LandzDown Forum

Hi,
this program seems to have entered my PC and keeps throwing up warning messages.
Also, every minute or so, IE window appears with Page cannot be loaded message ...i need to keep on closing it
If I leave my PC on and I am away for 2 hours, when I return, there are hundreds (maybe thousands) of these windows that have opened.
I have followed Corrines instructions (http://www.landzdown.com/index.php?PHPSESSID=519b6db9982d34a3a334b362b49d00e8&topic=423.msg3030#msg3030) and I am posting my logs 

Please HELP !!!!!
**************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 3:27:26 AM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Symantec Client Security\Symantec AntiVirus\VPC32.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\mshearts.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Documents and Settings\temper.BL4-QLAB-D361\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - D:\Program Files\strCodec\iesplugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFF200~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFF200~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwdb.ops.placeware.com/etc/place/DESK/VADpws-b3s/5.1.8.511/lib/quicksilver.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://home.ep.microsoft.com/NT/ASPX/msrdp.cab
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsm.wipro.com
O17 - HKLM\Software\..\Telephony: DomainName = wsm.wipro.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsm.wipro.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

Hi, samval.  Welcome to LandzDown Forum. 

I suggest you copy the instructions to your desktop or print them as you will not have access to the internet while conducting the cleanup.

A.  Please download/update the following:

• Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip .  Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.
  (https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsiri.urz.free.fr%2FFix%2FBitmaps%2FFolder.png&hash=17b5ae1fffedcc9de5634bbb6c6964768b7ac2f9)
  
• Download CCleaner v1.30.310 - Slim from http://www.ccleaner.com/download/builds.aspx  .  Install it but don't run it yet.
  
• Download ewido anti-spyware from HERE (http://www.ewido.net/en/download/).  Save the file to your desktop so  you can locate it.
  
  
  • Locate the ewido anti-spyware icon on the desktop.
    
  • Double-click the large yellow "e" ewido icon to launch the set up program. 
    
  • The installation will require a restart of the computer.
  Launch ewido to update to the latest definition files.
  
  
  • On the main screen select the "Update" icon
    
  • Click "Start Update".  The update will start and a progress bar will show the updates being installed.
    
  • If you have problems with the updater, you can use this link to manually update ewido --   ewido manual updates (http://www.ewido.net/en/download/updates/)
  ewido settings
  
  
  • Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    
  • In the Settings screen click "Recommended actions" and then select "Quarantine".
    
  • Under "Reports"
    
    
    • Select "Automatically generate report after every scan"
      
    • DE-Select "Only if threats were found"
      
    • close ewido

B.  During this process, please change your settings to show hidden files.  You can change the setting back when the cleanup is completed.

   
• Click Start.
     
• Open My Computer.
     
• Select the Tools menu and click Folder Options.
     
• Select the View Tab.
     
• Under the Hidden files and folders heading select Show hidden files and folders.
     
• Uncheck the Hide protected operating system files (recommended) option.
     
• Click Yes to confirm.
     
• Click OK.

C. Please uninstall the file shown below:

•   Click "start" on the taskbar and then click on the "Control Panel" icon
  
• Please double-click the "Add or Remove Programs" icon
  
• A list of programs installed will be "populated" this may take a bit of time.
  
• In this list please find C:\Program Files\Viewpoint and C:\Program Files\PCODEC
  
• A wizard should then open, which will guide you through the uninstallation.
  
• Delete the folders if not removed.

D.  Please reboot your computer in SafeMode by doing the following:

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  
• Instead of Windows loading as normal, a menu should appear
  
• Select the first option, to run Windows in Safe Mode.

E.  Run CCleaner:

• Close all open programs, including Internet Explorer, Fire Fox and any instances of Windows Explorer.
  
• Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
  
• A pop up box will appear advising this process will permanently delete files from your system.
  
• To protect logon cookies that you wish to retain, under Options > Cookies.  Select and using the arrow move those cookies to the "Cookies to keep" column.
  
• Then select the following items
  
  
  • In the Windows Tab:
    
    
    • Clean all entries in the "Internet Explorer" section.
      
    • Clean all the entries in the "Windows Explorer" section.
      
    • Clean all entries in the "System" section except Windows Log Files.
      
  • In the Applications Tab:
    
    
    • Clean all in the Firefox/Mozilla section if you use it.
      
    • Clean all in the Opera section if you use it.
      
    • Clean Sun Java in the Internet Section.
      
    • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
      
• Click the "Run Cleaner" button and it will scan and clean your system.
  
• Click exit. 
  

F.  Scanning and system cleaning with ewido. 

• Lauch ewido-anti-spyware by double-clicking the icon on the desktop. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.
  
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  
• ewido will now begin the scanning process.  Be patient as this may take a little time.
  
• While scanning, ewido will list any infections found on the left side.
  
• When the scan is completed, the recommended action should be set to Quarantine.  If not click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.
  
• Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
  
• Close ewido.
  

G.  Open the SmitfraudFix folder

• Double-click smitfraudfix.cmd file to start the tool.
  
• Select option #2 - Clean by typing 2 and press Enter.
  Warning : running option #2 on a uninfected computer will remove your Desktop background.
  
• Wait for the tool to complete and disk cleanup to finish.
  
• You will be prompted : "Registry cleaning - Do you want to clean the registry?"
  
  
  • Answer Yes by typing Y
    
  • Hit Enter.
  (https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsiri.urz.free.fr%2FFix%2FBitmaps%2FFix02b.jpg&hash=1ab5a6f4691a5ee5e17959d6a36a299876c5c485)
  
• The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
  
  
  • Answer Yes to the question "Replace infected file?" by typing Y
    
  • Hit Enter.
• A reboot may be needed to finish the cleaning process.  If your computer does not restart automatically please do it yourself manually.
• Restart in Safe Mode as instructed above.
  
• The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

H. Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if found, and press "Fix Checked":

O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - D:\Program Files\strCodec\iesplugin.dll


I've seen where mshearts is valid but there's not much on it.  Do you have the game "hearts" on your computer?  If not, remove this also:

D:\WINDOWS\system32\mshearts.exe



I. Restart in Normal Mode and double-click the HijackThis icon on your desktop.  Choose "Do a system scan and save logfile". 

J.  Post a reply with the following logs:

• C:\rapport.txt
  
• ewido log
  
• HijackThis log
  

Please let us know how things are now.  :rose: