Smitfraud-c.gp Removal Help - Guild Wars Guru archive powered by Guild Wars Legacy

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

15 Oct 2008 at 23:16 - 1

Today I noticed that my university mail (we use B-Mail, it's a version of Gmail for my University) was going very slow. I couldn't really compose mail or read mail. It took it forever to do anything on it. So I ran my virus scanners and on Spybot the virus Smitfraud-c.gp appeared. I ran the smitfraud-c remover in safe mode and everything but it seems to still be there. So I have read other forums and they have all said something about combofix but to never use it without proper instructions. Is there anyone someone knows how to get rid of this virus? All the ways are above me as I am not extremely good at computer problems. So any help would be awesome.

Also I have not downloaded anything or opened any mail that was from someone I didn't know. It just appeared today and like I said I haven't downloaded anything. Thanks in advance for the help.

Here is the Malwarebytes' Anti-Malware log

Quote:

Malwarebytes' Anti-Malware 1.28
Database version: 1274
Windows 5.1.2600 Service Pack 3

10/15/2008 6:49:23 PM
mbam-log-2008-10-15 (18-49-23).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134470
Time elapsed: 53 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 6

Memory Processes Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingenhancer.browserwatcher (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.browserwatcher. 1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.pornpro_bho (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.pornpro_bho.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.precachebrowser host (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingenhancer.precachebrowser host.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{40b2127e-cc18-37d0-43ca-afa158c64001} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\browsingenhancer (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BrowsingEnhancer.DLL (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BrowsingEnhancer (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingEnhancer (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

Files Infected:
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP719\A0091394.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingEnhancer\pcre3.dll (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingEnhancer\uninstall.exe (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

16 Oct 2008 at 00:30 - 2

Please download my Anti-Malware Toolkit and get the Professional package. Then follow the directions in the PC Cleanup guide.

Post a HijackThis log when you finish.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

16 Oct 2008 at 05:17 - 3

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:30 AM, on 10/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16315
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.e xe" /StartupJobs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479MLUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab53083.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab53083.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab53083.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165609791921
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab53852.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab53083.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11556 bytes

HijackThisLog. Hope it helps.

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

16 Oct 2008 at 23:58 - 4

Alrighty, approved the posts out on both threads for hijackthis. System appears to flag them as possibly malicious.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

17 Oct 2008 at 00:47 - 5

Uninstall the following:

Ask toolbar
Java and install the latest. Use JavaRa to clean out the old, leftover versions.
Viewpoint
Windows Defender
Advanced Registry Optimizer

Did SUPERAntiSpyware find items that MBAM missed?

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

17 Oct 2008 at 02:53 - 6

Uninstalled those components and downloaded the neweste Java.

I think SUPER find something MBAM missed but I don't remember exactly what it was. Both find C:\WINDOWS\svchost.exe (Trojan.Agent) and says they remove it but it doesn't seem to fix the problem.

On another note, I can't run FireFox, it won't open. I can run IE, only mail doesn't work, and Opera works, mail works fine there. But I can't run FireFox for some reason.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

17 Oct 2008 at 04:57 - 7

Try Firefox Safe Mode, in case you have a bad extension.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

17 Oct 2008 at 05:23 - 8

I can open FireFox in safe mode.

Also my Symantec is picking up a Hacktool.Rootkit in my C:\WINDOWS\Temp folder. It is under the name Pandrv.sys and Symantec says that it is Clean Security Risk. But it is no longer in the folder, I deleted it and emptied my recycle bin. Symantec still says it is there though.

EDIT: I can get FireFox to open but as soon as it does it closes.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

17 Oct 2008 at 15:28 - 9

If you paid for Symantec, call them and ask for a refund; if they ask why, tell them their product sucks and slowed performance on your computer.

You may want to switch to Avast or AntiVir

As for Firefox, it stays open in safe mode, or closes minutes after opening?

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

17 Oct 2008 at 16:12 - 10

Symantec is free, provided by my University but I am thinking of switching since it really doesn't do anything. Never detects anything on its scans but the other scanners do.

FireFox stays open in safe mode.

I keep being told that my Svchost.exe in C:\Windows is corrupted.

Pariah

Lion's Arch Merchant

Join Date: May 2005

Lords of Cabal

N/

17 Oct 2008 at 16:25 - 11

Free is too much to pay for Symantec. It is a bloated system hog that isn't even reliable.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

17 Oct 2008 at 16:55 - 12

Quote:

Originally Posted by I pwnd U

Symantec is free, provided by my University but I am thinking of switching since it really doesn't do anything. Never detects anything on its scans but the other scanners do.

FireFox stays open in safe mode.

I keep being told that my Svchost.exe in C:\Windows is corrupted.

Okay so you have a bad extension that's causing you trouble. When you do Firefox safe mode you should have the option to create a new profile.I'd recommend doing so. Keep the old profile so you can retrieve your bookmarks in case you can't get them from safe mode.

As far as Symantec > SymNRT

For the problematic svchost. Start > Run > sfc /scannow
Or, you can run SFC scannow from within Dial-a-fix which makes it a lot easier.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

17 Oct 2008 at 23:13 - 13

Okay so now FireFox is working. I am currently posting this through FireFox.

Removed Symantec. Downloaded avast! and it foudn a Win32:Trojan-gen{Other} iin my C:\WINDOWS\svchost.exe. Running the sfc scannow.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

19 Oct 2008 at 17:55 - 14

sfc scannow didn't really say anything, just ran and then closed.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

19 Oct 2008 at 19:42 - 15

When it runs it will replace files from the dllcache folder. All of this is done silently. If the file is not found in the dllcache to will be prompted for your XP cd.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

19 Oct 2008 at 22:14 - 16

I keep getting told I still have the virus. Is there anyway to delete the Svchost.exe and then run that and reinstall it without losing any of my files are screwing up my computer even more?

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

20 Oct 2008 at 03:00 - 17

You can do a sfc /purgecache and if you're using avast, run a boot time scan. That way you reboot after emptying the cache and avast can scan and remove all viruses found.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

20 Oct 2008 at 16:09 - 18

Tried but the virus is still there.

absolutcrobi

Lion's Arch Merchant

Join Date: Jul 2006

Naked Pagans

Rt/Me

20 Oct 2008 at 16:43 - 19

Have you turned off the windows system restore? VIruses love to hide there

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

20 Oct 2008 at 17:41 - 20

You don't need to turn off System Restore. I advise against it because if you need to use a restore point, disabling it will remove them all.

Did the avast boot scan find anything?

Malwarebytes recently updated to 1.29, so you may want to rescan with the new version and also with SUPERAntiSpyware. Do complete scans with both programs.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

20 Oct 2008 at 17:42 - 21

You don't need to turn off System Restore. I advise against it because if you need to use a restore point, disabling it will remove them all.

Did the avast boot scan find anything?

Malwarebytes recently updated to 1.29, so you may want to rescan with the new version and also with SUPERAntiSpyware. Do complete scans with both programs.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

20 Oct 2008 at 18:07 - 22

Ya it found the virus in the Windows folder but could not delete, repair, or move it to the chest.

Updated Malwarebytes and scanning now. Will scan with SUPERAntiSpyware after that.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

20 Oct 2008 at 19:11 - 23

Malwarebytes log

Quote:

Malwarebytes' Anti-Malware 1.29
Database version: 1298
Windows 5.1.2600 Service Pack 3

10/20/2008 2:09:05 PM
mbam-log-2008-10-20 (14-09-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138363
Time elapsed: 58 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Scanning with SUPER now to see if it really got rid of it or not.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

20 Oct 2008 at 19:26 - 24

Since that one is in Windows and not system32, I can recommend that you use Unlocker on it to try and delete it too.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

20 Oct 2008 at 19:28 - 25

Unlocker? Sorry, not sure what that is.

EDIT: NVM, searched it on google. Downloaded it and am waiting for SUPER to finish scanning before I try to delete it.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

21 Oct 2008 at 01:43 - 26

Super found it and it is still there. Trying to delete it now with the Unlocker. Also found the same virus in C:\RECYCLER\S-1-5-21-115661142-etc.

Unlocker says it deleted it but it is still there.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

21 Oct 2008 at 02:09 - 27

Use Safe Mode and Unlocker or FileAssassin (built into MBAM) to try and get rid of the file.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

21 Oct 2008 at 03:16 - 28

Okay so apparently my recycle bin is now also infected. One of the files in that stores the deleted files is infected with it. Can I safely delete it without causing any harm to my computer?

Checked in Safe mode for the Svchost.exe in the Windows folder and it not there. Even searched for it. So I guess that one is gone.

In regular windows it still says it is there but I can't find it in the Windows folder. Found it in search and when scanned with AVast! it says there is a virus, when scanned with Malwarebytes it says it is not infected.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

21 Oct 2008 at 04:18 - 29

You can safely empty it from your Recycle Bin or you can use CCleaner to get rid of it.

I'd like to recommend that you go through your installed programs and look for anything suspicious.

You can also make a new System Restore point and then purge the older points safely using the Disk Cleanup.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

21 Oct 2008 at 04:25 - 30

Well it is still there. I tried to delete the Svchost.exe from Windows but it won't delete. The recycle bin is infected as well, though I think I actually got rid of that one. Haven't had that warning pop up again.

My brother and I are going to reformat my computer tomorrow after we back up my Program Files, Document and Settings, and school work.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

21 Oct 2008 at 04:48 - 31

I honestly wish I could work on this computer and see this virus first hand.

If you can, please put it into a zip file and upload it to VirusTotal. I wouldn't mind getting a copy to test on a box here at home. If you could host it on a file sharing service and send me the link I would appreciate it.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

21 Oct 2008 at 04:56 - 32

If you explain to me exactly how to do that I would gladly do this for you Tarun. Thanks again for all the help you have given me.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

21 Oct 2008 at 16:10 - 33

Since this virus is residing in C:\Windows it should be easy to do.

For VirusTotal:
Click Browse and then navigate to your Windows directory and find the svchost.exe file. Select it and click Open. Next, in your browser click Submit.

Navigate to your Windows directory and find the svchost.exe file. Pack it into a zip archive. After that, move the zip to your desktop and go to a file sharing host like Rapidshare. Upload the file and copy the link provided. You can then PM me the link and I'll let you know if it worked.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

21 Oct 2008 at 21:27 - 34

PM sent to you Tarun.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

21 Oct 2008 at 22:10 - 35

Here's the virustotal results.

http://www.virustotal.com/analisis/0...d0bd3df16531ef

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

21 Oct 2008 at 22:55 - 36

So from the looks of it the ones that detected it detected it as a Trojan virus. So I assume that is what it is infected?

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

22 Oct 2008 at 00:24 - 37

Indeed. Seems it's more a keylogger/password stealer. An offline cleaning (Internet unplugged) may help to stop it and remove it properly.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

22 Oct 2008 at 00:44 - 38

Ah, good thing I never logged into Guild Wars than.