Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

YOUR SYSTEM IS INFECTED

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

YOUR SYSTEM IS INFECTED

Unread postby Tommie » September 22nd, 2005, 6:47 am

I have cleared some of the viruses using Active Scan from Trend Micro. But the message " YOUR SYSTEM IS INFECTED!" still remains on my desktop. The virus deactivate my desktop settings so I couldn't change it away. What should I do next?
I think the virus comes from a file name called mssearchnet. But I have deleted it using Killbox.
Please guide me someone. Thanks a lot.!
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am
Advertisement
Register to Remove

Another Scan

Unread postby Tommie » September 22nd, 2005, 7:08 am

I just did another scan using Trend Micro. And I found a new virus cookie. It says, " centrport.net " then its sub folder is "Internet Explorer Cache\centrport.net . I have been trying to clear this but to no avail. I really need some help please. Thanks!
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Log File

Unread postby Tommie » September 22nd, 2005, 7:22 am

Logfile of HijackThis v1.99.1
Scan saved at 7:20:41 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\sndvol32.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: PC-cillin 2002.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2210670561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7350786827
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: 82A44D22-9452-49FB-00FB-CEC7DCAF7E23 - {2850FF81-7735-BB94-313C-3299CC34F5DA} - c:\program files\ea sports\ea sports online\winoqkle32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Kimberly » September 22nd, 2005, 10:34 am

Hello Tommie and welcome.

I'm looking up your log now and I'll post back soon with a fix.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Kimberly » September 22nd, 2005, 1:00 pm

Although I don't see any signs in your HijackThis log, we will go through the fix since you did mention mssearchnet.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

I would like you to download a few tools, don't use them until you are instructed to do so.
  1. Download Hoster to your Desktop or to your usual Download Folder.
    http://www.funkytoad.com/download/hoster.zip
    Unzip it to your Desktop.
  2. Please download SmitRem.exe to your Desktop.
    http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
    Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.
______________________________

Please start and update Ewido to the latest definitions:
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Disable Microsoft AntiSpyware
  1. Open Microsoft AntiSpyware.
  2. Click on Tools, Settings.
  3. In the left pane, click on Real-time Protection.
  4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  6. After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
  7. Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.
______________________________

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

In the next step we are going to stop a and remove the following Service:

Click Start then Run
Type in services.msc
Click Ok

Scroll down and double click on the service called Loading Outpost Connections
Click Stop and then set the Startup Type to Disabled.

Now we will remove the Service from the Registry. Maybe all of the following entries wont be present. If you don't find a key, proceed to the next key.

Click Start then Run
Type in regedit
Click Ok.

In left pane of registry editor, Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KDE
If KDE exists , right click on it and choose Delete from the menu.

Now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ KDE
If LEGACY_KDE exists then right click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritible permissions and press copy. Click on everyone and put a checkmark in full control, press apply and ok and attempt to delete the key again.

Repeat the above procedure for ControlSet001, 002 although you might not find the service listed in those keys.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked.

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\System\svchost.exe <--- Watch out, there is a legitimate file called svchost.exe in your C:\WINDOWS\System32 Folder, don't delete that one
C:\WINDOWS\System32\cmdtel.exe


If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Open the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido
______________________________

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Procede like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Reboot your computer in Normal Mode.

Locate Hoster.exe and double-click on it.
Click on Restore Original Hosts.
Close the program.
______________________________

Run this online virus scan: ActiveScan. Save the results from the scan!
______________________________

Go here to run the Kaspersky Online Scanner
http://www.kaspersky.com/service?chapter=161739400

Hit Online Scanner
You will need to allow ActiveX install.

Once the scanner is installed...
Hit Online Scanner again
Click Start
Click Scan options
Check extended databases
Leave the other 2 checked.

Disable your own AV before starting scan to prevent conflicts.

On the online scanner choose to scan My Computer

Let the scan run. It will take a while. (couple hours)
Don't be browsing unknown sites or fiddling with email...you have no resident protection right now.

Once scan is done...click the save as test button
That creates log of scan results.
Remember where you saved it.

Turn your Trend back on.
______________________________

Post a new HijackThis log along with the results from ActiveScan, the Kaspersky Scan, the Ewido log and the smitfiles.txt.
You might need several replies to post the logs, otherwise they could get cut off.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Scans Results HijackThis

Unread postby Tommie » September 22nd, 2005, 11:27 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:14:44 AM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: PC-cillin 2002.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2210670561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7350786827
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: 82A44D22-9452-49FB-00FB-CEC7DCAF7E23 - {2850FF81-7735-BB94-313C-3299CC34F5DA} - c:\program files\ea sports\ea sports online\winoqkle32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Scan Results Ewido

Unread postby Tommie » September 22nd, 2005, 11:27 pm

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:12:15 AM, 9/23/2005
+ Report-Checksum: 4C816B50

+ Scan result:

:mozilla.13:C:\Documents and Settings\Chan Liwei\Application Data\Mozilla\Firefox\Profiles\ld31mfxy.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned without backup
:mozilla.19:C:\Documents and Settings\Chan Liwei\Application Data\Mozilla\Firefox\Profiles\ld31mfxy.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned without backup
:mozilla.20:C:\Documents and Settings\Chan Liwei\Application Data\Mozilla\Firefox\Profiles\ld31mfxy.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.22:C:\Documents and Settings\Chan Liwei\Application Data\Mozilla\Firefox\Profiles\ld31mfxy.default\cookies.txt -> Spyware.Cookie.Com : Cleaned without backup
:mozilla.23:C:\Documents and Settings\Chan Liwei\Application Data\Mozilla\Firefox\Profiles\ld31mfxy.default\cookies.txt -> Spyware.Cookie.Com : Cleaned without backup


::Report End
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Scan Results Smitfiles

Unread postby Tommie » September 22nd, 2005, 11:28 pm

smitRem log file
version 2.4

by noahdfear

The current date is: Fri 09/23/2005
The current time is: 9:19:16.65

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

ncompat.tlb
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Scan Results Kaspersky

Unread postby Tommie » September 22nd, 2005, 11:29 pm

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 23, 2005 11:25:20
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/09/2005
Kaspersky Anti-Virus database records: 141644
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 44449
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 3055 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\web.exe Infected: Trojan-Downloader.Win32.Small.bnv

Scan process completed.


My results uploaded is based on sequence as followed with your instructions, kim. Thanks! so what should I do next?
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Kimberly » September 23rd, 2005, 12:34 am

Hello Tommie,

You may delete this file:
C:\WINDOWS\system32\web.exe

Can you please post the results from the smitfiles.txt again, it looks like it got cut off because I can't see the end of the log. Also I would like to see the results from the PandaScan.

Thank you.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Smitfiles

Unread postby Tommie » September 23rd, 2005, 1:22 am

smitRem log file
version 2.4

by noahdfear

The current date is: Fri 09/23/2005
The current time is: 9:19:16.65

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

ncompat.tlb
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)


I don't have any software of PandaScan. I used to have it but I uninstalled it a couple days ago. Thank you.
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Tommie » September 23rd, 2005, 7:05 am

Kim, sorry to bother u again. I just want to know what I should do next. I'm really anxious to get my computer clean again through your help. Thank you. Now I don't even know whether the virus is still remained in my computer or cleaned..haha..
Thank You,
Tommie
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Kimberly » September 23rd, 2005, 9:56 am

Hello Tommie,

That's normal, everybody likes a clean computer. :) Normally the main part of the infection should be gone, that's why I wanted the full smitfiles log. You still may have leftovers, that is something we are going to check now. But first we have to clean up another stubborn file.

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s


Close ALL windows and browsers except HijackThis and click Fix Checked

Using Killbox delete the following file on reboot:

C:\WINDOWS\System\svchost.exe
______________________________

Type Start, Run and type in Regedit, click Ok

Navigate to this key: (The registry left pane is a tree just like Windows Explorer is a tree. Clicking the + in front of each successive key will open the branch until you reach the final destination.)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies

Click File > Export. Click on the Desktop Icon in the left pane, name the file Policy and save the file to your Desktop.

Now goto:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main

Click File > Export. Click on the Desktop Icon in the left pane, name the file Expmain and save the file to your Desktop.

Locate Policy.reg on your Desktop, highlight the file and right-click. Select Modify from the popup menu. The file will open up in Notepad. Select the text and past it into your reply.
Perform the same for the Expmain.reg file.
______________________________

The PandaScan is an online scan. I did ask you to perfrom this scan because when I see the results of the scan, I can tell if you have any leftovers.
So please goto the following page and allow the ActiveX control to be installed and perform a scan.
http://www.pandasoftware.com/activescan ... ncipal.htm
Save the results from the scan and post them into your reply!
______________________________

Post a new HijackThis log from Normal Mode, not Safe mode like the previous one, along with the results from ActiveScan and the content of the 2 registry files.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

policy reg

Unread postby Tommie » September 23rd, 2005, 10:17 am

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

expmain reg

Unread postby Tommie » September 23rd, 2005, 10:17 am

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000001
"NoJITSetup"=dword:00000001
"Disable Script Debugger"="yes"
"Show_ChannelBand"="No"
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Display Inline Images"="yes"
"Do404Search"=hex:01,00,00,00
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Save_Session_History_On_Exit"="no"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Use_DlgBox_Colors"="yes"
"Check_Associations"="No"
"FullScreen"="no"
"Window_Placement"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00,80,04,00,00,42,03,00,\
00
"Error Dlg Displayed On Every Error"="no"
"Error Dlg Details Pane Open"="no"
"NotifyDownloadComplete"="yes"
"ShowedCheckBrowser"="Yes"
"Use FormSuggest"="no"
"HistoryViewType"=hex:00,00
"AddToFavoritesExpanded"=dword:00000000
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Enable Browser Extensions"="REG_SZ:no"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 34 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware