Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

W32/Alemod.f.dll

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

W32/Alemod.f.dll

Unread postby JukeBoxGuy » June 7th, 2006, 2:27 pm

I've been going nuts trying to repair this.

Below is my HJT log. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 2:16:01 PM, on 6/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
C:\progra~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\dslaunch.exe
C:\WINNT\system32\TFncky.exe
C:\WINNT\system32\TWarnMsg.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\progra~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINNT\sysldr32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\wupdmgr.exe
C:\WINNT\osaupd.exe
C:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINNT\dslaunch.exe
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINNT\system32\yaemu.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sywsvcs.exe
O4 - Global Startup: OSA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc/oFnXUsv9ZR8QttwytNC0.chm::/on.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/xxx/html.chm::/html.exe
O16 - DPF: {14242341-4241-1432-1431-142423525557} - file://C:\Recycled\Q330995.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDD7022-3571-48E1-A900-7DDC169B7503}: NameServer = 85.255.115.6,85.255.112.20
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\progra~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\progra~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\progra~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\progra~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: THotkey - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida
Advertisement
Register to Remove

Unread postby waterfalls » June 7th, 2006, 2:53 pm

JukeBoxGuy -

Welcome to MalwareRemoval! I will review your log and post back with directions.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby waterfalls » June 7th, 2006, 3:27 pm

Hi JukeBoxGuy -

Before we begin, you need to be aware that one of the malware files on your computer can allow attackers to access your computer, stealing passwords and personal data. If you have any passwords saved on your hard drive, you should change the passwords immediately. If you have sensitive data on your computer such as bank account information, credit card information, etc., please read this article.

Please follow these directions in the order given.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [yaemu.exe] C:\WINNT\system32\yaemu.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sywsvcs.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://cc.ad-ware.cc/oFnXUsv9ZR8QttwytNC0.chm::/on.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:@mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/xxx/html.chm::/html.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDD7022-3571-48E1-A900-7DDC169B7503}: NameServer = 85.255.115.6,85.255.112.20


Close ALL browsers and open windows except HijackThis and click 'Fix Checked'.


• Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it but allow it instead.
You will then be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby JukeBoxGuy » June 8th, 2006, 11:11 am

Here is the new HJT log. Fixwareout indicated that it would provide a report, but no report opened on the desktop.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:13 AM, on 6/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
C:\progra~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\S3tray.exe
C:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\dslaunch.exe
C:\WINNT\system32\TFncky.exe
C:\WINNT\system32\TWarnMsg.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\wupdmgr.exe
C:\WINNT\osaupd.exe
C:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINNT\dslaunch.exe
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\progra~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: OSA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14242341-4241-1432-1431-142423525557} - file://C:\Recycled\Q330995.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\progra~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\progra~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\progra~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\progra~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: THotkey - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby waterfalls » June 8th, 2006, 1:08 pm

The report is probably at:
C:\fixwareout\report.txt

Just copy and paste it in your reply.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby JukeBoxGuy » June 8th, 2006, 1:21 pm

Here is report.txt. Unforunately, when the report didn't show on the desktop, I ran the application again, so the report doesn't show anything.

Sorry :oops:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby waterfalls » June 8th, 2006, 2:43 pm

Okay, no problem.

• Download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:

C:\blbeta.exe /expert

3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5 Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby JukeBoxGuy » June 8th, 2006, 4:00 pm

Here's the Blacklight log.

Also if it means anything, one of the original symptoms was cmd windows labeled "C:\WINNT\System32\svchost.exe" kept opening and closing on the desktop. After deleting the HJT entries these windows disappeared. Now they are back again.... :(

06/08/06 15:46:08 [Info]: BlackLight Engine 1.0.37 initialized
06/08/06 15:46:08 [Info]: OS: 5.0 build 2195 (Service Pack 4)
06/08/06 15:46:08 [Note]: 7019 4
06/08/06 15:46:08 [Note]: 7005 0
06/08/06 15:46:21 [Note]: 7006 0
06/08/06 15:46:21 [Note]: 7022 0
06/08/06 15:46:22 [Note]: 7011 1012
06/08/06 15:46:22 [Note]: 7026 0
06/08/06 15:46:23 [Note]: 7026 0
06/08/06 15:46:23 [Note]: FSRAW library version 1.7.1015
06/08/06 15:54:16 [Note]: 7007 0
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby waterfalls » June 8th, 2006, 5:16 pm

Hi JukeBoxGuy -

Please follow these directions exactly and in the order given.

• Download SmitfraudFix (by S!Ri) to your Desktop from here:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

• Download the trial version of Ewido Anti-Malware from here:
http://www.ewido.net/en/download/
  • Install Ewido Anti-Malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

• Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See, http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

• Post back the rapport.txt.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby JukeBoxGuy » June 8th, 2006, 5:52 pm

Here is rapport.txt:

SmitFraudFix v2.56

Scan done at 17:49:01.73, Thu 06/08/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

C:\


C:\WINNT

C:\WINNT\notepad.com FOUND !
C:\WINNT\osaupd.exe FOUND !
C:\WINNT\sysldr32.exe FOUND !
C:\WINNT\wupdmgr.exe FOUND !

C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32

C:\WINNT\system32\~update.exe FOUND !
C:\WINNT\system32\notepad.com FOUND !
C:\WINNT\system32\reger.exe FOUND !
C:\WINNT\system32\winsrv32.exe FOUND !

C:\Documents and Settings\Administrator\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys

HKLM\SOFTWARE\WinHound.com FOUND !

Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby waterfalls » June 8th, 2006, 6:08 pm

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

• Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

• Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

• Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
______________________________
• Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.
______________________________

• Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

• Please post:
  1. c:\rapport.txt
  2. Ewido log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby JukeBoxGuy » June 8th, 2006, 9:19 pm

Things are looking much better. Here is rapport.txt:

SmitFraudFix v2.56

Scan done at 19:45:43.86, Thu 06/08/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Deleting infected files

C:\WINNT\notepad.com Deleted
C:\WINNT\osaupd.exe Deleted
C:\WINNT\sysldr32.exe Deleted
C:\WINNT\system32\~update.exe Deleted
C:\WINNT\system32\notepad.com Deleted
C:\WINNT\system32\reger.exe Deleted

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting Temp Files


Registry Cleaning

HKLM\SOFTWARE\WinHound.com Deleted

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


Reboot

C:\WINNT\system32\winsrv32.exe Deleted

End
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby JukeBoxGuy » June 8th, 2006, 9:21 pm

Here is the Ewido scan log:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

e w i d o a n t i - m a l w a r e - S c a n r e p o r t

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



+ C r e a t e d o n : 9 : 0 3 : 3 5 P M , 6 / 8 / 2 0 0 6

+ R e p o r t - C h e c k s u m : 7 6 E 2 E 2 A



+ S c a n r e s u l t :



C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ S t a r t M e n u \ P r o g r a m s \ S t a r t u p \ O S A . e x e - > D o w n l o a d e r . S m a l l : C l e a n e d w i t h b a c k u p

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ S t a r t M e n u \ P r o g r a m s \ S t a r t u p \ w u p d m g r . e x e - > T r o j a n . F a k e a l e r t : C l e a n e d w i t h b a c k u p

C : \ r e a d m e . e x e - > D o w n l o a d e r . S m a l l : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 1 0 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 1 2 2 . t x t - > T r a c k i n g C o o k i e . W e g c a s h : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 1 5 . t x t - > T r a c k i n g C o o k i e . S p e c i f i c c l i c k : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 1 5 0 . t x t - > T r a c k i n g C o o k i e . R e l i a b l e s t a t s : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 0 9 . t x t - > T r a c k i n g C o o k i e . M y a f f i l i a t e p r o g r a m : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 1 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 2 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 3 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 4 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 5 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 6 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 7 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 8 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 4 9 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 5 0 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 5 1 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 5 2 . t x t - > T r a c k i n g C o o k i e . E s o m n i t u r e : C l e a n e d w i t h b a c k u p

C : \ R e c y c l e d \ D c 2 7 0 . t x t - > T r a c k i n g C o o k i e . R e l i a b l e s t a t s : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a d . y i e l d m a n a g e r [ 1 ] . t x t - > T r a c k i n g C o o k i e . Y i e l d m a n a g e r : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a d b r i t e [ 1 ] . t x t - > T r a c k i n g C o o k i e . A d b r i t e : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a d o p t . s p e c i f i c c l i c k [ 1 ] . t x t - > T r a c k i n g C o o k i e . S p e c i f i c c l i c k : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a d r e v o l v e r [ 2 ] . t x t - > T r a c k i n g C o o k i e . A d r e v o l v e r : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a d s . r e a l c a s t m e d i a [ 1 ] . t x t - > T r a c k i n g C o o k i e . R e a l c a s t m e d i a : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a d v e r t i s i n g [ 2 ] . t x t - > T r a c k i n g C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a s - u s . f a l k a g [ 1 ] . t x t - > T r a c k i n g C o o k i e . F a l k a g : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ a t d m t [ 2 ] . t x t - > T r a c k i n g C o o k i e . A t d m t : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ c . g o c l i c k [ 2 ] . t x t - > T r a c k i n g C o o k i e . G o c l i c k : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ c e n t r p o r t [ 1 ] . t x t - > T r a c k i n g C o o k i e . C e n t r p o r t : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ c o m [ 2 ] . t x t - > T r a c k i n g C o o k i e . C o m : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ c o u n t e r 1 1 . s e x t r a c k e r [ 1 ] . t x t - > T r a c k i n g C o o k i e . S e x t r a c k e r : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ c s . s e x c o u n t e r [ 2 ] . t x t - > T r a c k i n g C o o k i e . S e x c o u n t e r : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ d o u b l e c l i c k [ 2 ] . t x t - > T r a c k i n g C o o k i e . D o u b l e c l i c k : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ e h g - d i g . h i t b o x [ 2 ] . t x t - > T r a c k i n g C o o k i e . H i t b o x : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ e h g - f o x s p o r t s . h i t b o x [ 1 ] . t x t - > T r a c k i n g C o o k i e . H i t b o x : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ f r e e . w e g c a s h [ 2 ] . t x t - > T r a c k i n g C o o k i e . W e g c a s h : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ h i t b o x [ 2 ] . t x t - > T r a c k i n g C o o k i e . H i t b o x : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ i m a g e . m a s t e r s t a t s [ 1 ] . t x t - > T r a c k i n g C o o k i e . M a s t e r s t a t s : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ m e d i a p l e x [ 1 ] . t x t - > T r a c k i n g C o o k i e . M e d i a p l e x : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ p a y p o p u p [ 1 ] . t x t - > T r a c k i n g C o o k i e . P a y p o p u p : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ p r o g r a m s . w e g c a s h [ 1 ] . t x t - > T r a c k i n g C o o k i e . W e g c a s h : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ s e r v e d b y . a d v e r t i s i n g [ 1 ] . t x t - > T r a c k i n g C o o k i e . A d v e r t i s i n g : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ s e x t r a c k e r [ 1 ] . t x t - > T r a c k i n g C o o k i e . S e x t r a c k e r : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ s t a t . o n e s t a t [ 2 ] . t x t - > T r a c k i n g C o o k i e . O n e s t a t : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ s t a t s 3 . p o r n t r a c k [ 1 ] . t x t - > T r a c k i n g C o o k i e . P o r n t r a c k : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ t r a c k i n g . g 3 x [ 2 ] . t x t - > T r a c k i n g C o o k i e . G 3 x : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ t r a f f i c m p [ 1 ] . t x t - > T r a c k i n g C o o k i e . T r a f f i c m p : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ w w w . h o t t i t s . c o m . 2 2 5 4 5 . f b . d b b s r v [ 2 ] . t x t - > T r a c k i n g C o o k i e . D b b s r v : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ C o o k i e s \ a d m i n i s t r a t o r @ z e d o [ 2 ] . t x t - > T r a c k i n g C o o k i e . Z e d o : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ n o t e p a d . c o m - > D o w n l o a d e r . S m a l l : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S \ S Y S T E M 3 2 \ n o t e p a d . c o m - > D o w n l o a d e r . S m a l l : C l e a n e d w i t h b a c k u p

C : \ W I N D O W S h o s t s - > T r o j a n . Q h o s t . r : C l e a n e d w i t h b a c k u p





: : R e p o r t E n d
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby JukeBoxGuy » June 8th, 2006, 9:23 pm

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:16 PM, on 6/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
C:\progra~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\S3tray.exe
C:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\dslaunch.exe
C:\WINNT\system32\TFncky.exe
C:\WINNT\system32\TWarnMsg.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINNT\dslaunch.exe
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TWarnMsg] TWarnMsg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\progra~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14242341-4241-1432-1431-142423525557} - file://C:\Recycled\Q330995.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\progra~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\progra~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\progra~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\progra~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: THotkey - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
JukeBoxGuy
Active Member
 
Posts: 8
Joined: June 7th, 2006, 1:33 pm
Location: Florida

Unread postby waterfalls » June 9th, 2006, 2:22 pm

Well, you picked up some new things.

Looks like you installed Spybot. However, you need to disable TeaTimer so it will not interfere with HijackThis' fixes.

• Open Spybot-S&D
- Go to the Mode menu, and make sure "Advanced Mode" is selected
- On the left hand side, choose Tools -> Resident
- Uncheck "Resident TeaTimer" and OK any prompts

• Reboot your computer.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O16 - DPF: {14242341-4241-1432-1431-142423525557} - file://C:\Recycled\Q330995.exe


Close all browsers and windows except HijackThis and click 'Fix Checked'.

• Navigate to and delete the following file:
C:\WINNT\system32\blank.htm <-- this file

• Empty your Recycle Bin!

• Reboot your computer.

• Re-enable TeaTimer
- Open Spybot-S&D
- Go to the Mode menu, and make sure "Advanced Mode" is selected
- On the left hand side, choose Tools -> Resident
- Check "Resident TeaTimer" and OK any prompts

• Reboot your computer.

• Perform an onlinescan with Panda Online. Please use this scanner instead of any other scanner! You have to use Internet Explorer for this scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the "See Report" button, then "Save Report" and save it to a convenient location.

• Post back with the results of the Panda Online scan and a new HijackThis log. Also, how is your computer running now?
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 200 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware