Full Version: SpywareQuake/SpyFalcon
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
jqpsu39
Hi all,

I'm new to this forum. I ran across this place searching for a cure to my PC problem. This forum looks like a great place to learn and find help, so kudos to the creators.

Here's my problem.

I'm having the same problem that calamity jane was describing in her post about SpywareQuake/SpyFalcon. Everything she describes is what is happening to my PC. However, I followed the steps closely and these pests are still on my PC. The only thing I was successful at was recovering my IE homepage. Here is my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 02:51:01 AM, on 07/06/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\CachemanXP\CachemanXP.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Raxco\PerfectDisk\PDSched.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\system32\WgaTray.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\Jamie\LOCALS~1\Temp\Rar$EX01.422\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.108.134.137
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - F:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [KAVPersonal50] "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "F:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Registry Cleaner] "F:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - F:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\Program Files\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - F:\WINDOWS\system32\jevtxpg.dll
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - F:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: kavsvc - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - F:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - F:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


My log from ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:59:32 AM 07/06/06

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{8A406068-D45C-40B9-A096-38AC717FB608} -> Adware.WebDir : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A406068-D45C-40B9-A096-38AC717FB608} -> Adware.WebDir : Cleaned.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A406068-D45C-40B9-A096-38AC717FB608} -> Adware.WebDir : Cleaned.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A406068-D45C-40B9-A096-38AC717FB608} -> Adware.WebDir : Cleaned.
HKU\S-1-5-21-1275210071-1659004503-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A406068-D45C-40B9-A096-38AC717FB608} -> Adware.WebDir : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@cs.-- The nicest hobby on Earth ;) --counter[2].txt -> TrackingCookie.-- The nicest hobby on Earth ;) --counter : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
F:\Documents and Settings\Jamie\Cookies\jamie@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end


Panda Activescan did not give me a report.

Maybe I did something wrong

Any help would be much appreciated

Let me know if you need more info,

thanks a bunch

jq
Bobbi Flekman
Hi jqpsu39,

QUOTE
I'm haveing the same problem that calamity jane was decribing in her post about SpwareQuake/SpyFalcon. Everything she decribes is what is happening to my PC. However, I followed the steps closely and these pests are still on my PC. The only thing I was successful at was recovering my IE homepage. Her is my log from hijackthis:
Let's take a look at it.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How to make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

You have a proxy set to Cox Communications. Is that correct?
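The two things the reply above singles out in the posted log, HijackThis running from a Temp folder and a proxy set to a bare IP address, plus the O21 SSODL entry that loads a DLL with an unfamiliar name, are the kind of lines a helper scans for by hand. The script below is an added example, not code from the thread, from HijackThis or from the forum helpers: it parses HijackThis-style log lines and flags those three patterns for review. The sample lines are copied from the log posted above; the allowlist of "default" SSODL DLLs and the heuristics themselves are assumptions for illustration, and a flag means "look at this", not "this is malware".

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
F:\WINDOWS\System32\smss.exe
F:\DOCUME~1\Jamie\LOCALS~1\Temp\Rar$EX01.422\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.108.134.137
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KAVPersonal50] "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: fairydom - {5839511e-ec1b-4f91-ace3-fb88e52f5239} - F:\WINDOWS\system32\jevtxpg.dll
O23 - Service: kavsvc - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
"""

# "Running processes" lines are bare paths ending in .exe.
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
# Anything executing out of a ...\Temp\... directory.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# R1 ProxyServer entries; the value after "= " is the configured proxy.
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (.+)$")
# A proxy given as a bare IPv4 address (optionally with :port).
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# O21 ShellServiceObjectDelayLoad entries: name - {CLSID} - dll path.
SSODL_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# Assumed allowlist of SSODL DLLs normally present on XP (illustrative, not authoritative).
KNOWN_SSODL_DLLS = {"webcheck.dll", "shell32.dll", "stobject.dll"}


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a review heuristic."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        if PROC_RE.match(line):
            # A tool or unknown binary running from Temp is worth a second look;
            # for HijackThis itself it also means its backups land in Temp.
            if TEMP_PATH_RE.search(line):
                findings.append({"check": "process_in_temp", "line": line})
            continue

        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1).strip()
            # A raw IP proxy may be legitimate (the poster confirms Cox here),
            # but it must be confirmed with the user rather than assumed.
            if IP_RE.match(proxy):
                findings.append({"check": "proxy_is_bare_ip", "line": line, "proxy": proxy})
            continue

        m = SSODL_RE.match(line)
        if m:
            dll = m.group(3).rsplit("\\", 1)[-1].lower()
            # SSODL entries load at every shell start; an unfamiliar DLL name
            # under system32 is a classic place for persistence.
            if dll not in KNOWN_SSODL_DLLS:
                findings.append({"check": "unknown_ssodl_dll", "line": line, "dll": dll})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["check"], "->", f["line"])
```

Run against the sample, it reports the HijackThis.exe path under Temp, the 68.108.134.137 proxy, and the jevtxpg.dll SSODL entry; the rest of the lines (Adobe BHO, Kaspersky Run key and service, WgaLogon) pass the three checks. The allowlist approach is deliberately conservative: it raises entries for a human to judge rather than deciding for them.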
jqpsu39
yes, cox comm.

also, I did the procedure with smitfraud fix and it still didn't get rid of the problem

thanks again

jq
Bobbi Flekman
QUOTE (jqpsu39 @ Jul 6 2006, 09:22 PM)
yes, cox comm.
Ok...

QUOTE
also, I did the procedure with smitfraud fix and it still didn't get rid of the problem
This is only the information gathering phase of the fix... Please do as I asked and post the log it creates, that way we can continue fixing the system.