tippoff

Virus Acquired Through MSN [RESOLVED]


...it was the link in MSN that I clicked.

It was something like 'i hope this isn't you: [link]'.

So now my computer:

-keeps sending the link to everyone in my contacts list every time I log onto MSN.

-won't let me system restore.

-can't access sites like Symantec or online scans

-antivirus program (Norton) can't find it

-won't let me uninstall MSN

-keeps changing back settings every time I try to view hidden files and folders

Help, please?

Anyway, here's what I got (ran in Safe Mode):

Logfile of HijackThis v1.99.1

Scan saved at 8:04:45 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s.....amp;N=EM&O= I

F3 - REG:win.ini: load=C:\WINDOWS\system32\qobizxnts\winlogon.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\qobizxnts\winlogon.exe

O1 - Hosts: 1.1.1.1 f-secure.com

O1 - Hosts: 1.1.1.1 www.f-secure.com

O1 - Hosts: 1.1.1.1 ftp.f-secure.com

O1 - Hosts: 1.1.1.1 ftp.sophos.com

O1 - Hosts: 1.1.1.1 liveupdate.symantec.com

O1 - Hosts: 1.1.1.1 customer.symantec.com

O1 - Hosts: 1.1.1.1 dispatch.mcafee.com

O1 - Hosts: 1.1.1.1 download.mcafee.com

O1 - Hosts: 1.1.1.1 rads.mcafee.com

O1 - Hosts: 1.1.1.1 mast.mcafee.com

O1 - Hosts: 1.1.1.1 my-etrust.com

O1 - Hosts: 1.1.1.1 www.my-etrust.com

O1 - Hosts: 1.1.1.1 nai.com

O1 - Hosts: 1.1.1.1 www.nai.com

O1 - Hosts: 1.1.1.1 networkassociates.com

O1 - Hosts: 1.1.1.1 secure.nai.com

O1 - Hosts: 1.1.1.1 securityresponse.symantec.com

O1 - Hosts: 1.1.1.1 service1.symantec.com

O1 - Hosts: 1.1.1.1 sophos.com

O1 - Hosts: 1.1.1.1 www.sophos.com

O1 - Hosts: 1.1.1.1 support.microsoft.com

O1 - Hosts: 1.1.1.1 symantec.com

O1 - Hosts: 1.1.1.1 www.symantec.com

O1 - Hosts: 1.1.1.1 update.symantec.com

O1 - Hosts: 1.1.1.1 updates.symantec.com

O1 - Hosts: 1.1.1.1 us.mcafee.com

O1 - Hosts: 1.1.1.1 vil.nai.com

O1 - Hosts: 1.1.1.1 viruslist.com

O1 - Hosts: 1.1.1.1 www.viruslist.com

O1 - Hosts: 1.1.1.1 grisoft.com

O1 - Hosts: 1.1.1.1 www.grisoft.com

O1 - Hosts: 1.1.1.1 free.grisoft.com

O1 - Hosts: 1.1.1.1 trendmicro.com

O1 - Hosts: 1.1.1.1 housecall.trendmicro.com

O1 - Hosts: 1.1.1.1 www.trendmicro.com

O1 - Hosts: 1.1.1.1 pandasoftware.com

O1 - Hosts: 1.1.1.1 www.pandasoftware.com

O1 - Hosts: 1.1.1.1 usa.kaspersky.com

O1 - Hosts: 1.1.1.1 ewido.net

O1 - Hosts: 1.1.1.1 www.ewido.net

O1 - Hosts: 1.1.1.1 zonelabs.com

O1 - Hosts: 1.1.1.1 www.zonelabs.com

O1 - Hosts: 1.1.1.1 bitdefender.com

O1 - Hosts: 1.1.1.1 www.bitdefender.com

O1 - Hosts: 1.1.1.1 download.bitdefender.com

O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com

O1 - Hosts: 1.1.1.1 spywareinfo.com

O1 - Hosts: 1.1.1.1 www.spywareinfo.com

O1 - Hosts: 1.1.1.1 merijn.org

O1 - Hosts: 1.1.1.1 www.merijn.org

O1 - Hosts: 1.1.1.1 sysinternals.com

O1 - Hosts: 1.1.1.1 www.sysinternals.com

O1 - Hosts: 1.1.1.1 onguardonline.gov

O1 - Hosts: 1.1.1.1 www.onguardonline.gov

O1 - Hosts: 1.1.1.1 avast.com

O1 - Hosts: 1.1.1.1 www.avast.com

O1 - Hosts: 1.1.1.1 safety.live.com

O1 - Hosts: 1.1.1.1 www.paretologic.com

O1 - Hosts: 1.1.1.1 paretologic.com

O1 - Hosts: 1.1.1.1 virusscan.jotti.org

O1 - Hosts: 1.1.1.1 services.google.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2C4F57F2-7633-42E3-8D33-529F0491ABFC} - C:\WINDOWS\system32\fccaw.dll (file missing)

O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: winlogon.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {9B14B03A-B482-45C3-BE37-5B7CAA8B0B5D} (QBH Control) - http://hsearch.nayio.com/download/QBH.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: winpcn32 - winpcn32.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

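As an added example (not part of this thread and not code from any of the tools mentioned in it), a small Python triage script that reads HijackThis-style lines and flags the patterns visible in the log above: O1 hosts entries that redirect security-vendor domains, win.ini load=/run= entries pointing at a look-alike winlogon.exe outside its real directory, Startup shortcuts named after system binaries, and orphaned Winlogon Notify entries. The vendor-domain list, the system-binary names and the sample log lines are constructed from this thread and are illustrative only.

```python
import re
from dataclasses import dataclass

# Security-vendor / update domains that the hosts-file hijack in the log above
# redirected to 1.1.1.1. Built from that log for illustration; not exhaustive.
VENDOR_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "nai.com",
    "trendmicro.com", "kaspersky.com", "grisoft.com", "avast.com",
    "bitdefender.com", "pandasoftware.com", "zonelabs.com", "ewido.net",
    "sysinternals.com", "merijn.org", "viruslist.com", "microsoft.com",
    "safety.live.com", "jotti.org", "spywareinfo.com", "my-etrust.com",
)

# Stems of genuine Windows binaries that malware borrows as file names so a
# rogue copy blends into process and startup listings (constructed list).
SYSTEM_BINARY_STEMS = {"winlogon", "csrss", "lsass", "svchost", "services", "smss"}

# Where the genuine copies live (lower-cased, no trailing backslash).
LEGIT_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
F3_RE = re.compile(r"^F3 - REG:win\.ini:\s+(load|run)=(.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?:Global )?Startup:\s+(\S+)", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify:\s+(\S+)\s+-\s+(.*)$", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code the line came from
    severity: str  # "high", "medium" or "low"
    detail: str


def _is_vendor_host(host: str) -> bool:
    """True if host is (a subdomain of) a security-vendor domain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def _split_path(path: str):
    """Return (parent_dir, file_stem) of a Windows path, lower-cased."""
    p = path.strip().strip('"').lower()
    parent, _, name = p.rpartition("\\")
    return parent, name.rsplit(".", 1)[0]


def _impersonates_system_binary(path: str) -> bool:
    """A system-binary name living outside the real system directories."""
    parent, stem = _split_path(path)
    return stem in SYSTEM_BINARY_STEMS and parent not in LEGIT_SYSTEM_DIRS


def analyze(lines):
    """Scan HijackThis-style lines and return the suspicious ones as Findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O1_RE.match(line):
            addr, host = m.groups()
            if _is_vendor_host(host):
                findings.append(Finding("O1", "high",
                    f"hosts file sends {host} to {addr}; blocks AV updates/downloads"))
        elif m := F3_RE.match(line):
            key, value = m.groups()
            # win.ini load=/run= is a legacy autostart that is normally empty;
            # a look-alike winlogon.exe in a random folder is a strong signal.
            sev = "high" if _impersonates_system_binary(value) else "medium"
            findings.append(Finding("F3", sev, f"win.ini {key}={value.strip()}"))
        elif m := O4_RE.match(line):
            entry = m.group(1)
            if _split_path(entry)[1] in SYSTEM_BINARY_STEMS:
                findings.append(Finding("O4", "high",
                    f"Startup shortcut named like a system binary: {entry}"))
        elif m := O20_RE.match(line):
            name, target = m.groups()
            if "(file missing)" in target.lower():
                findings.append(Finding("O20", "low",
                    f"Winlogon Notify '{name}' points at a missing DLL (orphaned entry)"))
    return findings


def count_by_section(findings):
    """Number of findings per HijackThis section, for a quick summary."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a handful of lines modelled on the first log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 127.0.0.1 localhost
F3 - REG:win.ini: load=C:\WINDOWS\system32\qobizxnts\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\qobizxnts\winlogon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: MsnVirRem.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:6}] {f.section:4} {f.detail}")
    print(count_by_section(results))
```

Lines the script does not recognise (the Symantec O4 Run entry, the NavLogon entry with a present file) are left alone; a defender would review those by hand rather than trust a short allow-list.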

Hi tippoff, welcome to Besttechie! I'm Ryan, and I'll be helping you clean your computer.

You will want to print out a copy of these instructions to follow while you complete this procedure.

1. Please download hosts.zip

  • Extract the contents of hosts.zip by doing the following:
    1. Right-click on hosts.zip and select Extract All. The Extraction Wizard will open.
    2. Click Next, followed by Next again.
    3. When it has finished extracting (should take one or two seconds), click on Finish.

    A folder with the extracted items will open.
  • Double-click on mvps.bat to run it. A black box will suddenly open and close; this is normal.
  • If any windows open alerting you of a change in your hosts file, please allow them; this is expected.

Note: If you have added any custom entries to your HOSTS file, you will need to add them again.

2. Please Download MsnVirRem.exe to your desktop from one of the following mirrors.

  • First close any other programs you have running, as this will require a reboot.
  • Double-click MsnVirRem.exe to run it.
  • Once open, click the button labelled "Search and Destroy".
    <<Your computer will now be scanned for Infected Files>>
  • When scanning is finished you will be prompted to reboot only if infected; click OK.
  • Now click the "REBOOT" button.
  • After the reboot, you WILL receive file not found errors (usually 4); please acknowledge them and continue.
  • A message should pop up from MsnVirRem; if not, double-click the program again and it will finish.

3. Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

In your next reply, please post the SmitFraudFix report, the report from MsnVirRem (found at C:\msnvirrem.log), and a new HiJackThis log.

-Ryan


SmitFraud report:

SmitFraudFix v2.137

Scan done at 22:30:46.83, Sat 01/27/2007

Run from C:\Documents and Settings\janine\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

C:\WINDOWS\system32\components\flx?.dll FOUND !

C:\WINDOWS\system32\components\flx??.dll FOUND !

C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\janine

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\janine\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\janine\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

MsnVirRem report:

MsnVirRem Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\janine\Desktop

1/27/2007

10:26:07 PM

---Infection Files Found---

C:\WINDOWS\system32\taskkill.com

C:\WINDOWS\system32\netstat.com

Rebooting...

Fixing Registry Permissions...

Editing Registry...

Fixing Host File...

**Fix Complete!**

New HiJackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 10:32:47 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;N=EM&O=I

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2C4F57F2-7633-42E3-8D33-529F0491ABFC} - C:\WINDOWS\system32\fccaw.dll (file missing)

O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: winlogon.lnk = ?

O4 - Global Startup: MsnVirRem.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {9B14B03A-B482-45C3-BE37-5B7CAA8B0B5D} (QBH Control) - http://hsearch.nayio.com/download/QBH.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: winpcn32 - winpcn32.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


OK, it looks like it took care of the MSN issue, but there are still a few things left to do.

You will want to print out a copy of these instructions to follow while you complete this procedure.

1. Please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

2. Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post the contents of the SmitFraudFix report, the results of vundoFix (found at C:\vundofix.txt) and a new HiJackThis log.

-Ryan


SmitFraudFix report:

SmitFraudFix v2.137

Scan done at 22:48:00.69, Sat 01/27/2007

Run from C:\Documents and Settings\janine\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted

C:\WINDOWS\system32\components\flx?.dll Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

vundoFix results:

VundoFix V6.3.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 10:54:35 PM 1/27/2007

Listing files found while scanning....

C:\Documents and settings\janine\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt

C:\Documents and settings\janine\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt

C:\WINDOWS\system32\fccaw.dll

C:\WINDOWS\system32\waccf.bak2

C:\WINDOWS\system32\waccf.ini

C:\WINDOWS\system32\waccf.ini2

C:\WINDOWS\system32\waccf.tmp

Beginning removal...

Attempting to delete C:\Documents and settings\janine\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt

C:\Documents and settings\janine\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\janine\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt

C:\Documents and settings\janine\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\WINDOWS\system32\waccf.bak2

C:\WINDOWS\system32\waccf.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\waccf.ini

C:\WINDOWS\system32\waccf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\waccf.ini2

C:\WINDOWS\system32\waccf.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\waccf.tmp

C:\WINDOWS\system32\waccf.tmp Has been deleted!

Performing Repairs to the registry.

Done!

New HiJackThis Log:

Logfile of HijackThis v1.99.1

Scan saved at 11:16:34 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;N=EM&O=I

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2C4F57F2-7633-42E3-8D33-529F0491ABFC} - C:\WINDOWS\system32\fccaw.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: winlogon.lnk = ?

O4 - Global Startup: MsnVirRem.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {9B14B03A-B482-45C3-BE37-5B7CAA8B0B5D} (QBH Control) - http://hsearch.nayio.com/download/QBH.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: winpcn32 - winpcn32.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

-Ryan


Report.txt:

SDFix: Version 1.63

Sat 01/27/2007 - 23:36:17.84

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\janine\Desktop\SDFix\SDFix

Safe Mode:

Checking Services:

Name:

Path:

Restoring Windows Registry Entries

Restoring Default Hosts File

Rebooting...

Normal Mode:

Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\janine\Start Menu\Programs\Startup\winlogon.lnk - Deleted

C:\WINDOWS\system32\NeroCheck.exe - Deleted

ADS Check:

C:\WINDOWS\system32

No streams found.

Final Check:

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"

"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"

"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:

---------------

Backups Folder: - C:\DOCUME~1\janine\Desktop\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\ntdetect.com

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000

C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest

C:\WINDOWS\SYSTEM32\logonui.exe.manifest

C:\WINDOWS\SYSTEM32\qobizxnts\winlogon.exe

C:\IO.SYS

C:\MSDOS.SYS

C:\WINDOWS\All Users\DRM\Cache\Indiv01.tmp

C:\WINDOWS\SYSTEM32\vwisnrcn.tmp

Finished

New HiJackThis Log:

Logfile of HijackThis v1.99.1

Scan saved at 11:45:49 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SYSTEM32\notepad.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;N=EM&O=I

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2C4F57F2-7633-42E3-8D33-529F0491ABFC} - C:\WINDOWS\system32\fccaw.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: MsnVirRem.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {9B14B03A-B482-45C3-BE37-5B7CAA8B0B5D} (QBH Control) - http://hsearch.nayio.com/download/QBH.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: winpcn32 - winpcn32.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


1. Open HijackThis and scan. When it finishes, put an X in the box next to the following item(s):

O2 - BHO: (no name) - {2C4F57F2-7633-42E3-8D33-529F0491ABFC} - C:\WINDOWS\system32\fccaw.dll (file missing)

O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: winpcn32 - winpcn32.dll (file missing)

Close all open windows except for HijackThis and click Fix checked.

Reboot your computer.

2. Please go HERE to run Panda's ActiveScan. You will need to use Internet Explorer to run it.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please rescan with HijackThis and post a fresh log, along with the results from the Panda ActiveScan, in this same topic, and let us know how your system's working. :)

-Ryan
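The four entries ticked above share one pattern: a load point (BHO or Winlogon Notify) whose DLL is already gone or has no usable path. As an added example that is not part of the original thread or of HijackThis itself, the script below applies that narrow triage rule to lines copied from the logs posted here, so a defender reviewing a HijackThis log can pull out leftover hooks without reading every line; the rule set and all function names are my own.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis v1.99.1 logs posted in this thread: the four
# entries the helper asked to have fixed, plus benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2C4F57F2-7633-42E3-8D33-529F0491ABFC} - C:\WINDOWS\system32\fccaw.dll (file missing)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: fccaw - C:\WINDOWS\system32\fccaw.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winpcn32 - winpcn32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "Onn - body" is the HijackThis line shape; R and F lines use the same layout.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# HijackThis appends this when the registry entry names a file it cannot find.
MISSING = re.compile(r"\((?:file missing|no file)\)\s*$")
# Load-point sections where a dangling reference is worth removing. O9 is left
# out on purpose: "(no file)" on an Extra button is common and was not ticked.
HOOK_SECTIONS = {"O2", "O20", "O21"}


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(text):
    """Yield (section, body) for every well-formed HijackThis line."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def notify_target(body):
    """'Winlogon Notify: <subkey> - <dll>' -> '<dll>' (empty if absent)."""
    _, sep, target = body.partition(" - ")
    return target.strip() if sep else ""


def triage(text):
    """Return the entries a reviewer would tick in HijackThis, with reasons."""
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if section in HOOK_SECTIONS and MISSING.search(body):
            findings.append(Finding(section, line,
                "load point references a file that no longer exists"))
        elif section == "O20":
            target = notify_target(body)
            # A Notify DLL value must name a file; an empty value or a bare
            # directory (as with NavLogon above) cannot be a working package.
            if not target or target.endswith("\\"):
                findings.append(Finding(section, line,
                    "Winlogon Notify entry names a directory, not a DLL"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```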


My system's working fine now, thanks!

New HiJackThis Log:

Logfile of HijackThis v1.99.1

Scan saved at 1:39:08 AM, on 1/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\SYSTEM32\SOL.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;N=EM&O=I

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: MsnVirRem.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9B14B03A-B482-45C3-BE37-5B7CAA8B0B5D} (QBH Control) - http://hsearch.nayio.com/download/QBH.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Panda ActiveScan Results:

Incident Status Location

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[media.fastclick.net/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.zedo.com/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.overture.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[www.burstbeacon.com/]

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.burstnet.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\enterprise\Application Data\Mozilla\Firefox\Profiles\5ze3aggt.default\cookies.txt[.advertising.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][1].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][2].txt

Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][1].txt

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][1].txt

Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][2].txt

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][1].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][2].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][2].txt

Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][2].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\enterprise\Cookies\[email protected][2].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.burstnet.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.2o7.net/]

Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.ads.addynamix.com/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.ehg.hitbox.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.hitbox.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.ehg.hitbox.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.247realmedia.com/]

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.toplist.cz/]

Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.gostats.com/]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.com.com/]

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.zedo.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.atwola.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.xiti.com/]

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.adrevolver.com/]

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.overture.com/]

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.clickbank.net/]

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.adtech.de/]

Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[citi.bridgetrack.com/]

Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.bravenet.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.888.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\janine\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\cookies.txt[.bs.serving-sys.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\janine\Cookies\[email protected][2].txt

Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\janine\Cookies\[email protected][1].txt

Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\janine\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\janine\Desktop\SDFix\SDFix\apps\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\janine\Desktop\SDFix.exe[SDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\janine\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\janine\Desktop\SmitfraudFix.zip[smitfraudFix/Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\janine\Local Settings\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\Cache\633285D9d01[smitfraudFix/Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\janine\Local Settings\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\Cache\DD0DBD66d01[C:\Documents and Settings\janine\Local Settings\Application Data\Mozilla\Firefox\Profiles\dlsnnmdw.default\Cache\DD0DBD66d01][SDFix\ap

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Meness\Application Data\Mozilla\Firefox\Profiles\nbu3nc1x.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Meness\Application Data\Mozilla\Firefox\Profiles\nbu3nc1x.default\cookies.txt[.advertising.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Meness\Application Data\Mozilla\Firefox\Profiles\nbu3nc1x.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Meness\Application Data\Mozilla\Firefox\Profiles\nbu3nc1x.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Meness\Application Data\Mozilla\Firefox\Profiles\nbu3nc1x.default\cookies.txt[.casalemedia.com/]

Virus:Trj/Killav.FD Disinfected C:\WINDOWS\SYSTEM32\qobizxnts\winlogon.exe


Congratulations, your log is CLEAN :thumbsup:

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading, UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Next, let's set a new restore point, and clear the old ones:

  • Step #1 - Create a New Restore Point
    Go to Start > Programmes > Accessories > System Tools > System Restore > Create a New Restore Point.
  • Step #2 - Flush All Previous Points
    Go to Start > Programmes > Accessories > System Tools > Disc Cleanup > "More Options" tab > Remove All But Most Recent Point.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 2 free ones available for personal use:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly.

And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.

-Ryan


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
