Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

tsf...

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

homepage being hijacked to guarduptodate.com, need help!

Unread postby tsf » May 13th, 2006, 1:43 pm

Kimberly wrote:Hello cedarboy88,

Delete all instances of SmitfraudFix or Smitrem, we will use the latest version since it's updated almost daily. There is a new variant of SpyFalcon running in the wild and I think you might be affected by it.

Other than that, you have a trojan on your PC and Messenger Plus 3 comes bundled with LOP (known to change your homepage). I recommend the uninstall of Messenger Plus 3

I would like to see a startuplist as a start too please. The fact that you are unable to remove the infection may be related to different issues. Please follow the instructions below and post the requested logs. Registry may be disabled or we might find ourselves confronted to a rootkit.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Before we start to fix your computer, I would like you to move HijackThis to it's own folder. Do not attempt to fix anything before you moved HijackThis.
Create a folder for Hijackthis on the C: drive called C:\HJT. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it HJT.
Locate HijackThis.exe and right click on it, select cut, right click in the folder you just did create and select paste.
______________________________

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
______________________________

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login under your account.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\winjyp32.dll

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.

Using Windows Explorer, Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Note : You will probably find a lot of files, random names like in the sample below - all are *.tmp or *.tmp.exe - make sure you get them all or you will get reinfected by the trojan! Let me know if you are unable to delete them.

C:\WINDOWS\Temp\win53D.tmp
C:\WINDOWS\Temp\win53F.tmp.exe

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
______________________________

Reboot in normal Mode

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.

Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________

Run HijackThis, click on Open the Misc Tools Section, put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, anwser Yes and copy/paste the content in your reply.
Click Back and Click on Scan. When the scan is finished, click Save Log and paste the content in your reply.
______________________________

Download Findlop to your Desktop
http://metallica.geekstogo.com/findlop.zip

Create a folder for Findlop on the C: drive called C:\lop. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it lop. Extract all the files from the zip archive into that folder.

Open the lop folder and doubleclick findlop.bat and it will create the file C:\findlop.txt
Copy the content into your next post.
______________________________

Please post:
  1. c:\rapport.txt
  2. Winpfind log
  3. Results of the Kaspersky Scan
  4. A new HijackThis log and the startuplist
  5. C:\findlop.txt
Your may need several replies to post the requested logs, otherwise they might get cut off.

Kim




i dont know when u wrote this, but i'm facing the same problem.
but your instruction doesn't seem to work.
i posted a hijackthis log below.
u said about removin winjyp32.dll, but i didn't have that.
but plz note this:
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll

i think i saw it once endin with :(flie missing). is this the prob?? (was scannin in safe mode)

any help is appreciated
tsf
Active Member
 
Posts: 4
Joined: May 13th, 2006, 1:28 pm
Advertisement
Register to Remove

Unread postby 'KotaGuy » May 13th, 2006, 1:46 pm

tsf... please don't post in other people threads... can get confusing that way.

If you would like some help can you post a new HJT as a reply to this topic please.

Thanks!
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Re: homepage being hijacked to guarduptodate.com, need help!

Unread postby tsf » May 13th, 2006, 1:48 pm

Logfile of HijackThis v1.99.1
Scan saved at 10:20:05 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
F:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp8ED.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - F:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe" -startminimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE91412-688C-4291-8DE4-2931332B048A}: NameServer = 203.188.255.162,203.188.255.163
O17 - HKLM\System\CCS\Services\Tcpip\..\{863981C4-1F2A-4D07-B650-04772D96E274}: NameServer = 203.188.255.162,203.188.255.163
O17 - HKLM\System\CCS\Services\Tcpip\..\{99B6467E-0328-4BC4-B7D7-53187CA8B601}: NameServer = 203.112.202.251,203.112.202.252
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - D:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
tsf
Active Member
 
Posts: 4
Joined: May 13th, 2006, 1:28 pm

Unread postby 'KotaGuy » May 13th, 2006, 1:52 pm

Thanks for posting the log... lets get rid of this smitfraud infection for you :)

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Thanks!
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby tsf » May 14th, 2006, 12:13 pm

here u go kotaguy:

SmitFraudFix v2.43

Scan done at 22:12:08.73, Sun 05/14/2006
Run from C:\Documents and Settings\ABC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\twain32.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ABC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ABC\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
tsf
Active Member
 
Posts: 4
Joined: May 13th, 2006, 1:28 pm

Unread postby 'KotaGuy » May 14th, 2006, 3:45 pm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download, install, and update the free version of Ewido Anti-Malware:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido


Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.


Warning : running option #2 on a non infected computer will remove your Desktop background.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby tsf » May 19th, 2006, 12:30 pm

hi,(apologies for late reply)

u r really an god send angel!!!! ur ideas worked perfectly!!!!! thank u very much, i was on the verge of formattin my drive.
it took out the hijackin guarduptodate and 404dns and that annoyin pop-up on the lower right hand of the screen.

just to be sure, here are the reports u wanted:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:01:10 PM, 5/19/2006
+ Report-Checksum: 4D5047EC

+ Scan result:

[300] C:\WINDOWS\system32\wineij32.dll -> Trojan.Agent.qt : Cleaned with backup
C:\Documents and Settings\ABC\Cookies\abc@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\ABC\Cookies\abc@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\ABC\Cookies\abc@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\ABC\Desktop\backups\backup-20060502-221336-422.dll -> Downloader.Zlob.mz : Cleaned with backup
C:\Documents and Settings\ABC\Desktop\backups\backup-20060502-221426-187.dll -> Downloader.Zlob.mz : Cleaned with backup
C:\Documents and Settings\ABC\Desktop\backups\backup-20060502-221455-707.dll -> Downloader.Zlob.mz : Cleaned with backup
C:\Documents and Settings\ABC\Desktop\backups\backup-20060506-223304-236.dll -> Downloader.Zlob.nn : Cleaned with backup
C:\Documents and Settings\ABC\Desktop\backups\backup-20060508-153119-978.dll -> Downloader.Zlob.nn : Cleaned with backup
C:\Documents and Settings\ABC\Desktop\backups\backup-20060511-095654-478.dll -> Downloader.Zlob.nn : Cleaned with backup
C:\Documents and Settings\ABC\Local Settings\Temporary Internet Files\Content.IE5\N1THM3DZ\x2[1].htm -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned with backup
C:\Documents and Settings\ABC\Local Settings\Temporary Internet Files\Content.IE5\SXARS963\mulbin1[1].exe -> Trojan.Dialer.oy : Cleaned with backup
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
C:\RECYCLER\NPROTECT\00004064.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\RECYCLER\NPROTECT\00004065.exe -> Dropper.VB.kk : Cleaned with backup
C:\WINDOWS\system32\AdServ.dll -> Trojan.Agent.qt : Cleaned with backup
C:\WINDOWS\system32\wineij32.dll -> Trojan.Agent.qt : Cleaned with backup
F:\HERO\HyperCam\CmHelper.dll -> Dropper.Paradrop.a : Cleaned with backup


::Report End



SmitFraudFix v2.43

Scan done at 20:20:15.00, Fri 05/19/2006
Run from C:\Documents and Settings\ABC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\twain32.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End




Logfile of HijackThis v1.99.1
Scan saved at 10:28:52 PM, on 5/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
F:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - F:\norton\NAV\External\NORTON\APP\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe" -startminimize
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - F:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE91412-688C-4291-8DE4-2931332B048A}: NameServer = 203.188.255.162,203.188.255.163
O17 - HKLM\System\CCS\Services\Tcpip\..\{863981C4-1F2A-4D07-B650-04772D96E274}: NameServer = 203.188.255.162,203.188.255.163
O17 - HKLM\System\CCS\Services\Tcpip\..\{99B6467E-0328-4BC4-B7D7-53187CA8B601}: NameServer = 203.112.202.251,203.112.202.252
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - D:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - F:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



thanks a lot man.
tsf
Active Member
 
Posts: 4
Joined: May 13th, 2006, 1:28 pm

Unread postby 'KotaGuy » May 19th, 2006, 1:04 pm

Thanks for posting the logs... just a couple other things to take care of...

First... go here and install the newest Java version.

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor

Once your log is clean you can re-enable Spyware Doctor.

Click Start>Run type in appwiz.cpl and hit enter. From the list uninstall:

JS2E Runtime Environment 5.0 Update 1
Registry Cleaner Trial
DAP or Download Accelerator Plus
<< If its the free version.

Run and scan with HijackThis. With all browsers and windows closed, place checks beside the following and fix if found:

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe" -startminimize
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)


Reboot and post a new HJT log please.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby 'KotaGuy » May 27th, 2006, 12:02 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 70 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware