Help! zlob downloader and smitfraud won't go away

Status
Not open for further replies.
Thanks for the feedback, and sorry about not spotting that right away. Let's see what else we have; I will comment on the HJT logs, starting with the one you just posted.

Scan saved at 6:49:25 AM, on 1/9/2008
Some advice first: I suggest you purchase games so you can look at the EULA, or play them online. When you download "free" games they rarely are free; they are often bundled with adware and worse.
This log appears to be clean of malware.

Chris: Scan saved at 6:46:04 AM, on 1/9/2008
Appears clean of malware

Roger: Scan saved at 6:41:41 AM, on 1/9/2008
I see no "malware"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
http://www.castlecops.com/startuplist-4801.html
While the program may not be bad, some of the files that are shared are dangerous and even illegal. I also suggest this never run all of the time; start it when you want to use it and turn it off when you are finished with the program. See this information:
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm

Logan: Scan saved at 6:43:49 AM, on 1/9/2008
I see no "malware"
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Logan\My Documents\Ares\Ares.exe" -h
same as Roger

Since I am seeing no malware, and the other issues are for you to consider, let's have Kaspersky check for anything hidden and then I can get you on your way.

Remove SmitfraudFix, SDFix and Fixwareout from your computer if you have not done so.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< empty the Recovery folder
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

We have System Restore to clean yet, so expect some infected items, please use these settings.

Check for any updates

* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks...Phil
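The reply above triages HijackThis O4 (autostart) entries by eye: the Ares lines are not malware, but a p2p client that starts with Windows from a user's profile is worth questioning. The following is an added example of the same triage in code; it is not part of the original post and not HijackThis code. It parses registry-based O4 lines, splits the command into executable and arguments (HijackThis prints unquoted paths verbatim, so they cannot be split on spaces), and flags entries by a few assumed heuristics. The sample lines are constructed: the two Ares lines are the ones quoted above, and the jusched.exe and svchost.exe lines are hypothetical additions for contrast. The p2p and system-process name lists are assumptions, not HijackThis data.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in HijackThis O4 format. The two Ares lines are the ones
# quoted in the thread; the last two are hypothetical, added for contrast.
SAMPLE_O4_LINES = [
    'O4 - HKCU\\..\\Run: [ares] "C:\\Program Files\\Ares\\Ares.exe" -h',
    'O4 - HKCU\\..\\Run: [ares] "C:\\Documents and Settings\\Logan\\My Documents\\Ares\\Ares.exe" -h',
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"',
    'O4 - HKCU\\..\\Run: [svchost] C:\\Documents and Settings\\Sue\\Local Settings\\Temp\\svchost.exe',
]


class O4Entry(NamedTuple):
    hive: str   # HKCU, HKLM or HKUS\<sid>
    key: str    # Run, RunOnce, ...
    name: str   # registry value name shown in [brackets]
    exe: str    # executable path with surrounding quotes removed
    args: str   # remaining command-line arguments


# Registry-based O4 lines only; Startup-folder lines ("O4 - Startup: ...")
# have a different shape and are deliberately not parsed here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKCU|HKLM|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Assumed lists; extend to taste.
P2P_EXES = {"ares.exe", "limewire.exe", "kazaa.exe", "bearshare.exe", "emule.exe", "utorrent.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "services.exe"}


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-value command into (executable, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted path: it may contain spaces, so cut after the first ".exe".
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    return O4Entry(m.group("hive"), m.group("key"), m.group("name"), exe, args)


def triage(entry: O4Entry) -> List[str]:
    """Return the reasons (possibly none) an autostart entry deserves a look."""
    reasons = []
    low = entry.exe.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in P2P_EXES:
        reasons.append("p2p client set to autostart")
    if "\\documents and settings\\" in low or "\\users\\" in low:
        reasons.append("runs from a user profile directory")
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        reasons.append("runs from a temp directory")
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        reasons.append("system process name outside \\WINDOWS\\system32")
    return reasons


def triage_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Parse every O4 line and keep only the entries that raised a reason."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry.name, entry.exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage_log(SAMPLE_O4_LINES):
        print(f"[{name}] {exe}\n    " + "; ".join(reasons))
```

On the thread's own lines the first Ares entry is flagged only for being a p2p autostart, while Logan's copy is additionally flagged because it runs out of My Documents, which is the same distinction the reply draws between the program itself and where and when it runs.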
 
I am a little confused about some of these instructions, so I thought I had better clear that up before proceeding.
By the way, thanks for catching the Ares stuff on the scans for the other users - I thought my sons had deleted those, but I guess not.

Here are my questions,..am I to just remove the Recovery folder from S&D? (As described in the Purge Selected Items instructions from http://ict.cas.psu.edu/training/howt...vespybot.htm#1) Or am I to follow all the instructions from this link and remove S&D and re-install?

Later on in your instructions, you said to check for any updates and then you give me instructions on what to do next - I assume these are all instructions for Kaspersky, is that correct?

Thanks!!
 
1) Nope, just dump the stuff in the Recovery folder. "Recovery" In Spybot S&D is like a quarantine folder. In ten years of using Spybot S&D I have never had to restore an item removed in error, but Spybot S&D does make the backups in the unlikely event you need them.

Purge Selected Items

NOTE: If Spybot has found and removed Spyware from your computer, it maintains a list of these items in a Recovery section. These items should be deleted prior to uninstalling SpyBot.

Open Spybot.
If you have a shortcut on your desktop, double click it.
or
Click Start, then All Programs, then Spybot - Search & Destroy and then Spybot - Search & Destroy.
On the left side, click "Recovery".

NOTE: If this window is empty, you may skip the remaining steps. Exit Spybot. Go to the next section.


Select (place a check) beside ALL the backup files that contain quarantined items.
Click on the Purge Selected Items button.
A dialog will appear, stating that the backup will be removed. Click Yes.
When the Recovery window is empty, Exit Spybot.

2) I am sorry I was a little confusing, I started here:
let's have Kaspersky check for anything hidden and then I can get you on your way.

and then went through the instructions preceding actually running the scan, including to:
Check for any updates
because the databases update often and you ran the first scan a few days ago. The balance of the instructions are the settings to use, which may be the same as the first time; just check them please.

Thanks for checking with me and never hesitate to ask questions if you are unsure about something.

Thanks
 
Here's the Kaspersky log - down to one virus.

I would like to get rid of the Ares files that you suggested in your post earlier today. I tried to find the files to delete them, but couldn't - the program is not loaded on the computer anymore. How do I find them to remove them.....thru HJT?

Sue

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 09, 2008 10:57:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/01/2008
Kaspersky Anti-Virus database records: 472743
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 160343
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:09:27

Infected Object Name / Virus Name / Last Action
C:\9a55c34bcbdb2c804304df\update\update.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\aa75ebed54378047725afebe5645ec89_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\c74c6f795ada87022536668c055d2c0e_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9fb6aa263cee3351af77214da239be26_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f33095886242d27cfedaaf5e241be4cf_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080109_Time-202337843_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080109_Time-202337843_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_THONEFAMILY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_THONEFAMILY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Logan\Start Menu\Programs\Startup\PowerReg Scheduler.exe Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sue\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Sue\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Sue\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Sue\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Sue\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\AOL OCP\AIM\Storage\data\buddha10385\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\SupportSoft\DellSupportCenter\Sue\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Application Data\SupportSoft\HelpCenter\Sue\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\History\History.IE5\MSHist012008010920080110\index.dat Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temp\BIT422.tmp Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temp\clclean.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temp\~DF548A.tmp Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temp\~DF913A.tmp Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temp\~DF9147.tmp Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temp\~DFB665.tmp Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Sue\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sue\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sue\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MediaSupplyCodec\MediaSupplyCodec.ocx Infected: Trojan.Win32.Agent.dpv skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP654\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{75088384-0FE4-4D3E-84E2-2AAED23F9045}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8A9899C3-DEDD-4106-B6D2-961BC9689C81}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
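Reading the report above, the only real finding is the one "Infected:" line; every "Object is locked skipped" line is a file the running system holds open (registry hives, event logs, index.dat files, the System Restore store), not a detection. The following is an added example of triaging a report in this format; it is not code from the thread or from Kaspersky. It separates detections from locked entries, checks that the per-line count agrees with the summary statistics, lists locked files in places one would not expect to be locked, and pulls out the System Restore entries that the earlier reply says still have to be cleaned. The embedded report is a constructed excerpt of the one posted above, and the list of "expected locked" locations is an assumption.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed excerpt of the Kaspersky Online Scanner 5 report posted above;
# a handful of its lines, not a new scan.
SAMPLE_REPORT = """\
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 09, 2008 10:57:24 PM

Scan Statistics:
Total number of scanned objects: 160343
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\\9a55c34bcbdb2c804304df\\update\\update.exe Object is locked skipped
C:\\Documents and Settings\\Sue\\NTUSER.DAT Object is locked skipped
C:\\Program Files\\MediaSupplyCodec\\MediaSupplyCodec.ocx Infected: Trojan.Win32.Agent.dpv skipped
C:\\System Volume Information\\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\\RP654\\change.log Object is locked skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped

Scan process completed.
"""


class Detection(NamedTuple):
    path: str
    verdict: str  # "Infected"; the "Suspicious" line shape is assumed by analogy
    name: str     # scanner's detection name, e.g. Trojan.Win32.Agent.dpv
    action: str   # last action; "skipped" means the file was left in place


LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
RESULT_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\w+)$"
)
STAT_RE = re.compile(
    r"^(?P<key>Number of (?:viruses found|infected objects|suspicious objects)): (?P<value>\d+)$"
)

# Locations normally held open on a running XP system, so a "locked" line there
# is noise rather than a finding (assumed list).
EXPECTED_LOCKED = (
    "\\windows\\system32\\config\\",   # live registry hives and event logs
    "\\ntuser.dat", "\\usrclass.dat",  # per-user registry hives
    "\\index.dat",                     # IE history and cache indexes
    "\\system volume information\\",  # System Restore store
)


def parse_report(text: str) -> Tuple[Dict[str, int], List[Detection], List[str]]:
    """Return (summary statistics, detections, locked-file paths)."""
    stats: Dict[str, int] = {}
    detections: List[Detection] = []
    locked: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = RESULT_RE.match(line)
        if m:
            detections.append(Detection(m.group("path"), m.group("verdict"),
                                        m.group("name"), m.group("action")))
    return stats, detections, locked


def summarize(text: str) -> dict:
    stats, detections, locked = parse_report(text)
    infected = sum(1 for d in detections if d.verdict == "Infected")
    suspicious = sum(1 for d in detections if d.verdict == "Suspicious")
    return {
        "detections": detections,
        # "skipped" on a detection means the scanner only reported it.
        "needs_manual_removal": [d.path for d in detections if d.action == "skipped"],
        "locked_total": len(locked),
        "unexpected_locked": [p for p in locked
                              if not any(s in p.lower() for s in EXPECTED_LOCKED)],
        "restore_point_files": [p for p in locked
                                if "\\system volume information\\_restore" in p.lower()],
        # Cross-check the line-by-line section against the summary block.
        "counts_consistent": (stats.get("Number of infected objects") == infected
                              and stats.get("Number of suspicious objects", 0) == suspicious),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The one locked file this excerpt leaves in "unexpected_locked" is the update.exe under a random-looking folder at the root of C:, which on this machine is consistent with a Windows Update extraction directory but is exactly the kind of entry worth a second look rather than dismissing along with the registry hives.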
 
I would like a look at your uninstall list. HJT will probably remove the p2p program, but it is best to uninstall it if possible; the list will also give me a chance to look for anything else that should not be there.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

KASPERSKY ONLINE SCANNER REPORT Wednesday, January 09, 2008 10:57:24 PM

C:\Program Files\MediaSupplyCodec\MediaSupplyCodec.ocx <<< Look in Add/Remove Programs and uninstall that item if there. If not, delete it manually; you may have to do that in safe mode.
(Trojan.Win32.Agent.dpv)

See this: http://forums.spybot.info/showthread.php?t=282

all I need is the uninstall list

Thanks
 
Here's the uninstall list. I see the MediaSupplyCodec on it, so I'll try the uninstall.
Thanks

Ad-Aware 2007
Adobe ActiveShare 1.3.1
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
AGEIA PhysX v2.4.4
AIM 6
Andrea VoiceCenter
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
AVG Anti-Spyware 7.5
BellSouth Toolbar 1.0
BellSouth® FastAccess® DSL Help Center 4.0
Cabela's Big Game Hunter - Alaskan Adventures
Cabela's Trophy Bucks
Calendar Creator 7.0
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 1.0
Canon MP610 series
Canon MP610 series User Registration
Canon My Printer
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint EX
Canon Utilities PhotoStitch 3.1
Canon Utilities Solution Menu
Canon ZoomBrowser EX (E)
Civilization III
Civilization III Play the World
Classic PhoneTools
CleanUp!
Command & Conquer Generals
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support Center
DellSupport
Digital Content Portal
Digital Line Detect
EarthLink setup files
Easy-WebPrint
EducateU
ELIcon
ESPNMotion
Get High Speed Internet!
Google
Google Desktop
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
IL-2 Sturmovik
Incredible Ink
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
MasterCook 6: Complete Suite
McAfee VirusScan Enterprise
MCU
Medal of Honor Allied Assault
Media Supply Codec v1.6
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
NetWaiting
NetZeroInstallers
NYKO Gamepad Mapping Tools 2.0.0
Otto
OverDrive Media Console
Pacific Fighters
Panda ActiveScan
Panda ActiveScan Pro
PhotoFantasy 2000
Polar Golfer
Quicken 2007
QuickTime
RealPlayer Basic
Roll
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Sansa Media Converter
ScanSoft OmniPage SE 4
ShootOutClient Version 1.0
Sonic Activation Module
Sonic Advanced Decoder
Sonic Encoders
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
The General 4.0
Trellix Web
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
URL Assistant
Virtools 3D Life Player
WebCyberCoach 3.2 Dell
WexTech AnswerWorks
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
WONswap
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)
 
Thanks for the uninstall list, here is what I see. I will not know all programs, take a look yourself to make sure nothing is there you are not aware of.

AVG Anti-Spyware 7.5
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Java(TM) 6 Update 2 <<< uninstall
Java(TM) 6 Update 3 <<< keep this one
Java(TM) SE Runtime Environment 6 Update 1 <<< uninstall
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2

Panda ActiveScan Pro <<< you run McAfee, why is this installed? If you do not own it uninstall it. If you own it make sure it does not run with McAfee.

Spybot - Search & Destroy 1.4 <<< as soon as all else is squared away, I would update to 1.5 were I you.
http://www.safer-networking.org/en/spybotsd15/index.html

TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Is this program still applicable to 2007?

Media Supply Codec v1.6 <<< Wherever this came from, a trojan came with it. "Free" rarely is!

For your information:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
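Two of the calls made in the reply above can be automated over an uninstall list: keeping only the newest Java runtime (each older one is a separately installed copy with its own known vulnerabilities), and mapping a detected file path such as C:\Program Files\MediaSupplyCodec\MediaSupplyCodec.ocx to the Add/Remove Programs entry that most likely installed it. The following is an added example of both, not code from the thread or from HijackThis. The embedded list is a constructed excerpt of the one posted above; the Java naming patterns handled are only the two shapes that appear in that list, and the name-normalization rule is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the HijackThis uninstall list posted in this thread.
SAMPLE_UNINSTALL_LIST = [
    "Ad-Aware 2007",
    "HijackThis 2.0.2",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "McAfee VirusScan Enterprise",
    "Media Supply Codec v1.6",
    "Spybot - Search & Destroy 1.4",
]

# The two Java entry shapes present in the thread's list; other naming
# (e.g. older "J2SE Runtime Environment" entries) is not handled here.
JAVA_RE = re.compile(
    r"^Java\(TM\)(?: SE Runtime Environment)? (?P<major>\d+) Update (?P<update>\d+)$"
)


def java_version(entry: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java runtime entry, else None."""
    m = JAVA_RE.match(entry.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("update"))


def superseded_java(entries: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (entry to keep, entries to uninstall): newest runtime wins."""
    versioned = []
    for entry in entries:
        version = java_version(entry)
        if version is not None:
            versioned.append((version, entry))
    if not versioned:
        return None, []
    versioned.sort(key=lambda ve: ve[0], reverse=True)
    return versioned[0][1], [entry for _, entry in versioned[1:]]


def _normalize(name: str) -> str:
    """Lower-case, drop a trailing version token and keep alphanumerics only, so
    'Media Supply Codec v1.6' and the folder name 'MediaSupplyCodec' compare equal
    (assumed rule; good enough for Program Files folder names)."""
    name = re.sub(r"\s+v?\d+(\.\d+)*\s*$", "", name.strip(), flags=re.IGNORECASE)
    return re.sub(r"[^a-z0-9]", "", name.lower())


def uninstall_entry_for(detection_path: str, entries: List[str]) -> Optional[str]:
    """Map a detected file under Program Files to the uninstall entry whose
    normalized name matches the folder directly below Program Files."""
    m = re.search(r"\\program files(?: \(x86\))?\\([^\\]+)\\", detection_path, re.IGNORECASE)
    if not m:
        return None
    folder = _normalize(m.group(1))
    for entry in entries:
        if _normalize(entry) == folder:
            return entry
    return None


if __name__ == "__main__":
    keep, old = superseded_java(SAMPLE_UNINSTALL_LIST)
    print("keep:", keep)
    print("uninstall:", old)
    print("entry for detection:", uninstall_entry_for(
        "C:\\Program Files\\MediaSupplyCodec\\MediaSupplyCodec.ocx", SAMPLE_UNINSTALL_LIST))
```

On the thread's list this keeps "Java(TM) 6 Update 3" and marks the other two for removal, and resolves the Kaspersky detection to "Media Supply Codec v1.6", the same two conclusions the reply reached by hand.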
 
Thanks for your advice on this and for all your help...and for the links for the info to stay clean and safe. I certainly think I need to tighten the reins on my teenaged son's computer usage....I suspect that that led to many of the problems.

You don't know how much I appreciate all your time and attention to my problems. You perform a very valuable service to us computer novices. I'll be making a donation to help keep you guys going!!

Sue
 