antispywarebox.xom

Comments

  • You may wish to save these instructions to notepad or print them out for use while in Safe Mode.


    Step 1

    Re-configure Windows Explorer to show hidden files & folders:
    How to Show Hidden Files & Folders

    Ensure you're familiar with rebooting into Safe Mode:
    How to Boot into Safe mode


    Download the trial version of Ewido Anti-Malware

    When installing Ewido, under "Additional Options" uncheck "Install Background Guard" and "Install Scan Via Context Menu".

    Launch Ewido and click "Update" on the left side of the main screen to update the definitions file.

    Then click "Start Update".

    When you receive the "Update successful" prompt, close Ewido.

    Note: If you have any problems with the updater, you can Update Ewido Manually.



    Step 2

    Next, please reboot your computer in Safe Mode - Very Important !!

    Scan with HijackThis again and checkmark the boxes before the following entries:-

    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe


    Close ALL OTHER WINDOWS and click "Fix Checked"


    Step 3

    Clean your Cache and Cookies in IE:
    Go to Control Panel > Internet Options > General tab.
    Click the "Delete Cookies" button and then the "Delete Files" button next to it.
    When prompted, place a check in: "Delete all offline content", click OK.

    Clean your Cache and Cookies in Firefox (if you also have Firefox installed):
    Go to Tools > Options. Click Privacy in the menu on the left side of the Options window.
    Click the Clear button located to the right of each option (History, Cookies, Cache).
    Click OK to close the Options window.
    Alternatively, you can clear all information stored while browsing by clicking "Clear All".
    A confirmation dialog box will be shown before clearing the information.

    Clean other Temporary files + Recycle bin
    Go to start > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.
    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    Press OK to remove them.


    Step 4

    Now open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd

    Select option #2 - "Clean" by typing 2 and pressing "Enter" to delete the infected files.

    You will then receive the following prompt:

    "Registry cleaning - Do you want to clean the registry ? (y/n)"

    Type Y for yes and press "Enter" to remove the Desktop background and clean the associated registry keys for this infection.

    The tool will then check if the file wininet.dll is infected.

    You may be prompted to replace the infected file with another copy from your machine (if found):

    "Replace infected file ? (y/n)"

    Type Y for yes and press "Enter" to restore a clean copy of the file on your machine.

    Restart your computer to complete the removal process.

    (A log file of the fix can be found at the root of your system drive, usually at C:\rapport.txt)


    Step 5

    Reboot back into Safe Mode again and open Ewido Anti-Malware.

    Click on Scanner.

    Click on Complete System Scan and the scan will begin.

    Warning: Do NOT open any other windows or your Control Panel while scanning as it may prevent scan completion!!

    At the first infection, select "Remove" and checkmark the boxes beside "Perform action on all infections" and "Create encrypted backup" in the left corner.

    Upon scan completion, click the Save report button and save the report.txt to your desktop.

    Then close Ewido.


    Step 6

    Next go to Start > Control Panel and click Display | Desktop | Customise Desktop | Web | Webpages and uncheck/delete any pages listed in the panel.

    Reboot back to normal Windows mode and run an online scan at Panda ActiveScan

    Once on the Panda site click the Scan your PC button and then the Check Now button on the next screen.

    Enter your details in the required fields.

    Then click the big Scan Now button.

    Allow the Active X component to install and download the necessary files. (Note: It may take a couple of minutes)

    When the download is complete, click on Local Disks to start the scan.

    Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    Step 7

    Post the following in your next reply please:
    • Fresh HijackThis log (generated after the Panda scan)
    • C:\rapport.txt
    • Ewido Log.
    • Panda scan results.
  • I tried to show hidden files but was unable to click the circle to activate.

    When I ran HijackThis the following files were not listed:

    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

    Panda ActiveScan would not run; I got the following message:

    An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.

    Possible causes of this error are:

    Not allowing the application's ActiveX control to be downloaded.

    Problems with the Internet connection.

    The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...


    Latest HijackThis log, not including Panda:
    Logfile of HijackThis v1.99.1
    Scan saved at 23:21:45, on 13/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\AOL\1148941578\ee\AOLHostManager.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\AOL\1148941578\ee\AOLServiceHost.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    c:\program files\common files\aol\1148941578\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
    C:\Program Files\Common Files\AOL\1148941578\ee\AOLServiceHost.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\DOCUME~1\Dave\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: adobepnl.ADOBE_PANEL - {0F7E55FC-6D46-491C-922B-4EBC6636B561} - C:\WINDOWS\system32\adobepnl.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [AntivirusRegistration] C:\Program Files\CA\Etrust Antivirus\Register.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148941578\ee\AOLHostManager.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{04A5A952-13C1-475D-8D23-446F1F2A6766}: NameServer = 205.188.146.145
    O17 - HKLM\System\CS1\Services\Tcpip\..\{04A5A952-13C1-475D-8D23-446F1F2A6766}: NameServer = 205.188.146.145
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
  • CONTINUED:
    rapport.txt
    SmitFraudFix v2.59

    Scan done at 21:35:05.53, 13/06/2006
    Run from C:\Documents and Settings\Dave\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\alexaie.dll Deleted
    C:\WINDOWS\alxie328.dll Deleted
    C:\WINDOWS\alxtb1.dll Deleted
    C:\WINDOWS\about_spyware_bg.gif Deleted
    C:\WINDOWS\about_spyware_bottom.gif Deleted
    C:\WINDOWS\as.gif Deleted
    C:\WINDOWS\as_header.gif Deleted
    C:\WINDOWS\bg.gif Deleted
    C:\WINDOWS\box_1.gif Deleted
    C:\WINDOWS\box_2.gif Deleted
    C:\WINDOWS\box_3.gif Deleted
    C:\WINDOWS\BTGrab.dll Deleted
    C:\WINDOWS\button_buynow.gif Deleted
    C:\WINDOWS\button_freescan.gif Deleted
    C:\WINDOWS\close-bar.gif Deleted
    C:\WINDOWS\dlmax.dll Deleted
    C:\WINDOWS\download_box.gif Deleted
    C:\WINDOWS\features.gif Deleted
    C:\WINDOWS\footer_back.gif Deleted
    C:\WINDOWS\footer_back.jpg Deleted
    C:\WINDOWS\header_1.gif Deleted
    C:\WINDOWS\header_2.gif Deleted
    C:\WINDOWS\header_3.gif Deleted
    C:\WINDOWS\header_4.gif Deleted
    C:\WINDOWS\infected.gif Deleted
    C:\WINDOWS\main_back.gif Deleted
    C:\WINDOWS\rf.gif Deleted
    C:\WINDOWS\rf_header.gif Deleted
    C:\WINDOWS\scan_btn.gif Deleted
    C:\WINDOWS\security-center-bg.gif Deleted
    C:\WINDOWS\security-center-logo.gif Deleted
    C:\WINDOWS\security_center_caption.gif Deleted
    C:\WINDOWS\sep_hor.gif Deleted
    C:\WINDOWS\sep_vert.gif Deleted
    C:\WINDOWS\spacer.gif Deleted
    C:\WINDOWS\spacer.gif' Deleted
    C:\WINDOWS\spyware-detected.gif Deleted
    C:\WINDOWS\star.gif Deleted
    C:\WINDOWS\star_gray.gif Deleted
    C:\WINDOWS\star_gray_small.gif Deleted
    C:\WINDOWS\star_small.gif Deleted
    C:\WINDOWS\ts.gif Deleted
    C:\WINDOWS\ts_header.gif Deleted
    C:\WINDOWS\v.gif Deleted
    C:\WINDOWS\warning_icon.gif Deleted
    C:\WINDOWS\warning-bar-ico.gif Deleted
    C:\WINDOWS\win_logo.gif Deleted
    C:\WINDOWS\x.gif Deleted
    C:\WINDOWS\ZServ.dll Deleted
    C:\WINDOWS\system32\alxres.dll Deleted
    C:\WINDOWS\system32\dailytoolbar.dll Deleted
    C:\WINDOWS\system32\qjrkvy.exe Deleted
    C:\WINDOWS\system32\questmod.dll Deleted
    C:\WINDOWS\system32\runsrv32.dll Deleted
    C:\WINDOWS\system32\runsrv32.exe Deleted
    C:\WINDOWS\system32\tcpservice2.exe Deleted
    C:\WINDOWS\system32\thlwin32.dll Deleted
    C:\WINDOWS\system32\txfdb32.dll Deleted
    C:\WINDOWS\system32\udpmod.dll Deleted
    C:\WINDOWS\system32\users32.exe Deleted
    C:\WINDOWS\system32\winflash.dll Deleted
    C:\Documents and Settings\Dave\Local Settings\Application Data\TitanShield\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» End

    ewido:
    ewido anti-malware - Scan report

    + Created on: 22:45:42, 13/06/2006
    + Report-Checksum: 9249AD0E

    + Scan result:

    HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup
    HKU\S-1-5-21-3953967176-126840704-1265418935-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\cyjnwhpn.maa -> Trojan.Agent.qe : Cleaned with backup
    C:\WINDOWS\system32\ddlyytgb.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\dzmncifd.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\gpkmkclx.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\kowjrimk.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\nakxygpg.rrn -> Hijacker.Small.js : Cleaned with backup
    C:\WINDOWS\system32\niqyesry.fes -> Hijacker.Small.js : Cleaned with backup
    C:\WINDOWS\system32\ojvuibtw.exe -> Downloader.Small.dam : Cleaned with backup
    C:\WINDOWS\system32\phqghume.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\yuhujgim.exe -> Downloader.VB.aeq : Cleaned with backup


    ::Report End

    THANKS FOR THE HELP, HOPE THIS CAN BE FIXED
  • That's looking good. I'd still like to get a strong anti-virus scan done though. So we don't waste time messing about troubleshooting Active X (we can do that later) I'd like you to download a standalone scanner.

    Download Dr.Web CureIt to your desktop:
    • Double-click the drweb-cureit.exe file and allow it to run the express scan.
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow > to the right and the scan will begin.
    • At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, click the "Select all/select none" toggle button (if available) next to the files found.
    • Then click the green cup icon right below and select Move incurable.
      This will move any infected files that can't be cured to the %userprofile%\DoctorWeb\quarantaine folder (in case we need samples).
    • Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
    • After the restart, post the contents of the Dr.Web.csv log file which you saved.
  • setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\Ca_AOL 9.0\ASPUK;Probably BACKDOOR.Trojan;Incurable.Moved.;
    setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\ASPUK;Probably BACKDOOR.Trojan;Incurable.Moved.;
    zylomgamesplayer.dll;C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer;Trojan.StartPage.1381;Deleted.;
    setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Moved.;
    fwRemoteCfg.dll;C:\Program Files\Common Files\FTL Shared;Probably DLOADER.Trojan;Incurable.Moved.;
    A0031619.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP182;Trojan.Spambot;Deleted.;
    A0031620.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP182;Trojan.PWS.Alanchum;Deleted.;
    A0031621.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP182;Trojan.Spambot;Deleted.;
    A0031622.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP182;Trojan.DownLoader.6811;Deleted.;
    A0041523.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP225;Probably DLOADER.Trojan;Incurable.Moved.;
    A0041739.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP226;Probably DLOADER.Trojan;Incurable.Moved.;
    A0041892.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP227;Probably DLOADER.Trojan;Incurable.Moved.;
    A0043039.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP231;Probably DLOADER.Trojan;Incurable.Moved.;
    A0043128.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP231;Probably BACKDOOR.Trojan;Incurable.Moved.;
    A0044557.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP239;Trojan.DownLoader.9544;Deleted.;
    A0048614.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP252;Trojan.Fakealert.182;Deleted.;
    A0048617.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP253;Trojan.Fakealert.182;Deleted.;
    A0048648.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP254;Trojan.Fakealert.182;Deleted.;
    A0048651.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP255;Trojan.Fakealert.182;Deleted.;
    A0048663.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP257;Trojan.Fakealert.182;Deleted.;
    A0048678.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP258;Trojan.Fakealert.182;Deleted.;
    A0048714.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP259;Trojan.Fakealert.182;Deleted.;
    A0049543.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP260;Trojan.Fakealert.182;Deleted.;
    A0049557.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP261;Trojan.Fakealert.182;Deleted.;
    A0049586.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP262;Trojan.Fakealert.182;Deleted.;
    A0049743.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP263;Trojan.Fakealert.182;Deleted.;
    A0049822.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP264;Trojan.Fakealert.182;Deleted.;
    A0050039.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP267;Trojan.Fakealert.181;Deleted.;
    A0050040.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP267;Trojan.Fakealert;Deleted.;
    A0050047.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP268;Trojan.Fakealert.182;Deleted.;
    A0050211.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP269;Trojan.Fakealert.182;Deleted.;
    A0050466.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.Fakealert.182;Deleted.;
    A0050475.dll;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.Fakealert.182;Deleted.;
    A0050488.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.9572;Deleted.;
    A0050489.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.9572;Deleted.;
    A0050490.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.9572;Deleted.;
    A0050491.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.9572;Deleted.;
    A0050492.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.9572;Deleted.;
    A0050493.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.9572;Deleted.;
    A0050494.exe;C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP270;Trojan.DownLoader.10424;Deleted.;
  • Is this the full log? It just seems to end abruptly...
  • Yes, is that OK?
  • Yes that's fine, just delete this folder now please:

    C:\Documents and Settings\All Users\Application Data\Zylom

    How's the machine running now?
  • I cannot see C:\Documents and Settings\All Users\Application Data\Zylom?

    The machine is running a lot better!

    Is there some software to see all the programmes on my PC so I can clean them off? I have used the application in Control Panel but am not sure all the software is listed.

    I also have lots of programmes loading when I start up; is there a way I can stop them from starting?

    Thanks again!
  • It's ok, the main file has been deleted anyway.

    Installation files from old programs can usually be found in your C:\Program Files folder so have a look in there for any old ones that aren't listed in Add/Remove Programs in your Windows Control Panel. Be careful though, don't go deleting things willy nilly just because you don't recognise something.

    As far as your startup programs are concerned, you could improve the startup time and overall performance of your machine by disabling the vast majority of your O4 HijackThis startup entries. Most of them aren't necessary at startup and can be accessed when needed via the Start > All Programs menu.

    A handy little utility for controlling your startup programs is Startup Inspector:

    http://www.windowsstartup.com/

    Alternatively, you can disable which ones you don't need by going to Start > Run and typing msconfig. Click the Startup tab and uncheck any programs listed you don't want running at Startup.

    You can check out what each O4 startup entry relates to (and whether it's needed at startup) by pasting either the name in [brackets] or the process name at the end of each entry in your HijackThis log into the search fields of either of these online databases:

    http://castlecops.com/StartupList.html
    http://www.bleepingcomputer.com/startups/

    Just make sure you leave your Anti-Virus, firewall and Windows Defender entries alone.


    Everything appears to be in order so I guess we can wrap things up for the time being.

    Now that you're clean again, please follow these simple steps to keep yourself safe and secure in the future.

    Re-Enable Your Protection

    Please rehide your hidden system files and folders by reversing the steps here.


    Disable and Re-enable System Restore to Flush Infected Restore Points

    If you are using Windows ME or XP, you should disable and re-enable system restore to make sure there are no infected files found in your restore points.

    Click Start > Right click My Computer> Properties> System Restore and place a check next to the "Turn off System Restore" box.

    Restart the machine to flush the restore points and then re-enable System Restore by removing the check from the "Turn off System Restore" box.

    Then go to Start> All Programs> Accessories> System Tools> System Restore and create a new Restore Point.


    Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

    How can I protect myself on the Internet?


    Safe Surfing

    Alfonso :)
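
A small triage script, added here as an example and not part of this thread, of HijackThis or of SmitfraudFix, that applies the checks Alfonso made by hand: it parses O2, O4 and O17 lines in the HijackThis v1.99 format shown in the logs, marks BHO entries with no backing file (the Step 2 entries) as orphans, marks O4 autostart entries as keep only when they belong to the anti-virus, firewall or Windows Defender products visible in this log (the advice on startup entries), and surfaces O17 NameServer values for review. The sample log is constructed from lines quoted in this thread, and the KEEP_PRODUCTS list is an assumption to vet per machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {0F7E55FC-6D46-491C-922B-4EBC6636B561} - C:\WINDOWS\system32\adobepnl.dll (file missing)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: titanshield.lnk = C:\Program Files\TitanShield Antispyware\titanshield.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{04A5A952-13C1-475D-8D23-446F1F2A6766}: NameServer = 205.188.146.145
"""

# Assumption: the security products that are legitimately installed on this machine.
# Match on vetted product names, never on generic words such as "antispyware":
# the rogue in this thread calls itself "TitanShield Antispyware".
KEEP_PRODUCTS = ("mcafee", "windows defender", "ewido")

# HijackThis v1.99 line formats as they appear in the logs above.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
NS_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")


@dataclass
class Entry:
    section: str   # O2, O4 or O17
    name: str      # BHO name, [Run] name or .lnk name, or the registry key
    target: str    # DLL path, command line, or NameServer value
    verdict: str   # triage result, see classify_line()
    clsid: str = ""


def classify_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; return None for lines outside O2/O4/O17."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        path = m.group("path")
        # A BHO whose DLL is gone is a dead registration left behind by the
        # cleanup; HijackThis lists it so it can be ticked and fixed.
        missing = path == "(no file)" or path.endswith("(file missing)")
        return Entry("O2", m.group("name"), path,
                     "orphan-bho" if missing else "bho", m.group("clsid"))
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        cmd = m.group("cmd")
        haystack = f"{m.group('name')} {cmd}".lower()
        keep = any(product in haystack for product in KEEP_PRODUCTS)
        return Entry("O4", m.group("name"), cmd,
                     "autostart-keep" if keep else "autostart-review")
    m = NS_RE.match(line)
    if m:
        # A NameServer override is worth a look on any infected box.
        return Entry("O17", m.group("key"), m.group("servers"), "nameserver-review")
    return None


def triage(log_text: str) -> List[Entry]:
    """Classify every recognised line of a HijackThis log."""
    return [e for e in (classify_line(l) for l in log_text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per verdict."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:4} {e.verdict:17} {e.name!r:40} {e.target}")
    print(summarize(found))
```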