I am helping my uncle remove some ungodly amounts of virus',spyware,bho's etc etc....I have already ran AVG and Spybot and installed Zone Alarm. I know its still infected! There is a program that keeps popping up telling that your computer is infected and then promptly takes you to a web site to buy a bucnh of ant-spyware/antivrus stff....try goin to another site, I dare you. You will end back up where you began! I belive the program is 09e01f9c.exe but I couldn't find much info! There is probly more I'm not aware of. Anyway here is my Hijackthis log file...
Logfile of HijackThis v1.99.1
Scan saved at 9:51:15 AM, on 7/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\09e01f9c.exe
C:\WINDOWS\System32\ismon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
E:\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Win TaskLoader] msgmr.exe
O4 - HKLM\..\Run: [09e01f9c.exe] C:\WINDOWS\System32\09e01f9c.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Win TaskLoader] msgmr.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [09e01f9c.exe] C:\Documents and Settings\kesler young\Local Settings\Application Data\09e01f9c.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [Win TaskLoader] msgmr.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\msmngrs.exe (file missing)
Thanks in advance!
Full Version: I'm infected and know I am...Hijackthis log!
SpywareQuake and SpyFalcon belong to the Smitfraud family of desktop hijackers that pop up over the desktop or gives an alert from the taskbar near the clock and displays a warning message that your computer is infected with spyware and telling you to buy/download/install their program. These warnings are fake and are a goad to have you buy the commercial version of this software. This version is slightly different than the previous variants (SpywareStrike, SpyAxe,etc.) in that the alerts do not look like Windows Security alerts but are rather a square that appears from your taskbar. An example of this alert is below:
Other Smitfraud variants include:
Security IGuard
Virtual Maid
Search Maid
AntiVirusGold
PSGuard
RazeSpyware
SpyAxe
SpySheriff
SpywareStrike
WinHound
SpywareQuake/SpyFalcon/Smitfraud Removal
Note: These instructions are only for Windows 2000, XP Home, XP Pro, & 2003.
The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.
1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)
2. Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
3. Windows 2000/XP/2003 (includes Ewido)
Download, install, and update Ewido AntiMalware (get the free trial version)
http://www.ewido.net/en/download/
a. Install Ewido AntiMalware
b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it.
c. The program will prompt you to update click the OK button
d. The program will now go to the main screen
e. On the left hand side of the main screen click on Update
f. Click on Start. The update will start and a progress bar will show the updates being installed.
g. Do not scan yet. We'll do that later in SAFE MODE
4. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
5. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.
6. Reboot into Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
7. Once in safe mode, start Ewido AntiMalware
a. Click on scanner
b. Click on *complete system scan*
c. Let the program scan the machine.
d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)
Click OK.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
........................
For Win98/ME users, please scan with Adaware (full system scan) and let it remove any infected files found.
8. Exit the program and reboot back to normal mode.
9. Get a free online AV scan at Panda's ActiveScan
Let it remove any infected files found, and when it finishes save the log at the end to post back here. Y
Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm
(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)
10. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier and the Panda report. We will also need the log from Smitrem: The tool will create a log named rapport/txte in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your new topic. Logs needed in your post are:
rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed
Ewido Scan report
Panda ActiveScan report
Fresh HijackThis log
Other Smitfraud variants include:
Security IGuard
Virtual Maid
Search Maid
AntiVirusGold
PSGuard
RazeSpyware
SpyAxe
SpySheriff
SpywareStrike
WinHound
SpywareQuake/SpyFalcon/Smitfraud Removal
Note: These instructions are only for Windows 2000, XP Home, XP Pro, & 2003.
The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.
1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)
2. Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
3. Windows 2000/XP/2003 (includes Ewido)
Download, install, and update Ewido AntiMalware (get the free trial version)
http://www.ewido.net/en/download/
a. Install Ewido AntiMalware
b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it.
c. The program will prompt you to update click the OK button
d. The program will now go to the main screen
e. On the left hand side of the main screen click on Update
f. Click on Start. The update will start and a progress bar will show the updates being installed.
g. Do not scan yet. We'll do that later in SAFE MODE
4. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
5. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.
6. Reboot into Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
7. Once in safe mode, start Ewido AntiMalware
a. Click on scanner
b. Click on *complete system scan*
c. Let the program scan the machine.
d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)
Click OK.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
........................
For Win98/ME users, please scan with Adaware (full system scan) and let it remove any infected files found.
8. Exit the program and reboot back to normal mode.
9. Get a free online AV scan at Panda's ActiveScan
Let it remove any infected files found, and when it finishes save the log at the end to post back here. Y
Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm
(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)
10. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier and the Panda report. We will also need the log from Smitrem: The tool will create a log named rapport/txte in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your new topic. Logs needed in your post are:
rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed
Ewido Scan report
Panda ActiveScan report
Fresh HijackThis log
This is what I suspected! I wasnt sure though...I thought it could possibly be a combo of a BHO and somthing else. Until I knew for sure I simply removed IE and replaced it with Firefox (uncles computer). I told him there were no garanties becuase I wasn't sure. Anyway thanks again, I will give you a heads up when I can get back over there and start the process. I'm assuming by your post that there is no one sure fire way to maybe delete the stupid thing from your registry or somthing...Thanks again! I WILL be back. And on a side note his variant was identical to your pic execpt with a red background and was called SpywareQuake. I had my friend, and fellow computer tech. look up their site as I was running some stuff and he assured me that it was a legit promgram but I KNEW BETTER! 
Thanks again 
!
Thanks again !
Well...I couldn't get around to it for a bit but I did nonetheless....here is the txt file that the txt file asked me to post! Step 1 complete....many more to go....I HATE Wares!
SmitFraudFix v2.76
Scan done at 20:43:52.76, Mon 07/31/2006
Run from C:\Documents and Settings\kesler young\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\kesler young\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KESLER~1\FAVORI~1
C:\DOCUME~1\KESLER~1\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\SpyQuake2.com\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Perhaps I misunderstood and should not have posted this
? Not sure, kinda confused on what they wanted me to do. If I'm a big idiot just tell me to complete the steps as instructed. There ya' go! :(
SmitFraudFix v2.76
Scan done at 20:43:52.76, Mon 07/31/2006
Run from C:\Documents and Settings\kesler young\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\kesler young\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KESLER~1\FAVORI~1
C:\DOCUME~1\KESLER~1\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\SpyQuake2.com\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Perhaps I misunderstood and should not have posted this
? Not sure, kinda confused on what they wanted me to do. If I'm a big idiot just tell me to complete the steps as instructed. There ya' go! :(
Could I please get some help on this....I just quit getting replies! I need to know what to do next. This is driving me nuts Thanks in advanced!
Thanks in advanced!
Sorry, I don't remember seeing the reply notice.
Pleas run HiJackTHis again, and post a new log in this thread, then we can continue.
Pleas run HiJackTHis again, and post a new log in this thread, then we can continue.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.