Real hassle from virus/spyware
Comments
The HijackThis uninstall list
1st Page 2000 2.00 Free
ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.8
AOL Broadband Check-Up
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Connectivity Services
AOL UK (Choose which version to remove)
AOL You've Got Pictures Screensaver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free Edition
BT Voyager 105 ADSL Modem
BT Voyager Modem AOL Test
CA eTrust Antivirus
CCleaner (remove only)
Chessmaster Challenge (remove only)
Civilization III
Civilization III: Conquests 1.02 Update
CM4
C-Media 3D Audio
Cossacks 2 - Demo
Encyclopaedia Britannica Concise Edition CD
EPSON PhotoQuicker3.5
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Web-To-Page
ESC64 Reference Guide
ESC64 Software Guide
ESC66 Reference Guide
ESC66 Software Guide
ewido anti-spyware 4.0
GoldWave v5.10
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Home Cinema
Informations about your PC
Learn2 Player (Uninstall Only)
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee Personal Firewall Plus
Medi@Show
Medion Flash XL 2.0
Microsoft .NET Framework 1.1
Microsoft Age of Empires
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft AutoRoute v11.0
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Money
Microsoft Money System Pack
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Premium
Microsoft Office PowerPoint Viewer 2003
Microsoft PhotoDraw 2000 V2
Microsoft Picture It! Photo Standard 9
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MSN Messenger 7.5
MSN Search Toolbar
MUSICMATCH® Jukebox
Nero Media Player
Nero OEM
NeroVision Express 2
Panda ActiveScan
PCFriendly
Photodex Presenter
PIF DESIGNER2.1
Pocket RAR documentation
PowerCinema 2.5
PowerDirector
PowerDVD
PowerProducer
QuickTime
Quizfish
RealOne Player
Remove DivX Codec
Roguescanfix 1.5
Satori PhotoXL v2.29
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
Shogun Total War - Battle Trainer Test
Skype 2.5
Slim U2 TA
Smart Manager
Spybot - Search & Destroy 1.3
StarOffice 5.2
The GIMP 1.2.3-20020101
Theory Interactive
True BASIC Bronze Edition Demo
Ulead Photo Express 4.0 My Custom Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB Wireless Keyboard Driver
videon
Viewpoint Media Player
Visual Basic 5.0 Control Creation Edition
W83L518D
Winamp (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
X10 Hardware(TM)
Yahoo! Toolbar
Zoner Draw 3
....and the latest HijackThis log (scanned when on Michael's account - don't know if this makes any difference)
Logfile of HijackThis v1.99.1
Scan saved at 15:50:41, on 26/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\Twain_32\SlimU2TA\HotKey.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-gb\msn_sl.exe
C:\Documents and Settings\Michael\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2TA\HotKey.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?48c090484a4c49a3ab33d9c14fc53230
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?48c090484a4c49a3ab33d9c14fc53230
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
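An added example (not part of the forum post, and not something HijackThis does itself) of a small triage pass over a log like the one above. It applies a few heuristics a reviewer would use by hand: O4 Run values that give only a bare file name (as CNYHKey.exe, Dit.exe and mHotkey.exe do here) are resolved through the search path rather than a fixed location; O16 entries are ActiveX controls downloaded from remote URLs, so anything outside an allow-list of expected hosts is worth a look; and the O23 AOLService entry points at a binary that no longer exists. The sample lines are transcribed from the log; the allow-list of hosts and the rules themselves are assumptions made for this example, and a hit is "look at this", not a malware verdict.

```python
"""Triage pass over a HijackThis 1.99 log (added example, not part of the post).

Each rule is a heuristic for "worth a second look", not a malware verdict:
  O2  - BHO entry with no name
  O4  - Run value whose command is a bare file name (no drive letter), so
        Windows resolves it through the search path instead of a fixed location
  O16 - Downloaded Program File (ActiveX) fetched from a host outside an allow-list
  O23 - service whose binary is missing, or whose owner/company is unknown
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines transcribed from the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
"""

# Hosts from which an O16 download is expected on this machine (assumption).
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "messenger.zone.msn.com", "messenger.msn.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<rest>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')   # command starts with a drive letter


def parse(log):
    """Split a log into (section, rest) pairs, ignoring header/process lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("rest")))
    return entries


def flag_entry(section, rest):
    """Return a short reason if the entry deserves review, else None."""
    if section == "O2" and rest.startswith("BHO: (no name)"):
        return "BHO registered without a name"
    if section == "O4":
        m = RUN_RE.match(rest)          # Global Startup .lnk lines do not match
        if m and not ABS_PATH_RE.match(m.group("cmd")):
            return f"Run entry [{m.group('name')}] uses a bare file name resolved via the search path"
    if section == "O16":
        url = rest.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX control downloaded from {host}"
    if section == "O23":
        if rest.endswith("(file missing)"):
            return "service binary missing (orphaned service)"
        if " - Unknown owner - " in rest:
            return "service with no company/owner name"
    return None


def triage(log):
    """List of (section, reason, original entry) for every flagged line."""
    return [(sec, reason, rest)
            for sec, rest in parse(log)
            if (reason := flag_entry(sec, rest))]


if __name__ == "__main__":
    for sec, reason, rest in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {rest}")
```

On the sample this flags seven entries: the unnamed BHO, the three bare-name Run values, the FilePlanet download control, and the two services without a known owner (one of them pointing at a missing file). Everything else, including the AVG, QuickTime and McAfee lines, passes quietly; the point is to shrink a 75-line log to the handful of entries a human should actually read.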
Please continue to log in to Michael's account. It does make a difference, yes.
Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.
Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.
========
Now open the SmitfraudFix folder on Michael's desktop and double-click smitfraudfix.cmd
Select option #2 - "Clean" by typing 2 and pressing "Enter" to delete the infected files.
You will then receive the following prompt:
"Registry cleaning - Do you want to clean the registry ? (y/n)"
Type Y for yes and press "Enter" to remove the Desktop background and clean the associated registry keys for this infection.
The tool will then check if the file wininet.dll is infected.
You may be prompted to replace the infected file with another copy from your machine (if found):
"Replace infected file ? (y/n)"
Type Y for yes and press "Enter" to restore a clean copy of the file on your machine.
Restart your computer to complete the removal process.
(A log file of the fix can be found at the root of your system drive, usually at C:\rapport.txt)
=========
Then update Ewido Anti-Spyware with the latest definitions.
Restart into Safe Mode (Michael's account) and run a full system scan with Ewido. Quarantine everything found and save the log file for posting.
=========
Post C:\rapport.txt and the Ewido results in your next reply please.
Did all the above and it seems to have worked fine - the Ewido log showed a couple of tracking cookies only. (It says no action taken, but I did get rid of them after copying the report.)
However... I did a Panda scan after all that (from Michael's account) and have got two completely new things - a tool and a dialer. Could you suggest how they might have got in? I have highlighted them in bold on the scan results below. (Edited to add - when I did a Panda scan on my account, it did not have these on it.)
The only things I can think of are:
a) After repeatedly getting prompts I decided to allow access to Skype, but another message from McAfee flashed up this morning on my account saying the spooler subsystem app had changed (C:\WINDOWS\system32\spoolsv.exe), which I ignored - it hasn't come up again. Also, on another account a McAfee welcome window is showing every time the account is opened, saying to click it as part of the final set-up - we've had McAfee for ages and it has never done this before. Is this all anything to do with the new things, or am I just getting concerned about nothing here?
b) My son watched a short video on his local football team's official website (but it didn't involve downloading anything else, and he has done this lots of times before).
Here are the reports:
SmitFraudFix v2.100
Scan done at 9:05:00.00, 27/09/2006
Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\Michael\Desktop\Virus-Burst.lnk Deleted
C:\DOCUME~1\Michael\STARTM~1\Programs\Virus-Burst Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
The Ewido report:
+ Created at: 10:40:46 27/09/2006
+ Scan result:
C:\Documents and Settings\Michael\Cookies\michael@aoluk.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Ros\Cookies\ros@aoluk.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
::Report end
The Panda Scan
Incident Status Location
Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico
Adware:adware/ncase Not disinfected c:\windows\180Solutions
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:application/mediapipe Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B3E19860-0CD5-4991-A066-4FCA2704DE59}
Dialer:dialer.du Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0000148.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0000153.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0000154.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0002940.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0002947.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\A0002948.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Dc12.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Dc7.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Dc8.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\oozeobj.bk!
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Process0.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ros\DoctorWeb\Quarantine\Process1.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
They're only orphaned registry keys by the looks of it.
RIGHT-CLICK HERE and choose "Save Target as". Save the reg file (Rosy.reg) to your desktop.
Then double-click Rosy.reg and confirm you wish to merge the contents with your registry when prompted.
That will delete the two registry keys for you.
You can then delete these two manually as well:
c:\windows\hh.ico <--file
c:\windows\180Solutions <--folder
The spoolsv.exe message is in a legitimate location. There's a fair bit on Google about similar problems, so can I suggest you google "spooler subsystem app has changed" (with quotes) or similar phrases and work your way through the myriad of possibilities. Either way, I don't think it's connected to the malware problems.
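The Rosy.reg linked above is not reproduced on the page, so here is an added example (not the helper's file) of how such a fix is built from the Panda report: every incident whose location is a full registry path is turned into a `[-HKEY...]` line, which is the .reg syntax that deletes a key (and its subkeys) on merge; a plain `[HKEY...]` line would create it instead. The two keys in question sit under Ext\Stats, where Internet Explorer keeps its Manage Add-ons usage records per CLSID, which is why an entry there with no add-on behind it is just a leftover. The report lines are transcribed from the Panda output above with the garbled brace in the second GUID restored; the incident line format is inferred from that output and is an assumption of this example.

```python
"""Turn the registry-key incidents in a Panda ActiveScan report into a .reg
file that deletes those keys (added example; not the Rosy.reg linked above).

Panda reports one incident per line as
    <type>:<name> <status> <location>
and a location that starts with a hive name is a registry key. In a .reg file
a key written as [-HKEY...] is deleted, with its subkeys, when the file is
merged; a plain [HKEY...] would create it instead.
"""
import re

# Constructed from the Panda output above. The second key's opening brace is
# restored where the forum rendering garbled it to "!!".
PANDA_REPORT = r"""
Potentially unwanted tool:application/mediapipe Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B3E19860-0CD5-4991-A066-4FCA2704DE59}
Dialer:dialer.du Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Spyware:spyware/web3000 Not disinfected c:\windows\hh.ico
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
"""

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# Line format assumed from the report above: type, ":" name, status, location.
INCIDENT_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>\S+)\s+(?P<status>Not disinfected|Disinfected|Deleted)\s+(?P<loc>.+)$")


def parse_incidents(report):
    """Return (kind, name, status, location) for every well-formed line."""
    out = []
    for line in report.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("name"), m.group("status"), m.group("loc")))
    return out


def registry_keys(report):
    """Locations that are full registry key paths and still need action.

    A bare 'Windows Registry' location (the searchcentrix line) names no key
    and cannot be turned into a deletion, so it is deliberately skipped;
    file paths such as hh.ico are handled outside the registry and skipped too.
    """
    return [loc for _, _, status, loc in parse_incidents(report)
            if status == "Not disinfected" and loc.startswith(HIVES)]


def reg_delete_file(keys):
    """Build the text of a .reg file that removes each key when merged."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines.append(f"[-{key}]")   # leading '-' means delete this key
        lines.append("")
    return "\r\n".join(lines)       # regedit expects CRLF line endings


if __name__ == "__main__":
    print(reg_delete_file(registry_keys(PANDA_REPORT)))
```

To use the output, save it with `open("fix.reg", "w", newline="")` so the CRLFs survive, then double-click and confirm the merge as the helper describes. Keys are deleted outright, so export them first from regedit if you want a way back.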
Have done this, and the hh.ico and 180Solutions have been deleted. The Panda scan won't work for me tonight to confirm, but everything else on the PC says all is fine!
I feel like I have finished a marathon! Thank you to all who have helped me out, and especially a huge thanks to Alfonso. Alfonso, your explanations were spot on, really clear and easy to follow, and I really felt encouraged to keep going to the end. You are clearly extremely knowledgeable, which makes your patience with me even more remarkable, given your obvious level of expertise. I never once got the feeling that I was being a nuisance, though this must have taken hours of your time. I had visions of having to reformat everything at the start of this, and now my PC has never been so clean - and I have a sense of achievement at having done this myself (obviously it would have been impossible without the huge input I have had from here though!!).
Thank you again.
You're very welcome, I'm glad everything is looking....well...rosey again!
Most of us who help out with malware problems started with an infection of our own. I dare say we had a similar level of experience with computers as yourself when we started. It's certainly a great way to learn about computers.
Everything appears to be in order so I guess we can wrap things up for the time being. Just give me a shout if the problems return.
In the meantime, please follow these simple steps to keep yourself safe and secure in the future.
Re-Hide your System Files
Please rehide your hidden system files and folders by reversing the steps here.
Keep Sun Java Updated
There are numerous infections which take advantage of exploits present in older Sun Java installations. Ensure you are running the latest version by reading this.
Disable and Re-enable System Restore to Flush Infected Restore Points
Disable and re-enable System Restore to ensure there are no infected files found in your restore points.
Click Start > Right click My Computer> Properties> System Restore and place a check next to the "Turn off System Restore" box.
Restart the machine to flush the restore points and then re-enable System Restore by removing the check from the "Turn off System Restore" box.
Then go to Start> All Programs> Accessories> System Tools> System Restore and create a new Restore Point.
Protect Yourself in the Future!!
Click on the following tutorial and follow each step listed there:
How can I protect myself on the Internet?
And finally...Fancy joining the crusade against malware??
Click here for details on where to get anti-malware free training!!
Safe Surfing
AS
PS. Thanks for the extra kind words via PM.
Agreed....nice work.
Pity I missed those extra infections in the first place!!
Apologies.
Well done Alfonso!
Ex forum ambassador
Long term forum member