Here is my HJT Log :)

pelquin · #1 (**permalink**) 29-04-2006, 06:30 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:28:19 PM, on 4/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.comcast.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/eng/solitaire_2_0_0_20.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_67.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1145672701796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...49/mcfscan.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

spybot found alexa @ C:\WINDOWS\Web\related which is a HTML doc:

VopThis · #2 (**permalink**) 29-04-2006, 03:00 PM

What specific problems are you experiencing, if any? There are no obvious issues showing in your HijackThis log.

You could do some of the following scans if you haven't already done so:

Please do an online scan (scan only tool) with Kaspersky WebScanner

[Internet Explorer required]
Go to Kaspersky website: www.kaspersky.com/virusscanner and click on the Kaspersky Online Scanner BUTTON/BOX.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

You might also want to run this scan as an added check:

[Internet Explorer required]
Place a shortcut to Panda ActiveScan on your desktop (FREE Version is mostly a scan only tool) .

Run the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post a Panda log back here, if anything is reported.

pelquin · #3 (**permalink**) 29-04-2006, 11:31 PM

Quote:

Originally Posted by VopThis

What specific problems are you experiencing, if any? There are no obvious issues showing in your HijackThis log.

You could do some of the following scans if you haven't already done so:

Please do an online scan (scan only tool) with Kaspersky WebScanner

[Internet Explorer required]
Go to Kaspersky website: www.kaspersky.com/virusscanner and click on the Kaspersky Online Scanner BUTTON/BOX.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 29, 2006 3:54:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 29/04/2006
Kaspersky Anti-Virus database records: 190652
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 53685
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:55:43

Infected Object Name / Virus Name / Last Action
E:\System Volume Information\_restore{579A7A78-6451-4AD4-914C-439B5803F11C}\RP37\A0037277.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\System Volume Information\_restore{579A7A78-6451-4AD4-914C-439B5803F11C}\RP37\A0037277.exe/WISE0023.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
E:\System Volume Information\_restore{579A7A78-6451-4AD4-914C-439B5803F11C}\RP37\A0037277.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
E:\System Volume Information\_restore{579A7A78-6451-4AD4-914C-439B5803F11C}\RP37\A0037277.exe WiseSFX: infected - 3 skipped

Scan process completed.

You might also want to run this scan as an added check:

[Internet Explorer required]
Place a shortcut to Panda ActiveScan on your desktop (FREE Version is mostly a scan only tool) .

Run the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post a Panda log back here, if anything is reported.

Incident Status Location

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Admiistrator\Cookies\admiistrator@ads.poi ntroll[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Admiistrator\Cookies\admiistrator@casalem edia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Admiistrator\Cookies\admiistrator@server. iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Admiistrator\Cookies\admiistrator@statcou nter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Admiistrator\Cookies\admiistrator@tribalf usion[2].txt
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smit\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smit\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smitRem\Process.exe

pelquin · #4 (**permalink**) 29-04-2006, 11:34 PM

If hard to understand i will format better..Back problems and I am feeling the pain right now

Thanks A Million

pelquin · #5 (**permalink**) 30-04-2006, 01:28 AM

E:\System Volume Information\_restore{579A7A78-6451-4AD4-914C-439B5803F11C}\RP37\A0037277.exe WiseSFX: infected - 3 skipped

[jeffige & Central]pop ups and trojans, oh my! - Page 2 - Safer ...
EXE WiseSFX: infected - 1 skipped C:\System Volume Information\_restore{A3DAEE03-35CE-4260-BD4C-64466AAA5DE4}\RP694\A0072395.EXE WiseSFX Dropper: infected ...
http://forums.spybot.info/showthread.php?t=3340&page=2 - 93k - Cached - Similar pages

i do not know if this will help but it is similar to the one I have
right?

i'll let you tell me what to do..

thought I would try to help.

VopThis · #6 (**permalink**) 30-04-2006, 04:09 AM

Entries in C:\System Volume Information\_restore FOLDER can generally be addressesd as a last step in the cleanup process.

I see you have used the smitrem fix tool - it is no longer being updated and may now be out-of-date for what has infected your PC.

Please run the following tool instead:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
DO NOT RUN ANY OTHER OPTIONS UNTIL I ASK YOU TO.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Meanwhile you can delete the following FILES or FOLDERS:

C:\Documents and Settings\Admiistrator\Cookies\admiistrator@ads.poi ntroll[1].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@casalem edia[1].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@server. iad.liveperson[1].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@statcou nter[2].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@tribalf usion[2].txt
E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smit
E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smitRem

pelquin · #7 (**permalink**) 03-05-2006, 09:00 AM

Quote:

Originally Posted by VopThis

Entries in C:\System Volume Information\_restore FOLDER can generally be addressesd as a last step in the cleanup process.

I see you have used the smitrem fix tool - it is no longer being updated and may now be out-of-date for what has infected your PC.

Please run the following tool instead:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
DO NOT RUN ANY OTHER OPTIONS UNTIL I ASK YOU TO.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Meanwhile you can delete the following FILES or FOLDERS:

C:\Documents and Settings\Admiistrator\Cookies\admiistrator@ads.poi ntroll[1].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@casalem edia[1].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@server. iad.liveperson[1].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@statcou nter[2].txt
C:\Documents and Settings\Admiistrator\Cookies\admiistrator@tribalf usion[2].txt
E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smit
E:\Documents and Settings12\Jeige\My Documents\hear\4u\fuk\smitRem

SmitFraudFix v2.37

Scan done at 1:44:01.25, Wed 05/03/2006
Run from C:\Documents and Settings\Admiistrator\Local Settings\Temporary Internet Files\Content.IE5\PJGIK3ZD\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admiistrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMIIS~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.sawayalaw.com/Includes/Templates/Active/images/bt_pa-social-security-o.jpg"
"SubscribedURL"="http://www.sawayalaw.com/Includes/Templates/Active/images/bt_pa-social-security-o.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!! Attention, follow keys are not inevitably infected !!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

VopThis · #8 (**permalink**) 03-05-2006, 04:55 PM

SmitFraudFix shows as clean.

If there are no further issues apparent, you can proceed as follows:

To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.

ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that MAY have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. Accordingly and of further note; it is very unsafe to run with admin rights on any PC that you browse the Internet with.

(Windows XP)

Quote:

FOLDER LOCATION: c:\System Volume Information\_restore….

To Turn OFF System Restore.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Click Apply.

REBOOT.

To Turn ON System Restore.

Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
Create new System Restore points.

(Windows ME)

Quote:

FOLDER LOCATION: c:\_RESTORE\TEMP\….

See the following link for instructions:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
- http://www.securityfocus.com/news/11273
  If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.
Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
In addition to using Ad-aware, consider using another free malware scanning/removal program :
Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
Microsoft Windows Defender beta 2 : http://www.download.com/Microsoft-Wi...ml?tag=lst-0-1
Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
*** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
Consider using an alternate free browser for general web surfing but you must use IE for windows updates. The use of Firefox (or similar alternate) mitigates the many types of malware that are now possible when using IE ActiveX based components.
Mozilla Firefox: http://www.mozilla.org/products/firefox/
Consider increasing your browser security by using these programs:
SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
- If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
- IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
  http://www.spywarewarrior.com/uiuc/resource.htm

A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:

Run the HiJackThis tool and select ‘Open the Misc Tools section’.
Next select ‘Open host file manager’ button.
Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.

Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

EXCERPT:

Quote:

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
.
.
.
#end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:
Keep all of these programs up-to-date, and

Use them on a regular basis.