[Imu]

Hii. Last time my problem was resolved by geekstogo. Thanks alot. I think i am infected again with the smitfraud virus. My homepage is hijacked. My screen had turned red nad it said that my pc was infected but then i unselected "security" and "warning homepage" in the web tab. Please help. Below is my hijackthis log.


Logfile of HijackThis v1.99.1
Scan saved at 6:22:02 PM, on 11/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\system32\shdochp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mr\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochp.dll/defAPI.htm#privacy;x32;
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [FHPage] C:\WINDOWS\system32\shdochp.exe home
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: OSA.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 193.220.82.2 196.45.144.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 193.220.82.2 196.45.144.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

[Advertisements]

Hi Imu and welcome to Geeks to Go .

My name is infaddict and I will be helping you with your problem. I will post a fix as soon as I have analysed your log.

Thank you for your patience .

[infaddict]

Hi Imu and welcome to Geeks to Go .

My name is infaddict and I will be helping you with your problem. I will post a fix as soon as I have analysed your log.

Thank you for your patience .

[infaddict]

Hi Imu

You have the smitfraud infection and also the SDBOT-ACK worm. Don't worry though, we should be able to clean you up pretty quick

Firstly, your log tells me that your internet connection is being routed through somewhere called 'Dar es Salaam' in Tanzania, Africa. If this does not sound correct (e.g. you do not live in Africa or your ISP is not in Africa), please let me know so we can deal with that problem.

Preparation

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

To enable the viewing of Hidden files follow these steps:

• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and shutdown My Computer.

The Fix

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochp.dll/defAPI.htm#privacy;x32;
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [FHPage] C:\WINDOWS\system32\shdochp.exe home
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)


Close HiJackThis.

Using Windows Explorer or My Computer, delete the following files, if they exist :

C:\WINDOWS\system32\shdochp.dll
C:\WINDOWS\system32\shdochp.exe
C:\WINDOWS\System32\libsys32.exe
syslog32.exe <=== search for this file using Start -> Search (ensure you search all subfolders and for hidden/system files)


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Let us know if any problems persist.

[Imu]

Hey! Thanks for your reply. I'll post my log as soon as i get over with the fix. It will take some time. Thanks for your patience.

[Imu]

Hey! i have gone through all the steps. Panda scan did not work on my pc as it always has problems running on my pc. my Internet explorer homepage is still hijacked. Once i open it, after a few minutes, a page opens saying: Attention! Your system is under control of remote computer with IP address 227.4.167.118. The remote computer has access to the following folders on your PC:
- \WINDOWS\System32
- \Program Files\Internet Explorer
- \My Documents
- Drive C:\ files

There is also a message on the taskbar which keeps on coming which says that "you are infected with trojarn worm attack". There is also another message which keeps on coming which says "you are infected with the popup manager spyware. Popups keep on coming. There are also various other messages that keep on coming which say i am infected with spyware. Please help.

Below are the logs for hijack this, smitrem and ewido.

Logfile of HijackThis v1.99.1
Scan saved at 3:25:02 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mr\My Documents\Hijackthis\HijackThis.exe

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\System32\hpA170.tmp
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.6.92 193.219.193.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.6.92 193.219.193.191
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)



smitRem log file
version 2.3

by noahdfear

The current date is: 11/30/2005
The current time is: 14:10:29.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!


---------------------------------------------------------

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:37:22 PM, 11/30/2005
+ Report-Checksum: A62419EF

+ Scan result:

HKLM\SOFTWARE\AKSoft -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\AKSoft\X-Tractor -> Spyware.AkSoft : Cleaned with backup
:mozilla.18:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.29:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.31:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.34:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Documents and Settings\mr\Application Data\Mozilla\Firefox\Profiles\tmubgicf.Imu\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup


::Report End

[Imu]

Hey. The two messages which i told u come up on the taskbar everytime are: "You are infected with iworm_attck_v122.02a" and "You are infected with Spyware managing pop-up advertisements (OHPE ver 4.12_23)." My PC has become relatively slow. My homepage is hijacked. I get popups all the time. My PC is infected with viruses and spywares. PLEASE HELP

[infaddict]

Hi Imu,

Firstly, apologies for the delay in replying to you. I have been very busy with Real Life issues lately .

Ok, as you may have guessed, you are still infected. In my original post I asked you about your ISP and if it sounded correct that your internet traffic was being routed through Tanzania, Africa. You did not answer this question. Your new log is showing your internet traffic being routed through a company called AIDE Hostmaster in Norway. Please let me know if this sounds correct

Also, when you followed my instructions, can you confirm that you run the smitrem tool in Safe Mode?

I'm real busy at the moment, but will post back later tonight with further instructions. Thanks for your patience

Edited by infaddict, 01 December 2005 - 11:25 AM.

[Imu]

Hey. Well my internet connectection is routed through Dar es Salaam in Tanzania, Africa. It is not routed through AIDE Hostmaster in Norway. So i guess this must be a problem.

Well concerning the smitrem, i think i had run smitrem in safe mode but to be more sure, i ran it again and the log is posted below.

smitRem log file
version 2.3

by noahdfear

The current date is: 12/01/2005
The current time is: 21:34:05.96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

[infaddict]

Hi Imu

Thanks for the response and for answering my question about your internet access.

Looks like smitrem did pick up a file on the 2nd attempt.

Please post back with a fresh HijackThis log taken from Normal Mode and we can get right on with the fix

[Imu]

Below is my hijackthis log.


Logfile of HijackThis v1.99.1
Scan saved at 11:07:16 PM, on 12/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rsvp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\mr\My Documents\Hijackthis\HijackThis.exe

O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\System32\hp8368.tmp
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.6.89 193.219.193.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.6.89 193.219.193.191
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

[Imu]

Hii. I have not recieved any reply from you. Please help me as the spywares and viruses are disturbing. There are so many popups which come. I get so many messages about spywares and viruses. Please help.

[infaddict]

Don't worry, I haven't forgotten about you! You only posted your latest log last night .

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

• Click the Free Trial link under to "SpySweeper" to download the program.
• Install it. Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Options on the left side.
• Click the Sweep Options tab.
• Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

Edited by infaddict, 02 December 2005 - 03:03 PM.

[Imu]

Hey! Thanks for your reply. Below is the contents of the session log.


********
12:53 AM: | Start of Session, Saturday, December 03, 2005 |
12:53 AM: Spy Sweeper started
12:53 AM: Sweep initiated using definitions version 577
12:53 AM: Starting Memory Sweep
12:53 AM: Found Adware: popuper
12:53 AM: Detected running threat: C:\WINDOWS\System32\hp48C7.tmp (ID = 190)
12:58 AM: Memory Sweep Complete, Elapsed Time: 00:04:56
12:58 AM: Starting Registry Sweep
12:58 AM: Found Adware: cws_analyzeie
12:58 AM: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116873)
12:58 AM: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 116895)
12:58 AM: Found Adware: cws_hotoffers_desktophijacker
12:58 AM: HKLM\software\microsoft\windows\currentversion\uninstall\bluescreen w@rning\ (2 subtraces) (ID = 117245)
12:58 AM: Found Adware: hotbar
12:58 AM: HKCR\clsid\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (17 subtraces) (ID = 127246)
12:58 AM: HKCR\hbthostie.bho.1\ (3 subtraces) (ID = 127295)
12:58 AM: HKCR\hbtools.hbtcommband.1\ (3 subtraces) (ID = 127306)
12:58 AM: HKCR\hbtools.hbttravelcomparebar.1\ (3 subtraces) (ID = 127308)
12:58 AM: HKCR\hbttools.hbmain.1\ (3 subtraces) (ID = 127316)
12:58 AM: HKCR\rprtspsclient.psexecuter.1\ (3 subtraces) (ID = 127362)
12:58 AM: HKCR\shprrprts.hbax.1\ (3 subtraces) (ID = 127365)
12:58 AM: HKCR\shprrprts.hbcommband.1\ (3 subtraces) (ID = 127367)
12:58 AM: HKCR\shprrprts.hbinfoband.1\ (3 subtraces) (ID = 127369)
12:58 AM: HKCR\shprrprts.iebutton.1\ (3 subtraces) (ID = 127371)
12:58 AM: HKCR\shprrprts.iebuttona.1\ (3 subtraces) (ID = 127373)
12:58 AM: HKCR\shprrprts.smrtshprctl.1\ (3 subtraces) (ID = 127375)
12:58 AM: HKLM\software\classes\clsid\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (17 subtraces) (ID = 127409)
12:58 AM: HKLM\software\classes\clsid\{ed8525ea-2bfc-4440-bd8a-20efb9d5e541}\ (11 subtraces) (ID = 127436)
12:58 AM: HKLM\software\classes\hbthostie.bho.1\ (3 subtraces) (ID = 127461)
12:58 AM: HKLM\software\classes\hbtools.hbtcommband.1\ (3 subtraces) (ID = 127472)
12:58 AM: HKLM\software\classes\hbtools.hbttravelcomparebar.1\ (3 subtraces) (ID = 127474)
12:58 AM: HKLM\software\classes\hbttools.hbmain.1\ (3 subtraces) (ID = 127482)
12:58 AM: HKLM\software\classes\rprtspsclient.psexecuter.1\ (3 subtraces) (ID = 127521)
12:58 AM: HKLM\software\classes\shprrprts.hbax.1\ (3 subtraces) (ID = 127524)
12:58 AM: HKLM\software\classes\shprrprts.hbcommband.1\ (3 subtraces) (ID = 127526)
12:58 AM: HKLM\software\classes\shprrprts.hbinfoband.1\ (3 subtraces) (ID = 127528)
12:58 AM: HKLM\software\classes\shprrprts.iebutton.1\ (3 subtraces) (ID = 127530)
12:58 AM: HKLM\software\classes\shprrprts.iebuttona.1\ (3 subtraces) (ID = 127532)
12:58 AM: HKLM\software\classes\shprrprts.smrtshprctl.1\ (3 subtraces) (ID = 127534)
12:58 AM: HKLM\software\microsoft\windows\currentversion\internet settings\5.0\user agent\post platform\ || hbtools 4.6.2 (ID = 127596)
12:59 AM: Found Adware: powerscan
12:59 AM: HKLM\software\microsoft\windows\currentversion\uninstall\power scan\ (2 subtraces) (ID = 136826)
12:59 AM: Found Adware: virtualmaid toolbar
12:59 AM: HKCR\clsid\{8b0b6f79-c50d-4ea6-8f65-bdf18005de20}\ (11 subtraces) (ID = 145585)
12:59 AM: HKCR\govm.contextitem.1\ (3 subtraces) (ID = 145589)
12:59 AM: HKCR\govm.contextitem\ (5 subtraces) (ID = 145590)
12:59 AM: HKLM\software\classes\clsid\{8b0b6f79-c50d-4ea6-8f65-bdf18005de20}\ (11 subtraces) (ID = 145592)
12:59 AM: HKLM\software\classes\govm.contextitem.1\ (3 subtraces) (ID = 145596)
12:59 AM: HKLM\software\classes\govm.contextitem\ (5 subtraces) (ID = 145597)
12:59 AM: HKLM\software\classes\vm.vmobj.1\ (3 subtraces) (ID = 145599)
12:59 AM: HKLM\software\classes\vm.vmobj\ (5 subtraces) (ID = 145600)
12:59 AM: HKCR\vm.vmobj.1\ (3 subtraces) (ID = 145614)
12:59 AM: HKCR\vm.vmobj\ (5 subtraces) (ID = 145615)
12:59 AM: Found Adware: winad
12:59 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
12:59 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
12:59 AM: Found Adware: ist yoursitebar
12:59 AM: HKCR\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 147829)
12:59 AM: Found Adware: ist software
12:59 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
12:59 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
12:59 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/hbinstie.dll\ (2 subtraces) (ID = 484423)
12:59 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\hbinstie.dll (ID = 655022)
12:59 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (4 subtraces) (ID = 735573)
12:59 AM: HKCR\interface\{175816a5-219e-4079-b2f9-53c501c409ba}\ (8 subtraces) (ID = 774223)
12:59 AM: HKCR\interface\{421745e9-16df-4ee4-a758-d51f939c49cb}\ (8 subtraces) (ID = 774286)
12:59 AM: HKCR\interface\{5f2b9de7-f878-4762-8cfe-e9c58f082f0e}\ (8 subtraces) (ID = 774331)
12:59 AM: HKCR\interface\{8654592e-952a-4e7c-a960-304763b35fa6}\ (8 subtraces) (ID = 774349)
12:59 AM: HKCR\interface\{8a61a950-c325-4f44-ba64-273180ff3464}\ (8 subtraces) (ID = 774358)
12:59 AM: HKCR\interface\{b53d4cd4-406d-43cc-8244-7893d72236dd}\ (8 subtraces) (ID = 774394)
12:59 AM: HKCR\interface\{b9bb3219-f84c-4060-966b-4a1e73e24226}\ (8 subtraces) (ID = 774412)
12:59 AM: HKCR\interface\{d24f9d3c-5d4c-47f8-9ab7-632b44ad6a0d}\ (8 subtraces) (ID = 774439)
12:59 AM: HKCR\interface\{f786cb18-3809-4e49-bc99-9a66da47db8b}\ (8 subtraces) (ID = 774457)
12:59 AM: HKLM\software\classes\interface\{175816a5-219e-4079-b2f9-53c501c409ba}\ (8 subtraces) (ID = 774499)
12:59 AM: HKLM\software\classes\interface\{421745e9-16df-4ee4-a758-d51f939c49cb}\ (8 subtraces) (ID = 774562)
12:59 AM: HKLM\software\classes\interface\{5f2b9de7-f878-4762-8cfe-e9c58f082f0e}\ (8 subtraces) (ID = 774607)
12:59 AM: HKLM\software\classes\interface\{8654592e-952a-4e7c-a960-304763b35fa6}\ (8 subtraces) (ID = 774625)
12:59 AM: HKLM\software\classes\interface\{8a61a950-c325-4f44-ba64-273180ff3464}\ (8 subtraces) (ID = 774634)
12:59 AM: HKLM\software\classes\interface\{b53d4cd4-406d-43cc-8244-7893d72236dd}\ (8 subtraces) (ID = 774670)
12:59 AM: HKLM\software\classes\interface\{b9bb3219-f84c-4060-966b-4a1e73e24226}\ (8 subtraces) (ID = 774688)
12:59 AM: HKLM\software\classes\interface\{d24f9d3c-5d4c-47f8-9ab7-632b44ad6a0d}\ (8 subtraces) (ID = 774715)
12:59 AM: HKLM\software\classes\interface\{f786cb18-3809-4e49-bc99-9a66da47db8b}\ (8 subtraces) (ID = 774733)
12:59 AM: Found Adware: security2k hijacker
12:59 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
12:59 AM: Found Trojan Horse: trojan-downloader-zlob
12:59 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797370)
12:59 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
12:59 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || nvctrl.exe (ID = 813700)
12:59 AM: HKLM\software\classes\clsid\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 920458)
12:59 AM: HKCR\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026307)
12:59 AM: HKLM\software\classes\clsid\{7caf96a2-c556-460a-988e-76fc7895d284}\ (4 subtraces) (ID = 1026331)
12:59 AM: HKU\S-1-5-21-343818398-1214440339-725345543-1003\software\microsoft\internet explorer\explorer bars\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (2 subtraces) (ID = 127570)
12:59 AM: HKU\S-1-5-21-343818398-1214440339-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe14} (ID = 127575)
12:59 AM: HKU\S-1-5-21-343818398-1214440339-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {e77eda01-3c56-4a96-8d08-02b42891c169} (ID = 127576)
12:59 AM: HKU\S-1-5-21-343818398-1214440339-725345543-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {74cc49f7-eb32-4a08-b204-948962a6e3db} (ID = 127586)
12:59 AM: Found Adware: ist sidefind
12:59 AM: HKU\S-1-5-21-343818398-1214440339-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
12:59 AM: Registry Sweep Complete, Elapsed Time:00:00:38
12:59 AM: Starting Cookie Sweep
12:59 AM: Found Spy Cookie: belnk cookie
12:59 AM: mr@belnk[1].txt (ID = 2292)
12:59 AM: Found Spy Cookie: zedo cookie
12:59 AM: [email protected][1].txt (ID = 3763)
12:59 AM: [email protected][2].txt (ID = 2293)
12:59 AM: mr@zedo[2].txt (ID = 3762)
12:59 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:59 AM: Starting File Sweep
12:59 AM: Found Adware: psguard
12:59 AM: c:\documents and settings\mr\application data\shudder global limited (11 subtraces) (ID = -2147473536)
12:59 AM: c:\documents and settings\mr\application data\shudder global limited\psguard (10 subtraces) (ID = -2147475035)
1:00 AM: Found Adware: azsearch toolbar
1:00 AM: ztoolbar.bmp (ID = 107200)
1:01 AM: Found Adware: sicro dialer
1:01 AM: switchagreement.txt (ID = 76024)
1:02 AM: ztoolbar.xml (ID = 50365)
1:08 AM: warnhp.html (ID = 182686)
1:08 AM: today's specials.url (ID = 131129)
1:08 AM: hbtools.inf (ID = 62333)
1:08 AM: Found Adware: security iguard
1:08 AM: temp.ini (ID = 75272)
1:08 AM: Warning: Unhandled Archive Type
1:09 AM: Warning: Unhandled Archive Type
1:09 AM: File Sweep Complete, Elapsed Time: 00:10:10
1:09 AM: Full Sweep has completed. Elapsed time 00:15:50
1:09 AM: Traces Found: 462
1:10 AM: Removal process initiated
1:11 AM: Quarantining All Traces: cws_analyzeie
1:11 AM: Quarantining All Traces: popuper
1:11 AM: popuper is in use. It will be removed on reboot.
1:11 AM: C:\WINDOWS\System32\hp48C7.tmp is in use. It will be removed on reboot.
1:11 AM: Quarantining All Traces: psguard
1:11 AM: Quarantining All Traces: security2k hijacker
1:11 AM: Quarantining All Traces: trojan-downloader-zlob
1:11 AM: Quarantining All Traces: virtualmaid toolbar
1:11 AM: Quarantining All Traces: azsearch toolbar
1:11 AM: Quarantining All Traces: hotbar
1:11 AM: Quarantining All Traces: cws_hotoffers_desktophijacker
1:11 AM: Quarantining All Traces: ist sidefind
1:11 AM: Quarantining All Traces: ist software
1:11 AM: Quarantining All Traces: ist yoursitebar
1:11 AM: Quarantining All Traces: powerscan
1:11 AM: Quarantining All Traces: security iguard
1:11 AM: Quarantining All Traces: sicro dialer
1:11 AM: Quarantining All Traces: winad
1:11 AM: Quarantining All Traces: belnk cookie
1:11 AM: Quarantining All Traces: zedo cookie
1:11 AM: Removal process completed. Elapsed time 00:01:02
********
12:46 AM: | Start of Session, Saturday, December 03, 2005 |
12:46 AM: Spy Sweeper started
12:50 AM: Your spyware definitions have been updated.
12:53 AM: | End of Session, Saturday, December 03, 2005 |

[infaddict]

Hi Imu, wow Spy Sweeper found lots of things hiding in your computer

Please reboot your computer and post back with a fresh HijackThis log. Also let me know how your system is running?

[Imu]

Hey. Thanks alot for your help. Spy sweeper is the best software ever. My system is running fine. No popups, no messages of viruses, adawares or spyeares. My homepage is back to normal. Thanks alot. Below is my hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:48:25 PM, on 12/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\mr\My Documents\Hijackthis\HijackThis.exe

O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\System32\hp48C7.tmp (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.5.255 193.219.193.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.5.255 193.219.193.191
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe