19 replies to this topic

[snowcoca]

My desktop has been taken over by a spyware ad. Below is my log. Please help.... Logfile of HijackThis v1.99.1 Scan saved at 8:46:56 PM, on 11/13/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\System32\rundll32.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Citrix\ICA Client\pnagent.exe C:\WINDOWS\System32\NotifyPhoneBook.exe C:\WINDOWS\System32\atievxx.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE D:\Programs\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45" O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe O4 - Global Startup: OSA.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[g2i2r4]

Welcome snowcoca to Tom Coyote Forums.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Please download the trial version of ewido security suite.Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows
You will need to allow the popups for this site!

Run the Free use Panda Active Scan.

• Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
• A new window will open
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When the download is complete, click on my computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

[snowcoca]

Below are all the scan reports.

Panda scan

Incident Status Location
Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\SHDOCSVC.EXE
Possible Virus. No disinfected C:\WINDOWS\system32\shdocsvc.exe
Virus:W32/Smitfraud.D Disinfected Operating system
Possible Virus. No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe
Adware:adware/antivirus-gold No disinfected C:\WINDOWS\desktop.html
Adware:adware/psguard No disinfected C:\WINDOWS\warnhp.html
Possible Virus. No disinfected C:\WINDOWS\system32\shdocsvc.exe
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/PsGuard No disinfected C:\WINDOWS\system32\FF.tmp
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\html.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP139\A0013345.com
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP139\A0013347.com
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013432.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013434.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013440.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013441.exe
Adware:Adware/SAHAgent No disinfected C:\Recycled\NPROTECT\00001744.inf
Possible Virus. No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\WHO\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4c2073ff.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\WHO\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4c2073ff.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\WHO\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4c2073ff.zip[VerifierBug.class]


Hikack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:27:04 PM, on 11/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\shdocsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsvc.dll/blank.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [FHStart] C:\WINDOWS\system32\shdocsvc.exe home
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Smitfiles[b]


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 11/14/2005
The current time is: 22:25:58.31

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html
desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html
desktop.html


~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll is missing!!


[b]

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:57:10 PM, 11/14/2005
+ Report-Checksum: 838389E4

+ Scan result:

C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013448.exe -> Spyware.Raze : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013449.exe -> TrojanDropper.Agent.ri : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013450.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013451.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013452.DLL -> TrojanDownloader.IstBar.gu : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013453.DLL -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013454.EXE -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013455.exe -> TrojanDownloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013456.exe -> Trojan.LowZones.cu : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013460.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013461.dll -> Trojan.Small.ev : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\WHO\Cookies\who@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup


::Report End

P.S. I used Ad aware Professional ver6 instead of the SE 1.06. Is that a problem?

[g2i2r4]

Click here
Apply the update to SP1a and rerun Runthis.bat.

If it doesn't work:
Download this file
Unzip it and place the wininet.dll file in this folder:
C:\WINDOWS\system32\

Post me the new smitfiles.txt please

[snowcoca]

smitRem © log file version 2.7 by noahdfear Microsoft Windows XP [Version 5.1.2600] The current date is: Tue 11/15/2005 The current time is: 21:47:37.24 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ warnhp.html desktop.html ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ warnhp.html desktop.html ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ wininet.dll is missing!!

[g2i2r4]

not nice. I was hoping for a different message in the smitfiles.txt

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:

• Click on FileFind.exe
• In the box labeled "Enter the directory to search"
  • Enter Drive eg.. C:\
• In the box labeled "Enter the file to search"
  • Enter wininet.dll
• Now click on the "Find" button
• Once the utility has found the files click on "Export"
• This will save a text file to your C:\ drive as "Export.txt"
• Double click on Export.txt, copy and paste this information in your next post

[snowcoca]

Is it bad? Here's the search result C:\WINDOWS\system32\WININET.DLL - 585216 Bytes C:\WINDOWS\system32\dllcache\WININET.DLL - 585216 Bytes C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll - 593920 Bytes

[g2i2r4]

No not bad, just unexpected. Can you rerun the runthis.bat and post me the new smitfiles.txt?

[snowcoca]

smitRem © log file version 2.7 by noahdfear Microsoft Windows XP [Version 5.1.2600] The current date is: Tue 11/15/2005 The current time is: 22:00:09.28 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ warnhp.html desktop.html ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ warnhp.html desktop.html ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ wininet.dll is missing!!

[g2i2r4]

the tool says wininet is missing, you say it's there.

It might be Spyware doctor keeping us from cleaning.

Just to be sure:
Upload and scan that C:\Windows\system32\wininet.dll on the next site to make sure this one is clean:

http://virusscan.jotti.org/

let it scan and post the results in your next reply.

***

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:

• Click the Spyware Doctor icon in the System Tray.
• Click Settings.
• Click Startup Settings under Pick a Category.
• Uncheck Run at Windows startup.
• Click Apply and Exit Spyware Doctor

Once your log is clean you can re-enable Spyware Doctor.

***

Download the Killbox version 2.0.0.473 .
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\system32\shdocsvc.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Reboot to safe mode.

***

Let's rerun Runthis (again, sorry).

***

Open HijackThis and put a check to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsvc.dll/blank.html

O4 - HKLM\..\Run: [FHStart] C:\WINDOWS\system32\shdocsvc.exe home

press 'fix checked'.

***

Reboot back to normal mode.

Please post me the smitfiles.txt and a fresh HijackThis log.

[snowcoca]

This is the result of the online scan

Service load: 0% 100%

File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 6626545292428ae1ed5b4237404b346a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Smitfiles


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 11/15/2005
The current time is: 22:34:22.57

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html
desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html
desktop.html


~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll is missing!!




Logfile of HijackThis v1.99.1
Scan saved at 10:44:09 PM, on 11/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Programs\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[g2i2r4]

Let's clean up manually.

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\desktop.html
C:\WINDOWS\warnhp.html
C:\WINDOWS\system32\FF.tmp
C:\WINDOWS\Downloaded Program Files\html.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Can you rerun Panda and post me the report please?

[snowcoca]

Incident Status Location Virus:Trj/Downloader.FZS Disinfected Operating system Virus:Trj/Downloader.FZS Disinfected C:\WINDOWS\system32\shdocsvc.exe Virus:Trj/Downloader.FZS Disinfected C:\WINDOWS\system32\shdocsvc.dll Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP151\A0014157.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP151\A0014187.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP151\A0014173.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP151\A0014198.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP151\A0014199.dll Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP139\A0013345.com Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP139\A0013347.com Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013431.dll Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013432.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013434.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013437.dll Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013439.dll Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013440.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013441.exe Virus:Trj/Downloader.FZS Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013442.dll Virus:W32/Smitfraud.D Disinfected C:\System Volume Information\_restore{278F9886-8148-4190-BD76-A203A3173F43}\RP140\A0013512.DLL Adware:Adware/SAHAgent No disinfected C:\Recycled\NPROTECT\00001744.inf Virus:Trj/Downloader.FZS Disinfected C:\!KillBox\shdocsvc.exe Virus:Trj/Downloader.FZS Disinfected C:\!KillBox\html.exe I am getting an error message Runtime error 5 at 004046ED when I boot up.

[g2i2r4]

Please read this very carefully:

• Download the FxNetsky.exe file from: http://securityrespo...er/FxNetsky.exe.
• Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected.
• Close all the running programs before running the tool.
• If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
• Disable System Restore.
• Double-click the FxNetsky.exe file to start the removal tool.
• Click Start to begin the process, and then allow the tool to run.
• Restart the computer.
• Run the removal tool again to ensure that the system is clean.
• Re-enable System Restore.

let me know what happens.

[snowcoca]

Hi, I receive the message W32 Netsky was not found on your computer.