
Clean or not??

Discussion in 'Malware and Virus Removal Archive' started by daveroyt, 2008/08/24.

  1. 2008/08/24
    daveroyt

    daveroyt Inactive Thread Starter (Joined: 2008/08/24, Messages: 5, Likes Received: 0)
    My own fault; on a 'youtube'-type site, clicked a video clip, asked to install 'setup.exe', dubious as ever but after downloading checked it with my antivirus (panda) and told it was clean.
    As if. Ended up with a right cocktail of mess including smitfraud-C, deepdive, antispyware (fake). Panda finally picked up that antispyware was a PUP, and Resident in Spybot S&D blocked a whole batch of registry changes.
    Spybot picked up much of it, and smitfraudfix seemed to get most of the rest, though didn't complete properly (seemed to hang on a black screen finally).
    Since then have been running the various additional tools suggested on places such as this including MBAM (which picked up a load of stuff including trojan zlob entries) and ad-aware (says I'm clean bar a couple of privacy objects (my recent places log?)). Have applied all the fixes and corrections they recommend.
    The one that isn't currently convinced is Kaspersky. I know I can ignore the process file it picks up in Smitfraudfix, but it also tells me I've got C:\WINDOWS\system32\ShellExt\d.EXE Infected: Trojan.Win32.Delf.bg 1
    Now that's supposed to be delf.K in the panda library (and panda says I'm fine). I've found shellext\d.exe with search and scanned it again with panda and spybot which say it's clean.
    What do I do next....would hate to miss a potentially major key-logger/trojan, but don't understand the only instructions I've found about removal (talking about deleting bits of MD5?).
    Any help gratefully received...and am working my way through your list of security fixes and suggestions. I'll replace Panda with AVG and zonealarm, though have also been using webwasher for some time for popup blocking - find it very helpful.
    HJT log attached; many thanks
    Logfile of HijackThis v1.99.1
    Scan saved at 21:54:51, on 24/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
    c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\DrvMon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WebWasher\wwasher.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\system32\ESPSER~1.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Garmin\gStart.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
    C:\Program Files\ESP\bin\ESPUI.EXE
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Harman Kardon\Remote Control\HarmonyClient.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
    c:\program files\panda software\panda internet security 2007\WebProxy.exe
    C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\David&Becky\My Documents\programs\HijackThis1.99.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WebWasher] C:\Program Files\WebWasher\wwasher.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - Startup: Memeo AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: ESPUI.lnk = C:\Program Files\ESP\bin\ESPUI.EXE
    O4 - Global Startup: Harman Kardon TC 30 Remote.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109281814794
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165255598598
    O18 - Protocol: emistp - {0EFAEA2E-11C9-11D3-88E3-0000E867A001} - C:\WINDOWS\system32\EmisAPP.dll
    O20 - AppInit_DLLs: PAVWAIT.DLL
    O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: ESP Service V2 (ESPServiceVersion2) - EMIS - C:\WINDOWS\system32\ESPSER~1.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
    O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
    O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
     
  2. 2008/08/24
    Geri Lifetime Subscription

    Geri Inactive Alumni (Joined: 2003/03/02, Messages: 4,580, Likes Received: 7)
    Hi daveroyt
    Welcome to Windowsbbs.

    I'm not seeing any other signs of Win32.Delf infection in the log.

    I would just delete the file..
    C:\WINDOWS\system32\ShellExt\d.EXE

    It can be transmitted through e-mail so I would empty all your email folders.

    Reboot your computer.

    Then run another Kaspersky scan to see if it is gone.

    Let me know
    Geri
     

  4. 2008/08/25
    daveroyt

    Geri
    Thanks for prompt reply. Strangely, having loaded the IEHosts protection I no longer seem to be able to get on the forums (blocks after loading lhs toolbar and just sits there awaiting the forum text) so am on the laptop.
    Have shredded d.exe.
    Will reboot and rescan....doesn't kaspersky check email folders? I use a remote hosting solution that synchs with outlook 2003 on my main but accesses via the net on work and blackberry - lots of stuff there I'd rather not delete, and if I delete on outlook it'll synch and delete on the remote server. Could I ask my provider to check for delf at their end too??
    Thanks again
    Dave
     
  5. 2008/08/25
    Geri Lifetime Subscription

    Hi Dave
    Yes Kaspersky scans email, so that's OK to leave.
    You can try adding this to the host file.
    In case you don't know where it's located...
    C:\windows\system32\Drivers\etc\hosts file

    Open it with Note Pad and under the line
    127.0.0.1 localhost

    add this.
    67.228.10.245 www.windowsbbs.com

    Close note pad, OK any prompts if any, reboot and try to get here.

    Geri
     
  6. 2008/08/25
    daveroyt

    Thanks geri
    Kaspersky happy bar the 'not a virus' bit of smitfraudfix
    Added the hosts line, but get to the operation 'transferring data from ads.infinisource.com' of loading a page and it snarls up still
    Ought I to apply the DNS Service fix in the IEHosts setup info, where they talk about it slowing windows?
    Incidentally, I'm running Firefox - which locked completely after one episode of this. Windows told me it was a firefox problem, but also pointed out I was on 2 not 3; downloaded version 3, and as it was setting up told me that Sotphone add-on was not compatible with version 3. I think sotfone another part of the rubbish I got but alarmed that nothing else spotted it?
    Hopefully the change to firefox 3 will foil it but I guess it's still in there somewhere.
    Dave T
     
  7. 2008/08/25
    daveroyt

    Me again. Went through the services manager and found DNS already disabled; realised that spybot already using Hosts file to block a fair range and guess it then applies the tweak to keep speed up?
    Have removed the IEHosts file, gone back to my spybot-populated original, and all now seems fine, though still a bit concerned about the sotfone things
    Thanks for your help
    Dave T
     
  8. 2008/08/25
    Geri Lifetime Subscription

  9. 2008/08/26
    daveroyt

    Thanks again
    Panda support got back to me and suggested running their online scanner; report was

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-08-26 20:42:54
    PROTECTIONS: 1
    MALWARE: 6
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Panda Internet Security 2007 11.00.02 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix\Process.exe
    00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
    00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe[C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe][SmitfraudFix\Process.exe]
    02197130 Trj/Rebooter.J Virus/Trojan No 1 No No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe[C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe][SmitfraudFix\Reboot.exe]
    03445477 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{13B9AB68-59DA-40B9-BB5C-495E69A9E7CC}\RP1057\A0347518.exe
    03445477 Adware/MalwareAlarm Adware No 1 No No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe[C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe][SmitfraudFix\IEDFix.exe]
    03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe
    03511254 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{13B9AB68-59DA-40B9-BB5C-495E69A9E7CC}\RP1057\A0347294.exe
    03517148 Adware/AntiSpyCheck Adware No 0 Yes No C:\System Volume Information\_restore{13B9AB68-59DA-40B9-BB5C-495E69A9E7CC}\RP1057\A0347293.dll
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location Q
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description Q
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    So far as I can tell it's picking up various bits of smitfraudfix - so have deleted all smitfraudfix files as I don't seem to need them anymore - and perhaps a couple of recovery files - do I need to set a clean restore point to be safe?
    Dave
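
The reading of the report in the post above (detections sitting inside the SmitfraudFix package and in System Restore snapshots rather than in live files) can be checked mechanically by bucketing each MALWARE row by where the file lives. This is an added example, not part of the original thread and not Panda's tooling; the bucket names and the row regex are assumptions, and the last sample row is constructed.

```python
import re
from collections import defaultdict

# Rows 1-5 are copied from the MALWARE section of the report above.
# The last row is constructed for illustration; it is not from the thread.
REPORT_ROWS = r"""
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 No No C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe[C:\Documents and Settings\David&Becky\My Documents\programs\SmitfraudFix.exe][SmitfraudFix\Reboot.exe]
03445477 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{13B9AB68-59DA-40B9-BB5C-495E69A9E7CC}\RP1057\A0347518.exe
03511254 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{13B9AB68-59DA-40B9-BB5C-495E69A9E7CC}\RP1057\A0347294.exe
09999999 Example/Constructed Virus/Trojan Yes 2 Yes No C:\WINDOWS\system32\example.dll
"""

# Columns: Id, Description (may contain spaces), Type, Active, Severity,
# Disinfectable, Disinfected, Location (may contain spaces).
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<sev>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<loc>.+)$"
)
RESTORE = re.compile(r"^[a-z]:\\system volume information\\_restore", re.I)


def file_on_disk(location):
    """Archive members are reported as outer[outer][member]; keep the outer file."""
    return location.split("[", 1)[0]


def classify(location):
    outer = file_on_disk(location)
    if RESTORE.match(outer):
        return "restore_point"   # inert copy inside a System Restore snapshot
    if "smitfraudfix" in outer.lower():
        return "removal_tool"    # the SmitfraudFix package or its unpacked folder
    return "live"


def triage(report_text):
    rows = [m.groupdict() for line in report_text.splitlines()
            if (m := ROW.match(line.strip()))]
    tool_ids = {r["id"] for r in rows if classify(r["loc"]) == "removal_tool"}
    buckets = defaultdict(list)
    for r in rows:
        bucket = classify(r["loc"])
        # Heuristic: a live file with the same signature Id as a tool component
        # is probably a copy the tool dropped; verify before dismissing it.
        if bucket == "live" and r["id"] in tool_ids:
            bucket = "same_signature_as_tool"
        buckets[bucket].append((r["desc"], file_on_disk(r["loc"])))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(REPORT_ROWS).items():
        print(bucket)
        for desc, path in items:
            print(f"  {desc}: {path}")
```

Only rows that land in `live` point at a file outside the removal tool and the restore snapshots; on the rows taken from the thread's report, none do.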
     
  10. 2008/08/26
    Geri Lifetime Subscription

    Hi Dave
    Yes, That would be a good idea.

    The smitfraud you don't need any more so all those can go plus smitfraud.exe, old version will do you no good anyway.

    Any other problems (malware related :) )

    Let me know

    Thanks
    Geri
     