

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, October 09, 2005 6:50:34 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R69 05.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.Psguard(TAC index:7):5 total references
MRU List(TAC index:0):15 total references
Tracking Cookie(TAC index:3):27 total references
Win32.Trojan.Puper.d(TAC index:6):12 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


10-9-2005 6:50:34 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 244
ThreadCreationTime : 10-10-2005 1:39:46 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 360
ThreadCreationTime : 10-10-2005 1:39:51 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 384
ThreadCreationTime : 10-10-2005 1:39:53 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 428
ThreadCreationTime : 10-10-2005 1:39:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 440
ThreadCreationTime : 10-10-2005 1:39:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 608
ThreadCreationTime : 10-10-2005 1:39:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 676
ThreadCreationTime : 10-10-2005 1:39:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 756
ThreadCreationTime : 10-10-2005 1:39:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 816
ThreadCreationTime : 10-10-2005 1:39:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 856
ThreadCreationTime : 10-10-2005 1:44:11 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 496
ThreadCreationTime : 10-10-2005 1:48:46 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Admin\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\office\11.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\office\11.0\common\open find\microsoft office word\settings\new from existing document\file name mru
Description : list of "new from existing document" files used by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : admin@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Admin\Cookies\admin@live365[1].txt

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 16



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@247realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@247realmedia[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@2o7[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@apmebf[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@bluestreak[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@bluestreak[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@casalemedia[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@centrport[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@centrport[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@cgi-bin[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@maxserving[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@maxserving[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@qksrv[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@qksrv[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@qsrch[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@qsrch[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@questionmarket[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@realmedia[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@revenue[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@revenue[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@statcounter[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@statcounter[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@trafficmp[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@trafficmp[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@tribalfusion[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@tripod[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@tripod[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Paul\Cookies\paul@zedo[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rishi@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Rishi\Cookies\rishi@2o7[1].txt

Malware.Psguard Object Recognized!
Type : File
Data : A0067487.exe
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0067490.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0067523.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0067698.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068698.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068727.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068747.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068790.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Malware.Psguard Object Recognized!
Type : File
Data : A0068804.exe
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068808.exe
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068810.dll
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Win32.Trojan.Puper.d Object Recognized!
Type : File
Data : A0068813.exe
TAC Rating : 6
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Malware.Psguard Object Recognized!
Type : File
Data : A0068823.exe
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Malware.Psguard Object Recognized!
Type : File
Data : A0069830.exe
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP51\



Malware.Psguard Object Recognized!
Type : File
Data : A0069845.exe
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP52\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 57


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 57




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.Puper.d Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

Win32.Trojan.Puper.d Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Local Page

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 59

6:55:35 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:00.547
Objects scanned:126138
Objects identified:44
Objects ignored:0
New critical objects:44

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:13:07 PM, 10/9/2005
+ Report-Checksum: CA3D622D

+ Scan result:

C:\Documents and Settings\Admin\Desktop\GPS_Dragonbot V11[1].0.zip/Dragonbot V11.0.exe -> Backdoor.Dragonbot.j : Ignored
C:\Documents and Settings\Paul\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Local Settings\Temp\atiupdate.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\WINDOWS\system32\4czjoy.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\WINDOWS\system32\652.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\system32\dwidj9.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\WINDOWS\system32\msshed32.exe -> TrojanDownloader.Delf.go : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 8:01:48 PM, on 10/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_46363] C:\WINDOWS\System32\ActiveScan\pavdr.exe 46363
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/t.../webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O21 - SSODL: Adobe Photoshop 6.0 - {0625DC5B-856B-260F-0648-9E57CE5D8012} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe


smitRem log file
version 2.3

by noahdfear

The current date is: Sun 10/09/2005
The current time is: 18:43:56.01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :tazz: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~


~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll not present! ~~~~

~~~ A good copy of wininet.dll was not found. Look for more locations. ~~~



Oh, and I thought you'd be interested in the things Ewido cleaned when I was getting rid of SpySheriff/PSGuard/Security2k (EVIL!!!!!):

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:15:08 PM, 9/9/2005
+ Report-Checksum: B870CC6B

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} -> Spyware.SimpleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77} -> Spyware.SimpleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-4253786913-2071758419-1731425918-1005\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-4253786913-2071758419-1731425918-1005_Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
[616] C:\WINDOWS\system32\14r14.dll -> TrojanDownloader.Small.acw : Cleaned with backup
[1636] C:\WINDOWS\System32\thn32.dll -> TrojanProxy.Small.bk : Cleaned with backup
[1756] C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\Documents and Settings\Admin\Desktop\Bypass\d33\fu.exe -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\Admin\Desktop\Bypass\d33\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\Admin\Desktop\Bypass.zip/Bypass/d33/fu.exe -> Trojan.Rootkit.h : Error during cleaning
C:\Documents and Settings\Admin\Desktop\Bypass.zip/Bypass/d33/msdirectx.sys -> Trojan.Rootkit.h : Error during cleaning
C:\Documents and Settings\Admin\Desktop\Dragonbot V11.0.exe -> Backdoor.Dragonbot.j : Cleaned with backup
C:\Documents and Settings\Admin\Desktop\GPS_Dragonbot V11[1].0.zip/Dragonbot V11.0.exe -> Backdoor.Dragonbot.j : Error during cleaning
C:\Documents and Settings\Admin\My Documents\filelib\yesiammanu\Bypass\d33\fu.exe -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\Admin\My Documents\filelib\yesiammanu\Bypass\d33\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\Manu\Local Settings\Temp\1907ej2.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][10].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][11].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][12].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][13].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][14].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][15].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][3].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][4].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][5].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][6].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][7].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][8].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][9].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@trafficmp[3].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Paul\Cookies\paul@trafficmp[4].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Paul\Local Settings\Temp\1907ej2.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\rishi@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\rishi@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\rishi@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\rishi@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\rishi@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Rishi\Cookies\rishi@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Rishi\Local Settings\Temp\1907ej2.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Program Files\Microsoft Games\Age of Empires II\wmeayl32.dll -> Trojan.Agent.hh : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base001.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur000.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur001.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur002.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur003.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\WINDOWS\1907ej2.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\open.exe -> TrojanDownloader.Small.acw : Cleaned with backup
C:\WINDOWS\flag.bla -> Trojan.Smitfraud : Cleaned with backup
C:\WINDOWS\ssmc.dll -> TrojanDropper.Small.aev : Cleaned with backup
C:\WINDOWS\sys1224.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys1227.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys1230.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys1233.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys1235.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys1237.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\14r14.dll -> TrojanDownloader.Small.acw : Cleaned with backup
C:\WINDOWS\system32\1907ej2.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\49ak0v.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\system32\6frio82.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq1.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.m : Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq5.exe -> TrojanDownloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq6.exe -> TrojanDownloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq7.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\cvxh8jkdq8.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\msshed32.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\WINDOWS\system32\sysvcs.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\system32\thn32.dll -> TrojanProxy.Small.bk : Cleaned with backup
C:\WINDOWS\system32\vxgamet1.exe -> TrojanDropper.Small.wv : Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> TrojanProxy.Lager.x : Cleaned with backup
C:\WINDOWS\system32\zlbw.dll -> Trojan.Smitfraud : Cleaned with backup
C:\WINDOWS\system32\zolker010.dll -> Spyware.Zbar : Cleaned with backup
C:\WINDOWS\system32\ztoolb010.dll -> Spyware.Zbar : Cleaned with backup
C:\WINDOWS\system32\ztoolbar.bmp -> Spyware.TNS-Search : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.l : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.m : Cleaned with backup
D:\Program Files\Adobe\winmmphh32.dll -> TrojanDownloader.Murlo.ar : Cleaned with backup


::Report End

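The smitRem run above ends at "A good copy of wininet.dll was not found", so the open question is which of the copies on this disk, if any, can be trusted. The script below is an added example for this thread, not part of smitRem or of the original post: it inventories every wininet.dll in the places smitRem searched (System32, dllcache, ServicePackFiles\i386, $hf_mig$) plus the hotfix-uninstall folders, records size, file version and SHA-256 for each, compares them with the live System32 copy, and saves a copy of the live file to the desktop for analysis as asked later in the thread. It assumes an elevated PowerShell 2.0 or later session on the affected machine; the function names and the `.suspect` file name are mine.

```powershell
# Added example for this thread (not part of smitRem or the original post).
# Inventory every wininet.dll in the places smitRem searched and compare each
# with the live System32 copy by size, file version and SHA-256.
# Assumptions: elevated PowerShell 2.0+ on the affected machine; the
# ".suspect" desktop copy name and the function names are mine.

param([string]$DllName = 'wininet.dll')

$root = $env:SystemRoot                       # C:\WINDOWS on the machine in the thread
$live = Join-Path $root "System32\$DllName"

function Get-Sha256Hex([string]$Path) {
    # System.Security.Cryptography is used instead of Get-FileHash so the
    # script also runs on PowerShell 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-DllInfo([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force
    # NotSigned is normal for catalog-signed XP system files; see the note below.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Sha256    = Get-Sha256Hex $Path
        Signature = $sig.Status
    }
}

function Show-DllInfo([string]$Label, $Info) {
    Write-Host ("{0} {1}" -f $Label, $Info.Path)
    Write-Host ("        version {0}  {1} bytes  sha256 {2}  sig {3}" -f $Info.Version, $Info.Size, $Info.Sha256, $Info.Signature)
}

# Candidate known-good copies, in the order smitRem tried them, plus the
# hotfix-uninstall folders ($NtUninstallKB*), which also keep a copy.
$candidates = @(
    (Join-Path $root "System32\dllcache\$DllName"),
    (Join-Path $root "ServicePackFiles\i386\$DllName")
)
$candidates += Get-ChildItem -Path (Join-Path $root '$hf_mig$') -Recurse -Force -Filter $DllName -ErrorAction SilentlyContinue |
               ForEach-Object { $_.FullName }
$candidates += Get-ChildItem -Path $root -Filter '$NtUninstallKB*' -Force -ErrorAction SilentlyContinue |
               Where-Object { $_.PSIsContainer } |
               ForEach-Object { Join-Path $_.FullName $DllName }
$candidates = @($candidates | Where-Object { $_ } | Select-Object -Unique)

$liveInfo = Get-DllInfo $live
if ($null -eq $liveInfo) { Write-Error "$live not found"; exit 1 }
Show-DllInfo 'LIVE   ' $liveInfo

$identical = 0
foreach ($c in $candidates) {
    $info = Get-DllInfo $c
    if ($null -eq $info) { Write-Host "missing $c"; continue }
    if ($info.Sha256 -eq $liveInfo.Sha256) {
        $state = 'SAME   '; $identical++
    } elseif ($info.Version -eq $liveInfo.Version) {
        # Same version string, different bytes: exactly what a patched DLL looks like.
        $state = 'DIFFERS (same version, investigate)'
    } else {
        $state = 'DIFFERS (other version, probably a hotfix/SP copy)'
    }
    Show-DllInfo $state $info
}
Write-Host "$identical of $($candidates.Count) candidate copies match the live file."

# Keep a copy of the live file for analysis, as requested in the thread.
$desktop = [Environment]::GetFolderPath('Desktop')
Copy-Item -LiteralPath $live -Destination (Join-Path $desktop "$DllName.suspect") -Force
```

A candidate with the same file version as the live copy but a different hash is the one to look at; a different version is usually just an older service-pack or hotfix copy. Get-AuthenticodeSignature reports NotSigned for files that are signed only through a catalog, which is how XP system files are signed, so treat the hash comparison rather than the signature field as the primary evidence, and confirm against a copy taken from the installation media or a known-clean machine at the same service-pack level.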
#26 don77 (Malware Expert, Retired Staff, 18,526 posts)
Let's get this cleaned up a bit more. The ActiveScan log showed that it disinfected
"Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.dll"

A couple of things:
*Please open Notepad and save these instructions. Name it something you will remember.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the Killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Admin\Desktop\DragonbotWC\Dragonbot2.rar[Dumped_.exe]
C:\Documents and Settings\Admin\My Documents\filelib\yesiammanu\DragonbotWC\Dragonbot2.rar[Dumped_.exe]
C:\Documents and Settings\All Users\Start Menu\Online Security Center.url
C:\Documents and Settings\All Users\Start Menu\PopUp Blocker.url
C:\Documents and Settings\All Users\Start Menu\Spyware Remover.url
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\Documents and Settings\Paul\Local Settings\Temp\r6dw.sys
C:\WINDOWS\r6dw.sys
C:\WINDOWS\system32\a2q9fp6.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\WINDOWS\system32\mirindaspi.exe
C:\WINDOWS\system32\r6dw.sys

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Your computer should restart automatically; if not, reboot manually.

Next,
Check Ad-Aware for updates again, please, then run a full system scan. When it has finished, have it fix everything it finds under the "Critical Objects" tab.
It will tell you there are some objects it couldn't remove and ask to run on the next start-up of Windows. Click Yes and allow it to run. It will likely find just the files located in System Restore, which it can't fix.

Now save a copy of C:\WINDOWS\system32\wininet.dll to your desktop.

Run another scan with ActiveScan.
When done, save the log again, please.

Next, check Ewido for updates, run another scan with it, and again save the log from it.

Copy back for me the ActiveScan log, the Ewido log and the Ad-Aware log, please.

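The Killbox "Delete on Reboot" step above works by asking Windows to remove the files during the next boot, before anything can lock or re-create them. As an added example for this thread, not from Killbox or from the original post, the following PowerShell queues deletions the same way, through the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, and then reads back the resulting PendingFileRenameOperations queue so you can confirm what will happen before restarting. It assumes an elevated PowerShell 2.0 or later session; the function names are mine, and the target paths are taken from don77's list purely as illustration.

```powershell
# Added example for this thread (not from Killbox or the original post).
# Queue files for deletion at the next boot the way Killbox's "Delete on
# Reboot" does: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a null new
# name. Windows records the request under PendingFileRenameOperations and
# carries it out early in the next boot, before the file can be locked or
# re-created by whatever dropped it.
# Assumptions: elevated PowerShell 2.0+; function names are mine; target
# paths are from don77's list and serve only as illustration.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot([string[]]$Paths) {
    foreach ($p in $Paths) {
        # -LiteralPath so that brackets in a name are not treated as wildcards.
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Host "skip (not found): $p"
            continue
        }
        $ok = [Win32.Native]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if ($ok) {
            Write-Host "queued          : $p"
        } else {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "failed (Win32 error $err): $p"
        }
    }
}

function Show-PendingFileRenames {
    # REG_MULTI_SZ of pairs: source, destination; an empty destination means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $pending) { Write-Host 'no pending rename/delete operations'; return }
    for ($i = 0; $i -lt $pending.Length; $i += 2) {
        $src = $pending[$i]
        $dst = ''
        if ($i + 1 -lt $pending.Length) { $dst = $pending[$i + 1] }
        if ([string]::IsNullOrEmpty($dst)) { Write-Host "delete : $src" }
        else                               { Write-Host "rename : $src -> $dst" }
    }
}

# Real file paths from don77's list. An entry written as archive[member], such
# as Dragonbot2.rar[Dumped_.exe], is a scanner's name for a file inside an
# archive; no file by that name exists on disk, so the .rar itself is queued
# here instead (my reading of the list, not something the thread states).
$targets = @(
    'C:\WINDOWS\system32\a2q9fp6.exe',
    'C:\WINDOWS\system32\mirindaspi.exe',
    'C:\WINDOWS\r6dw.sys',
    'C:\WINDOWS\system32\r6dw.sys',
    'C:\Documents and Settings\Paul\Local Settings\Temp\r6dw.sys',
    'C:\Documents and Settings\Admin\Desktop\DragonbotWC\Dragonbot2.rar'
)
Register-DeleteOnReboot $targets
Show-PendingFileRenames
# Restart-Computer    # uncomment once the queue above looks right
```

Run Show-PendingFileRenames on its own first if you want to see what Killbox (or anything else) has already queued; the queue lives in the registry, so a malware component with write access to HKLM can remove entries from it before the reboot, which is one reason to re-run the scanners afterwards rather than trusting the queue alone.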
#27 yesiammanu (Member, Topic Starter, 213 posts)
The Dragonbots aren't exactly trojans. They backdoor into my system and hide files for 'certain' things.

#28 yesiammanu (Member, Topic Starter, 213 posts)
I'm almost absolutely sure I fixed the virus. I just downloaded a fresh copy and pasted it where smitRem usually looked. Unusually, it showed that wininet.dll was not infected, due to me pasting it into the wrong file, thinking it was the dllcache, and replacing it. ^^ It's weird, because it wouldn't replace the stupid file before.

I also installed Norton Internet Security 2005 AntiSpyware Edition, and it doesn't allow me to access the internet when it is enabled. I looked at the help site, but it didn't work. I don't want to spend $29.95 for technical support for a product that I JUST bought, so any ideas?

Edited by yesiammanu, 10 October 2005 - 05:58 PM.


#29 don77 (Malware Expert, Retired Staff, 18,526 posts)

"I'm almost absolutely sure I fixed the virus"

Is smitRem coming back clean now?

"I don't want to spend $29.95 for technical support for a product that I JUST bought, so any ideas?"

I don't blame you; I just uninstalled Norton off my son's machine.

You will have to check the settings. It's probably a good idea to post a new topic in the Applications forum.

#30 yesiammanu (Member, Topic Starter, 213 posts)

Quoting don77:
"Is smitRem coming back clean now?
I don't blame you; I just uninstalled Norton off my son's machine.
You will have to check the settings. It's probably a good idea to post a new topic in the Applications forum."


smitRem log file
version 2.3

by noahdfear

The current date is: Mon 10/10/2005
The current time is: 17:38:32.23

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Thanks for replying back so fast ^^,