Taken over by trojans

Post by overwhelmed » June 19th, 2005, 12:14 am

So I have been reading some of the topics that are related to my problem and have tried everything, but I still show viruses. My computer is infected with the Smitfraud virus. I have managed to remove the blue screen, but when I ran Spybot and Adware the viruses that were quarantined still show. Below is my HJT log.


HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:59:43 PM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {B2B3F401-4767-4122-B715-DFB8158EC79A} - C:\WINDOWS\System32\ldgn.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


PANDA scan

Incident Status Location

Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\OLEADM.dll
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\System32\cd_clint.dll
Adware:Adware/DownloadWare No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\System32\aupdate.conf
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM32\aupdate.conf
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\oleadm.dll
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\wp.bmp


Can someone please help?? Thanks so much in advance.
overwhelmed
Regular Member
 
Posts: 28
Joined: June 19th, 2005, 12:07 am
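As an added illustration (not code from this thread, from HijackThis, or from the helper who answers below): the diagnosis of a log like the one above rests on a few tell-tale entries, such as an Internet Explorer Search Page set to about:blank, a Search Bar loaded from a DLL in the user's Temp folder, and a BHO whose file is missing. The Python script below applies those checks mechanically to a HijackThis log and also matches entries against a watchlist built from the full file paths the helper later lists for deletion in this thread. The sample log lines are a constructed subset of the log above, and the rule names and severities are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a subset of its R0/R1, O2 and O4 lines plus the header line).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B2B3F401-4767-4122-B715-DFB8158EC79A} - C:\WINDOWS\System32\ldgn.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# An HJT entry is "<section> - <body>", e.g. "R1 - HKCU\...", "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Anything loaded out of a Temp folder (covers LOCALS~1\Temp\ as well).
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Full paths the helper lists for deletion later in this thread, lower-cased.
# Matching on the full path keeps the rogue System32\msmsgs.exe distinct from
# the legitimate Program Files\Messenger\msmsgs.exe.
KNOWN_BAD_PATHS = {
    r"c:\wp.exe", r"c:\wp.bmp", r"c:\bsw.exe",
    r"c:\windows\sites.ini", r"c:\windows\popuper.exe",
    r"c:\windows\system32\hhk.dll", r"c:\windows\system32\wldr.dll",
    r"c:\windows\system32\helper.exe", r"c:\windows\system32\intmon.exe",
    r"c:\windows\system32\shnlog.exe", r"c:\windows\system32\intmonp.exe",
    r"c:\windows\system32\msmsgs.exe", r"c:\windows\system32\msole32.exe",
    r"c:\windows\system32\ole32vbs.exe", r"c:\windows\system32\ldgn.dll",
}


@dataclass
class Finding:
    severity: str
    rule: str
    line: str


def _ie_value(body):
    """Value part of an R0/R1 entry ('... = value'); '' when the value is empty."""
    return body.split("=", 1)[1].strip() if "=" in body else ""


# (rule name, severity, predicate over (section, body)); names are this example's own.
RULES = [
    ("about-blank-hijack", "high",
     lambda s, b: s in ("R0", "R1") and _ie_value(b).lower() == "about:blank"),
    ("loads-from-temp", "high", lambda s, b: bool(TEMP_PATH.search(b))),
    ("known-bad-path", "high",
     lambda s, b: any(p in b.lower() for p in KNOWN_BAD_PATHS)),
    ("file-missing", "medium", lambda s, b: "(file missing)" in b.lower()),
    ("empty-ie-setting", "low",
     lambda s, b: s in ("R0", "R1") and "=" in b and _ie_value(b) == ""),
    ("bho-unnamed", "low", lambda s, b: s == "O2" and "(no name)" in b.lower()),
]


def triage(log_text):
    """Return one Finding per (entry, rule) pair that fires; other lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines carry no entries
        section, body = m.group("section"), m.group("body")
        for rule, severity, hit in RULES:
            if hit(section, body):
                findings.append(Finding(severity, rule, raw.strip()))
    return findings


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:20} {f.line}")
    print(by_severity(triage(SAMPLE_LOG)))
```

The "(no name)" rule is deliberately low severity: the log above shows that legitimate components (Spybot's SDHelper.dll) register BHOs without a display name too, so that rule only marks an entry for review while the Temp-folder and watchlist rules are the ones that carry the diagnosis.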

Re: Taken over by trojans

Post by Perculator » June 19th, 2005, 6:24 am

I will take a look at your log and provide a fix for you.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Re: Taken over by trojans

Post by Perculator » June 19th, 2005, 4:49 pm

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
CWShredder
Download SpSeHjfix Here.
Download CleanUp! here or here.


Save all of these files somewhere you will remember, like the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Find and double-click the file cleanup.exe.

Go to Options
Select ‘Custom’
Put a check next to:
    * Prefetch
    * Temp
    * All users.
Press 'CleanUp!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.


Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again


Run about:buster again, following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run these on-line virus scans:

CA eTrust Antivirus scan

Restart your computer.

Now run the
Panda virus check
and save the log it makes.
(Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck
and prepare yourself because you also have an even nastier infection.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Post by overwhelmed » June 20th, 2005, 8:19 am

I have done everything you told me to do to a T, and it seems as though I still have the trojans. By the way, when I was done with Safe Mode, my homepage was changed to http://www.kidshealth.org, which I thought was interesting. Below are my logs. Thanks again for your help, I really appreciate it.

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:57:56 AM, on 6/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {B2B3F401-4767-4122-B715-DFB8158EC79A} - C:\WINDOWS\System32\ldgn.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

PANDA LOG


Incident Status Location

Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\OLEADM.dll
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\System32\cd_clint.dll
Adware:Adware/DownloadWare No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\System32\aupdate.conf
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM32\aupdate.conf
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\oleadm.dll
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\wp.bmp


SPSeHjFix LOG


(6/19/05 6:51:57 PM) SPSeHjFix started v1.1.2
(6/19/05 6:51:57 PM) OS: WinXP Service Pack 1 (5.1.2600)
(6/19/05 6:51:57 PM) Language: english
(6/19/05 6:51:57 PM) Win-Path: C:\WINDOWS
(6/19/05 6:51:57 PM) System-Path: C:\WINDOWS\System32
(6/19/05 6:51:57 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(6/19/05 6:52:18 PM) Disinfection started
(6/19/05 6:52:18 PM) Bad-Dll(IEP): c:\docume~1\owner\locals~1\temp\se.dll
(6/19/05 6:52:18 PM) UBF: 8 - UBB: 4 - UBR: 14
(6/19/05 6:52:18 PM) UBF: 8 - UBB: 4 - UBR: 14
(6/19/05 6:52:18 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(6/19/05 6:52:18 PM) Stealth-String not found
(6/19/05 6:52:18 PM) No locked Files to delete. End without Reboot
(6/19/05 6:52:26 PM) Disinfection started
(6/19/05 6:52:26 PM) Bad-Dll(IEP): c:\docume~1\owner\locals~1\temp\se.dll
(6/19/05 6:52:26 PM) UBF: 8 - UBB: 4 - UBR: 14
(6/19/05 6:52:26 PM) UBF: 8 - UBB: 4 - UBR: 14
(6/19/05 6:52:26 PM) Bad IE-pages: (none)
(6/19/05 6:52:26 PM) Stealth-String not found
(6/19/05 6:52:26 PM) No locked Files to delete. End without Reboot


(6/19/05 6:52:35 PM) SPSeHjFix started v1.1.2
(6/19/05 6:52:35 PM) OS: WinXP Service Pack 1 (5.1.2600)
(6/19/05 6:52:35 PM) Language: english
(6/19/05 6:52:35 PM) Win-Path: C:\WINDOWS
(6/19/05 6:52:35 PM) System-Path: C:\WINDOWS\System32
(6/19/05 6:52:35 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(6/19/05 6:52:37 PM) Disinfection started
(6/19/05 6:52:37 PM) Bad-Dll(IEP): (not found)
(6/19/05 6:52:37 PM) Bad-Dll(IEP) in BHO: (not found)
(6/19/05 6:52:37 PM) UBF: 8 - UBB: 4 - UBR: 14
(6/19/05 6:52:37 PM) UBF: 8 - UBB: 4 - UBR: 14
(6/19/05 6:52:37 PM) Bad IE-pages: (none)
(6/19/05 6:52:37 PM) Stealth-String not found
(6/19/05 6:52:37 PM) Not infected->END


CA scan:

File  Infection  Status  Path

archive.jar-27ef2cd7-125520e4.zip>RunString.class  Java.Shinwow  infected  C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\

tb.jar-796b13a3-7b457951.zip>RunString.class  Java.Shinwow  infected  C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\

wininet.dll  Win32.Alemod.A  infected  C:\WINDOWS\SYSTEM32
overwhelmed
Regular Member
 
Posts: 28
Joined: June 19th, 2005, 12:07 am

Post by Perculator » June 21st, 2005, 8:15 am

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\System32\ldgn.dll



* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search", because they will not show up that way):

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
C:\Program Files\WildTangent


While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {B2B3F401-4767-4122-B715-DFB8158EC79A} - C:\WINDOWS\System32\ldgn.dll (file missing)

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot


Click FIX CHECKED.
Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Follow up

Post by overwhelmed » June 23rd, 2005, 12:36 am

Did everything you suggested step by step. A couple of observations, though: my C:\Program Files\Windows folder is gone. It used to be there.
Even though my homepage is http://www.cnn.com, when I launch IE the website displayed is http://www.kidshealth.org. Do you know why?

Active Scan Log


Incident Status Location

Virus:W32/Smitfraud.A Disinfected Operating system
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\System32\cd_clint.dll
Adware:Adware/DownloadWare No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\System32\aupdate.conf
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM32\aupdate.conf
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\wp.bmp


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:26 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
overwhelmed
Regular Member
Posts: 28
Joined: June 19th, 2005, 12:07 am

Re: Follow up

Unread postby Perculator » June 24th, 2005, 10:19 am

I would advise you to uninstall Kazaa, as it would probably do more harm than good because of the spyware in it.
Go to
Start
Control Panel
Add/remove programs

Select Kazaa by clicking on it and then press the Change/Remove button

Restart your computer.

Run cleanup again


Download and run panda trial it will now remove everything it finds

And save the log it makes.

Restart your computer and place a fresh HijackThis log and the result of Panda.

How is your computer feeling now??
Perculator
Regular Member
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Can't remove Kazaa

Unread postby overwhelmed » June 27th, 2005, 11:54 pm

Here is the update:
* I was unable to remove Kazaa, I get the below message:
"Error in C:\Windows\System32\cd-clint.dll missing entry: ServiceRunDLL"
* Panda Trial did not find anything.
* my homepage is set to http://www.cnn.com but when I launch IE, it shows http://www.kidshealth.org, do you know how I can remove this?
* I still think my computer is infected.

Below is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:48:56 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for all your help. I really appreciate it.
overwhelmed
Regular Member
Posts: 28
Joined: June 19th, 2005, 12:07 am

Re: Can't remove Kazaa

Unread postby Perculator » June 30th, 2005, 12:53 am

Please download and run this program

kazaabegone

and restart your computer after the removal, post back a fresh hijack this log.
Perculator
Regular Member
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Kazaa Gone but still see the message

Unread postby overwhelmed » June 30th, 2005, 1:58 am

Below is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:57:53 AM, on 6/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\HJT\HijackThis.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I still get the message that my computer is infected with SmitFraud from Panda Antivirus Platinum 7 trial version which has removed it. I thought all the work that we did above has cleaned up? Why does this virus keep appearing?
overwhelmed
Regular Member
Posts: 28
Joined: June 19th, 2005, 12:07 am

Re: Kazaa Gone but still see the message

Unread postby Perculator » June 30th, 2005, 4:01 pm

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

***

Please download the trial version of ewido security suite.

    Install ewido security suite
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    Launch ewido, there should be an icon on your desktop double-click it.
    The program will prompt you to update click the OK button

    The program will now go to the main screen
You will need to update ewido to the latest definition files.
    On the left hand side of the main screen click update
    Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check here on how to set up and use it - please make sure you update it first.

***

Please download the Killbox.
Unzip it to the desktop. Run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\shnlog.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked and exit HijackThis.

***
Remove these folders if present
C:\Program Files\MarketBrowser
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

***

Reboot back into Windows and perform a full panda scan.
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let me know if any problems persist.
Perculator
Regular Member
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands
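As an added example (not a tool from this thread or from MalwareRemoval.com) of how a helper reads the HijackThis logs posted above, the Python script below parses a HijackThis v1.99-format log into its sections, flags the entries Perculator asked to fix (the PSGuard Run entry and the "(file missing)" MarketBrowser buttons), checks the start page against the one overwhelmed said they set, and diffs two successive logs so that new or vanished entries stand out. The sample log is a constructed excerpt of lines taken from the logs in this thread; the watch list and the expected start page are assumptions drawn from the posts, not a published signature set.

```python
"""Triage a HijackThis v1.99 log: parse it into sections and flag the
entries a helper would look at first.  Added example, not a thread tool."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the HijackThis format used in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:57:53 AM, on 6/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")            # "O4 - <body>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
START_RE = re.compile(r"Start Page = (\S+)")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}( \(([^)]*)\))? - (\S+)")


def parse_hjt(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (running processes, entries).  Every entry keeps its section
    code and raw body; O4, R0 and O16 bodies are additionally decoded."""
    processes: List[str] = []
    entries: List[Dict[str, str]] = []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            section, body = m.groups()
            entry = {"section": section, "body": body}
            if section == "O4":
                r = RUN_RE.match(body)
                if r:
                    entry.update(hive=r.group(1), name=r.group(2), command=r.group(3))
            elif section == "R0":
                s = START_RE.search(body)
                if s:
                    entry["start_page"] = s.group(1)
            elif section == "O16":
                d = DPF_RE.match(body)
                if d:
                    entry.update(name=d.group(2) or "", url=d.group(3))
            entries.append(entry)
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(entries, watch_run_names, expected_start_pages):
    """Flag entries worth a second look.  Returns (reason, section, body) tuples."""
    watch = {n.lower() for n in watch_run_names}
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if body.endswith("(file missing)"):
            findings.append(("orphaned reference (file missing)", sec, body))
        if sec == "O4" and e.get("name", "").lower() in watch:
            findings.append(("startup entry on watch list", sec, body))
        if sec == "R0" and "start_page" in e and e["start_page"] not in expected_start_pages:
            findings.append(("start page differs from the one the user set", sec, body))
        if sec == "O16" and not e.get("name"):
            findings.append(("unnamed ActiveX download, verify before keeping", sec, body))
    return findings


def diff_logs(old_text: str, new_text: str):
    """(added, removed) entries between two successive logs, compared by raw body."""
    _, old = parse_hjt(old_text)
    _, new = parse_hjt(new_text)
    old_set = {(e["section"], e["body"]) for e in old}
    new_set = {(e["section"], e["body"]) for e in new}
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    # Assumptions from the thread: PSGuard is the entry the helper asked to fix,
    # and the user said the start page was set to cnn.com.
    procs, entries = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(entries)} entries")
    for reason, sec, body in triage(entries, ["PSGuard"], {"http://www.cnn.com/"}):
        print(f"[{sec}] {reason}: {body}")
```

Run it against a full log pasted into SAMPLE_LOG, or call `diff_logs` on two consecutive posts to see exactly which entries a round of cleanup added or removed; anything the script flags is a candidate for review, not an automatic verdict.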

smitRem is stuck, should I cancel

Unread postby overwhelmed » July 4th, 2005, 3:54 pm

Hello;

SmitRem has been running for 24 hours now and it is still "scanning". Should I just cancel it and skip this step?
overwhelmed
Regular Member
Posts: 28
Joined: June 19th, 2005, 12:07 am

Re: smitRem is stuck, should I cancel

Unread postby Perculator » July 4th, 2005, 4:57 pm

overwhelmed wrote: Hello;

SmitRem has been running for 24 hours now and it is still "scanning". Should I just cancel it and skip this step?

No problem to skip smitRem on this occasion; please carry out the rest of the advice.
Perculator
Regular Member
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

smitfraud still exists - Should I use system restore?

Unread postby overwhelmed » July 9th, 2005, 1:15 am

Hello, I followed your directions but I ran into problems:
1. The SmitRem got stuck and never went anywhere
2. Ewido Security Suite refused to run saying that it was missing the "lang.dll"
3. On the Control Panel, I cannot find "Display"
4. My computer is still infected; every time I start my computer Panda informs me that I have the SmitFraud virus that has been quarantined, but it still exists.

I am wondering if I should use "System Restore" to restore my computer to about 1 month ago when the computer was not infected, will that "cure" it?

Below is PANDA report:
Panda Antivirus Platinum incident report
Filter selected:All, Date: All
INCIDENT NOTIFIED BY DATE-TIME RESULT ADDITIONAL INFORMATION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan complete On-demand antivirus scan 07/09/05 00:05:45 Scan: Outlook Express
Scan complete On-demand antivirus scan 07/09/05 00:05:44 Scan: Microsoft Outlook
Scan started On-demand antivirus scan 07/09/05 00:05:44 Scan: Outlook Express
Scan started On-demand antivirus scan 07/09/05 00:05:43 Scan: Microsoft Outlook
Connection attempt Firewall protection 07/09/05 00:05:11 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/09/05 00:05:10 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:05:05 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/09/05 00:05:04 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:05:02 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/09/05 00:05:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:04:49 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:04:39 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:04:28 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:04:19 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:04:06 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:04:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:03:58 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:01:46 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:01:37 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:01:25 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:01:16 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:01:04 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:00:54 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:00:43 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/09/05 00:00:34 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:59:50 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:59:41 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:58:22 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:58:13 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:58:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:57:51 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:57:40 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:57:31 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:57:18 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:57:10 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:58 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:49 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:37 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:31 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:29 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:54:28 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:21 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:54:16 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:54:06 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:53:55 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:53:46 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:51:34 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:51:25 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:51:13 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:51:03 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:50:52 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:50:43 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:50:31 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:50:22 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:49:09 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:49:01 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:48:59 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:48:10 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:48:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:47:49 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:47:40 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:47:28 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:47:18 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:47:07 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:47:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:46:58 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:44:46 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:44:37 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:44:25 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:44:16 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:44:04 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:43:55 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:43:46 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:43:43 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:43:38 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:43:34 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:41:22 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:41:13 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:41:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:40:52 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:40:40 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:40:31 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:40:19 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:40:10 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:38:26 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:38:16 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:37:57 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:37:49 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:37:37 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:37:28 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:37:16 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:37:07 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:36:55 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:36:46 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:34:34 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:34:25 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:34:13 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:34:04 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:33:51 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:33:43 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:33:31 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:33:22 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:33:05 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:32:56 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:31:09 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:31:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:30:49 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:30:40 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:30:28 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:30:19 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:30:06 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:30:01 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:29:58 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:27:46 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:27:43 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:27:40 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:27:37 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:27:37 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:27:35 Blocked Application: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Connection attempt Firewall protection 07/08/05 23:27:24 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:27:16 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:27:04 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/08/05 23:26:55 Blocked Application: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
Connection attempt Firewall protection 07/
overwhelmed

Continued

Unread postby overwhelmed » July 9th, 2005, 1:16 am

Seems my whole post did not show up. Below is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:15 AM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\PAVJOBS.EXE
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
overwhelmed