Fake Alert D
I've seen several posts on various forums about this but all suggestions have so far failed.
Blue wallpaper with white writing stating "Warning! Spyware threat detected on your PC!"
From what I've discovered it's a known virus / trojan called Fake Alert D.
Ad-Aware, Spybot and AVG are all up to date and have all been run in safe mode with system restore disabled and files and folders unhidden, including system files.
HJT log is as follows:-
Logfile of HijackThis v1.99.1
Scan saved at 18:42:12, on 06/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\sumsw32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgcc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Utilities and drivers\EXE\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~4\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130590289203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130590280703
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~4\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~4\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~4\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Would appreciate help folks, and great site by the way, 1st time I've seen it and wish I'd known about it a long time ago!!
Comments
Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
SmitFraudFix v2.104
Scan done at 20:17:37.20, 06/10/2006
Run from C:\Documents and Settings\Special Brew\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\susp.exe FOUND !
C:\WINDOWS\yod.htm FOUND !
C:\WINDOWS\ZServ.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\lfd.dat FOUND !
C:\WINDOWS\system32\oiso.bin FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\sumsw32.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !
C:\WINDOWS\system32\wstart.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Special Brew
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Special Brew\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SPECIA~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
HJT log is as follows:-
Logfile of HijackThis v1.99.1
Scan saved at 13:27:29, on 07/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~4\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~4\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Utilities and drivers\EXE\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~4\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130590289203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130590280703
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~4\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~4\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~4\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
rapport.txt is:-
SmitFraudFix v2.104
Scan done at 13:23:11.51, 07/10/2006
Run from C:\Documents and Settings\Special Brew\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\yod.htm Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\dailytoolbar.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\sumsw32.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\wstart.dll Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
If you're ever in Guildford m8 I owe you a pint or two
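The two HijackThis logs in this thread get compared by eye: the helper looks for O2 BHO entries with "(no file)", O4 Run keys and running processes that launch an unknown executable out of system32, and O20 Winlogon Notify DLLs that don't belong, then checks the post-clean log to see that those lines are gone. The script below does that mechanically. It is an added example, not a tool from this thread or from the SmitfraudFix/HijackThis authors; the allowlists of Windows XP images and Notify DLLs are my assumptions, and the two embedded logs are condensed excerpts of the before/after logs posted above.

```python
"""Mechanical triage of HijackThis 1.99-style logs (added example, not a tool from this thread).
flag_entries(): processes and O4 Run entries that start an unknown image out of system32,
O2 BHO registrations with "(no file)", and O20 Winlogon Notify DLLs outside an allowlist.
diff_logs(): R/O lines that vanished or appeared between two logs (the post-clean check).
The allowlists are assumptions for this example, not anything the thread states."""
from __future__ import annotations
import re

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")              # "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")                                # "Running processes" lines
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$")    # command after [name]
NOTIFY_RE = re.compile(r"^Winlogon Notify: \S+ - (.*)$")

# Assumed allowlists: core XP images that belong in system32; Notify DLLs of a clean XP SP2.
WINDOWS_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "wuauclt.exe",
                    "rundll32.exe", "wgatray.exe"}
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "wlnotify.dll", "crypt32.dll", "cryptnet.dll",
                     "cscdll.dll", "sclgntfy.dll"}


def parse_log(text: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (running process paths, [(section, body), ...]) for one log."""
    procs, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            entries.append((m.group(1), m.group(2)))
        elif PATH_RE.match(line) and not entries:      # process list precedes the entries
            procs.append(line)
    return procs, entries

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()

def _image(command: str) -> str:
    """Image of a Run command: the quoted path, else the first whitespace-delimited token."""
    command = command.strip()
    return command[1:command.find('"', 1)] if command.startswith('"') else command.split(None, 1)[0]

def flag_entries(log: str) -> list[tuple[str, str]]:
    """[(item, reason), ...] for the lines a helper would ask about first."""
    procs, entries = parse_log(log)
    # an O23 service line accounts for its own binary even when that lives in system32
    service_images = {_basename(body.rsplit(" - ", 1)[-1]) for sec, body in entries if sec == "O23"}
    out = []
    for p in procs:
        if _in_system32(p) and _basename(p) not in WINDOWS_SYSTEM32 | service_images:
            out.append((p, "process running from system32: not a known Windows image or listed service"))
    for sec, body in entries:
        if sec == "O2" and body.endswith("(no file)"):
            out.append((body, "orphaned BHO registration: CLSID with no backing file"))
        elif sec == "O4" and (m := RUN_RE.match(body)):
            img = _image(m.group(1))
            if _in_system32(img) and _basename(img) not in WINDOWS_SYSTEM32:
                out.append((body, "Run key starts an unknown executable out of system32"))
        elif sec == "O20" and (m := NOTIFY_RE.match(body)):
            if _basename(m.group(1)) not in KNOWN_NOTIFY_DLLS:
                out.append((body, "Winlogon Notify DLL outside the allowlist"))
    return out

def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(lines removed, lines added) between two logs, ignoring the process list."""
    old = {f"{s} - {b}" for s, b in parse_log(before)[1]}
    new = {f"{s} - {b}" for s, b in parse_log(after)[1]}
    return sorted(old - new), sorted(new - old)

# Condensed excerpts of the two logs posted above (before and after SmitfraudFix).
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\sumsw32.exe
C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~4\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""
AFTER_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~4\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

if __name__ == "__main__":
    for item, reason in flag_entries(BEFORE_LOG):
        print(f"FLAG  {reason}\n      {item}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"after clean: {len(removed)} lines gone, {len(added)} new, {len(flag_entries(AFTER_LOG))} still flagged")
```

On the excerpt above it flags sumsw32.exe (running from system32 with no Run key or service explaining it, which is why neither AVG nor the first HJT log made it obvious), the orphaned BHO and the two Run keys, and nothing on the post-clean log; the diff shows those three entries gone and only the O&O Defrag service new. Anything flagged is a question to ask, not a file to delete: a rundll32 or vendor entry outside the allowlist just means the allowlist needs extending for that box.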
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
Close ewido anti-spyware and reboot your computer into Safe Mode.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
Report is:-
AVG Anti-Spyware - Scan Report
+ Created at: 16:33:32 08/10/2006
+ Scan result:
HKU\S-1-5-21-527237240-1993962763-725345543-1003\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Ned\Local Settings\Temp\ddxgb.sys -> Backdoor.Genlot.DX : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mxzevorr.exe -> Downloader.VB.anw : Cleaned with backup (quarantined).
:mozilla.270:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.171:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.172:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.173:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.174:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.175:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.177:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.178:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.179:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.40:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.41:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.42:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.43:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.44:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.45:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.46:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.47:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.48:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.238:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.239:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.147:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.148:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.14:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.201:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.204:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.205:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Adviva : Cleaned.
:mozilla.15:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.144:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.81:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.133:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.285:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.93:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.82:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.84:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.85:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.31:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.222:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.223:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.33:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Ned\Cookies\ned@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.23:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.195:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.150:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.151:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.212:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.74:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.75:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.8:C:\Documents and Settings\Administrator.SKI-K1J1180WR0V.004\Application Data\Mozilla\Firefox\Profiles\mz3plwsw.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.99:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Special Brew\Cookies\special brew@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.100:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.95:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.96:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.97:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.98:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.292:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.49:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Special Brew\Cookies\special brew@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.20:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.21:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.198:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.197:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.208:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.209:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.210:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.211:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.165:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.26:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.27:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Ned\Cookies\ned@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.29:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.30:C:\Documents and Settings\Ned\Application Data\Mozilla\Firefox\Profiles\lun8j09k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
::Report end
Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols3.shtml
Scanning Report
Sunday, October 08, 2006 19:10:35 - 20:22:28
Computer name: NEDSTARL
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 5 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
Statistics
Scanned:
Files: 62156
System: 4130
Not scanned: 422
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\ABetterInternet1.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\ABetterInternet2.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\ABetterInternet3.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\ABetterInternet4.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess1.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess2.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess3.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess4.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess5.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess6.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess7.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess8.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Admess9.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa1.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa10.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa11.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa12.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa13.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa14.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa15.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa16.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa17.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa18.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa19.zip\sbRecovery.reg
C:\Documents and Settings\Special Brew\Application Data\Spybot - Search & Destroy\Recovery\Alexa2.zip\sbRecovery.reg
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-06
F-Secure Libra: 2.4.1, 2006-10-06
F-Secure Orion: 1.2.37, 2006-10-08
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-29
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Scan inside archives
Use Advanced heuristics
You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan".
When finished scanning, click on "click here to export the scan report".
Save it to your desktop; at "file name" type in "bdscan", then click save.
Please attach the bdscan.html file to your next post along with a new HijackThis log.