Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Similar to Spyaxe

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Similar to Spyaxe

Unread postby covers » June 7th, 2006, 3:37 pm

Log file follows but have got rid of flashing icon and found 'mssearch' + other files in registry that are the same as Spyaxe. Used Smitrem but browser still hijacked.

Logfile of HijackThis v1.99.1
Scan saved at 20:20:17, on 07/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Downloads\Utils\Spyware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.19.226.213:80
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Kremlin Sentry.lnk = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) -
O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) -
O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) -
O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) -
O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) -
O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) -
O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) -
O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) -
O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) -
O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5891995203
O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) -
O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) -
O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) -
O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) -
O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) -
O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) -
O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) -
O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) -
O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) -
O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) -
O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) -
O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) -
O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) -
O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) -
O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London
Advertisement
Register to Remove

reply

Unread postby tim s » June 7th, 2006, 9:02 pm

Hello covers,

Welcome to the MalWare Removal forums! My name is Tim. I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:

1. If you don't know, stop and ask! Don't continue, we don't want to start all over again!

2. Understand that cleaning your computer can sometimes take multiple passes/posts,
and it's important to follow the steps as listed including re-running scans as listed

3. Please reply to this thread, do not start another.


If you can do those three things, everything should go smoothly.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

reply

Unread postby tim s » June 7th, 2006, 10:31 pm

Hi covers

I see signs in your log of an infection. I need to see deeper please do the following


Run an online scan at Kaspersky

If you have a and extra tool that blocks popups(I hear beep when mine pops it) you will have to click on it and allow Kaspersky 's popup link.

  • Please go here to run Kaspersky Online Virus Scanner.
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:

    1. Scan using the following Anti-Virus database:
    • Extended

    2. Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan, select My Computer.
  • This will scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button, and save it to your Desktop.
  • Copy and paste that information in your next post.


--------------------------------------------------------------------------------------------------------------------


Download SmitfraudFix (by S!Ri) to your Desktop. Click Here
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Please post back:
Kaspersky scan results
rapport.txt
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Kaspersky report only - see message body

Unread postby covers » June 9th, 2006, 4:31 pm

Smitfraud message in window - 'process.exe' missing (but it is there)???


KASPERSKY ON-LINE SCANNER REPORT
Friday, June 09, 2006 9:20:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 9/06/2006
Kaspersky Anti-Virus database records: 199563


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 40650
Number of viruses found 4
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:22:29

Infected Object Name Virus Name Last Action
C:\Program Files\Norton AntiVirus\Quarantine\053D224F.tmp Infected: Trojan-Downloader.Win32.Zlob.ri skipped

C:\Program Files\Norton AntiVirus\Quarantine\1F4C490C.tmp Infected: Trojan-Downloader.Win32.Zlob.ri skipped

C:\WINDOWS\system32\acvgxw.dll Infected: not-virus:Hoax.Win32.Renos.dj skipped

C:\WINDOWS\system32\atmclk.exe Infected: Trojan-Downloader.Win32.Zlob.rk skipped

C:\WINDOWS\system32\dcomcfg.exe Infected: Trojan-Downloader.Win32.Zlob.rk skipped

C:\WINDOWS\system32\simpole.tlb Infected: Trojan-Downloader.Win32.Zlob.rk skipped

C:\WINDOWS\system32\systray32s.exe Infected: Backdoor.Win32.VirtualAve.f skipped

Scan process completed.
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London

reply

Unread postby tim s » June 9th, 2006, 6:54 pm

Hi covers

Your virus protection(firewall) may have blocked it.

We will do this
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) With Arrow Keys Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Next

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

When done reboot back to normal mode and post rapport.txt
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

reply

Unread postby tim s » June 9th, 2006, 7:04 pm

Hi covers

I also need to know if you know this IP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.19.226.213:80
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

By the way thanks Tim

Unread postby covers » June 10th, 2006, 7:41 am

That IP was me experimenting with proxy servers - I'd forgotten to get rid of it.

SmitFraudFix v2.56

Scan done at 12:33:08.71, 10/06/2006
Run from C:\Documents and Settings\StuartC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\acvgxw.dll FOUND !
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\StuartC\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\StuartC\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London

Forgot

Unread postby covers » June 10th, 2006, 7:43 am

The reason Smitfraud couldn't find 'process.exe' seems to be that I needed to extract the original Smitfraud zip file 1st. I did this and it worked.
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London

reply

Unread postby tim s » June 10th, 2006, 11:36 pm

Hi covers

Thanks for posting log.

These programs can prevent malware clearing. Please disable them if you have them running.
Microsoft AntiSpyware Real-time Protection


  1. Open Microsoft AntiSpyware.
  2. Click Tools
  3. Click Settings.
  4. Click Real-time Protection.
  5. Uncheck Enable the Microsoft AntiSpyware Security Agents on startup recommended).
  6. Uncheck Enable real-time spyware threat protection (recommended).
  7. Click Save
  8. Close Microsoft AntiSpyware.
  9. Right click the Microsoft AntiSpyware icon on the taskbar
  10. Shutdown Microsoft AntiSpyware.

Don't forget to re-start Microsoft AntiSpyware when your machine is clean and undo the changes above.

-----------------------------------------------------------------------------------------------


Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download the trial version of Ewido anti-malware 3.5 from here:
Very Important Do Not Run Yet!!
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:
  1. c:\rapport.txt
  2. Ewido log
  3. A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

rapport.txt +

Unread postby covers » June 11th, 2006, 12:06 pm

I've also included 2 temp files at the end that will not delete (I've tried both in normal & safe about 5 or 6 times):

SmitFraudFix v2.56

Scan done at 16:07:24.92, 11/06/2006
Run from C:\Documents and Settings\StuartC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\acvgxw.dll Deleted
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 16:42:17, 11/06/2006
+ Report-Checksum: E7F64AE9

+ Scan result:

C:\WINDOWS\system32\systray32s.exe -> Backdoor.VirtualAve.f : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 16:51:43, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\Utils\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Kremlin Sentry.lnk = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) -
O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) -
O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) -
O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) -
O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) -
O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) -
O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) -
O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) -
O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) -
O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5891995203
O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) -
O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) -
O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) -
O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) -
O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) -
O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) -
O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) -
O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) -
O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) -
O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) -
O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) -
O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) -
O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) -
O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) -
O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A86E03AB-4BDB-4003-AF4F-33EB6CB0EF43}: NameServer = 195.92.195.94 195.92.195.95
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Ã
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London

reply

Unread postby tim s » June 11th, 2006, 2:51 pm

Hi covers,
Thanks for the logs.
Windows and some installed programs will use temp files which locks them and disallows them being deleted.
The temp files that wouldn't delete maybe nothing but if you want to check do the following.

Please go to http://www.virustotal.com/en/indexf.html and follow the

instructions to upload (full path to temp file to be checked.Example>C:\Windows\Temp\??????) from your pc for a scan.
Please copy / paste the results into your next reply.

.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Virustotal log

Unread postby covers » June 12th, 2006, 3:29 pm

I also checked the registry for 'freetestonline.net' which was one of the icons installed on the desktop when I was hijacked. I found 1 instance of it in a folder called 'Search Assistant' which I found last time as well. I've deleted that.
My browser now seems ok so thanks for all your help. Anything else I need to do?


STATUS: FINISHEDComplete scanning result of "_DFB004.tmp", received in VirusTotal at 06.12.2006, 21:04:38 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.10 06.12.2006 no virus found
Authentium 4.93.8 06.12.2006 no virus found
Avast 4.7.844.0 06.11.2006 no virus found
AVG 386 06.12.2006 no virus found
BitDefender 7.2 06.12.2006 no virus found
CAT-QuickHeal 8.00 06.12.2006 no virus found
ClamAV devel-20060426 06.12.2006 no virus found
DrWeb 4.33 06.12.2006 no virus found
eTrust-InoculateIT 23.72.34 06.11.2006 no virus found
eTrust-Vet 12.6.2252 06.12.2006 no virus found
Ewido 3.5 06.12.2006 no virus found
Fortinet 2.77.0.0 06.12.2006 no virus found
F-Prot 3.16f 06.12.2006 no virus found
Ikarus 0.2.65.0 06.12.2006 no virus found
Kaspersky 4.0.2.24 06.12.2006 no virus found
McAfee 4782 06.12.2006 no virus found
Microsoft 1.1441 06.12.2006 no virus found
NOD32v2 1.1594 06.12.2006 no virus found
Norman 5.90.21 06.12.2006 no virus found
Panda 9.0.0.4 06.12.2006 no virus found
Sophos 4.06.0 06.12.2006 no virus found
Symantec 8.0 06.12.2006 no virus found
TheHacker 5.9.8.158 06.12.2006 no virus found
UNA 1.83 06.09.2006 no virus found
VBA32 3.11.0 06.12.2006 no virus found


Aditional Information
File size: 32768 bytes
MD5: fdf1ba2e89e11c6756ac6d069e2850ca
SHA1: 981caf3b987aab70c77747ecfcbb9ab4d91bee69


STATUS: FINISHEDComplete scanning result of "_DF91D.tmp", received in VirusTotal at 06.12.2006, 21:04:16 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.10 06.12.2006 no virus found
Authentium 4.93.8 06.12.2006 no virus found
Avast 4.7.844.0 06.11.2006 no virus found
AVG 386 06.12.2006 no virus found
BitDefender 7.2 06.12.2006 no virus found
CAT-QuickHeal 8.00 06.12.2006 no virus found
ClamAV devel-20060426 06.12.2006 no virus found
DrWeb 4.33 06.12.2006 no virus found
eTrust-InoculateIT 23.72.34 06.11.2006 no virus found
eTrust-Vet 12.6.2252 06.12.2006 no virus found
Ewido 3.5 06.12.2006 no virus found
Fortinet 2.77.0.0 06.12.2006 no virus found
F-Prot 3.16f 06.12.2006 no virus found
Ikarus 0.2.65.0 06.12.2006 no virus found
Kaspersky 4.0.2.24 06.12.2006 no virus found
McAfee 4782 06.12.2006 no virus found
Microsoft 1.1441 06.12.2006 no virus found
NOD32v2 1.1594 06.12.2006 no virus found
Norman 5.90.21 06.12.2006 no virus found
Panda 9.0.0.4 06.12.2006 no virus found
Sophos 4.06.0 06.12.2006 no virus found
Symantec 8.0 06.12.2006 no virus found
TheHacker 5.9.8.158 06.12.2006 no virus found
UNA 1.83 06.09.2006 no virus found
VBA32 3.11.0 06.12.2006 no virus found


Aditional Information
File size: 32768 bytes
MD5: fdf1ba2e89e11c6756ac6d069e2850ca
SHA1: 981caf3b987aab70c77747ecfcbb9ab4d91bee69
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London

reply

Unread postby tim s » June 13th, 2006, 8:11 pm

Hi covers,

Sorry about the delay on repling.
Glad to hear things are running better now.
Log looks clean... great job!

Please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable
    and reenable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from tutorial above

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.


  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine.
    This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
    You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Download and install Ad-Aware.
    You should also scan your computer with this program on a regular basis
    just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

thanks

Unread postby covers » June 14th, 2006, 4:17 pm

done as you suggested. All but one of the active x bits were already as you suggested. I have ad-aware, spywareblaster, norton anti-virus + microsoft anti-spyware. I will install the others. The things we need to do just to stop some idiots ... well, being idiots. Once again, thanks
covers
Active Member
 
Posts: 7
Joined: June 7th, 2006, 3:30 pm
Location: London

Unread postby Nick-YF19 » June 17th, 2006, 3:02 am

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 603 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware