MalWare Removal Forum


All times are UTC [ DST ]


Topic locked. [ 25 posts ] Page 2 of 2
Posted: Sun 26 Nov, 2006 6:52 pm
Active Member
Joined: Tue 21 Nov, 2006 10:09 pm
Posts: 14
Hi Bob,
OK, done that. One point: I couldn't find Spybot in Add/Remove Programs in Control Panel, so I have taken it out using the uninstall feature on the programme itself. I have downloaded it again and this time it updates OK (wouldn't update before!!), so I have run a check for problems and have this report from Spybot. Once you give the go-ahead I'll press the Fix Problems button.

MalwareWipe: Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\MalwareWipe.EXE

MalwareWipe: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{1FC4ADE1-15D3-057E-81D5-DD934DE6542E}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{04DA0CE8-87C6-4379-9CBD-5D6E93C919E8}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0678CAB9-7825-467E-9310-CDD2DCA855D0}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1386F568-F1AB-477D-B69E-31D66B6E4DAA}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{210E3B48-776B-4F4B-B80A-2BB59F1A676D}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2E3C5BE8-3EA7-48A7-97FA-7E2AB0A88392}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{576BB1E3-B26D-4BCB-A0BD-B49FF2469936}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{5F8BD6DC-6D30-4A6F-9D07-3822DFA605D7}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{694E0F65-5EF7-40FB-9412-48AFCE704720}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{74878382-B258-484B-A614-475D8DCF104B}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{7B8A51F7-0700-4CEB-978E-E0A3C88CB4B4}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{87FF9647-1710-4EB6-97C9-65484F9C61E9}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A7358DCF-6343-45AE-930D-5C2BB96B9116}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{B4BFACA9-37BA-45BC-8EE6-6F9910651B0B}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BE18EBF9-4F98-4333-8DD2-AEBA2911A80B}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{DDC17036-3DE8-4FEB-948E-D225CF5BCC95}

MalwareWipe: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E8194604-B6D1-4D63-ABC7-8C2D89E6D497}

MalwareWipe: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{96467F12-0518-4E85-AC6A-4858017F1400}

MalwareWipe: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-117609710-1202660629-854245398-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\MalwareWiper\MalwareWiper.exe

MalwareWipe: Program directory (Directory, nothing done)
C:\Program Files\MalwareWiper\

MalwareWipe: Executable (File, nothing done)
C:\Program Files\MalwareWiper\MalwareWiper.exe

MarketScore: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\rlvknlg.exe

MarketScore: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\rlvknlg.exe

Zlob.PornPassManager: Program directory (Directory, nothing done)
C:\Program Files\PornPass Manager\

Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)


Clickbank: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


ErrorSafe: Tracking cookie (Firefox: default) (Cookie, nothing done)


ErrorSafe: Tracking cookie (Firefox: default) (Cookie, nothing done)


ErrorSafe: Tracking cookie (Firefox: default) (Cookie, nothing done)


ErrorSafe: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


ErrorSafe: Tracking cookie (Firefox: default) (Cookie, nothing done)




Posted: Sun 26 Nov, 2006 8:02 pm
MRU Master
Joined: Sat 12 Nov, 2005 4:26 pm
Posts: 6070
Location: Florida
Hmmm before you do that:


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________



Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with any others I have asked for in your next reply.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.




IMPORTANT: Do NOT run any other options until you are asked to do so!

Posted: Sun 26 Nov, 2006 8:32 pm
Active Member
Joined: Tue 21 Nov, 2006 10:09 pm
Posts: 14
Hi Bob, struggling here.

Am trying to unzip, but all I get to is
Process.exe file missing!
unzip all archive in a folder
Press any key to continue
This is under a dialogue box called Select C:\WINDOWS\system32\cmd.exe

Posted: Sun 26 Nov, 2006 8:45 pm
MRU Master
Joined: Sat 12 Nov, 2005 4:26 pm
Posts: 6070
Location: Florida
Try redownloading the file after deleting the one you have downloaded already.

Post subject: Hi Bob
Posted: Sun 26 Nov, 2006 9:20 pm
Active Member
Joined: Tue 21 Nov, 2006 10:09 pm
Posts: 14
Hi Bob, still the same.

I have a list of files in the PKZip folder and I double-click the CMD file as you say, and then get the same as above.

Maybe I am not extracting the zip properly??

Posted: Sun 26 Nov, 2006 9:28 pm
Active Member
Joined: Tue 21 Nov, 2006 10:09 pm
Posts: 14
Ha, I found a button called Zip Wizard which took me through it step by step,

so now I have the following Log,

Will do nothing until I get your next instruction

thanks
Mike

SmitFraudFix v2.124

Scan done at 21:24:47,15, 26/11/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\MalwareWiper\ FOUND !
C:\Program Files\PornPass Manager\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Top
 Profile  
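
The report layout in the post above (section banners, "FOUND !" lines, registry values) can be read mechanically. The following is an added example, not part of the original thread or of SmitfraudFix; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed excerpt in the layout of the rapport.txt posted above (trimmed).
SAMPLE_REPORT = r"""SmitFraudFix v2.124

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\MalwareWiper\ FOUND !
C:\Program Files\PornPass Manager\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»{3,}\s*(.+?)\s*$")    # section banner
FOUND_RE = re.compile(r"^(.+?)\s+FOUND\s*!$")      # path the scanner flagged
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')       # "name"="data" registry line


def parse_report(text):
    """Split a report into {section name: [non-empty lines under it]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def triage(text):
    """Summarise what a helper reads first: flagged paths and AppInit_DLLs."""
    sections = parse_report(text)
    found = [(name, m.group(1))
             for name, lines in sections.items()
             for m in map(FOUND_RE.match, lines) if m]
    appinit = ""
    for line in sections.get("AppInit_DLLs", []):
        m = VALUE_RE.match(line)
        if m and m.group(1) == "AppInit_DLLs":
            appinit = m.group(2)
    return {
        "found": found,
        # Review list, not a verdict: the tool says "not inevitably infected".
        "appinit_dlls": [d for d in re.split(r"[ ,]+", appinit) if d],
        "clean_sections": [n for n, l in sections.items() if not l and n != "End"],
    }
```

On the sample, `triage(SAMPLE_REPORT)` reports the two flagged Program Files directories and an empty AppInit_DLLs list, which matches the helper's reading of the log.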
 
Posted: Sun 26 Nov, 2006 10:54 pm
MRU Master
Joined: Sat 12 Nov, 2005 4:26 pm
Posts: 6070
Location: Florida
OK, nothing that Spybot can't handle...

Re-run Spybot and let it fix everything it found.

Let me know how this goes and if there are any other issues we need to look into.

Post subject: Hi BOB4
Posted: Mon 27 Nov, 2006 9:37 am
Active Member
Joined: Tue 21 Nov, 2006 10:09 pm
Posts: 14
Hi Bob

Everything looking good. Spybot asked me to set auto check on next start-up; done that and all clean. Mozilla coming up a lot faster and rendering pages faster. Same with IE.

All looking good, couple of questions:
What protection can I install to prevent this type (and any others) of problem reoccurring?

Second, I notice that when I try to go to the Mymsn page it tells me the requested page is not available, login looks OK etc. (that used to be my home page; now my home page is MSN and that renders OK).

Thanks for your help

Mike

Posted: Mon 27 Nov, 2006 1:00 pm
MRU Master
Joined: Sat 12 Nov, 2005 4:26 pm
Posts: 6070
Location: Florida
To reset your home page in IE:

Open Internet Explorer.
Click Tools, then Internet Options.
Under the General tab type in the address you want to be your home page.
Click Apply then OK.



Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!


___________________________________
If we have set your computer to see all files and folders we must reprotect them.

UNDO SHOW ALL FILES
click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Deselect the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Select the checkmark from the checkbox labeled Hide file extensions for known file types.
Replace the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button.
Now many important files are safe.





___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is in case you need system restore you don't put back all we just took out.
Right click My Computer
Then Properties then System Restore
Place a check mark by Turn off System Restore
Click APPLY
Windows will give you a warning, click Yes
REBOOT

Now go right back to the same place and uncheck system restore
Click APPLY and OK





___________________________________
A few things to help with possible threats
SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from:

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you with spyware and adware if you visit them. Many infections are caught on these types of sites.
Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download and keep these updated and run weekly if you don't already have them.

Adaware
Tutorial

Spybot Search & Destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.



___________________________________
Keep windows updated here

___________________________________
You can read about a lot safer surfing here


___________________________________
And it goes without saying do not open Email from someone you don't know.

___________________________________
This is how you may have become infected



Safe and Happy Surfing. :)

Top
 Profile  
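
The HOSTS-file mechanism described in the post above (names pointed at 127.0.0.1 so the connection never leaves the machine) can be checked after installing a list. This is an added example, not part of the original thread or of the MVPS project; the sample entries and function names are constructed, and it also flags entries that point a name at a routable address, which a blocking list has no reason to contain.

```python
import ipaddress

# Constructed sample in HOSTS-file syntax; names use reserved example domains.
SAMPLE_HOSTS = """\
# blocking list
127.0.0.1    localhost
127.0.0.1    ads.example.com  tracker.example.net   # two names, one line
0.0.0.0      Popups.Example.org
203.0.113.7  update.example.com
not-an-ip    broken.example.com
"""

LOCAL_NAMES = {"localhost"}   # the normal loopback entry, not a block


def parse_hosts(text):
    """Yield (line number, address or None, [lower-cased names]) per entry."""
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            address = None                      # first field is not an IP
        yield number, address, [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Separate sinkholed names from names redirected to a real address."""
    report = {"blocked": set(), "redirected": {}, "malformed": []}
    for number, address, names in parse_hosts(text):
        if address is None:
            report["malformed"].append(number)
        elif address.is_loopback or address.is_unspecified:
            # 127.0.0.1 / 0.0.0.0: the connection never leaves the machine.
            report["blocked"].update(n for n in names if n not in LOCAL_NAMES)
        else:
            # A routable address overrides DNS for that name; a blocking
            # list never needs this, so each such entry deserves a look.
            report["redirected"].update((n, str(address)) for n in names)
    return report


def is_blocked(name, text):
    """True if the HOSTS text sinkholes this exact host name."""
    return name.lower() in audit_hosts(text)["blocked"]
```

Matching is per exact name: an entry for ads.example.com does not cover www.ads.example.com, so a list has to name each host it blocks.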
 
Post subject: Hi Bob4
Posted: Mon 27 Nov, 2006 7:58 pm
Active Member
Joined: Tue 21 Nov, 2006 10:09 pm
Posts: 14
Hello Bob

All the above completed, system looks to be working ok and faster than before, I have all the latest updates on all the security programmes you gave me
:lol: :lol: :lol:

I am now happy happy happy,

Can I say again many thanks for help and info, really appreciated, will show appreciation in donations area via paypal.

Saved me getting my machine completely rebuilt with the usual loss of favourites and bits I forget to tell the expert about

Many thanks to all the guys at MRU, great work thanks

Mike
