Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Spyware Protect 2009 attack

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Spyware Protect 2009 attack

Unread postby wesmat » May 28th, 2009, 12:51 pm

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40, on 2009-05-28
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Documents and Settings\FITZPATRICK\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2722722906
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Filter hijack: text/html - {62d2ca9d-4084-43c4-ab2d-6ec850de4a82} - C:\WINDOWS\system32\mst123.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9930 bytes
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm
Advertisement
Register to Remove

Re: Spyware Protect 2009 attack

Unread postby MWR 3 day Mod » May 31st, 2009, 2:00 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Spyware Protect 2009 attack

Unread postby askey127 » May 31st, 2009, 9:02 pm

Hi wesmat,
----------------------------------------------------------
Sorry for the delay in answering your request.
We have had more logs than we could handle in a timely manner.
If you still need help and are not receiving it elsewhere, please proceed as follows:
----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here. Choose the Slim version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Please post the contents of install.txt in your next post.
------------------------------------------------------
Please download SmitFraudFix.exe by S!Ri and save it to the desktop.
  1. Double click on SmitfraudFix.exe.
  2. Press 1 then hit the Enter key.
  3. It will create a report named rapport.txt, usually in the root (base folder) of your C drive
  4. Please copy/paste the content of that text file report (C:\rapport.txt) into your next reply.

So we are looking for the contents of the install.txt file from CCleaner, and the contents of rapport.txt from the Smitfraudfix scan.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 1st, 2009, 12:41 pm

Ok Here are the results:

3D Groove Playback Engine
ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
AIM 6
Aim Plugin for QQ Games
AIM Toolbar
American Flag Screen Saver
AOL Instant Messenger
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Avery Wizard 3.1
Banctec Service Agreement
Bonjour
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Support Center (Support Software)
DellSupport
Digital Line Detect
Doggie Daycare (remove only)
Download Updater (AOL LLC)
Family Feud (remove only)
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 11
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Miuchiz - Planet Mion
Modem Helper
NetWaiting
QQ Games
QuickTime
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Uninstall Startup Inspector
VGA Dual-Mode Camera
W Photo Studio
WebCyberCoach 3.2 Dell
Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 03/30/2004 2.0.0.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Music Jukebox
Yahoo! Toolbar


SmitFraudFix v2.417

Scan done at 12:33:58.26, 2009-06-01
Run from E:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\sysguard.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\FITZPATRICK


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FITZPA~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\FITZPATRICK\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FITZPA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Google\googletoolbar1.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2614C542-E031-4AAA-B069-0BA70616C0F2}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CCS\Services\Tcpip\..\{794D770E-21FF-4B42-8BBE-F9D81E79EED3}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{87E4F45E-BCAE-4BE0-B4C7-D0DFE3668AF4}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AA03812F-EECD-4F42-8147-A8E845E2D74C}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2614C542-E031-4AAA-B069-0BA70616C0F2}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS2\Services\Tcpip\..\{794D770E-21FF-4B42-8BBE-F9D81E79EED3}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{87E4F45E-BCAE-4BE0-B4C7-D0DFE3668AF4}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AA03812F-EECD-4F42-8147-A8E845E2D74C}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2614C542-E031-4AAA-B069-0BA70616C0F2}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS3\Services\Tcpip\..\{794D770E-21FF-4B42-8BBE-F9D81E79EED3}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{87E4F45E-BCAE-4BE0-B4C7-D0DFE3668AF4}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AA03812F-EECD-4F42-8147-A8E845E2D74C}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm

Re: Spyware Protect 2009 attack

Unread postby askey127 » June 1st, 2009, 3:04 pm

wesmat,
----------------------------------------------------
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
----------------------------------------------------
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 1st, 2009, 5:36 pm

Here is the new rapport.txt file

SmitFraudFix v2.417

Scan done at 15:47:48.76, 2009-06-01
Run from E:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
...

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\sysguard.exe Deleted
C:\Program Files\Google\googletoolbar1.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2614C542-E031-4AAA-B069-0BA70616C0F2}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CCS\Services\Tcpip\..\{794D770E-21FF-4B42-8BBE-F9D81E79EED3}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{87E4F45E-BCAE-4BE0-B4C7-D0DFE3668AF4}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AA03812F-EECD-4F42-8147-A8E845E2D74C}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2614C542-E031-4AAA-B069-0BA70616C0F2}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS2\Services\Tcpip\..\{794D770E-21FF-4B42-8BBE-F9D81E79EED3}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{87E4F45E-BCAE-4BE0-B4C7-D0DFE3668AF4}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AA03812F-EECD-4F42-8147-A8E845E2D74C}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2614C542-E031-4AAA-B069-0BA70616C0F2}: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS3\Services\Tcpip\..\{794D770E-21FF-4B42-8BBE-F9D81E79EED3}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{87E4F45E-BCAE-4BE0-B4C7-D0DFE3668AF4}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AA03812F-EECD-4F42-8147-A8E845E2D74C}: DhcpNameServer=90.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.175.128.46 65.175.128.47


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm

Re: Spyware Protect 2009 attack

Unread postby askey127 » June 1st, 2009, 5:59 pm

wesmat,
Good so far.
------------------------------------------------------------
Please download the OTM by OldTimer.
Save it to your desktop
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: Select all
    :Files
    c:\Program Files\Spyware Protect 2009
    c:\Program Files\Spyware Protect 2009\gfx.bin
    c:\Program Files\Spyware Protect 2009\options.ini
    c:\Program Files\Spyware Protect 2009\SpywareProtect2009.exe
    c:\Program Files\Spyware Protect 2009\SpywareProtect2009.exe.MANIFEST
    c:\Program Files\Spyware Protect 2009\SpywareProtect2009_start_setup.exe
    c:\Program Files\Spyware Protect 2009\tp_starter.exe
    c:\Program Files\Spyware Protect 2009\uninstall.exe
    c:\Program Files\Spyware Protect 2009\uninstall.log
    c:\Program Files\Spyware Protect 2009\vbase.ini
    c:\Program Files\Spyware Protect 2009\lang
    c:\Program Files\Spyware Protect 2009\lang\english.lng
    c:\WINDOWS\system32\vbzlib2.dll
    c:\WINDOWS\aazalirt.exe
    c:\WINDOWS\dkekkrkska.exe
    c:\WINDOWS\dkewiizkjdks.exe
    c:\WINDOWS\iddqdops.exe
    c:\WINDOWS\ienotas.exe
    c:\WINDOWS\iqmcnoeqz.exe
    c:\WINDOWS\irprokwks.exe
    c:\WINDOWS\jikglond.exe
    c:\WINDOWS\jiklagka.exe
    c:\WINDOWS\jrjakdsd.exe
    c:\WINDOWS\jungertab.exe
    c:\WINDOWS\kitiiwhaas.exe
    c:\WINDOWS\kkwknrbsggeg.exe
    c:\WINDOWS\klopnidret.exe
    c:\WINDOWS\krkdkdkee.exe
    c:\WINDOWS\krkmahejdk.exe
    c:\WINDOWS\krtawefg.exe
    c:\WINDOWS\krujmmwlrra.exe
    c:\WINDOWS\ktknamwerr.exe
    c:\WINDOWS\kuruhccdsdd.exe
    c:\WINDOWS\ooorjaas.exe
    c:\WINDOWS\oranerkka.exe
    c:\WINDOWS\oropbbsee.exe
    c:\WINDOWS\otnnbektre.exe
    c:\WINDOWS\otowjdseww.exe
    c:\WINDOWS\otpeppggq.exe
    c:\WINDOWS\rkaskssd.exe
    c:\WINDOWS\ronitfst.exe
    c:\WINDOWS\seeukluba.exe
    c:\WINDOWS\skaaanret.exe
    c:\WINDOWS\sysguardn.exe
    c:\WINDOWS\tobmygers.exe
    c:\WINDOWS\tobykke.exe
    c:\WINDOWS\zibaglertz.exe
    
    :reg
    [-HKEY_CURRENT_USER\Software\Spyware Protect 2009]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\Spyware Protect 2009]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Spyware Protect 2009]
     
    
  • Return to OTM, right click in the "Paste List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 1st, 2009, 6:46 pm

OTM results:

========== FILES ==========
File/Folder c:\Program Files\Spyware Protect 2009 not found.
File/Folder c:\Program Files\Spyware Protect 2009\gfx.bin not found.
File/Folder c:\Program Files\Spyware Protect 2009\options.ini not found.
File/Folder c:\Program Files\Spyware Protect 2009\SpywareProtect2009.exe not found.
File/Folder c:\Program Files\Spyware Protect 2009\SpywareProtect2009.exe.MANIFEST not found.
File/Folder c:\Program Files\Spyware Protect 2009\SpywareProtect2009_start_setup.exe not found.
File/Folder c:\Program Files\Spyware Protect 2009\tp_starter.exe not found.
File/Folder c:\Program Files\Spyware Protect 2009\uninstall.exe not found.
File/Folder c:\Program Files\Spyware Protect 2009\uninstall.log not found.
File/Folder c:\Program Files\Spyware Protect 2009\vbase.ini not found.
File/Folder c:\Program Files\Spyware Protect 2009\lang not found.
File/Folder c:\Program Files\Spyware Protect 2009\lang\english.lng not found.
File/Folder c:\WINDOWS\system32\vbzlib2.dll not found.
File/Folder c:\WINDOWS\aazalirt.exe not found.
File/Folder c:\WINDOWS\dkekkrkska.exe not found.
File/Folder c:\WINDOWS\dkewiizkjdks.exe not found.
File/Folder c:\WINDOWS\iddqdops.exe not found.
File/Folder c:\WINDOWS\ienotas.exe not found.
File/Folder c:\WINDOWS\iqmcnoeqz.exe not found.
File/Folder c:\WINDOWS\irprokwks.exe not found.
File/Folder c:\WINDOWS\jikglond.exe not found.
File/Folder c:\WINDOWS\jiklagka.exe not found.
File/Folder c:\WINDOWS\jrjakdsd.exe not found.
File/Folder c:\WINDOWS\jungertab.exe not found.
File/Folder c:\WINDOWS\kitiiwhaas.exe not found.
File/Folder c:\WINDOWS\kkwknrbsggeg.exe not found.
File/Folder c:\WINDOWS\klopnidret.exe not found.
File/Folder c:\WINDOWS\krkdkdkee.exe not found.
File/Folder c:\WINDOWS\krkmahejdk.exe not found.
File/Folder c:\WINDOWS\krtawefg.exe not found.
File/Folder c:\WINDOWS\krujmmwlrra.exe not found.
File/Folder c:\WINDOWS\ktknamwerr.exe not found.
File/Folder c:\WINDOWS\kuruhccdsdd.exe not found.
File/Folder c:\WINDOWS\ooorjaas.exe not found.
File/Folder c:\WINDOWS\oranerkka.exe not found.
File/Folder c:\WINDOWS\oropbbsee.exe not found.
File/Folder c:\WINDOWS\otnnbektre.exe not found.
File/Folder c:\WINDOWS\otowjdseww.exe not found.
File/Folder c:\WINDOWS\otpeppggq.exe not found.
File/Folder c:\WINDOWS\rkaskssd.exe not found.
File/Folder c:\WINDOWS\ronitfst.exe not found.
File/Folder c:\WINDOWS\seeukluba.exe not found.
File/Folder c:\WINDOWS\skaaanret.exe not found.
File/Folder c:\WINDOWS\sysguardn.exe not found.
File/Folder c:\WINDOWS\tobmygers.exe not found.
File/Folder c:\WINDOWS\tobykke.exe not found.
File/Folder c:\WINDOWS\zibaglertz.exe not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Spyware Protect 2009\\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\uninstall\Spyware Protect 2009\\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Spyware Protect 2009\\ not found.

OTM by OldTimer - Version 2.1.0.0 log created on 06012009_184148
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm

Re: Spyware Protect 2009 attack

Unread postby askey127 » June 1st, 2009, 8:23 pm

wesmat,
It looks like SmitfraudFix may have removed the only file left from Spyware Protect.
We will check again later with a different tool.
----------------------------------------------------------
Remove Program(s) with CCleaner
Open CCleaner. In the Left Pane, click Tools. Verify that Uninstall is highlighted in color, or click on it.
Click and Highlight the Following Programs, one at a time, and click the Run Uninstaller button for each one.
Wait for completion of each one before highlighting and Uninstalling the next.
Adobe Reader 7.0.9
Java(TM) 6 Update 11

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
--------------------------------------------------------
Download the Newest Version of Adobe Reader
  • Go here and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

If you prefer a simple reader, without plug-ins, that is smaller and faster, take a look at the free Foxit Reader here : http://www.foxitsoftware.com/downloads/
I would recommend the older Foxit version 2.3 only, without the toolbar.
Foxit version 3.0 has the undesirable ASK toolbar, and it's uncertain whether you can avoid it during installation.
------------------------------------------------------------
Download the latest version of Java SE Runtime Environment(JRE), and install it to your computer.
It is the 2nd item on the page, called JRE 6 Update 14
Select Windows and multi-language, and check to agree to the license.
Download it, choose Save, and save it to your desktop.
Then doubleclick it, and it will install the newest version of Java for you to use.
-----------------------------------------------------
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 1st, 2009, 10:18 pm

Ok, everything went fine except for the last step, the Kapersky scan. The update stalls with nothing completed and I get a java applet error: "Starting Java applet failed! Please go online to use this program." However I am online. Attached is a snapshot of the error.
You do not have the required permissions to view the files attached to this post.
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm

Re: Spyware Protect 2009 attack

Unread postby askey127 » June 2nd, 2009, 6:53 am

wesmat,
It doesn't like the Java installation. Don't know why. It does happen sometimes.
-----------------------------------------------------------
Post a New HiJackThis Log
Start HijackThis
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder. In addition, the list opens in Notepad so you can also save as another name in another location if you wish. Please paste the contents into your next reply. You can use separate posts if you wish.
Click the "X" in the upper right corner of the HiJackThis window to close it.

Now Let's try this scan:
-------------------------------------------------------------
Run Panda Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
You will need to use Internet Explorer for this scan.
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of coffee and do something else for a while. It's not quick.
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small export to notepad button and save the report to your desktop.
  • Please post the report in your reply.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 2nd, 2009, 10:37 am

Here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:21:54, on 2009-06-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\FITZPATRICK\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2722722906
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Filter hijack: text/html - {62d2ca9d-4084-43c4-ab2d-6ec850de4a82} - C:\WINDOWS\system32\mst123.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8797 bytes


Uninstall List:
3D Groove Playback Engine
ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player
AIM 6
Aim Plugin for QQ Games
AIM Toolbar
American Flag Screen Saver
AOL Instant Messenger
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Avery Wizard 3.1
Banctec Service Agreement
Bonjour
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Support Center (Support Software)
DellSupport
Digital Line Detect
Doggie Daycare (remove only)
Download Updater (AOL LLC)
Family Feud (remove only)
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 14
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Miuchiz - Planet Mion
Modem Helper
NETGEAR WG111 Software
NetWaiting
QQ Games
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
Uninstall Startup Inspector
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VGA Dual-Mode Camera
W Photo Studio
WebCyberCoach 3.2 Dell
Windows Defender Signatures
Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 03/30/2004 2.0.0.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Music Jukebox
Yahoo! Toolbar

Active Scan:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-06-02 10:33:28
PROTECTIONS: 1
MALWARE: 32
SUSPECTS: 12
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1335 [VPS 090601-0] 4.8.1335 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00132447 adware program Adware No 0 Yes No hkey_current_user\software\ssb3
00132447 adware program Adware No 0 Yes No c:\windows\ss3unstl.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@mediaplex[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@statcounter[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@www.burstbeacon[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@ads.pointroll[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@adrevolver[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@target[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\FITZPATRICK\Cookies\fitzpatrick@atwola[1].txt
00484705 Application/IEDefender HackTools No 0 Yes No E:\SmitfraudFix\IEDFix.C.exe
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0040708.sys
00674736 W32/Autorun.AFX Virus/Worm No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP208\A0037709.dll
00674736 W32/Autorun.AFX Virus/Worm No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP210\A0037823.dll
00674736 W32/Autorun.AFX Virus/Worm No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP208\A0037695.dll
00674736 W32/Autorun.AFX Virus/Worm No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP210\A0037842.dll
00921467 Generic Malware Virus/Trojan No 0 Yes No E:\SmitfraudFix\404Fix.exe
00966839 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0040672.dll
00966892 Adware/SpywareProtect2009 Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP226\A0041199.dll
00966892 Adware/SpywareProtect2009 Adware No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP227\A0041328.dll
02893775 Spyware/Iehelp Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178\A0032737.exe
02893775 Spyware/Iehelp Spyware No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP215\A0040151.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP212\A0040011.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178\A0032743.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Downloads\PetVet2Setup-dm[1].exe
No C:\My Games\Hyperballoid 2 - Time Rider\Hyperballoid2.exe
No C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{24C8EE9E-CACE-4C60-8B1F-E2317BC2B510}.exe
No C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe
No C:\Program Files\iWin.com\Kudos\GLWorker.exe
No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP178\A0032739.exe
No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP215\A0040149.exe
No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP215\A0040156.exe
No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP215\A0040157.exe
No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0047366.exe
No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0047635.exe
No E:\SmitfraudFix.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm

Re: Spyware Protect 2009 attack

Unread postby askey127 » June 2nd, 2009, 1:19 pm

wesmat,
You can delete SmitfraudFix.

I would run CCleaner with the "cookies" box checked. You have quite a few tracking cookies.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the file shown below, select View, Details, highlight the listed file only, and press Delete.
Be careful not to delete any file without double-checking the exact spelling of the filename.

C:\Windows\ss3unstl.exe

If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note if you cannot delete..
-----------------------------------------------------------
You can keep Malwarebytes Anti-Malware. Once every week or two, update it and run a Quick Scan.
-----------------------------------------------------------
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name it and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.

You should be good to go if there are no other issues.
Let me know.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 2nd, 2009, 2:13 pm

Ok - everything went smooth for that last step. :-)

I'm kinda the neighborhood computer geek. I've applied and been accepted to the MRU - just havn't started classes yet. Last night another friend called with a virus - her desktop went away and something calling itself 'Privacy Center' appeared and reported she has virus issues - obviously a scam. I found the only active app in the Task Manager is pc.exe, so I killed it and was able to restart explorer.exe and ran hijack this. Should I start a new post for help w/ this?
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm

Re: Spyware Protect 2009 attack

Unread postby wesmat » June 2nd, 2009, 2:37 pm

Ignore that last msg - of course I have to submit a new request. which I just did. Thanks for all your help.
wesmat
Regular Member
 
Posts: 92
Joined: April 9th, 2009, 4:08 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 284 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware