PLEASE HELP!!!! - topsecuritysite.net/ has taken over my web browser!!

Discussion in 'Windows - Virus and spyware problems' started by bouzios, Jun 16, 2006.

  1. bouzios

    bouzios Member

    Joined:
    Jun 16, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Please help!!!!!
    I'm completely lost as to what I can do to rid my browser of topsecuritysite.net

    I was originally infected with spywarequake (managed to remove this) but at the same time got infected with topsecuritysite.net I'm very new to all this, if anyone has the patience to help, it would be much appreciated!

    Is there a correlation between spywarequake & topsecurity.net??

    I have adaware installed on my computer and zone alarm

    PLEASE HELP!! THANK YOU!!
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi, please post a HijackThis log to here and we'll get you cleaned.

    Instructions for HjT posting -> http://forums.afterdawn.com/thread_view.cfm/263784
    (steps 3-5)

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

    Post the contents of this textfile to here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
     
  3. bouzios

    bouzios Member

    Hi JapK!

    Thanks so much for your help
    Since my last entry somehow topsecuritysite.net has disappeared from my browser. I am still infected by a number of popups and error messages that seem to be related to the original infection of spywarequake and topsecurity.net.

    I have done as requested, please see the logs below
    I also ran a spysweeper scan and I have also posted the log below, hope it helps!

    Thanks again for all your help!

    SPYSWEEPER RESULTS
    Adware found: virtumonde
    Trojan Horse found: trojan agent winlogonhook
    Adware found: security2k hijacker
    Adware found: popuper
    Spy Cookie found: atlas dmt cookie
    Trojan Horse found: trojan-downloader-aux
    Full Sweep has completed. Elapsed time 00:37:12
    Traces Found: 35

    HIJACKTHIS LOG
    Logfile of HijackThis v1.99.1
    Scan saved at 2:07:07 PM, on 17/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Lexmark 6200 Series\lxbumon.exe
    C:\Program Files\Lexmark 6200 Series\ezprint.exe
    C:\Program Files\D-Link\DSL-200\dslstat.exe
    C:\Program Files\D-Link\DSL-200\dslagent.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\WINDOWS\system32\lxbucoms.exe
    D:\Program Files\Spy Sweeper\SpySweeper.exe
    D:\Program Files\Spy Sweeper\WRSSSDK.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O1 - Hosts: AmsServer
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxywvu.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/MaxisHotDateTeleX.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142063360078
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{40AB8E10-22BE-47AA-8F24-4E3D30C2E158}: NameServer = 203.50.2.71 139.130.4.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{40AB8E10-22BE-47AA-8F24-4E3D30C2E158}: NameServer = 203.50.2.71 139.130.4.4
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: byxywvu - C:\WINDOWS\SYSTEM32\byxywvu.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


    SMITFRAUDFIX LOG
    SmitFraudFix v2.61

    Scan done at 13:55:52.35, Sat 17/06/2006
    Run from C:\Documents and Settings\Debbie\Desktop\smithfraud
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Debbie\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DEBBIE\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    THANKS AGAIN!!
    BOUZIOS
     
  4. JaPK

    JaPK Regular member

    Hi again bouzios, let's get you cleaned...

    You're using the ZoneAlarm version that includes an antivirus, right?

    Cleaning instructions:

    Disable SpySweeper realtime protections because it may hinder the cleaning, instructions -> http://wiki.castlecops.com/Malware_...able_Real_Time_Monitoring_Programs#SpySweeper

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer in Safe Mode -> http://www.pchell.com/support/safemode.shtml

    Delete these files (if found):
    C:\WINDOWS\SYSTEM32\winzoa32.dll

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin and make your hidden files visible again.

    Restart your computer normally.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
     
  5. bouzios

    bouzios Member

    Hi JaPk

    Thanks for your very clear instructions! I followed them and have posted the logs below

    I had a small problem deleting the file winzoa32.dll from System32 directory, it gave me an error "access denied due to file in use by a program" or something along those lines. Anyhow, I right clicked on it and did a scan with ewido and it removed the file. Hope that is ok! I have attached the small log generated when I did this

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 5:25:33 PM, 17/06/2006
    + Report-Checksum: 909A6FE0

    + Scan result:

    C:\WINDOWS\system32\winzoa32.dll -> Trojan.Agent.qt : Cleaned with backup


    ::Report End

    Below are the logs you requested...

    Do you think I have finally rid myself of the problem?

    Thanks so much for your time and help!
    Bouzios


    HIJACKTHIS
    Logfile of HijackThis v1.99.1
    Scan saved at 9:25:35 PM, on 17/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\eWIDO\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\eWIDO\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Lexmark 6200 Series\lxbumon.exe
    C:\Program Files\Lexmark 6200 Series\ezprint.exe
    C:\Program Files\D-Link\DSL-200\dslstat.exe
    C:\Program Files\D-Link\DSL-200\dslagent.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\system32\lxbucoms.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O1 - Hosts: AmsServer
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/MaxisHotDateTeleX.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142063360078
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winzoa32 - winzoa32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\eWIDO\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\eWIDO\ewido anti-malware\ewidoguard.exe
    O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


    EWIDO LOG
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:16:21 PM, 17/06/2006
    + Report-Checksum: F0DA1220

    + Scan result:

    HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
    [276] C:\WINDOWS\system32\winzoa32.dll -> Trojan.Agent.qt : Error during cleaning
    [1092] C:\WINDOWS\TEMP\winA.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\system32\f1c56988.exe -> Downloader.Obfuscated.a : Cleaned with backup
    C:\WINDOWS\system32\byxywvu.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINDOWS\system32\__delete_on_reboot__winzoa32.dll -> Trojan.Agent.qt : Cleaned with backup
    C:\WINDOWS\Temp\winA.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winF.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win10.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win19.tmp.exe -> Downloader.Small.cvw : Cleaned with backup
    C:\WINDOWS\Temp\win1F.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\Cache\E3DD20ABd01 -> Trojan.Agent.vg : Cleaned with backup
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\Cache\C7D61483d01 -> Trojan.Agent.vg : Cleaned with backup
    C:\Documents and Settings\Debbie\Local Settings\Application Data\f1c56988.exe -> Downloader.Obfuscated.a : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\v3f7rlqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Alexis\Local Settings\Temporary Internet Files\Content.IE5\KL2NKXQN\srvewh[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Alexis\Local Settings\Temporary Internet Files\Content.IE5\K0F7VW5G\srvnup[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Alexis\Application Data\Mozilla\Firefox\Profiles\32ttfb9n.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
    C:\Program Files\Cowabanga\Cowabanga.exe -> Adware.MediaTicket : Cleaned with backup
    C:\System Volume Information\_restore{C6174862-F908-49C1-A35C-2FA1940B5F23}\RP89\A0022936.exe -> Downloader.Zlob.sr : Cleaned with backup
    C:\System Volume Information\_restore{C6174862-F908-49C1-A35C-2FA1940B5F23}\RP90\A0023239.dll -> Not-A-Virus.Hoax.Win32.Renos.dp : Cleaned with backup
    C:\System Volume Information\_restore{C6174862-F908-49C1-A35C-2FA1940B5F23}\RP92\A0023425.exe -> Downloader.Zlob.td : Cleaned with backup
    C:\System Volume Information\_restore{C6174862-F908-49C1-A35C-2FA1940B5F23}\RP92\A0023426.exe -> Trojan.Small : Cleaned with backup
    C:\System Volume Information\_restore{C6174862-F908-49C1-A35C-2FA1940B5F23}\RP93\A0023685.exe -> Trojan.Agent.vg : Cleaned with backup
    C:\System Volume Information\_restore{C6174862-F908-49C1-A35C-2FA1940B5F23}\RP93\A0023689.exe -> Trojan.Agent.vg : Cleaned with backup

    ::Report End
     
  6. bouzios

    bouzios Member

    JaPk

    ...I forgot to mention that ZONE ALARM is the antivirus and antispyware version - Security Suite!

    Thanks
    Bouzios
     
  7. JaPK

    JaPK Regular member

    Ok looking quite good...

    Fix this entry with HijackThis:

    O20 - Winlogon Notify: winzoa32 - winzoa32.dll (file missing)

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Run ATF Cleaner -> Check select all -> Press Empty selected

    Reboot your computer.

    Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml

    Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

    You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

    DON'T choose Rename if something was found!

    Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)


    Post the following logs to here:
    -> a fresh HjT log
    -> blacklights log
    -> contents of C:\vundofix.txt
     
    Last edited: Jun 17, 2006
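
The before/after comparison behind the "(file missing)" fix requested above, as an added example that is not part of the thread or of HijackThis itself: it parses two HijackThis logs, reports which registrations disappeared between scans, and lists entries that still point at a deleted file. The names `Entry`, `parse_log` and `compare` are hypothetical; the sample lines are excerpted from the logs posted earlier in this thread.

```python
import re
from dataclasses import dataclass

# A HijackThis result line is "<section code> - <details>", e.g. "O20 - Winlogon Notify: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Entry:
    code: str   # section code such as O2 (BHO), O4 (autorun), O20 (Winlogon Notify)
    body: str   # everything after "<code> - "

    @property
    def key(self):
        # Heuristic (assumption of this example): the last " - " field is the
        # target file or URL. Dropping it lets the same registration match
        # across scans even when its target changed to "(file missing)".
        head = self.body.rsplit(" - ", 1)[0]
        return (self.code, head.lower())

    @property
    def file_missing(self):
        return self.body.rstrip().endswith(MISSING)


def parse_log(text):
    """Return the result entries of a HijackThis log, in log order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def compare(before_text, after_text):
    """Diff two scans: what was removed, added, changed, or left orphaned."""
    before = {e.key: e for e in parse_log(before_text)}
    after = {e.key: e for e in parse_log(after_text)}
    return {
        "removed": [before[k] for k in before if k not in after],
        "added": [after[k] for k in after if k not in before],
        "changed": [(before[k], after[k]) for k in before
                    if k in after and before[k].body != after[k].body],
        # Registry entries whose file is gone: candidates for "Fix checked".
        "orphaned": [e for e in after.values() if e.file_missing],
    }


# Excerpt of the first log in this thread (2:07 PM scan).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxywvu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxywvu - C:\WINDOWS\SYSTEM32\byxywvu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll
"""

# Excerpt of the second log in this thread (9:25 PM scan, after cleaning).
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzoa32 - winzoa32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\eWIDO\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    report = compare(BEFORE, AFTER)
    for e in report["removed"]:
        print("removed :", e.code, "-", e.body)
    for e in report["added"]:
        print("added   :", e.code, "-", e.body)
    for old, new in report["changed"]:
        print("changed :", old.code, "-", old.body, "=>", new.body)
    for e in report["orphaned"]:
        print("orphaned:", e.code, "-", e.body)
```

An orphaned entry is not proof of infection on its own: the `msnim` protocol handler is reported as missing in both scans, while the `winzoa32` entry became orphaned only after its DLL was cleaned.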
  8. bouzios

    bouzios Member

    Hi JaPk

    ok...here are the logs you requested

    Good news (...I think!) no hidden files were found when I ran the scan on Blacklights

    Thanks for your prompt replies!

    HjT LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 11:12:02 PM, on 17/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\eWIDO\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\eWIDO\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Lexmark 6200 Series\lxbumon.exe
    C:\Program Files\Lexmark 6200 Series\ezprint.exe
    C:\Program Files\D-Link\DSL-200\dslstat.exe
    C:\Program Files\D-Link\DSL-200\dslagent.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\lxbucoms.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O1 - Hosts: AmsServer
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/MaxisHotDateTeleX.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142063360078
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\eWIDO\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\eWIDO\ewido anti-malware\ewidoguard.exe
    O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


    BLACKLIGHTS LOG

    06/17/06 23:06:39 [Info]: BlackLight Engine 1.0.37 initialized
    06/17/06 23:06:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/17/06 23:06:39 [Note]: 7019 4
    06/17/06 23:06:39 [Note]: 7005 0
    06/17/06 23:06:53 [Note]: 7006 0
    06/17/06 23:06:53 [Note]: 7011 1628
    06/17/06 23:06:53 [Note]: 7026 0
    06/17/06 23:06:53 [Note]: 7026 0
    06/17/06 23:07:02 [Note]: FSRAW library version 1.7.1015
    06/17/06 23:07:20 [Note]: 2000 1006
    06/17/06 23:07:50 [Note]: 7007 0

    VUNDOFIX TEXT

    VundoFix V4.2.84

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Sun Java not detected
    Scan started at 5:12:05 PM 17/06/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\byxywvu.dll

    Attempting to delete C:\WINDOWS\system32\byxywvu.dll
    C:\WINDOWS\system32\byxywvu.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!
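
A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original post and not from HijackThis itself. The sample lines are copied from that log; the function names, section labels and the four review rules are assumptions chosen for illustration, and a note means "verify this entry", not "this entry is malicious".

```python
import re

# What each HijackThis section code seen in the log above lists.
SECTIONS = {
    "R0": "IE start page", "O1": "Hosts file entry",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE button or Tools item", "O16": "downloaded ActiveX control",
    "O18": "extra protocol handler", "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "NT service",
}
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
FULL_PATH = re.compile(r"[A-Za-z]:\\")  # drive-letter path anywhere in the entry

# Constructed sample: six entries copied from the log above plus one
# running-process line, which the parser must skip.
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

def parse(log_text):
    """Return (code, detail) for every section entry; other lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def triage(log_text):
    """Return (code, section, detail, notes) for each entry in the log."""
    rows = []
    for code, detail in parse(log_text):
        notes = []
        if "(file missing)" in detail:
            notes.append("target file missing")
        if code == "O23" and "Unknown owner" in detail:
            notes.append("no company name reported for service binary")
        if code == "O4" and not FULL_PATH.search(detail):
            notes.append("command has no full path")
        if code == "O20" and "Winlogon Notify" in detail:
            notes.append("DLL is loaded by winlogon.exe")
        rows.append((code, SECTIONS.get(code, "unknown section"), detail, notes))
    return rows

if __name__ == "__main__":
    for code, section, detail, notes in triage(SAMPLE):
        if notes:
            print(f"{code:<4}{section}: {detail}\n      -> {'; '.join(notes)}")
```
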




     
  9. JaPK

    JaPK Regular member

    Hi bouzios, you're clean now :)

    Now that you're clean, here are some tips on how to stay clean.

    -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
    This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

    -> Use CCleaner -> http://www.ccleaner.com
    Download and install CCleaner. Clean your registry and temporary files with it regularly.

    -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
    Download and install Ad-Aware. Update it and scan your computer regularly with it.

    -> Use Ewido -> http://www.ewido.net/en
    Download and install Ewido. Update it and scan your computer regularly with it.

    -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster will prevent spyware from being installed to your computer.

    -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
    This prevents your computer from connecting to harmful sites.

    -> Change your browser to Firefox -> http://www.mozilla.org
    Firefox is a faster, safer and quicker browser than Internet Explorer.

    -> Keep your system up-to-date -> http://windowsupdate.microsoft.com
    Visit Windows Update regularly.

    -> Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
    So how did I get infected in the first place?

    Stay clean ;)
     
  10. bouzios

    bouzios Member

    Hi JaPk

    Thanks for all your help and very prompt replies! Couldn't have done it without you and best of all...I've learnt so much about it all

    I will take on board your advice and have already begun using Mozilla as my browser! It's great

    I will endeavour to stay clean!

    Cheers & thanks again
    Bouzios
     
  11. JaPK

    JaPK Regular member

    You're welcome :)
     
