Solved: Yet another Trojan-Spy.HTML.Smitfraud.c infection

jweiss · Jun 29, 2005

My machine is infected with Trojan-Spy.HTML.Smitfraud.c. I've tried using the fixes posted for other users (i.e., using a new registry file, killbox, ccleaner, etc.) but it's a persistent little bugger and still prevents my computer for starting in a normal mode; that is, I still get the OS (Win XP)warning that I'm infected.

Below is my HJT log. I would be endlessly appreciative of some guidance about how to get rid of this virus.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\dhcpclient.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\phqg.EXE
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\upaa\atan.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\fxvdxo.exe
C:\temp\180SAPack.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\msxct.exe
C:\Program Files\180searchassistant\sais.exe
C:\WINDOWS\System32\9pdoi0io.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\phqg.EXE
C:\WINDOWS\System32\1hq0riat.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\9pdoi0io.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\phqg.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\temp\180SAPack.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [1hq0riat] C:\WINDOWS\System32\1hq0riat.exe
O4 - HKLM\..\Run: [aEDDlqI7c] C:\WINDOWS\fxvdxo.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "c:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [9pdoi0io] C:\WINDOWS\System32\9pdoi0io.exe
O4 - HKLM\..\Run: [wfwrgrot] C:\WINDOWS\wfwrgrot.exe
O4 - HKLM\..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_ringtones.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4678
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

tj416 · Jun 29, 2005

Hi jweiss,

Since HijackThis does not scan the entire system and only certain areas are scanned to help diagnose the presence of undetected malware in some of the telltale places it hides. It is extremely important that you run a full system scan tool like an online virus scan, Ad-aware SE and Spybot S&D. I would like to START with those steps and finish the cleanup of strays or undetected items with HJT. I have provided instructions on how to run scans with a Online virus scanner, Ad-aware SE and Spybot S&D in this post.

1) Run one of these Online virus scanners:

2) Download, install, update and run a scan with Spybot S&D:

Download and Install Spybot S&D, accepting the Default Settings.
In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
Close ALL windows except Spybot S&D
Click the button to Search for Updates and then download and install all available Updates.
Next click the button Check for Problems
When Spybot is complete, it will be showing RED entries bold 'Black' entries and GREEN entries in the window.
Make certain there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.
REBOOT to complete the scan and clear memory.

3) Download, install, update, configure and run a scan with Ad-aware SE:

Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.
Close ALL windows except Ad-Aware SE.
Click on theworld icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Once the update is finished click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window:
- In the General window make sure the following are selected in green:
  - Under Safety:
    - Automatically save log-file
    - Automatically quarantine objects prior to removal
    - Safe Mode (always request confirmation)
  - Under Definitions:
    - Prompt to update outdated definitions - set the number of days
- Click on the Scanning button on the left and select in green :
  - Under Driver, Folders & Files:
    - Scan Within Archives
  - Under Select drives & folders to scan:
    - choose all hard drives
  - Under Memory & Registry: all green
    - Scan Active Processes
    - Scan Registry
    - Deep Scan Registry
    - Scan my IE favorites for banned URLs
    - Scan my Hosts file
- Click on the Advanced button on the left and select in green:
  - Under Shell Integration:
    - Move deleted files to recycle bin
  - Under Logfile Detail Level: (all green)
    - include addtional object information
    - DESELECT - include negligible objects information
    - include environment information
  - Under Alternate Data Streams:
    - Don't log streams smaller than 0 bytes
    - Don't log ADS with the following names: CA_INOCULATEIT
- Click the Tweak button and select in green:
  - Under Scanning Engine:
    - Unload recognized processes during scanning
    - Scan registry for all users instead of current user only
  - Under Cleaning Engine:
    - Let Windows remove files in use at next reboot
  - Under Log Files:
    - Include basic Ad-aware SE settings in logfile
    - Include additional Ad-aware SE settings in logfile
    - Please do not check: Include Module list in logfile
Click on Proceed to save the settings.
Click Start
Choose 'Perform Full System Scan'
DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
Save the log file when it asks and then click Finish
REBOOT to complete the removal of what Ad-Aware SE found.

4) Prepare in your reply:

A fresh HijackThis log.

jweiss · Jun 29, 2005

I should have mentioned that I have repeatedly run McAfeee Virus scan, Spybot S&D, and Ad-Aware 1.06 on this machine in an attempt to cure this virus. I will try again using the instructions you posted and then post my new HJT file. Thanks much for your prompt reply.

jweiss · Jun 29, 2005

OK, I ran the eTrust Anti-virus Scanner, Spybot R&D, and Ad-Aware SE and cleaned as much as I could off of the machine (and there was plenty, as every time I start up again, a bunch of adware and other junk somehow reappears).

Here is my new HJT log. A thousand thank yous if you can help me get rid of this badboy.

Logfile of HijackThis v1.99.1
Scan saved at 8:35:38 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dhcpclient.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\phqg.EXE
C:\WINDOWS\System32\1hq0riat.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\Hjiipv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\oimf\oimfm.exe
C:\PROGRA~1\COMMON~1\oimf\oimfa.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [1hq0riat] C:\WINDOWS\System32\1hq0riat.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [9pdoi0io] C:\WINDOWS\System32\9pdoi0io.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hjiipv.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [oimf] C:\PROGRA~1\COMMON~1\oimf\oimfm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

tj416 · Jun 29, 2005

Hi jweiss,

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Prepare Ewido Security Suite for use:
- Download the trial version of Ewido Security Suite.
- Install the Program.
- Click on the "update" button on the left hand side of the window.
- Click on "Start Update".
- You should not run the program yet so Exit the program.
Prepare Nailfix for use:
- Download Nailfix.
- Unzip the contents of the zip file to your Desktop.
- Do not run it yet.
Reboot into Safe mode. To reboot in Safe mode:
- Restart your computer and immediately begin tapping the F8 key on your keyboard.
- If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
Run Nailfix:
- Double-click on Nailfix.cmd.
- Your desktop and icons will disappear and reappear, and a window should open and close very quickly. Don't be alarmed, this is normal.
Run Ewido Security Suite:
- Open Ewido Security Suite.
- Click on the "scanner" button on the left hand side of the window.
- Click on "Start".
- After the scan is completed, save the logfile from the scan.
Run HijackThis:
- Open HijackThis, run a scan and check this item:
  - F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
- Close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.
Restart your computer normally to return to normal mode.
Prepare in your reply:
- Please post a fresh HijackThis log.
- Please post the Ewido Security Suite log.

jweiss · Jun 29, 2005

TJ,
I performed the tasks you suggested. I wasn't able to produce a Ewido Security Suite log because the program closed when it was done, before it allowed me to select any "create a log" function. Nevertheless, my fresh HJT log is below. Notice, that nail.exe is still there (as it smitfraud), despite several attempts to delete it.

Thank you once again.

Logfile of HijackThis v1.99.1
Scan saved at 11:39:49 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\nlhelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mscys.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [jKhRZj.exe] C:\documents and settings\jstagen\local settings\temp\jKhRZj.exe
O4 - HKLM\..\Run: [XfD.exe] c:\windows\system32\XfD.exe
O4 - HKLM\..\Run: [2r.exe] C:\windows\system32\2r.exe
O4 - HKLM\..\Run: [o62T36U] nlhelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

jweiss · Jul 1, 2005

TJ (or anyone else): Any thoughts about how to resolve this?

Thanks.

cybertech · Jul 1, 2005

* Click here to download smitRem.zip.

Save the file to your desktop.
Unzip smitRem.zip to extract the two files it contains.
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Go here to download CCleaner.

Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.

Click here to download Nailfix.zip
Unzip it to the desktop but do NOT run it yet.

* Download the trial version of Ewido Security Suite here.

Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Hmg.exe] C:\WINDOWS\SYSTEM32\Hmg.exe
O4 - HKLM\..\Run: [csvwPsW] C:\WINDOWS\vxrimxt.exe
O4 - HKLM\..\Run: [rafov] C:\WINDOWS\rafov.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [jKhRZj.exe] C:\documents and settings\jstagen\local settings\temp\jKhRZj.exe
O4 - HKLM\..\Run: [XfD.exe] c:\windows\system32\XfD.exe
O4 - HKLM\..\Run: [2r.exe] C:\windows\system32\2r.exe
O4 - HKLM\..\Run: [o62T36U] nlhelper.exe
O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...Bridge-c139.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Run Ewido:

Click on scanner
Put a check by the following before you scan:
- Binder
  [*]Crypter
  [*]Archives
Click the Start Scan button to start the scan.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop

* Double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

* Start Ccleaner and click Run Cleaner

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan

jweiss · Jul 2, 2005

Dude, I think it worked. I don't see the smitfraud warnings when Windows is booting anymore. Unbelievable. I can't possibly express how appreciative I am for your generous help.

The logs are below. Let me know if I need to take anymore action to finally exterminate this problem once and for all.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:36:25 PM, 7/1/2005
+ Report-Checksum: CF4F3E28

+ Date of database: 7/2/2005
+ Version of scan engine: v3.0

+ Duration: 38 min
+ Scanned Files: 36285
+ Speed: 15.90 Files/Second
+ Infected files: 179
+ Removed files: 179
+ Files put in quarantine: 179
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000572.exe/ransy.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000572.exe/rany.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000573.exe -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000574.exe -> Spyware.SAHA -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000575.exe -> Backdoor.Codbot.ag -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000576.dll -> Spyware.SBSoft.g -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000577.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000578.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000579.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000580.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000581.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000582.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000583.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000584.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000585.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000586.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000587.exe -> TrojanDownloader.VB.em -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000596.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000597.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000598.exe -> TrojanDownloader.TSUpdate.l -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000599.exe -> TrojanDownloader.TSUpdate.k -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000600.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000601.exe -> Spyware.WeirWeb -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000602.exe -> Spyware.180Solutions -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000603.exe -> Spyware.180Solutions -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000604.dll -> Spyware.180Solutions -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000605.exe -> Spyware.PurityScan -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000606.exe/ransy.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000606.exe/rany.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000609.dll -> Trojan.Agent.eq -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000610.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000617.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000618.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000619.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000620.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000622.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{2C6F38C6-0DC6-40EE-93A9-B2280DC2174F}\RP3\A0000628.exe -> Trojan.Nail -> Cleaned with backup
C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
D:\IE Files\Cookies\julie [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\julie [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected]-5-275483-101516[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected]_9m6h[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected] 0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected]_1j8l[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected]_2c7p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][5].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\IE Files\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup

::Report End

jweiss · Jul 2, 2005

ACTIVESCAN
Incident Status Location
Adware:Adware/ImGiant No disinfected C:\WINDOWS\INF\adrmimg.inf
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\SYSTEM32\dsmanager.dll Adware:Adware/Sqwire No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\SYSTEM32\webdlg32.inf
Adware:Adware/Envolo No disinfected C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\HKDSK~1.EXE
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.inf
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\winsx.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msxct1.ini
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\usta33.ini
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\aypiwj.exe
Spyware:Spyware/Lowzones No disinfected C:\WINDOWS\r.bat
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp1.html
Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp2.html
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp3.html
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp4.html
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\update-sp5.html
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf

Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\oimf\oimfd\oimfc.dll Possible Virus. No disinfected C:\Program Files\SurfAccuracy\SAccU.exe
Virus:W32/Sdbot.EEX.worm Disinfected C:\nvidea.exe Virus:Trj/Multidropper.QW Disinfected C:\iMeshInst.exe Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\jstagen\Start Menu\WEB-Search.url
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\jstagen\Favorites\WeirdOnTheWeb.url
Adware:Adware/WUpd No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\MediaAccC[1].dll
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\MediaTicketsInstaller[1].cab[MediaTicketsInstaller.INF]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[6].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[7].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[8].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0DKN4H0P\webservice[9].htm
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\unstall[1].exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\mtrslib2[1].js
Adware:Adware/Apropos No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\weirdontheweb_ideal[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[1].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[5].htm
Adware:Adware/Apropos No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\auto_update[1]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\webservice[6].htm
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm[ipreg32.cab]
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm[ipreg32.cab][ipreg32.inf]
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\help[1].chm[ipreg32.cab][ipreg32.dll]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KZIP2HKV\ysb_ringtones[1].cab[YSBactivex.dll]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\0006_regular[1].cab[istactivex.dll]
Adware:Adware/DownloadWare No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\1[1].txt
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\webservice[4].htm
Virus:Trj/Joiner.AB Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\48[1].exe
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\joysaver[1].cab[m67m.inf]
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\joysaver[1].cab[m67m.ocx]
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\ysb[1].dll
Possible Virus. No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\sacc_remove[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDIR89YZ\webservice[5].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2JWTYV\Bridge-c139[1].cab[MediaAccX.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2JWTYV\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2JWTYV\package_MARKETING27[1].exe

HJT
Logfile of HijackThis v1.99.1
Scan saved at 10:52:24 PM, on 7/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mscys.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks.

cybertech · Jul 2, 2005

You need to print out these instructions or save them to your desktop as a text file with Notepad.

Click here to download KillBox.
Save it to your desktop.

Click here and use the removal tool.

After you have done that reboot to safe mode.

Now disconnect from the internet, turn off or disconnect your modem.

Close all browser windows.

Run HJT again and put a check in the following:

O4 - HKCU\..\Run: [Zxt3RWYpU] mscys.exe

O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)

Close all applications and browser windows before you click "fix checked".

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

Run Killbox
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste each of the following paths, one at a time and click the red circle with the white X in it, when it asks you to delete the file on reboot click Yes, when it asks you to reboot click No.

C:\WINDOWS\INF\adrmimg.inf
C:\WINDOWS\SYSTEM32\dsmanager.dll
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\webdlg32.inf
C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
C:\WINDOWS\SYSTEM32\HKDSK~1.EXE
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\webdlg32.inf
C:\WINDOWS\winsx.inf
C:\WINDOWS\msxct1.ini
C:\WINDOWS\usta33.ini
C:\WINDOWS\unstall.exe
C:\WINDOWS\aypiwj.exe
C:\WINDOWS\r.bat
C:\WINDOWS\System32\mscys.exe
C:\WINDOWS\update-sp1.html
C:\WINDOWS\sepsd.bin
C:\WINDOWS\update-sp2.html
C:\WINDOWS\update-sp3.html
C:\WINDOWS\update-sp4.html
C:\WINDOWS\update-sp5.html
C:\Program Files\Common Files\oimf\oimfd\oimfc.dll
C:\Program Files\SurfAccuracy\SAccU.exe
C:\Documents and Settings\jstagen\Start Menu\WEB-Search.url
C:\Documents and Settings\jstagen\Favorites\WeirdOnTheWeb.url

Close killbox.

Open a dos window, go to start, run and type cmd then press enter.

Type the following bolded lines into the dos window pressing the enter key after each line

cd\
cd C:\WINDOWS\Downloaded Program Files
del conflict.2\.

press Y to confirm the delete

rd conflict.2
del m67m.inf
del ipreg32.inf
del WildApp.inf
exit

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 Open the Content.IE5 folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Content.IE5 folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files".

Put a check by "Delete Offline Content" and click OK.

Empty your recycle bin.

Reboot and post another log.

jweiss · Jul 2, 2005

Done. The only problem I have now is that McAfee tells me that my wininet.dll is infected with W32\Alemod.dll (but perhaps that's an unrelated issue).

Here's my latest HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:46 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Gracias.

cybertech · Jul 2, 2005

Did you run the removal tool?

tj416 · Jul 2, 2005

Hi jweiss,

Copy the part below into notepad and save it as searchwininet.bat
Set filetype to "All files"

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click the file and when it is ready it will open files.txt
Post the content of that file

jweiss · Jul 3, 2005

No, I somehow skipped the removal tool step, but now I've run it.

I got rid of the contaminated wininet.dll file by replacing it with the one from the dllcache folder. (First I renamed it, then replaced it, then had McAfee delete the renamed version.)

My new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:56:16 AM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks.

Solved: Yet another Trojan-Spy.HTML.Smitfraud.c infection

jweiss

tj416

jweiss

jweiss

tj416

jweiss

jweiss

cybertech

Retired Moderator

jweiss

jweiss

cybertech

Retired Moderator

jweiss

cybertech

Retired Moderator

tj416

jweiss

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

Welcome to Tech Support Guy!

Latest posts

Staff online

Members online