Smitfraud.c and other Hijacks - log included

Unknown · April 2005

I need help with some hijacks. I got smitfraud.c and popuper.exe and many more. Ran Ad-aware and SS&D but it didn't fix these problems. Popuper.exe is annoying as it restarts automaticlaly when you kill the process so you can't delete it. Also my desktop was changed to a blue backround saying things like "fatal error" and "smitfraud.c", and I was wondering if that's a Windows thing or part of the trojan? Seems like I can't change backround (changed to black when I deleted wp.bmp and wp.exe. The desktop tab isn't there anymore). I also noticed that I have a program called Security iGuard, that's spyware too? Anyway here is my log, help is appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 14:43:07, on 2005-05-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Eset\nod32kui.exe
C:\Program\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7D022A99-F211-465A-92E2-5B160BE03D6E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D022A99-F211-465A-92E2-5B160BE03D6E} - (no file) (HKCU)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100626505912
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8EBD6DF-EE42-4F68-A856-EB538AB918E8}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Buckeye_Sam · April 2005

As you indicated, you have already deleted some of the files with this infection, but here is the standard fix. You will need to disable Spyware Guard before proceeding with this fix as it can interfer with Hijackthis.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7D022A99-F211-465A-92E2-5B160BE03D6E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D022A99-F211-465A-92E2-5B160BE03D6E} - (no file) (HKCU)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Acti...iveLauncher.cab

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\Program Files\Security IGuard

Reboot your computer to go back to normal mode.

Once you have rebooted download the following reg file to your desktop by right clicking on the link, and selecting save as.

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.

Reboot your computer and you should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit.

Reboot and post a new hijackthis log and let me know of any problems you experienced.

Kruxus · April 2005

Thanks! I can't believe how quick you guys reply!

All seems to be back to normal, at least what I can see. Found C:\Windows\popuper.pf which I read should be deleted too. Might be good to know for those with similar problems. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 16:40:12, on 2005-05-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Eset\nod32kui.exe
C:\Program\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\iPod\bin\iPodService.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100626505912
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8EBD6DF-EE42-4F68-A856-EB538AB918E8}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Buckeye_Sam · April 2005

popuper.pf is a prefetch file that can be safely deleted along with all prefetch files.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

This is a good idea to do now and then, especially after you clean up an infection.

Your log is clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
  1. Change the Download signed ActiveX controls to Prompt
  2. Change the Download unsigned ActiveX controls to Disable
  3. Change the Initialize and script ActiveX controls not marked as safe to Disable
  4. Change the Installation of desktop items to Prompt
  5. Change the Launching programs and files in an IFRAME to Prompt
  6. Change the Navigate sub-frames across different domains to Prompt
  7. When all these settings have been made, click on the OK button.
  8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Kruxus · May 2005

Hmm, since I had the virus my computer has been really slow. Starting the computer takes several times longer, and games are unplayable. Tried to defrag (while I sleep as it takes forever), but everytime the computer has been restarted before the defrag finished, waiting for a user to log in. I've turned off all screen- and power savers. Any idea what the problem could be (both the slow-down and the defrag problem)? Sorry if this is off topic.

Buckeye_Sam · May 2005

Let's double check to see if there's anything hiding.

Download mwav.exe from MicroWorld, then:

- Double-click the mwav.exe icon to run it (it'll self extract).
- When it opens, check the following:
---- Memory
---- Registry
---- Startup Folders
---- System Folders
---- Services
---- Drive
---- All local drives
---- Scan all files

- Then click on SCAN

When it completes, post back the results (copy and paste) from the 'Virus log information' pane.

Also post a new hijackthis log.

Kruxus · May 2005

mwav found quite a lot:

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\tattoopalace.exe.exe tagged as not-a-virus:RiskWare.Dialer.Intexdial.a. No Action Taken.
File C:\DOCUME~1\Kalle\LOKALA~1\Temp\temp.frEC21\sfbho.dll infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy17.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-47117d92-56a791de.zip infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-1c8eee8c.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-46498695.zip infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11cf1beb-48394d58.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-414b1463.zip infected by "Trojan-Downloader.Java.OpenStream.t" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Lokala inställningar\Temp\temp.frEC21\sfbho.dll infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
File C:\Program\INSTAFINK\InstaFinderK_inst.exe infected by "not-a-virus:AdWare.ToolBar.404Search.h" Virus. Action Taken: No Action Taken.
File C:\Program\INSTAFINK\instafink.dll infected by "not-a-virus:AdWare.ToolBar.404Search.h" Virus. Action Taken: No Action Taken.
File C:\Program\Kazaa\TopSearch.dll infected by "not-a-virus:AdWare.Altnet.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Windows SyncroAd\CComm.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\Program Files\Windows SyncroAd\WinSync.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Config\loudcs.exe infected by "not-a-virus:AdWare.WinAD.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Config\pros.exe infected by "Trojan-Downloader.Win32.Small.qd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\tattoopalace.exe.exe tagged as not-a-virus:RiskWare.Dialer.Intexdial.a. No Action Taken.

and the Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 15:43:19, on 2005-05-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\DOCUME~1\Kalle\LOKALA~1\Temp\mwavscan.com
C:\DOCUME~1\Kalle\LOKALA~1\Temp\kavss.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100626505912
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8EBD6DF-EE42-4F68-A856-EB538AB918E8}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{03F74413-4C33-4AEA-907E-B68A24934BB3}: NameServer = 81.26.226.3,81.26.229.3
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Buckeye_Sam · May 2005

Delete these files:

C:\WINDOWS\tattoopalace.exe.exe
C:\WINDOWS\Config\loudcs.exe
C:\WINDOWS\Config\pros.exe
C:\Program\INSTAFINK
C:\Program\Kazaa\TopSearch.dll
C:\Program Files\Windows SyncroAd

Please download, install, and run Cleanup 4.0
http://cleanup.stevengould.org/

Make sure you have the most current version of Java.
http://www.java.com/en/download/manual.jsp

Kruxus · May 2005

Thanks! CleanUp is a really nice program, freed 1.5 GB! Computer startup is much faster but other than that it's still pretty slow. I will do a new mwav scan a little later to see if i still got some viruses.

Kruxus · May 2005

Still it finds 17 viruses (20 last time):

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy17.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-47117d92-56a791de.zip infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-1c8eee8c.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-46498695.zip infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11cf1beb-48394d58.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-414b1463.zip infected by "Trojan-Downloader.Java.OpenStream.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018861.exe tagged as not-a-virus:RiskWare.Dialer.Intexdial.a. No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018862.exe infected by "not-a-virus:AdWare.WinAD.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018863.exe infected by "Trojan-Downloader.Win32.Small.qd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018864.dll infected by "not-a-virus:AdWare.Altnet.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018866.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018867.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018868.exe infected by "not-a-virus:AdWare.ToolBar.404Search.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FFB89D63-1570-4CFF-9ABA-1ED39E864CFD}\RP29\A0018869.dll infected by "not-a-virus:AdWare.ToolBar.404Search.h" Virus. Action Taken: No Action Taken.

Buckeye_Sam · May 2005

Flush your system restore, this will delete any restore points that you have but it will also make sure that any malware hiding in system restore will be booted off.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a
restore point" and click the Next button.

Type a description for your new restore point. Something like "After
cleanup". Click Create and you're done.

Please follow these instructions to run Adware.

Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
1. Download Ad-Aware SE Personal 1.05:
  - Download Ad-Aware SE Personal 1.05.
  - Save aawsepersonal.exe to a convenient location.
2. Install Ad-Aware SE Personal 1.05:
  - Double-click on aawsepersonal.exe to install the program.
  - Follow the default settings for installation.
  - After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
3. Update Ad-Aware SE Personal 1.05:
  - Double-click the Ad-Aware SE Personal icon on your desktop.
  - Click "Check for updates now" then click "Connect".
  - It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
4. Configure Ad-Aware SE Personal 1.05:
  - Click on the Gear button at the top of the window.
  - Click "General" on the left hand side to display the General Settings box.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      - "Automatically save logfile"
      - "Automatically quarantine objects prior to removal"
      - "Safe Mode (always request confirmation)"
      - "Prompt to update outdated definitions" - change to 7 days from the default 14.
  - Click "Scanning" on the left hand side to display the Scan Settings box.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      - "Scan within archives"
      - "Select drives & folders to scan" - select your hard drive(s).
      - "Scan active processes"
      - "Scan registry"
      - "Deep-scan registry"
      - "Scan my IE favorites for banned URLs"
      - "Scan my Hosts file"
  - Click "Advanced" on the left hand side to display the Advanced Settings box.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      - "Move deleted files to Recycle Bin"
      - "Include additional object information"
      - "Include negligible objects information"
      - "Include environment information"
  - Click "Defaults" on the left hand side to display the Default Settings box.
    - Make sure these items have your preferred settings in them.:
      - "Default homepage"
      - "Default searchpage"
  - Click "Tweak" on the left hand side to display the Tweak Settings box.
    - Click the + (plus) sign next to the Log Files section. This will expand the section.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      - "Include basic Ad-Aware settings in log file"
      - "Include additional Ad-Aware settings in log file"
      - "Include reference summary in log file"
      - "Include alternate data stream details in log file"
    - Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      - "Unload recognized processes & modules during scan"
      - "Scan registry for all users instead of current user only"
      - "Obtain command line of scanned processes"
    - Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
    - Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
      - "Always try to unload modules before deletion"
      - "During removal, unload Explorer and IE if necessary"
      - "Let Windows remove files in use at next reboot"
      - "Delete quarantined objects after restoring"
  - Once you are done with these settings, click "Proceed" to save them.
  - This will take you back to the main screen.
5. Run Ad-Aware SE Personal 1.05:
  - Click the "Start" button.
  - Uncheck the "Search for negligible risk entries" entry.
  - Choose the "Use custom scanning options" scan mode.
  - Click the "Next" button.
  - Ad-Aware will begin to scan for malware residing on your computer.
  - Allow the scan to finish.
  - Right-click on any entry in the list and click "Select All" to select the whole list.
  - Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Please run at least two of these online scans.
Make sure they are set to clean automatically:

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There may be files that these scans will not remove. Please include that information in your next post.

Reboot and post a new hijackthis log and the info from your virus scans.

Kruxus · May 2005

Here is the Panda scan.
I will do the other scans later tonight when I've got some time. I ran Adaware in with the settings you suggested but it didn't give me an option to save a log file I think. It found and cleared alexa and 3 tracker cockies though.
Anyway here's the Panda scan:

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Spyware:Spyware/Cydoor        No disinfected                C:\WINDOWS\cdmxtras                                                                                                                                                                                                                                             
Adware:Adware/SaveNow         No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\Kalle\Favoriter\Online Pharmacy                                                                                                                                                                                                       
Adware:Adware/SideFind        No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/Twain-Tech      No disinfected                C:\WINDOWS\smdat32m.sys                                                                                                                                                                                                                                         
Adware:Adware/ExactSearch     No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/Startpage.LH    No disinfected                C:\Documents and Settings\Kalle\Favoriter\Insurance\Auto Insurance.url                                                                                                                                                                                          
Adware:Adware/SearchRelevancy No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/Popuper         No disinfected                C:\Documents and Settings\Kalle\Favoriter\Home Loan.url                                                                                                                                                                                                         
Adware:Adware/Virmaid         No disinfected                Windows Registry                                                                                                                                                                                                                                                
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-47117d92-56a791de.zip[BlackBox.class]                                                                                                                     
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-47117d92-56a791de.zip[VB.class]                                                                                                                           
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-47117d92-56a791de.zip[Dummy.class]                                                                                                                        
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-47117d92-56a791de.zip[Beyond.class]                                                                                                                       
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-1c8eee8c.zip[GetAccess.class]                                                                                                                  
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-1c8eee8c.zip[InsecureClassLoader.class]                                                                                                        
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-1c8eee8c.zip[Dummy.class]                                                                                                                      
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Axel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-1c8eee8c.zip[Installer.class]                                                                                                                  
Adware:Adware/P2PNetworking   No disinfected                C:\Documents and Settings\Axel\Lokala inställningar\Temp\p2psetup.exe                                                                                                                                                                                           
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-46498695.zip[Mein.class]                                                                                                                        
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-46498695.zip[ProbeLoader.class]                                                                                                                 
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-46498695.zip[Dummy.class]                                                                                                                       
Virus:Trojan Horse            Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-440ad255-46498695.zip[Beyond.class]                                                                                                                      
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11cf1beb-48394d58.zip[GetAccess.class]                                                                                                                 
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11cf1beb-48394d58.zip[InsecureClassLoader.class]                                                                                                       
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11cf1beb-48394d58.zip[Dummy.class]                                                                                                                     
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11cf1beb-48394d58.zip[Installer.class]                                                                                                                 
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-62e1c450.zip[BlackBox.class]                                                                                                                      
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-62e1c450.zip[VerifierBug.class]                                                                                                                   
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-62e1c450.zip[Dummy.class]                                                                                                                         
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-62e1c450.zip[Beyond.class]                                                                                                                        
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-51416499.zip[BlackBox.class]                                                                                                                      
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-51416499.zip[VerifierBug.class]                                                                                                                   
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-51416499.zip[Dummy.class]                                                                                                                         
Virus:Java/ByteVerify         Disinfected                   C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-51416499.zip[Beyond.class]                                                                                                                        
Spyware:Spyware/ISTbar        No disinfected                C:\Documents and Settings\Kalle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-414b1463.zip[InstallerApplet.class]                                                                                                       
Adware:Adware/Popuper         No disinfected                C:\Documents and Settings\Kalle\Favoriter\Home Loan.url                                                                                                                                                                                                         
Adware:Adware/Startpage.LH    No disinfected                C:\Documents and Settings\Kalle\Favoriter\Insurance\Auto Insurance.url                                                                                                                                                                                          
Adware:Adware/Startpage.LH    No disinfected                C:\Documents and Settings\Kalle\Favoriter\Insurance\Health Insurance.url                                                                                                                                                                                        
Adware:Adware/Startpage.LH    No disinfected                C:\Documents and Settings\Kalle\Favoriter\Insurance\Home Insurance.url                                                                                                                                                                                          
Adware:Adware/Startpage.LH    No disinfected                C:\Documents and Settings\Kalle\Favoriter\Insurance\Travel Insurance.url                                                                                                                                                                                        
Adware:Adware/Popuper         No disinfected                C:\Documents and Settings\Kalle\Favoriter\Need Money.url                                                                                                                                                                                                        
Adware:Adware/Twain-Tech      No disinfected                C:\WINDOWS\smdat32m.sys                                                                                                                                                                                                                                         
Virus:W32/Sdbot.ftp           Disinfected                   C:\WINDOWS\system32\o                                                                                                                                                                                                                                           
Adware:Adware/Virmaid         No disinfected                C:\WINDOWS\system32\perfcii.ini

Buckeye_Sam · May 2005

Delete these files:

C:\WINDOWS\system32\perfcii.ini
C:\WINDOWS\smdat32m.sys
C:\Documents and Settings\Kalle\Favoriter\Need Money.url
C:\Documents and Settings\Kalle\Favoriter\Home Loan.url
C:\Documents and Settings\Kalle\Favoriter\Insurance\Auto Insurance.url
C:\Documents and Settings\Kalle\Favoriter\Insurance\Health Insurance.url
C:\Documents and Settings\Kalle\Favoriter\Insurance\Home Insurance.url
C:\Documents and Settings\Kalle\Favoriter\Insurance\Travel Insurance.url
C:\Documents and Settings\Kalle\Favoriter\Need Money.url
C:\Documents and Settings\Kalle\Favoriter\Online Pharmacy
C:\Documents and Settings\Axel\Lokala inställningar\Temp\p2psetup.exe

Kruxus · May 2005

Thanks but I think I give up. Formatting is the only thing that will help now I guess. Problem I have no protection, I've decided that I need something, but I don't know what to buy. There is no anitvirus program that will keep my system completely clear, no? I would really appreciate some suggestions on what programs would be worth buying, antivirus, firewall and others. And also, do you have any experience with WinTasks 5?, it sounds pretty useful.

Edit: One more thing that might be worth trying before formatting: processes.
I've got four processes all called svchost.exe running; two of them labeled as SYSTEM, one LOCAL SERVICE and the last one NETWORK SERVICE. Feels a little suspicious. Then I have a SYSTEM process called lsass.exe which I've heard is a virus. Any idea how to remove any of these ?.

Buckeye_Sam · May 2005

As much looking and scanning as we have done there is nothing that should be slowing down your system. Everything that has been found is leftover remnants of old infections. There's nothing active. svchost.exe and lsass.exe are legitimate files for your operating system and for them to show up in your running processes as you've described is perfectly normal. They are only viruses when they are running from a different location. And the virus scans would have picked up on that if they were infected.

You can format if you want, but before taking that rather extreme step I would run a good Registry cleaner like Ace Utilities or Tune-up 2004. Then make sure you defrag your hard drive, especially after removing 1.5gb of temp files. Those two steps could help speed up your computer considerably.

As for protection, I recommend AVG(link in my sig) as a free program. If you are willing to spend a few bucks check out Panda, Trend Micro, Kasperky, or Nod32.

Kruxus · May 2005

Ok thanks, I will try all the things you mentioned before I format. I've been trying to defrag (at night while I sleep as it takes so long time) but every time the defrag has been cancelled and when I get back to the computer it's back at the log-in screen. I don't know why the computer is restarted every time, I've turned off power and screen savers. Any Idea what the problem could be?

Edit: Heard that defraging in safe mode is a good idea, will do that next time.

Edit2: Ace Utilities has a feature called "wipe deleted file data" is this recommended?

Buckeye_Sam · May 2005

I would recommend defragging in Safe Mode if you have problems with it finishing.

I can't comment on that feature in Ace as I have never used it. I would check their website for more info.

Smitfraud.c and other Hijacks - log included

Comments