I'm Bod and here to help you with your Hijack This log.
Please only use this topic for your replies on this problem. Do not start another thread. The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.
I've noticed that you are using an old version of Hijack This, please download and install the latest version (v1.99.1) from http://www.spywareinfo.com/~merijn/downloads.html. Install it into your existing Hijack This folder.
Close all other windows, run Hijack This, click on "Scan" and save the log. Post this fresh log as your next reply post.
I've had a look through your log and I now have some instructions for you to follow.
Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.
Step 1 Download
SmitfraudFix from
http://siri.urz.free.fr/Fix/SmitfraudFix.zip and save the file to your desktop. Extract the content (a folder named
SmitfraudFix) to your Desktop.
Step 2 Open the
SmitfraudFix folder created in step 1 and double-click "
smitfraudfix.cmd". Please do not try to use any of the other files in the folder until instructed.
Select option "
1 - Search" by typing "
1" and pressing "
Enter" on the keyboard.
A text file will appear, which lists infected files (if present). We are only generating a report at this stage, not cleaning yet.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See
http://www.beyondlogic.org/consulting/proc...processutil.htm
Please copy/paste the content of the report generated into your next reply. The report can be found at the root of the system drive, usually at
C:\rapport.txt.
I'll check the report and get back to you with the next stage of the fix.
Hey, thanks for the response, but I'm having trouble with your instructions. I downloaded SmitfraudFix, but when I unzip it, it says process.exe file is missing. I tried to move the file from the zipped folder to the other one manually, but it didn't work. Any ideas?
Hey, so I restarted in Safe Mode and it worked fine. Here's the report:
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\hp???.tmp FOUND ! C:\WINDOWS\system32\hp????.tmp FOUND ! C:\WINDOWS\system32\ld????.tmp FOUND ! C:\WINDOWS\system32\ot.ico FOUND ! C:\WINDOWS\system32\stdole3.tlb FOUND ! C:\WINDOWS\system32\ts.ico FOUND ! C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Roy\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ROY\FAVORI~1
C:\DOCUME~1\ROY\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Security Toolbar\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll
Again, before you start, please read through these instructions and make sure that you understand them. If you are not sure about anything, post a reply in this thread with your questions. You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1 Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
The next part of this fix will be carried out in Safe Mode.
Step 2 Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option "2 - Clean" by typing "2" and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; type "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); type "Y" and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, reboot as normal.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt
Step 3 Download, install, and update the free version of Ewido Anti Malware from http://www.ewido.net/en/download/. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run Ewido for the first time, you will get a warning "Database could not be found!". Click "OK". From the main Ewido screen, click on "update" in the left menu, then click "Start update". After the update finishes, the status bar at the bottom will display "Update successful"
Click Scanner > Complete System Scan, and choose "Remove" then click "OK" for everything found. Beware of false positives, so check each item found before choosing to remove. At the end of the scan, click "Save Report". Please copy this log into your next post.
Step 4 Run Hijack This, "Scan" and post the log, together with a copy of the SmitFraudFix and Ewido logs, as a reply to this thread. I'll check it through, and get back to you.
Scan done at 10:57:23.98, Sun 06/04/2006 Run from C:\Documents and Settings\Roy\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll
+ Created on: 12:55:36 PM, 6/4/2006 + Report-Checksum: 3D94564E
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Adware.MediaMotor : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup C:\Program Files\IncrediFind -> Adware.Incredifind : Cleaned with backup C:\Program Files\IncrediFind\BHO -> Adware.Incredifind : Cleaned with backup C:\Program Files\IncrediFind\BHO\date.txt -> Adware.Incredifind : Cleaned with backup C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@com[1].txt -> TrackingCookie.Com : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup C:\Documents and Settings\Roy\Cookies\roy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\FOUND.028\FILE0200.CHK -> Trojan.Lmir.acq : Cleaned with backup
Thanks for the logs. I've now got some more instructions for you to follow.
Again, before you start, please read through these instructions and make sure that you understand them. If you are not sure about anything, post a reply in this thread with your questions. You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1 Run Hijack This, don't have any other programs open, and click "Scan". In the scan results, click on the check box for all of the following lines that are present. O4 - HKLM\..\Run: by TreeHugger, > C:\DOCUME~1\Roy\LOCALS~1\Temp\4.tmp.exe O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
Run ATF Cleaner. Click on the check box to select the following options: Windows Temp All Users Temp Temporary Internet Files Click "Empty Selected". Exit when finished.
Step 3 Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.
Your new log is clean. please post a reply to this thread on any problems you may still have with your pc.
Please also follow these instructions to keep your computer clean.
Step 1 - Microsoft Windows Update Keep Windows up to date. Click Start > All Programs > Windows Update. This will take you to the Windows Update site. Follow the instructions to download and install all of the latest critical updates. Repeat this as many times as necessary, until there are no more updates available. Reboot whenever instructed. Click Start > Control Panel > Security Centre and make sure that Automatic Updates are On.
Step 2 - Hide System Files Click Start > My Computer > Tools > Folder Options > View Tab. Un-check "Show hidden files and folders" in the Hidden files and folders section, and Select "Hide protected operating system files (recommended)" option. Click Yes > OK.
Step 3 Create a clean system restore point Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" check box, then click "Apply".
Reboot, then click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.
Step 4 - Make your Internet Explorer more secure Open Internet Explorer click Tools > Options > Security tab >Internet icon to highlight >Custom Level, then select the following options:- Change "Download signed ActiveX controls" to "Prompt" Change "Download unsigned ActiveX controls" to "Disable" Change "Initialise and script ActiveX controls not marked as safe" to "Disable" Change "Installation of desktop items" to "Prompt" Change "Launching programs and files in an IFRAME" to "Prompt" Change "Navigate sub-frames across different domains" to "Prompt" Click "OK", then Apply > OK to exit the Internet Properties page.
Step 5 - Anti Virus Software It is very important that your computer has an anti-virus software running on your machine and that it is kept up to date.
You have McAfee so make sure it is updated at least weekly, preferably daily. If your anti-virus is a trial copy or your subscription has expired, you can use one of these, both of which have a free version for home, non-networked, single user use. Grisoft AVG http://free.grisoft.com/doc/1 Avast http://www.avast.com/
Step 6 - Firewall XP SP2 includes the Windows Firewall which is enabled by default. You need to use this as a minimum, it is a very basic firewall, so you would be better off using one of these, both of which have a free version for home, non-networked, single user use. ZoneAlarm http://www.zonelabs.com/store/content/home.jsp Kerio http://www.sunbelt-software.com/Kerio.cfm
Step 8 - Spybot Search & Destroy You have Spybot Search & Destroy from http://www.safer-networking.org/en/download/index.html Enable both the TeaTimer and SD Helper options. Update this and scan your PC on a weekly basis.
Step 9 - SpywareBlaster Download and install Javacools SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html When installed, run SpywareBlaster, click "Enable All Protection", then "Download Latest Protection Updates" and follow the instructions to download and enable the latest update. SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.
Step 10 - Java Update Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7. Click the link "Download JRE 5.0 Update 7". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop. Then go back to your Desktop and double click "jre-1_5_0_07-windows-i586-p.exe" to start the install. Once you have it installed, click Start > Run, type in "appwiz.cpl" (without the quotes), and click "Enter". From the list, uninstall "J2SE Runtime Environment 5.0 Update 6".
Hopefully these will help keep your computer clean, glad I could be of assistance,
Bod99
561 Posts
0
May 30th, 2006 15:00
Hi,
I'm Bod and here to help you with your Hijack This log.
Please only use this topic for your replies on this problem. Do not start another thread. The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.
I've noticed that you are using an old version of Hijack This, please download and install the latest version (v1.99.1) from http://www.spywareinfo.com/~merijn/downloads.html. Install it into your existing Hijack This folder.
Close all other windows, run Hijack This, click on "Scan" and save the log. Post this fresh log as your next reply post.
Thanks,
Bod
Message Edited by Bod99 on 05-30-200611:28 AM
GrayRayn
10 Posts
0
May 30th, 2006 18:00
Logfile of HijackThis v1.99.1
Scan saved at 11:54:06 AM, on 5/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Roy\My Documents\Hospital\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp103.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Roy\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeBod99
561 Posts
0
May 31st, 2006 10:00
I've had a look through your log and I now have some instructions for you to follow.
Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.
Step 1
Download SmitfraudFix from http://siri.urz.free.fr/Fix/SmitfraudFix.zip and save the file to your desktop. Extract the content (a folder named SmitfraudFix) to your Desktop.
Step 2
Open the SmitfraudFix folder created in step 1 and double-click " smitfraudfix.cmd". Please do not try to use any of the other files in the folder until instructed.
Select option " 1 - Search" by typing " 1" and pressing " Enter" on the keyboard.
A text file will appear, which lists infected files (if present). We are only generating a report at this stage, not cleaning yet.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See http://www.beyondlogic.org/consulting/proc...processutil.htm
Please copy/paste the content of the report generated into your next reply. The report can be found at the root of the system drive, usually at C:\rapport.txt.
I'll check the report and get back to you with the next stage of the fix.
Thanks,
Bod
Bod99
561 Posts
0
June 1st, 2006 19:00
Hi,
Maybe the download was corrupted. Try downloading it again.
The main site is http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Mirror site http://siri.geekstogo.com/SmitfraudFix.zip
Bod
GrayRayn
10 Posts
0
June 1st, 2006 19:00
GrayRayn
10 Posts
0
June 3rd, 2006 22:00
Hey, so I restarted in Safe Mode and it worked fine. Here's the report:
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Roy\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ROY\FAVORI~1
C:\DOCUME~1\ROY\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Security Toolbar\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Thanks again!
Bod99
561 Posts
0
June 4th, 2006 14:00
Hi again,
Next stage of the fix.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
The next part of this fix will be carried out in Safe Mode.
Step 2
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option "2 - Clean" by typing "2" and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; type "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); type "Y" and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, reboot as normal.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Step 3
Download, install, and update the free version of Ewido Anti Malware from http://www.ewido.net/en/download/.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click "OK". From the main Ewido screen, click on "update" in the left menu, then click "Start update".
After the update finishes, the status bar at the bottom will display "Update successful"
Click Scanner > Complete System Scan, and choose "Remove" then click "OK" for everything found. Beware of false positives, so check each item found before choosing to remove.
At the end of the scan, click "Save Report".
Please copy this log into your next post.
Step 4
Run Hijack This, "Scan" and post the log, together with a copy of the SmitFraudFix and Ewido logs, as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
GrayRayn
10 Posts
0
June 4th, 2006 19:00
Here are my new logs:
SmitFraudFix v2.53
Scan done at 10:57:23.98, Sun 06/04/2006
Run from C:\Documents and Settings\Roy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ROY\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Security Toolbar\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 12:55:36 PM, 6/4/2006
+ Report-Checksum: 3D94564E
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Adware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup
C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup
C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup
C:\Program Files\IncrediFind -> Adware.Incredifind : Cleaned with backup
C:\Program Files\IncrediFind\BHO -> Adware.Incredifind : Cleaned with backup
C:\Program Files\IncrediFind\BHO\date.txt -> Adware.Incredifind : Cleaned with backup
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Roy\Cookies\roy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\FOUND.028\FILE0200.CHK -> Trojan.Lmir.acq : Cleaned with backup
::Report End
Logfile of HijackThis v1.98.2
Scan saved at 12:57:00 PM, on 6/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Roy\My Documents\Hospital\Hijack this!\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Roy\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Thanks again!
Bod99
561 Posts
0
June 4th, 2006 21:00
GrayRayn
10 Posts
0
June 4th, 2006 22:00
Hey, sorry about that.
Logfile of HijackThis v1.99.1
Scan saved at 4:23:26 PM, on 6/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Roy\My Documents\Hospital\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Roy\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Bod99
561 Posts
0
June 5th, 2006 14:00
Hi again,
Thanks for the logs. I've now got some more instructions for you to follow.
Again, before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
O4 - HKLM\..\Run: by TreeHugger, > C:\DOCUME~1\Roy\LOCALS~1\Temp\4.tmp.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
Click on "Fix checked".
Step 2
Download ATF Cleaner from http://www.atribune.org/ccount/click.php?id=1
Run ATF Cleaner. Click on the check box to select the following options:
Windows Temp
All Users Temp
Temporary Internet Files
Click "Empty Selected". Exit when finished.
Step 3
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
GrayRayn
10 Posts
0
June 5th, 2006 21:00
Okay, I followed your steps and here's my new log:
Logfile of HijackThis v1.99.1
Scan saved at 3:23:45 PM, on 6/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Roy\My Documents\Hospital\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB002" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeBod99
561 Posts
0
June 7th, 2006 07:00
Hi,
Your new log is clean. please post a reply to this thread on any problems you may still have with your pc.
Please also follow these instructions to keep your computer clean.
Step 1 - Microsoft Windows Update
Keep Windows up to date.
Click Start > All Programs > Windows Update. This will take you to the Windows Update site. Follow the instructions to download and install all of the latest critical updates. Repeat this as many times as necessary, until there are no more updates available. Reboot whenever instructed.
Click Start > Control Panel > Security Centre and make sure that Automatic Updates are On.
Step 2 - Hide System Files
Click Start > My Computer > Tools > Folder Options > View Tab. Un-check "Show hidden files and folders" in the Hidden files and folders section, and Select "Hide protected operating system files (recommended)" option. Click Yes > OK.
Step 3 Create a clean system restore point
Click Start > Control Panel > System > System Restore Tab and click to put a tick in the "Turn off System Restore" check box, then click "Apply".
Reboot, then click Start > Control Panel > System > System Restore Tab and click to remove the tick in the "Turn off System Restore" check box, and then click Apply > OK to create a new restore point and then close Control Panel.
Step 4 - Make your Internet Explorer more secure
Open Internet Explorer click Tools > Options > Security tab >Internet icon to highlight >Custom Level, then select the following options:-
Change "Download signed ActiveX controls" to "Prompt"
Change "Download unsigned ActiveX controls" to "Disable"
Change "Initialise and script ActiveX controls not marked as safe" to "Disable"
Change "Installation of desktop items" to "Prompt"
Change "Launching programs and files in an IFRAME" to "Prompt"
Change "Navigate sub-frames across different domains" to "Prompt"
Click "OK", then Apply > OK to exit the Internet Properties page.
Step 5 - Anti Virus Software
It is very important that your computer has an anti-virus software running on your machine and that it is kept up to date.
You have McAfee so make sure it is updated at least weekly, preferably daily. If your anti-virus is a trial copy or your subscription has expired, you can use one of these, both of which have a free version for home, non-networked, single user use.
Grisoft AVG http://free.grisoft.com/doc/1
Avast http://www.avast.com/
For more information on anti-virus programs see http://forum.malwareremoval.com/viewtopic.php?p=53#53
Step 6 - Firewall
XP SP2 includes the Windows Firewall which is enabled by default. You need to use this as a minimum, it is a very basic firewall, so you would be better off using one of these, both of which have a free version for home, non-networked, single user use.
ZoneAlarm http://www.zonelabs.com/store/content/home.jsp
Kerio http://www.sunbelt-software.com/Kerio.cfm
For more information on firewalls see http://forum.malwareremoval.com/viewtopic.php?p=56#56
Step 7 - Windows Defender
Download and install Windows Defender from http://www.microsoft.com/athome/security/spyware/software/default.mspx
Step 8 - Spybot Search & Destroy
You have Spybot Search & Destroy from http://www.safer-networking.org/en/download/index.html
Enable both the TeaTimer and SD Helper options. Update this and scan your PC on a weekly basis.
Step 9 - SpywareBlaster
Download and install Javacools SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html When installed, run SpywareBlaster, click "Enable All Protection", then "Download Latest Protection Updates" and follow the instructions to download and enable the latest update.
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.
Step 10 - Java Update
Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7.
Click the link "Download JRE 5.0 Update 7". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_07-windows-i586-p.exe" to start the install.
Once you have it installed, click Start > Run, type in "appwiz.cpl" (without the quotes), and click "Enter".
From the list, uninstall "J2SE Runtime Environment 5.0 Update 6".
Hopefully these will help keep your computer clean, glad I could be of assistance,
Bod