Avast! tells me that my PC has a Win32:Zlob-BN infection but is unable to remove it. ZoneAlarm tells me that gdnFR2218.exe keeps trying to access the internet - destination IP 207.226.177.100:HTTP. Please help me remove this malware. Below I have posted the HijackThis v1.99.1 logfile and the SmitFraudFix v2.61 rapport.txt file.

Thanks,
Ben.

===============

Logfile of HijackThis v1.99.1
Scan saved at 22:17:59, on 16/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Security\Avast4\aswUpdSv.exe
C:\Program Files\Security\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Security\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Navigator Mouse\moffice.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Navigator Mouse\MOUSE32A.DAT
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINNT\system32\dcomcfg.exe
C:\Program Files\Security\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINNT\system32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Navigator Mouse\moffice.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Security\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {01646B0A-A89F-071D-1394-79AB5216331B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {049DDF22-C1CF-1C3A-BA03-290D0C4B7979} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {04DCBC7F-FB6A-4D4F-4041-53C663D2AFE1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {080FA756-3717-3676-5B21-4E8D424D8CBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0D685D55-5609-3880-713B-75A27D69F272} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0E6EB687-6AF9-1857-53A8-7C472DC3E03B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0F24DF64-DD0D-0A14-E71A-688F41C876DF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {124F4AC9-0815-683E-4B75-0901623862DA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13A145F3-F6AB-6EF4-3A77-3FBC5E8B1C00} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13C7B206-B5B7-390B-35F0-6B3C27797481} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {177F568D-CAC1-0A48-6A27-5F265CDE7D70} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1B014A0C-D63E-7ADA-4CA7-21586DD84B95} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1DC4D46F-D5FB-02B8-B034-3BE343D014D5} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {20CC6DA2-5509-453E-F80B-68B1263EF9EE} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {21F96F99-5392-55D4-1A84-31375DBB3D08} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2497FB97-A73E-037C-EA5E-7D972FDAA0F9} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {25DD802C-B498-4C07-ECDC-61C751C593D3} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {28EC9BCF-BC52-2DB3-20AE-4DB715818A56} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {29E6A309-77D0-0F3A-E286-6AF90EB6A6E6} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2A087A7B-ED38-3515-83CF-627577E9103E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D88BCE8-8795-4413-09F6-164602F1F8F7} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2D986652-3037-5BBD-6A80-5DBE40F93C27} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {32E71B8D-2F1F-1510-F8E6-2AAA3E5A403A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3327B3A8-D69F-5352-93A9-118611E43AED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {34D61ED8-F222-6E4F-8D7C-73407BC0BC87} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D293E2E-1CBE-7C40-5C4F-60DA43883650} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D4217C1-204F-6744-B03F-6CE650A0510A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {421097F7-046F-1B24-972C-334866DB2338} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {434003B9-8AED-536F-D372-04927B45DA38} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {475CE4D9-1403-66BD-6D73-017568C22E1E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4A11E64E-E2BD-6DF4-5316-03BE3DC8DEC1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C7E925C-7967-1ED9-CD1E-264176A2B6ED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C997C28-FD00-6A61-AF86-76D6710B78A1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4FF3E0DC-CBAB-678A-133F-66391CC4DEEB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {527F5534-E203-135E-396C-78ED1464BE36} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {53320E56-E5F5-539F-66F4-1F7E265BA8CB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {54E97A32-36CB-5FD2-E20C-77CB01E263A2} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {581E2C86-0348-122D-F9C3-25953B6EA36C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {589D1D1C-6BD9-02E7-733A-7A26188ACCC0} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {59B9A677-C49B-31C8-5431-1755136CF6F1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {5FBAD680-5E1D-5B6D-B460-34941ED7BF53} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {62891EA9-1166-288A-A75F-660C0B4ECC84} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {63856EE3-316A-68F0-5EDE-587D5309306B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {64AF3094-76E3-5912-B58D-4AE70BB12EBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {660F34D7-6905-4B6B-387D-348B0C87AAE4} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {66729FFC-3BD2-149A-1EF8-3D804CBAB71F} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6B4ECAEF-DE69-4627-0C06-520B42478EAA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6E0CEA27-E34D-4F6C-12A9-35BA6E19070C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {735D1EA0-45CB-0003-A2B3-359C1222DEAF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7CACFCCF-7C28-6C25-635E-545628332004} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Security\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Security\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Security\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

===============

SmitFraudFix v2.61

Scan done at 22:37:23.49, Fri 16/06/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\hp???.tmp FOUND !
C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\regperf.exe FOUND !
C:\WINNT\system32\simpole.tlb FOUND !
C:\WINNT\system32\stdole3.tlb FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
Hi bencon

Fix with HjT (do a system scan only, checkmark these and press fix checked):

O16 - DPF: {01646B0A-A89F-071D-1394-79AB5216331B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {049DDF22-C1CF-1C3A-BA03-290D0C4B7979} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {04DCBC7F-FB6A-4D4F-4041-53C663D2AFE1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {080FA756-3717-3676-5B21-4E8D424D8CBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0D685D55-5609-3880-713B-75A27D69F272} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0E6EB687-6AF9-1857-53A8-7C472DC3E03B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0F24DF64-DD0D-0A14-E71A-688F41C876DF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {124F4AC9-0815-683E-4B75-0901623862DA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13A145F3-F6AB-6EF4-3A77-3FBC5E8B1C00} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13C7B206-B5B7-390B-35F0-6B3C27797481} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {177F568D-CAC1-0A48-6A27-5F265CDE7D70} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1B014A0C-D63E-7ADA-4CA7-21586DD84B95} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1DC4D46F-D5FB-02B8-B034-3BE343D014D5} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {20CC6DA2-5509-453E-F80B-68B1263EF9EE} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {21F96F99-5392-55D4-1A84-31375DBB3D08} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2497FB97-A73E-037C-EA5E-7D972FDAA0F9} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {25DD802C-B498-4C07-ECDC-61C751C593D3} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {28EC9BCF-BC52-2DB3-20AE-4DB715818A56} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {29E6A309-77D0-0F3A-E286-6AF90EB6A6E6} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2A087A7B-ED38-3515-83CF-627577E9103E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2D88BCE8-8795-4413-09F6-164602F1F8F7} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2D986652-3037-5BBD-6A80-5DBE40F93C27} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {32E71B8D-2F1F-1510-F8E6-2AAA3E5A403A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3327B3A8-D69F-5352-93A9-118611E43AED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {34D61ED8-F222-6E4F-8D7C-73407BC0BC87} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D293E2E-1CBE-7C40-5C4F-60DA43883650} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D4217C1-204F-6744-B03F-6CE650A0510A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {421097F7-046F-1B24-972C-334866DB2338} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {434003B9-8AED-536F-D372-04927B45DA38} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {475CE4D9-1403-66BD-6D73-017568C22E1E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4A11E64E-E2BD-6DF4-5316-03BE3DC8DEC1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C7E925C-7967-1ED9-CD1E-264176A2B6ED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C997C28-FD00-6A61-AF86-76D6710B78A1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4FF3E0DC-CBAB-678A-133F-66391CC4DEEB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {527F5534-E203-135E-396C-78ED1464BE36} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {53320E56-E5F5-539F-66F4-1F7E265BA8CB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {54E97A32-36CB-5FD2-E20C-77CB01E263A2} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {581E2C86-0348-122D-F9C3-25953B6EA36C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {589D1D1C-6BD9-02E7-733A-7A26188ACCC0} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {59B9A677-C49B-31C8-5431-1755136CF6F1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {5FBAD680-5E1D-5B6D-B460-34941ED7BF53} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {62891EA9-1166-288A-A75F-660C0B4ECC84} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {63856EE3-316A-68F0-5EDE-587D5309306B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {64AF3094-76E3-5912-B58D-4AE70BB12EBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {660F34D7-6905-4B6B-387D-348B0C87AAE4} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {66729FFC-3BD2-149A-1EF8-3D804CBAB71F} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6B4ECAEF-DE69-4627-0C06-520B42478EAA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6E0CEA27-E34D-4F6C-12A9-35BA6E19070C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {735D1EA0-45CB-0003-A2B3-359C1222DEAF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {7CACFCCF-7C28-6C25-635E-545628332004} - http://85.255.113.214/1/gdnFR2218.exe

Please download ewido anti-malware; it is a free version of the program -> http://www.ewido.net/en/download/

1. Install ewido anti-malware
2. When installing, under "Additional Options" uncheck..
   * Install background guard
   * Install scan via context menu
3. Launch ewido, there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
6. You will need to update ewido to the latest definition files.
   * On the left hand side of the main screen click update.
   * Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates -> http://download.ewido.net/ewido-signatures-full-current.exe
Make sure to close Ewido before installing the update.

Once the updates are installed do the following:

Reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Then launch ewido:
* Click on scanner
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Reboot back to normal mode

Send ewido report, a fresh HjT log and contents of c:\rapport.txt
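The triage kemisti does by hand on Ben's log (pick out every O16 entry that fetches the same executable from a bare IP address, note the BHO loaded from a .tmp file, note the services whose binaries are missing) can be scripted. The following is an added example written for this thread; it is not a tool from the thread or from the HijackThis project. It parses the HijackThis v1.99.1 line format shown above, and the "suspicious" heuristics and the CLSID threshold are my own choices. The sample lines are copied from Ben's first log; the original has about fifty identical O16 lines, of which three are kept here.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not a tool from the thread).

Groups O16 (DPF / ActiveX download) entries by their source URL and flags the
patterns the log above shows: many throw-away CLSIDs all pointing at one .exe on a
bare IP address, a BHO (O2) loaded from a .tmp file, and O23 services whose
binary is missing. Heuristics and thresholds are this example's own choices.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: a handful of lines copied from the HijackThis log posted earlier in
# this thread (the original has about fifty identical O16 lines).
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINNT\system32\hp100.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\Avast4\ashDisp.exe
O16 - DPF: {01646B0A-A89F-071D-1394-79AB5216331B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {049DDF22-C1CF-1C3A-BA03-290D0C4B7979} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {04DCBC7F-FB6A-4D4F-4041-53C663D2AFE1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O16_RE = re.compile(r"^O16 - DPF: (" + CLSID + r")(?: \((.*?)\))? - (\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (" + CLSID + r") - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_o16(log):
    """Map each download URL to the list of CLSIDs that reference it."""
    by_url = defaultdict(list)
    for line in log.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            clsid, _name, url = m.groups()
            by_url[url].append(clsid.upper())
    return dict(by_url)


def suspicious_o16(log, min_clsids=3):
    """Return (url, clsids, reasons) for every URL that trips a heuristic.

    Heuristics (chosen to match what the log above shows):
      * the host is a bare IPv4 address rather than a vendor domain
      * the object is a raw .exe rather than a .cab
      * at least `min_clsids` distinct CLSIDs point at the same URL, which is how
        one download ends up hidden behind dozens of O16 entries
    """
    findings = []
    for url, clsids in parse_o16(log).items():
        parts = urlparse(url)
        distinct = sorted(set(clsids))
        reasons = []
        if IPV4_HOST.match(parts.hostname or ""):
            reasons.append("bare IP host")
        if parts.path.lower().endswith(".exe"):
            reasons.append("direct .exe download")
        if len(distinct) >= min_clsids:
            reasons.append(f"{len(distinct)} CLSIDs share one URL")
        if reasons:
            findings.append((url, distinct, reasons))
    return findings


def fix_list(log):
    """The O16 lines a helper would ask the user to checkmark and fix in HijackThis."""
    bad_urls = {url for url, _, _ in suspicious_o16(log)}
    out = []
    for line in log.splitlines():
        m = O16_RE.match(line.strip())
        if m and m.group(3) in bad_urls:
            out.append(line.strip())
    return out


def tmp_bhos(log):
    """Paths of O2 BHO entries whose module is a .tmp file, as in the log above."""
    out = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m and m.group(3).lower().endswith(".tmp"):
            out.append(m.group(3))
    return out


def missing_services(log):
    """Names of O23 services whose binary HijackThis reports as missing."""
    out = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m and "(file missing)" in m.group(3):
            out.append(m.group(1))
    return out


if __name__ == "__main__":
    for url, clsids, reasons in suspicious_o16(SAMPLE_LOG):
        print(f"{url}: {', '.join(reasons)}")
    print("Fix with HijackThis:")
    for line in fix_list(SAMPLE_LOG):
        print("  " + line)
    print("BHOs loaded from .tmp files:", tmp_bhos(SAMPLE_LOG))
    print("Services with missing binaries:", missing_services(SAMPLE_LOG))
```

Run against a full log, the script prints the same O16 list kemisti pasted above and leaves the vendor-hosted .cab scanners (Symantec, Trend Micro, CA, F-Secure) alone, because they fail all three heuristics. The CLSID count alone is a weak signal on its own (a legitimate control is registered once), which is why the script combines it with the host and file-type checks rather than relying on any one of them.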
Hi kemisti,

Thanks for taking the time to read my logs and post a set of instructions. Here is the output. Is the PC now clean?

Ben

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:18:52, 17/06/2006
+ Report-Checksum: 809E1BE8

+ Scan result:

No infected objects found.

::Report End

==========

Logfile of HijackThis v1.99.1
Scan saved at 15:26:17, on 17/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Security\Avast4\aswUpdSv.exe
C:\Program Files\Security\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Security\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Navigator Mouse\moffice.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Navigator Mouse\MOUSE32A.DAT
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Security\Avast4\ashMaiSv.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Navigator Mouse\moffice.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Security\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Security\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Security\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Security\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

==========

SmitFraudFix v2.61

Scan done at 14:23:38.80, Sat 17/06/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

==========
Looking good, yes. Java update is needed, though:

Go here: http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install.

Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 1.
Hi kemisti,

Many thanks for your help my friend. My computer is behaving itself once again. Thanks also for the tip about the JRE update which I've now installed. I also added the 'NoScript' plug-in to Firefox. Keep up the good work.

Regards,
Ben