d-money

horrid virus


I've got this virus, SmitFraud, and it's killing me. It gives me 2 popups every 30 seconds and it's doing a bunch of other stuff. I looked it up and someone showed how to fix it for one individual, but the part where you delete the stuff from the HijackThis log was specific to his log. This guy said to download and run Killbox and delete things that way.

The things he said to delete for the one guy were:

wp.exe

wp.bmp

bsw.exe

\WINDOWS/sites.ini

Windows\popuper.exe

\system32\hhk.dll

\system32\wldr.dll

\system32\helper.exe

There were more system32 files, but you get the point. I don't know how to recognize which ones to delete from my log, so will someone show me please. I know this isn't the Hijack forum, but this is a virus, so I'll post my log here just this time.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 5:43:50 PM, on 6/19/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\COMMON~1\AOL\110351~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\110351~1\EE\AOLServiceHost.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\DOWNLO~1\MONOPO~1.EXE

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\new user\Desktop\Ipod\crack_Tunebite_v1_0_0_6_Incl_KeyGen-PARADOX.exe

C:\WINDOWS\sys2347.exe

C:\WINDOWS\sys5437.exe

C:\WINDOWS\sys2540.exe

C:\WINDOWS\sys5637.exe

C:\WINDOWS\sys5728.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\Rar$EX00.375\KillBox.exe

C:\WINDOWS\sys2734.exe

C:\WINDOWS\sys2816.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\new user\Desktop\De Smet papers\intro\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=135343

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED&from=start_pa...ype=start_page2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe

F3 - REG:win.ini: load=?????? ??????????

F3 - REG:win.ini: run= ?????? ?????????? ?????? ??????????

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\new user\Application Data\Mozilla\Profiles\default\v242990j.slt\prefs.js)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {77D457C5-0134-306F-8350-0D79EAE4EF7B} - C:\WINDOWS\System32\eoildwym.dll (file missing)

O2 - BHO: (no name) - {B81D988D-272A-421C-DC4C-5EE3D3A2A531} - C:\WINDOWS\System32\icxkqcms.dll (file missing)

O2 - BHO: (no name) - {DDF27077-9175-A5E5-D8C8-971171B04D33} - C:\WINDOWS\System32\vtvzshmi.dll (file missing)

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)

O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ZeroAdsLAS] C:\Program Files\FBM Software\ZeroAds\LAS0Ads.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103517107\EE\AOLHostManager.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sys201] C:\WINDOWS\System32\sys209.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKLM\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbarcm.dll"

O4 - HKCU\..\Run: [ZeroAds] 0

O4 - HKCU\..\Run: [Monopoly3.exe] C:\DOWNLO~1\MONOPO~1.EXE /r

O4 - HKCU\..\Run: [Ghohl] C:\WINDOWS\System32\m?iexec.exe

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Support - {525B3AD3-5962-4D2E-85FC-A04EC444D353} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O12 - Plugin for .wma: C:\Program Files\Compaq\Netscape Custom NA XP\PLUGINS\npdsplay.dll

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.124.130 (HKLM)

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4FCE7460-D289-4037-A570-4E4DED74ADC9} (WebTrackOCXX4.WebTrackOCX4) - http://www.mediatechnics.net/np5cd/files/WebTrackOCX4.CAB

O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01cd8f1aecc7eaf0a218/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: zkyethubfgtl (whatnibk6) - Unknown owner - C:\WINDOWS\System32\betdlisg6.exe

Edited by d-money


Yes, others have recently received help with this smitfraud.c problem.

 

Please understand that we do not respond to HJT logs in Spyware/Virus/Adware Forum.

 

You can, however, post your log for assistance in the HJT Forum.

 

Read the pinned post at the top of the HJT Forum for instructions. Here's the link

http://pcpitstop.invisionzone.com/index.php?showtopic=36065

 

Best Regards

 

By the way, you currently have your HJT saved in a Desktop Folder.

<<C:\Documents and Settings\new user\Desktop\De Smet papers\intro\HijackThis.exe>>

 

Please be sure to create a New Folder.... for example the following

C:\New Folder

then rename it...

C:\HighJackThis Folder

then put your HJT program into it...

C:\HighJackThis Folder\hjt.exe

 

That way when you run HJT, it will be able to SAVE the log as a backup for your future use in the event you need it later on during the fix.

 

Best Regards

 

EDIT: Whoops, looks like Y Kawika "moved" your post while I was typing, so you got over here where you need to be.

 

Still, put HJT in a folder as noted above.

Edited by dough


OK, thanks, I made a new folder... thanks for pointing that out, I didn't even realize it myself. Anyone have any ideas about this smitfraud.c virus? I just came to my PC and had 175 Mozilla windows open from the pop-ups. I have edited the registry to remove the virus but nothing changes.

Edited by d-money


Save these instructions to text where you can access them in safe mode.

 

Please download the attached smitRem.zip file, saving it to your desktop. Right click the file and extract it to its own folder on the desktop.

 

Check for updates to Spybot.

If you don't have Ad-aware 1.06 installed, please install it and check for updates.

 

http://www.lavasoft.de/support/download/

 

 

Place a shortcut to Panda Activescan on your desktop.

 

Download the DelDomains.inf file to your desktop.

 

Please download the trial version of ewido security suite. Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.

 

Either reboot and repeatedly tap F8 to enable the start menu, then select safe mode, or go to start>run and type msconfig, then hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Log on to your user account.

 

 

Scan again with HijackThis, place a check next to the following entries, close all other windows and click fix.

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=135343

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED&from=start_pa...ype=start_page2

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe

F3 - REG:win.ini: load=??? ??? ??? ? ? ?????

F3 - REG:win.ini: run= ??? ??? ??? ? ? ????? ??? ??? ??? ? ? ?????

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

O2 - BHO: (no name) - {77D457C5-0134-306F-8350-0D79EAE4EF7B} - C:\WINDOWS\System32\eoildwym.dll (file missing)

O2 - BHO: (no name) - {B81D988D-272A-421C-DC4C-5EE3D3A2A531} - C:\WINDOWS\System32\icxkqcms.dll (file missing)

O2 - BHO: (no name) - {DDF27077-9175-A5E5-D8C8-971171B04D33} - C:\WINDOWS\System32\vtvzshmi.dll (file missing)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)

O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [sys201] C:\WINDOWS\System32\sys209.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbarcm.dll"

O4 - HKCU\..\Run: [ZeroAds] 0

O4 - HKCU\..\Run: [Monopoly3.exe] C:\DOWNLO~1\MONOPO~1.EXE /r

O4 - HKCU\..\Run: [Ghohl] C:\WINDOWS\System32\m?iexec.exe

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.124.130 (HKLM)

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O23 - Service: zkyethubfgtl (whatnibk6) - Unknown owner - C:\WINDOWS\System32\betdlisg6.exe

 

After clicking fix and before closing HijackThis, click the config button, then the Delete an NT Service button. Paste or type in whatnibk6 then click OK. Do NOT allow a reboot! Close HijackThis.

 

 

Click start>run and type cmd to open a command prompt window. Open these saved instructions and copy the first command below, then paste it in the command window and click OK. Then do the others one at a time. Close the command window when done.

 

attrib -h -r -s c:\windows\system32\init32ym.exe

 

del c:\windows\system32\init32ym.exe

 

attrib -h -r -s c:\windows\system32\m?iexec.exe

 

del c:\windows\system32\m?iexec.exe

 

attrib -h -r -s c:\windows\system32\betdlisg6.exe

 

del c:\windows\system32\betdlisg6.exe

 

attrib -h -r -s c:\windows\system32\sys209.exe

 

del c:\windows\system32\sys209.exe

 

attrib -h -r -s c:\windows\sys2*.exe

 

del c:\windows\sys2*.exe

 

attrib -h -r -s c:\windows\sys5*.exe

 

del c:\windows\sys5*.exe

 

 

Delete the folder Internet Optimizer in C:\Program Files

 

 

Right-click on the deldomains.inf file and select Install.

 

Open the control panel, then the Java Plug-in. Click the cache tab then clear. Click OK and close the Java console.

 

 

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

 

 

Open Spybot and run a scan. Fix all it finds.

Run Ad-aware in full scan mode. Fix all it finds.

 

 

Open Ewido Security Suite

  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine

While the scan is in progress you will be prompted to clean files; click OK.

 

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

  • Click Save report
  • Save the report to your desktop

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

 

Reboot back into Windows and click the Panda Activescan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log.

 

Open Add/Remove programs in the control panel, then uninstall Java Runtime Environment (JRE). Go to the Sun Java Website and update your JRE. Current is 1.4.2_08

 

 

Post the ActiveScan log, the Ewido log and a new HijackThis log. Let us know if any problems persist.

Edited by noahdfear

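The poster's original question (how to tell which entries in a HijackThis log need fixing) and the fix list in the reply above both come down to a handful of recurring patterns: an extra executable chained onto the Explorer shell in system.ini, BHO/toolbar registrations whose file is gone, autorun targets with generated names such as sys209.exe or an unprintable character, sites pushed into IE's Trusted Zone or a protocol mapped to the wrong zone, and a service with no vendor. The following Python script is an added example, not code from this thread, from PC Pitstop or from HijackThis itself: it parses HJT-format lines and flags the ones matching those patterns so a human reviewer can confirm them. The sample log is constructed from lines quoted in this thread (both clean vendor entries and the ones the helper listed), and the heuristics are assumptions based on that fix list, not a verdict on any entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis v1.99.1-style lines modelled on entries quoted in
# this thread (clean vendor entries mixed with the ones the helper asked to fix).
# It is not the poster's full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED
F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
F3 - REG:win.ini: load=?????? ??????????
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {77D457C5-0134-306F-8350-0D79EAE4EF7B} - C:\WINDOWS\System32\eoildwym.dll (file missing)
O4 - HKLM\..\Run: [sys201] C:\WINDOWS\System32\sys209.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Ghohl] C:\WINDOWS\System32\m?iexec.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: zkyethubfgtl (whatnibk6) - Unknown owner - C:\WINDOWS\System32\betdlisg6.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why the entry deserves a second look
    line: str     # the log line, verbatim, so it can be ticked in HJT


# Assumed triage heuristics, derived from the fix list in this thread.
_IP_URL = re.compile(r"=\s*https?://\d{1,3}(?:\.\d{1,3}){3}")
_SYS_NUM_EXE = re.compile(r"\\sys\d+\.exe\b", re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return why the line looks suspicious, or None if no rule fires."""
    sec = line.split(" - ", 1)[0].strip()
    if sec in ("R0", "R1") and _IP_URL.search(line):
        return "browser start/search page points at a bare IP address"
    if sec == "F2" and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "extra executable chained onto the Explorer shell"
    if sec == "F3" and ("load=" in line or "run=" in line):
        if line.split("=", 1)[1].strip():
            return "win.ini load/run value set (HJT shows unprintable names as '?')"
    if sec in ("O2", "O3") and ("(file missing)" in line or "(no file)" in line):
        return "BHO/toolbar registration whose file is missing"
    if sec == "O4" and "Run" in line and (_SYS_NUM_EXE.search(line) or "?" in line):
        return "autorun target with a generated or unprintable file name"
    if sec == "O15" and ("Trusted Zone" in line or "Trusted IP range" in line):
        return "site or address added to the Trusted Zone"
    if sec == "O15" and "ProtocolDefaults" in line and "should be" in line:
        return "protocol mapped to the wrong IE security zone"
    if sec == "O23" and "Unknown owner" in line:
        return "service with no vendor information"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every non-empty log line through classify() and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append(Finding(line.split(" - ", 1)[0].strip(), reason, line))
    return findings


def fix_list(log_text: str) -> List[str]:
    """The lines to tick in HijackThis, in log order, for a human to confirm."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the constructed sample flags nine of the thirteen lines and leaves the Adobe, Symantec, UserInit and ccApp entries alone; on a real log, every hit still needs a person to confirm it, since a legitimate but unsigned service also matches the "Unknown owner" rule.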

Thanks for the help... now I can't right click, use shortcuts, or access the file menu to print the instructions, and I can't save it to the desktop. lol


Can you left click and drag to highlight the instructions, then press Ctrl+C to copy, open notepad and press Ctrl+V to paste, then close and save? I would also be happy to email the instructions, then you can save the email to the desktop or wherever you want with easy access in safe mode. The downloads should remain on the desktop. Double click the zip file to begin extraction. Just add Panda ActiveScan to your Favorites and you can access it from the start menu. If still unable to right click and install the DelDomains.inf in safe mode, try again after running all the fixes.


I still have the Bloodhound.W32.EP which won't go away, but everything else is better, I think. Thanks for the help.

 

Logfile of HijackThis v1.99.1

Scan saved at 12:37:26 AM, on 6/22/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\110351~1\EE\AOLHOS~1.EXE

C:\PROGRA~1\COMMON~1\AOL\110351~1\EE\AOLServiceHost.exe

C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\new user\Application Data\Mozilla\Profiles\default\v242990j.slt\prefs.js)

O2 - BHO: (no name) - {77D457C5-0134-306F-8350-0D79EAE4EF7B} - (no file)

O2 - BHO: (no name) - {B81D988D-272A-421C-DC4C-5EE3D3A2A531} - (no file)

O2 - BHO: (no name) - {DDF27077-9175-A5E5-D8C8-971171B04D33} - (no file)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103517107\EE\AOLHostManager.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Support - {525B3AD3-5962-4D2E-85FC-A04EC444D353} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O12 - Plugin for .wma: C:\Program Files\Compaq\Netscape Custom NA XP\PLUGINS\npdsplay.dll

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4FCE7460-D289-4037-A570-4E4DED74ADC9} (WebTrackOCXX4.WebTrackOCX4) - http://www.mediatechnics.net/np5cd/files/WebTrackOCX4.CAB

O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01cd8f1aecc7eaf0a218/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\System32\msiexec.exe (file missing)

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: zkyethubfgtl (whatnibk6) - Unknown owner - C:\WINDOWS\System32\betdlisg6.exe (file missing)


Here's the other scan report... the Panda didn't show anything but I forgot to save it.

 

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 9:13:48 PM, 6/21/2005

+ Report-Checksum: CA08B4EC

 

+ Date of database: 6/21/2005

+ Version of scan engine: v3.0

 

+ Duration: 170 min

+ Scanned Files: 93049

+ Speed: 9.07 Files/Second

+ Infected files: 115

+ Removed files: 115

+ Files put in quarantine: 115

+ Files that could not be opened: 0

+ Files that could not be cleaned: 0

 

+ Binder: Yes

+ Crypter: Yes

+ Archives: Yes

 

+ Scanned items:

C:\

D:\

 

+ Scan result:

::Report End


The wininet was infected by one of the smitfraud variants. The Bloodhound.W32.EP notice is Norton's way of saying its heuristic scanning has detected an unknown virus. It may well be the wininet.dll it's flagging.

 

Copy the bold text below to notepad on two lines, just as it appears.

 

dir %Systemdrive%\wininet.dll /a /s > files.txt
start notepad files.txt

 

Close, saving it to your desktop as;

 

Filename: wininet.bat

Save as type: All Files

 

Double click to run. It will open files.txt and place a copy on the desktop. Please post the contents.

 

Then go to Windows Update and install Service Pack 2. It contains an updated wininet.dll and should replace the infected one. When done and rebooted, delete the files.txt and run the wininet.bat again, then post the new log. We'll continue with some other scans when done.

 

Is there a file in C:\Windows\system32 named Bloodhound.W32.EP?

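An added example, not the helper's wininet.bat: this batch file does the same directory search, then compares every copy of wininet.dll found on the system drive byte-for-byte against the Windows File Protection cache copy, so a helper can see at a glance which copies differ. The dllcache path and the output file name are assumptions based on a default Windows XP install.

```batch
@echo off
rem Added example, not the helper's wininet.bat: list every wininet.dll on the
rem system drive and compare each copy byte-for-byte with the copy in the
rem Windows File Protection cache. Paths assume a default Windows XP install.
setlocal
set REF=%SystemRoot%\system32\dllcache\wininet.dll
set OUT=wininet_check.txt
if not exist "%REF%" (
    echo No reference copy at %REF%; run the plain dir listing instead.
    goto :eof
)
rem Full listing first: sizes and dates are what a helper reads to spot a patched file.
dir /s /a %SystemDrive%\wininet.dll > "%OUT%" 2>&1
echo. >> "%OUT%"
echo Comparison against %REF% >> "%OUT%"
for /f "delims=" %%F in ('dir /b /s /a %SystemDrive%\wininet.dll 2^>nul') do (
    if /i not "%%F"=="%REF%" (
        rem fc /b exits 0 when identical, 1 on differences, 2 if a file could not be read
        fc /b "%%F" "%REF%" >nul 2>&1
        if errorlevel 2 (
            echo UNREADABLE %%F >> "%OUT%"
        ) else if errorlevel 1 (
            echo DIFFERS    %%F >> "%OUT%"
        ) else (
            echo MATCHES    %%F >> "%OUT%"
        )
    )
)
start notepad "%OUT%"
```

A DIFFERS line is a lead, not proof: malware that patches wininet.dll can replace the dllcache copy too, which is why the helper's advice to reinstall it from Service Pack 2 is the actual fix.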

Forgot to add, please create srvchk.bat from the text in the quote box below, save to the desktop and run it, then post the log.

 

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_zkyethubfgtl" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_zkyethubfgtl" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zkyethubfgtl" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zkyethubfgtl" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_whatnibk6" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_whatnibk6" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\whatnibk6" /s >>servchk.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\whatnibk6" /s >>servchk.txt
start notepad servchk.txt
cls

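An added example that generalises the helper's srvchk.bat and is not the thread's own code: it takes any service key name (such as whatnibk6 from the O23 line) as a parameter, queries both control sets and the LEGACY_ enum record, and then resolves ImagePath to report whether the binary is actually on disk. The script name, the output file name and the XP registry layout are assumptions.

```batch
@echo off
rem Added example that generalises the helper's srvchk.bat; it is not the thread's
rem own code. Pass the service key name from the O23 line:  svcinfo.bat whatnibk6
rem The script name, output file name and XP registry layout are assumptions.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<service key name^>
    goto :eof
)
set SVC=%~1
set OUT=svcinfo_%SVC%.txt
echo Service: %SVC% > "%OUT%"
rem Query both control sets: a key already removed from the live set can still sit
rem in ControlSet001, and the LEGACY_ entry under Enum\Root is a separate record
rem that often survives deletion of the Services key.
for %%S in (CurrentControlSet ControlSet001) do (
    echo. >> "%OUT%"
    echo === %%S === >> "%OUT%"
    reg query "HKLM\SYSTEM\%%S\Services\%SVC%" /s >> "%OUT%" 2>&1
    reg query "HKLM\SYSTEM\%%S\Enum\Root\LEGACY_%SVC%" /s >> "%OUT%" 2>&1
)
rem Resolve ImagePath and state whether the binary is on disk, which is what
rem HijackThis means by "(file missing)" on an O23 line.
set IMG=
for /f "tokens=2*" %%A in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\%SVC%" /v ImagePath 2^>nul ^| find "ImagePath"') do set IMG=%%B
if defined IMG (call :check) else (echo ImagePath: not set or service key absent >> "%OUT%")
start notepad "%OUT%"
goto :eof

:check
rem The second expansion resolves REG_EXPAND_SZ values written with SystemRoot-style
rem variables; surrounding quotes are stripped, but arguments after the path are not.
call set IMG=%IMG%
set IMG=%IMG:"=%
if exist "%IMG%" (
    echo ImagePath: %IMG%  [present] >> "%OUT%"
) else (
    echo ImagePath: %IMG%  [FILE MISSING] >> "%OUT%"
)
goto :eof
```

The LEGACY_ record is the part that is usually still present after a rogue service's Services key is gone, so an empty Services result with a populated LEGACY_ result is the pattern to look for in the output.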