PCodec 6.0 problem

[Keith.v]

I seem to have infected my computer with malware by downloading PCodec 6.0 software, I deleted the pcodec file from the program folder, but still have some problems. Also there is an icon in the taskbar (critical system error) that directs the browser to virus burst.com. I have followed instructions in tashi's post. here is the online anti virus scan log and hjt log.
I hope you can help with this problem as I am unable to resolve this on my own.

Thank you


Incident Status Location

Adware:adware/safetybar Not disinfected d:\documents and settings\all users\desktop\Online Security Guide.url
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Mediaplex Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected D:\Documents and Settings\Frogger\Application Data\Mozilla\Firefox\Profiles\8jtk6ftx.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@247realmedia[1].txt
Spyware:Cookie/888 Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@888[1].txt
Spyware:Cookie/888 Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@888[2].txt
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@adopt.hbmediapro[2].txt
Spyware:Cookie/Cassava Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@cassava[1].txt
Spyware:Cookie/DriveCleaner Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@errorsafe[2].txt
Spyware:Cookie/Malwarewipe Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@malwarewipe[1].txt
Spyware:Cookie/DriveCleaner Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@stats1.reliablestats[1].txt
Spyware:Cookie/Tradedoubler Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@tradedoubler[2].txt
Spyware:Cookie/DriveCleaner Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@www.drivecleaner[1].txt
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Frogger\Cookies\frogger@yadro[1].txt
Potentially unwanted tool:Application/DriveCleaner Not disinfected D:\Documents and Settings\Frogger\Local Settings\Temporary Internet Files\Content.IE5\78YQRSW2\installdrivecleanerstart[1].exe


Logfile of HijackThis v1.99.1
Scan saved at 12:47:51, on 08/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/login/index.php?url=/commscentre/email/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - D:\Program Files\PCODEC\isaddon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - D:\Program Files\PCODEC\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE8052C4-98FA-4943-B9B2-6DD87845058F}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[steamwiz]

Hi

Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. find the C:\rapport.txt file and post the contents in your next post here...

steam

 

[Keith.v]

Hi steamwiz

Thanks for your help, I didnt expect such a quick reply


SmitFraudFix v2.84

Scan done at 21:25:38.65, 08/09/2006
Run from D:\Documents and Settings\Frogger\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32

D:\WINDOWS\system32\gtpbx.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Frogger\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

D:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
D:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Frogger\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

D:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
D:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7fa55359-7223-410f-bc82-efb3e3ded07f}"="died"

[HKEY_CLASSES_ROOT\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="D:\WINDOWS\system32\gtpbx.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="D:\WINDOWS\system32\gtpbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[steamwiz]

HI

1. Reboot into >>>safe mode
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file in your next post here... + a new hijackthis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

steam

 

[Keith.v]

Hi steam

I've followed your instructions, here are the rapport.txt and hijackthis.log.

Thanks again for your help, icon in system tray has now disappeared

SmitFraudFix v2.84

Scan done at 19:25:37.50, 09/09/2006
Run from D:\Documents and Settings\Frogger\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7fa55359-7223-410f-bc82-efb3e3ded07f}"="died"

[HKEY_CLASSES_ROOT\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="D:\WINDOWS\system32\gtpbx.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="D:\WINDOWS\system32\gtpbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

D:\WINDOWS\system32\gtpbx.dll -> Hoax.Win32.Renos.gen.d
D:\WINDOWS\system32\gtpbx.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

D:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
D:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
D:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
D:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




Logfile of HijackThis v1.99.1
Scan saved at 19:37:19, on 09/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\dllhost.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - D:\Program Files\PCODEC\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157734607382
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[steamwiz]

Hi

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - D:\Program Files\PCODEC\iesplugin.dll (file missing)

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab


Then...

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want

it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows

Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently

used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will

need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

---
Download and install the 30 day trial of Ewido Anti-Spyware from HERE :-

http://www.ewido.net/en/download/

1. Download it to your desktop
2. Doubleclick the ewido icon to start the ewido setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close Ewido > Do not run the scan yet.

Boot your computer into Safemode

1. Go to Start> Shut Off your Computer> Restart
2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning

process

1. Launch Ewido-Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. Ewido will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close Ewido
10. Copy & paste the ewido report in your next post

steam

 

[Keith.v]

Hi steam

Thanks :laugh:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:12:27 10/09/2006

+ Scan result:



D:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
D:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
:mozilla.39:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
E:\c\Windows Profile\Cookies\c@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.82:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.83:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\Documents and Settings\Guest\Cookies\guest@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
E:\c\Windows Profile\Cookies\c@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.70:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.71:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.73:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.50:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
:mozilla.51:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
:mozilla.52:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@adviva[2].txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
E:\c\Windows Profile\Cookies\c@adviva[1].txt -> TrackingCookie.Adviva : Cleaned with backup (quarantined).
:mozilla.40:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
D:\Documents and Settings\Guest\Cookies\guest@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@atdmt[3].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
E:\c\Windows Profile\Cookies\c@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.89:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.56:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
D:\Documents and Settings\LocalService\Cookies\c@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.15:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@doubleclick[3].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.103:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.104:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@gator[1].txt -> TrackingCookie.Gator : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@ehg-newsinternational.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@ehg-patheo.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.26:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.28:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
:mozilla.6:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.85:E:\c\Windows Profile\Application Data\Mozilla\Firefox\Profiles\ofhn6s9w.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
E:\c\Windows Profile\Cookies\c@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
D:\Documents and Settings\LocalService\Cookies\c@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
E:\c\Windows Profile\Cookies\c@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
D:\Documents and Settings\T\Cookies\t@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end

 

[steamwiz]

Hi

Looks good

Are your problems resolved ?

steam

 

[Keith.v]

Problem solved

Hi

Everything seems good now, thanks for your help :bigthumb:

Where is the best place to find out how to avoid these problems? any advice would be appreciated.

Here is a new hijackthis.log just in case you need to check.

Many thanks

Keith.v

Logfile of HijackThis v1.99.1
Scan saved at 22:52:59, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Winamp\Winamp.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157734607382
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE8052C4-98FA-4943-B9B2-6DD87845058F}: NameServer = 80.225.248.50 80.225.253.50
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[steamwiz]

Hi

Your log's clean

Where is the best place to find out how to avoid these problems? any advice would be appreciated.

Have a look here :-

So how did I get infected in the first place? By TonyKlein

http://forums.spybot.info/showthread.php?t=279

steam

 

[tashi]

As the problem appears to be resolved this topic has been archived. :bigthumb:

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.