
Thread: Smitfraud-C/Zlobdownloader.vcd Infestation

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Default Smitfraud-C/Zlobdownloader.vcd Infestation

    I have had for several days an infestation of the above. Spybot -- S & D (running normally) shows them being removed but they are there again when you run it a second time. In the safe mode, they don't show up the second time, but reappear when in the normal mode. It seems to be morphing. I always have three entries for Smitfraud-C, but what they are changes. Just today, I have an ugly red desktop wallpaper hawking "privacy protection software".

    I downloaded SmitFraudFix v 2.274 a few days ago and ran "Search Only".

    I have followed the steps in http://forums.spybot.info/showthread.php?t=288 with the following results. Hope someone can give me some guidance with getting rid of this abomination.

    (a) HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:29:09, on 30-Dec-07
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/William%20K.%20Alverson/My%20Documents/My%20Webs/WKAHomeP/index.html
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193087558250
    O21 - SSODL: xcvwer - {DC22B0EA-AA42-4F3A-AA6A-878D3A467FC3} - C:\WINNT\xcvwer.dll
    O21 - SSODL: hjoqor - {43E0E204-AAAA-4BE3-8924-99EE63A8F905} - C:\WINNT\hjoqor.dll (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5060 bytes

    (b) Kaspersky log report

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, 29 December, 2007 15:18:01
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 29/12/2007
    Kaspersky Anti-Virus database records: 499999
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    B:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 69943
    Number of viruses found: 7
    Number of infected objects: 55
    Number of suspicious objects: 370
    Duration of the scan process: 01:56:52


    Hmmm! It wouldn't take the full thing showing that there were a total of 216,777 characters as compared to 20,000 characters max. I guess that would take a total of 22 separate posts to do. Suggestions? Anyhow, that is the beginning of the Kaspersky log.
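The two O21 SSODL lines in the HijackThis log above are the entries a helper would zero in on: DLLs with generated-looking names sitting directly in C:\WINNT, one of them already missing from disk. The script below is an added example by the editor, not part of the thread and not HijackThis code; it parses the CLSID-bearing log lines and applies three heuristics of the editor's own (DLL in the Windows root rather than system32, value name equal to a lowercase pseudo-random file stem, "(file missing)" orphan). The sample is four lines copied from the log plus one constructed benign WebCheck entry so the heuristics have something to pass.

```python
"""Triage of HijackThis O2/O21 entries (BHOs and ShellServiceObjectDelayLoad
handlers).  Added example by the editor, not part of the thread and not
HijackThis code; the three heuristics are the editor's own and are tuned to
a Windows 2000/XP-era log like the one above."""
import re

# Constructed sample: four lines copied from the log in post #1 plus one
# benign SSODL entry (WebCheck) that a clean system normally carries.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O21 - SSODL: xcvwer - {DC22B0EA-AA42-4F3A-AA6A-878D3A467FC3} - C:\\WINNT\\xcvwer.dll
O21 - SSODL: hjoqor - {43E0E204-AAAA-4BE3-8924-99EE63A8F905} - C:\\WINNT\\hjoqor.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\\WINNT\\system32\\webcheck.dll
"""

# Only entries that carry a CLSID (O2, O3, O9, O21 ...) have this shape;
# O4 Run-key lines are not parsed here.
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A DLL sitting directly in the Windows directory (C:\WINNT\x.dll), not in a
# subdirectory such as system32.
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)
# Lowercase letters only, 5-8 long: the shape of the generated names in this log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


def parse_entries(log_text):
    """Return one dict per parseable line: section, kind, name, clsid, path, missing."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["missing"] = entry["missing"] is not None
            entries.append(entry)
    return entries


def reasons_for(entry):
    """List the heuristics an entry trips; an empty list means nothing seen."""
    reasons = []
    path = entry["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry["section"] == "O21" and WINDOWS_ROOT_RE.match(path):
        reasons.append("SSODL handler loaded from the Windows root, not system32")
    if RANDOM_NAME_RE.match(stem) and entry["name"] == stem:
        reasons.append("pseudo-random lowercase name reused as the registry value name")
    if entry["missing"]:
        reasons.append("registry entry survives but its DLL is gone (orphan of a partial clean-up)")
    return reasons


def triage(log_text):
    """Map each suspicious path to the reasons it was flagged."""
    result = {}
    for entry in parse_entries(log_text):
        reasons = reasons_for(entry)
        if reasons:
            result[entry["path"]] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the two C:\WINNT DLLs come back; the Adobe and Spybot BHOs and the system32 WebCheck handler pass. The name heuristic is deliberately weak on its own (a short lowercase vendor name would trip it), which is why it is reported alongside the location and file-missing signals rather than used as a verdict.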

  2. #2
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    Can you please post the SmitfraudFix report? It can be found here: C:\rapport.txt.

    Let's try this to make the Kaspersky Online Scan report shorter:

    Please download FixEdit.

    • Double-click on FixEdit.exe to open the program.
    • Go to File > Open, select the Kaspersky Online Scan report and click on Open.
    • Click on the Make Global Changes tab.
    • In the upper part (red lines), select Does NOT Contain the Test Key anywhere.
    • In the Test Key Text box, enter the text in the quotebox below:

      Code:
      Object is locked skipped
    • Make sure Retain only the lines that pass the Test Parameter, Discard the Rest is checked.
    • Click OK.
    • Now, click on the Show/Edit Current Text tab. Your Kaspersky Online Scan report should be a lot shorter now. Go to File > SaveAs and save the file to your desktop.
    • Please post the contents of that file in your next reply, along with the SmitfraudFix report (C:\rapport.txt) and a new HijackThis log.

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Default smitfraudfix log

    Thanks, the smitfraudfix log is posted below. This is several days old by now.

    I will work on the other instructions in your last post and post again with the results.

    SmitFraudFix v2.274

    Scan done at 20:08:15.48, Sun 30-12-2007
    Run from C:\Buffer1\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINNT\system32\cmd.exe

    hosts

    hosts file corrupted !

    127.0.0.1 legal-at-spybot.info
    127.0.0.1 www.legal-at-spybot.info

    C:\


    C:\WINNT

    C:\WINNT\binret.exe FOUND !
    C:\WINNT\ttvbon???.dll FOUND !
    C:\WINNT\xcvwer.dll FOUND !

    C:\WINNT\system


    C:\WINNT\Web


    C:\WINNT\system32


    C:\Documents and Settings\William K. Alverson


    C:\Documents and Settings\William K. Alverson\Application Data


    Start Menu


    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1

    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Spyware?Malware Protection.url FOUND !

    Desktop

    C:\DOCUME~1\WILLIA~1.ALV\Desktop\Spyware?Malware Protection.url FOUND !

    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: VIA VT6105 Rhine III Fast Ethernet Adapter
    DNS Server Search Order: 192.168.254.254
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1


    Scanning for wininet.dll infection


    End
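The SmitfraudFix report above has three parts worth pulling out by hand: the paths marked FOUND (one of them, ttvbon???.dll, is a wildcard the tool could not name exactly), the hosts-file lines it objected to, and the DNS section, which the tool prints because Zlob-family DNSChanger variants replace the DHCP-assigned resolvers with attacker-controlled ones. The script below is an added example by the editor, not SmitfraudFix code; the sample report is a cut-down copy of the one in this post, the LAN ranges used for the resolver check are the editor's assumption, and 203.0.113.5 in the usage is a constructed out-of-LAN address.

```python
"""Extract the actionable parts of a SmitfraudFix 'Search only' report: the
paths flagged FOUND (including wildcard ones such as ttvbon???.dll), the
hosts-file lines it objected to, and the DNS resolvers, checked against the
LAN ranges a DHCP-assigned resolver should be in.  Added example by the
editor; not SmitfraudFix code.  The sample is a cut-down copy of the report
in post #3."""
import fnmatch
import ipaddress
import re

SAMPLE_REPORT = """\
hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

C:\\WINNT

C:\\WINNT\\binret.exe FOUND !
C:\\WINNT\\ttvbon???.dll FOUND !
C:\\WINNT\\xcvwer.dll FOUND !

DNS

Description: VIA VT6105 Rhine III Fast Ethernet Adapter
DNS Server Search Order: 192.168.254.254
DNS Server Search Order: 192.168.1.1

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1

End
"""

FOUND_RE = re.compile(r"^(?P<path>.+?) FOUND !$")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")
DNS_RE = re.compile(r"DNS Server Search Order: (?P<ip>\S+)|DhcpNameServer=(?P<list>[\d. ]+)")
# Editor's assumption: a resolver handed out by a home router/DHCP lives in
# one of these ranges; anything else deserves a look.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def found_paths(report):
    """Paths the tool marked 'FOUND !', in report order."""
    out = []
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            out.append(m.group("path"))
    return out


def hosts_entries(report):
    """(ip, hostname) pairs the tool printed from the hosts file."""
    out = []
    for line in report.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            out.append((m.group("ip"), m.group("host")))
    return out


def dns_servers(report):
    """Every resolver address mentioned in the DNS section, de-duplicated."""
    servers = set()
    for m in DNS_RE.finditer(report):
        if m.group("ip"):
            servers.add(m.group("ip"))
        else:
            servers.update(m.group("list").split())
    return servers


def rogue_resolvers(servers):
    """Resolvers outside the LAN/loopback ranges."""
    return {s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in LAN_NETWORKS)}


def expand_wildcards(found_path, directory_listing):
    """Resolve a wildcard FOUND path (ttvbon???.dll) against a directory listing."""
    pattern = found_path.rsplit("\\", 1)[-1]
    return [name for name in directory_listing
            if fnmatch.fnmatchcase(name.lower(), pattern.lower())]


if __name__ == "__main__":
    print("found:", found_paths(SAMPLE_REPORT))
    print("hosts:", hosts_entries(SAMPLE_REPORT))
    servers = dns_servers(SAMPLE_REPORT)
    print("dns:", sorted(servers), "rogue:", rogue_resolvers(servers))
    # Constructed: a resolver outside the LAN, as a DNSChanger would set.
    print("rogue (constructed):", rogue_resolvers(servers | {"203.0.113.5"}))
    # Constructed directory listing to resolve the wildcard path.
    print(expand_wildcards("C:\\WINNT\\ttvbon???.dll", ["ttvbonabc.dll", "ttvbon.dll"]))
```

On this report both resolvers are on 192.168.0.0/16, so the check is clean; it says only that the PC's own settings point at the LAN, not that the router those addresses belong to has untouched upstream settings. The wildcard helper exists because "ttvbon???.dll" is a pattern, not a file name: run it over a listing of C:\WINNT to learn which file the tool actually matched.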

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Default Edited Kaspersky

    I am having trouble getting the FixEdit to work. If I follow the instructions and save the results as a .txt file (or alternatively cut and paste to Notepad and do the same) I get a file that is no longer readable, but seems to be nothing but zeros.

    Also, looking at the original smitfraudfix log which I had saved as a .txt file, I see that the phrase
    "Object is locked[tab]skipped" rather than
    "Object is locked skipped" appears often and is not removed after specifying the latter. The difference appears to be a tab character rather than space.

    On originally loading the file, I get "file contains UniCode or Database Null character. Use Fixedit to open in plain text with the nulls removed?" and the only choice is yes or cancel.

    ??

  5. #5
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Did you save the initial Kaspersky log as a .txt file?

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Default

    Yes, it was, in fact, saved as a .txt file. It shows up quite readable in FixEdit when I open it. And it is readable after I get through the Global changes. It is only after I save the edited version and then go back and reopen it that the problem occurs. I have tried saving it in FixEdit (I give a name with the extension .txt -- it doesn't give me any file types to select from) or copying and pasting into Notepad and saving as a text file. I got the same results both ways.

    I can't remember exactly what I did to save the original, unedited, file, but the instructions show that the program gives the choice to "save as text" and thus I must have done it that way instead of cutting and pasting into Notepad and saving as a text file (in the latter case, I might have missed an opening or closing character if I didn't use select all.)

    I guess I could run the Kaspersky again. It takes a bloody long time, but I guess this time I won't have to go through all the download time again.

    How about the tab versus space thing?

    Bill
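The FixEdit steps in post #2 come down to one operation: drop every line of the Kaspersky report that says the object was locked and skipped. The two snags reported afterwards are exactly the ones a script has to handle: FixEdit warned about "Unicode or Database Null character", which is what a UTF-16 text file looks like to a byte-oriented reader (and why the re-saved copy appeared as "nothing but zeros"), and the words "locked" and "skipped" are separated by a tab, so a filter keyed on a space never matches. The script below is an added example by the editor, not FixEdit and not part of the thread; that the saved report is UTF-16 is an assumption drawn from that warning, and the sample lines and the detection name in them are constructed.

```python
"""Shrink a Kaspersky Online Scanner report by dropping every
'Object is locked <tab> skipped' line, which is what the FixEdit steps in
post #2 are meant to achieve.  Added example by the editor: this is not
FixEdit and not part of the thread.  It deals with the two snags reported
afterwards: the report is UTF-16 text (NUL bytes that look like 'zeros' when
read as plain text) and the separator is a tab, not spaces."""
import codecs
import re

# Any run of whitespace between the two words, so tabs and spaces both match.
SKIP_RE = re.compile(r"Object is locked\s+skipped")

# Constructed sample lines in the report's tab-separated layout; the
# detection name on the last line is made up.
SAMPLE_LINES = [
    "KASPERSKY ONLINE SCANNER REPORT",
    "Number of viruses found: 7",
    "C:\\WINNT\\system32\\config\\SAM\tObject is locked\tskipped",
    "C:\\pagefile.sys\tObject is locked\tskipped",
    "C:\\sample\\evil.exe\tInfected: Constructed.Test.Name\tskipped",
]
# Assumed: the scanner's saved report is UTF-16 little-endian with a BOM,
# which matches the 'Unicode or Null character' warning quoted in post #4.
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + "\r\n".join(SAMPLE_LINES).encode("utf-16-le")


def decode_report(raw: bytes) -> str:
    """Decode UTF-16 (with or without BOM) or UTF-8 bytes to text."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")            # the codec reads and strips the BOM
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    if len(raw) >= 2 and raw[1:2] == b"\x00":  # BOM-less little-endian: b'A\x00B\x00'
        return raw.decode("utf-16-le")
    if len(raw) >= 2 and raw[0:1] == b"\x00":  # BOM-less big-endian
        return raw.decode("utf-16-be")
    return raw.decode("utf-8", errors="replace")


def filter_report(text: str) -> str:
    """Keep only the lines that do not contain the skip marker."""
    kept = [line for line in text.splitlines() if not SKIP_RE.search(line)]
    return "\n".join(kept) + "\n"


def shrink_report(raw: bytes) -> str:
    return filter_report(decode_report(raw))


def shrink_report_file(src: str, dst: str) -> int:
    """Read the saved report, write the shortened copy as UTF-8; return lines kept."""
    with open(src, "rb") as fh:
        shortened = shrink_report(fh.read())
    # Written as UTF-8 so Notepad and a forum post box show text, not NULs.
    with open(dst, "w", encoding="utf-8", newline="\r\n") as fh:
        fh.write(shortened)
    return shortened.count("\n")


if __name__ == "__main__":
    print(shrink_report(SAMPLE_UTF16))
```

The output is re-encoded as UTF-8 on purpose: a UTF-16 file pasted into a forum editor, or opened by a tool that expects single-byte text, is where the "zeros" came from. The whitespace-tolerant pattern is the fix for the tab-versus-space mismatch: it matches the tab the report actually contains as well as the space in the original instruction.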

  7. #7
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Let's do it differently. I might have to revise my FixEdit instructions, but in order to do that I'll need the original Kaspersky report. Please upload it to Rapidshare and give me the link where I can download it.

  8. #8
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Hi

    Note: Kaspersky report received through PM.

    Step 1

    Please disable TeaTimer, as it may interfere with the fix. This is done in two steps:

    First step: Right-click the Spybot icon in your system tray (looks like a blue and white calendar with a padlock symbol).

    • For version 1.5: Click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the system tray should now be colorless.
    • For version 1.4: Click on Exit Spybot S&D Resident.


    Second step: Open Spybot Search & Destroy.

    • Click Mode, choose Advanced Mode. When prompted, answer Yes.
    • Go to the bottom of the vertical panel to the left, click Tools.
    • Click Resident (a white and red shield, located in the panel to the left).
    • If your firewall gives you a warning, allow it.
    • Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
    • OK any prompts.
    • Go to File > Exit to close Spybot Search & Destroy.
    • Reboot your computer for the changes to take effect.


    Note: Be sure to enable TeaTimer when you are clean!

    Step 2

    Please download and install AVG Anti-Spyware.

    After the installation, open AVG Anti-Spyware and do the following:

    • Under Status, click on Change state, next to Resident shield (this will change from Active to Inactive)
    • Under the Update tab, click on Start update.
    • Under Scanner, click on the Settings tab:

      • Under How to act?, click on Recommended actions, and select Quarantine.
      • Under Reports, select Do not automatically generate reports.


    Close AVG Anti-Spyware. Do not let it scan yet.

    Note: If you have problems getting the update, you can download an installer for the full database here. Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed, then double-click on avgas-signatures-full-current.exe to install the database.

    Step 3

    Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

    • Under the Main tab, put a check next to Select All.
      Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
    • If you use the Firefox browser:
      Click on Firefox at the top and put a check next to Select All.
      If you would like to keep your saved passwords, click No at the prompt.
      Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
    • If you use the Opera browser:
      Click on Opera at the top and put a check next to Select All.
      If you would like to keep your saved passwords, click No at the prompt.
      Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)


    Step 4

    Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.

    Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

    Log in to your usual account.

    Step 5

    Double-click on SmitfraudFix.exe.

    • A screen will pop up. Select Option 2 (Clean) by typing 2 and hit Enter.
    • You will be prompted: Registry Cleaning - Do you want to clean the registry? Answer Yes by typing Y and press Enter in order to clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file; answer Yes by typing Y and hit Enter.
    • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart Windows into Safe Mode.
    • A text file will appear onscreen, with results from the cleaning process; please save it to a convenient location. The report can also be found at C:\rapport.txt.


    Note: running Option 2 (Clean) on a computer that is not infected will remove your desktop background.

    Step 6

    Please open AVG Anti-Spyware.

    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • After the scan, do the following:

      • Important: Don't click on the Save Scan Report button before you hit the Apply all Actions button.
      • Make sure that Set all elements to: shows Quarantine (1). If not, click on the link and select Quarantine from the popup menu (2).
      • At the bottom of the window click on the Apply all Actions button (3).
      • When done, click the Save Report (4) button, and save the file to your desktop.




    Reboot into Normal Mode.

    Step 7

    Open HijackThis.

    • Click on the Config button.
    • Click on the Misc Tools button.
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.


    Step 8

    In your next reply, please post:

    • the SmitfraudFix report (C:\rapport.txt)
    • the AVG Anti-Spyware report
    • the Uninstall List (uninstall_list.txt)
    • a new HijackThis log

  9. #9
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Default

    There was some sort of problem with SmitfraudFix. In doing the temporary file removal it evidently called Windows' Disk Cleanup, which seemed to be running simultaneously. SmitfraudFix finished and wrote the file with Disk Cleanup continuing to run but never finishing. This is a long-running program anyhow, but I left it on long enough to make sure it had actually locked up.


    I left my computer on (to hibernate after the time out period) last night rather than sending it into hibernation directly. So far this morning I haven't seen anything amiss, but I guess I need to run it a few more days to make sure.

    I ran Spybot S&D and found Smitfraud-C.MSVP
    SBI $6FE8300C Text File C:\WINNT\data.txt

    but let Spybot S&D fix it and in two subsequent runs (separated by a couple of hours) it didn't reappear.

    SmitFraudFix v2.274

    Scan done at 20:08:15.48, Sun 30-12-2007
    Run from C:\Buffer1\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINNT\system32\cmd.exe

    hosts

    hosts file corrupted !

    127.0.0.1 legal-at-spybot.info
    127.0.0.1 www.legal-at-spybot.info

    C:\


    C:\WINNT

    C:\WINNT\binret.exe FOUND !
    C:\WINNT\ttvbon???.dll FOUND !
    C:\WINNT\xcvwer.dll FOUND !

    C:\WINNT\system


    C:\WINNT\Web


    C:\WINNT\system32


    C:\Documents and Settings\William K. Alverson


    C:\Documents and Settings\William K. Alverson\Application Data


    Start Menu


    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1

    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Spyware?Malware Protection.url FOUND !

    Desktop

    C:\DOCUME~1\WILLIA~1.ALV\Desktop\Spyware?Malware Protection.url FOUND !

    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    Rustock



    DNS

    Description: VIA VT6105 Rhine III Fast Ethernet Adapter
    DNS Server Search Order: 192.168.254.254
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1


    Scanning for wininet.dll infection


    End

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 20:23:26 06-Jan-08

    + Scan result:



    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1645522239-2146965837-839522115-1000\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    C:\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
    E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).


    ::Report end

    uninstall_list.txt follows



    Adobe Flash Player ActiveX
    Adobe Reader 8.1.1
    Antioch
    AutoCAD LT 97
    AVG Anti-Spyware 7.5
    DePopper 2.x
    Easy CD & DVD Creator 6
    Eudora
    Family Tree Maker 8.0
    F-PROT Antivirus for Windows
    Google Earth
    HijackThis 2.0.2
    Hotfix for MDAC 2.81 (KB927779)
    Image Data Converter SR
    IrfanView (remove only)
    Jasc Paint Shop Pro 9
    Jasc Paint Shop Pro 9 GDI+ Patch
    Jasc Paint Shop Pro 9.01 Patch
    Kaspersky Online Scanner
    Lotus NotesSQL 3.01 driver
    Lotus SmartSuite - English
    Memorex exPressit Label Design Studio
    Microsoft AutoRoute 2006
    Microsoft FrontPage 2000 SR-1
    Microsoft Internet Explorer 6 SP1
    Microsoft Office Converter Pack
    Microsoft Streets and Trips 2004
    Microsoft Word 2000 SR-1
    Personal Ancestral File 5
    PGPfreeware 6.5.8
    ProSavage and Utilities
    S3Display
    S3Gamma2
    S3Overlay
    Savings Bond Wizard
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for DirectX 8 (KB941568)
    Security Update for DirectX 9 (KB941568)
    Security Update for Windows 2000 (KB923689)
    Security Update for Windows 2000 (KB941569)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Sony Picture Utility
    Sony USB Driver
    Spybot - Search & Destroy
    SpywareBlaster v3.5.1
    Steel Panthers World At War v8.20
    Update Rollup 1 for Windows 2000 SP4
    VIA Audio Driver Setup Program
    WavePad Uninstall
    Windows 2000 Hotfix - KB842773
    Windows 2000 Hotfix - KB893756
    Windows 2000 Hotfix - KB896358
    Windows 2000 Hotfix - KB896422
    Windows 2000 Hotfix - KB896423
    Windows 2000 Hotfix - KB899587
    Windows 2000 Hotfix - KB899589
    Windows 2000 Hotfix - KB900725
    Windows 2000 Hotfix - KB901017
    Windows 2000 Hotfix - KB901214
    Windows 2000 Hotfix - KB905414
    Windows 2000 Hotfix - KB905495
    Windows 2000 Hotfix - KB905749
    Windows 2000 Hotfix - KB908519
    Windows 2000 Hotfix - KB908531
    Windows 2000 Hotfix - KB911280
    Windows 2000 Hotfix - KB913580
    Windows 2000 Hotfix - KB914388
    Windows 2000 Hotfix - KB914389
    Windows 2000 Hotfix - KB917008
    Windows 2000 Hotfix - KB917344
    Windows 2000 Hotfix - KB917953
    Windows 2000 Hotfix - KB918118
    Windows 2000 Hotfix - KB920213
    Windows 2000 Hotfix - KB920670
    Windows 2000 Hotfix - KB920683
    Windows 2000 Hotfix - KB920685
    Windows 2000 Hotfix - KB921398
    Windows 2000 Hotfix - KB921503
    Windows 2000 Hotfix - KB922582
    Windows 2000 Hotfix - KB923191
    Windows 2000 Hotfix - KB923414
    Windows 2000 Hotfix - KB923810
    Windows 2000 Hotfix - KB923980
    Windows 2000 Hotfix - KB924270
    Windows 2000 Hotfix - KB924667
    Windows 2000 Hotfix - KB925902
    Windows 2000 Hotfix - KB926122
    Windows 2000 Hotfix - KB926436
    Windows 2000 Hotfix - KB927891
    Windows 2000 Hotfix - KB928843
    Windows 2000 Hotfix - KB930178
    Windows 2000 Hotfix - KB931784
    Windows 2000 Hotfix - KB933729
    Windows 2000 Hotfix - KB935839
    Windows 2000 Hotfix - KB935840
    Windows 2000 Hotfix - KB936021
    Windows 2000 Hotfix - KB937894
    Windows 2000 Hotfix - KB938127
    Windows 2000 Hotfix - KB938827
    Windows 2000 Hotfix - KB938829
    Windows 2000 Hotfix - KB939653
    Windows 2000 Hotfix - KB941202
    Windows 2000 Hotfix - KB942615
    Windows Installer 3.1 (KB893803)
    Windows Media Player Hotfix [See Q828026 for more information]
    WinZip 11.1
    ZoneAlarm




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:38:21, on 06-Jan-08
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: BDEX System - {7F719D62-623C-4F70-9244-8CAEC58B041B} - C:\WINNT\ttvbonfwt.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193087558250
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4914 bytes

    Hopefully this does it. Do you see anything remaining?

  10. #10
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Default

    Hi

    We'll make sure nothing is left by running an Online Scan.

    Step 1

    Open HijackThis, perform a scan and put a check next to the following items (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: BDEX System - {7F719D62-623C-4F70-9244-8CAEC58B041B} - C:\WINNT\ttvbonfwt.dll (file missing)


    Close all programs except HijackThis and click on Fix checked.

    Step 2

    Please visit TotalScan.

    • Under Scan Now click the Full Scan button.
    • Follow the prompts to install the ActiveX if necessary.
    • It will take a while, let it run unhindered.
    • When the scan is finished, a report will be generated.
    • Next to Scan Details click the small Save button and save the report to your desktop.


    Step 3

    In your next reply, please post:

    • the TotalScan report
    • a new HijackThis log
    • How is your computer currently running?
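A small triage helper, added here as an example and not part of the thread or of HijackThis itself: it parses the R0 and O2 lines in the log format shown above and flags the same three entries the volunteer picked out, on the assumption (taken from the running-process list) that C:\WINNT is this machine's Windows directory. The sample lines are copied from the log above, plus one benign O4 line as a control.

```python
import re

# Sample input: lines taken from the HijackThis log above, plus a benign O4 control line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {7F719D62-623C-4F70-9244-8CAEC58B041B} - C:\WINNT\ttvbonfwt.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# Assumption: the Windows directory is C:\WINNT, as the process list in the log shows.
WINDIR = r"C:\WINNT"

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# R0 lines: "R0 - <hive>\<key path>,<value name> = <value>"
R0_RE = re.compile(r"^R0 - (?P<hive>HK\w+)\\.*?,(?P<key>[^=]+?) = (?P<value>.*)$")


def triage(log_text, windir=WINDIR):
    """Return [(line, reason)] for R0/O2 entries that deserve a second look."""
    findings = []
    prefix = windir.lower() + "\\"
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("missing"):
                # A BHO still registered after its DLL is gone is leftover from a removal.
                findings.append((line, "BHO registered but DLL missing: " + path))
            elif path.lower().startswith(prefix) and "\\system32\\" not in path.lower():
                # Heuristic: BHO DLLs dropped directly into the Windows directory are unusual.
                findings.append((line, "BHO DLL sits loose in " + windir))
            continue
        m = R0_RE.match(line)
        if m and m.group("key").strip() == "Local Page":
            # On this Windows 2000 box the Windows directory is C:\WINNT, so a
            # Local Page under C:\windows cannot be the real blank.htm.
            if not m.group("value").lower().startswith(prefix):
                findings.append((line, "Local Page points outside " + windir))
    return findings
```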
