
HJT - Sunshine1309



#1 Sunshine1309

Posted 08 February 2005 - 06:26 PM

Hi, I have something downloaded to my computer and I can't seem to get rid of it. It is constantly popping up windows to porn sites or redirecting me to other sites. It has listed itself as a trusted site and though I have removed that through my internet options on my IE it is still showing as a trusted zone in my registry (I prefer not to mess with that too much on my own as I don't have the knowledge). I believe I may also have IncrediFind though I'm not positive.
Here is my HijackThis log... any help would be appreciated!


Logfile of HijackThis v1.99.0
Scan saved at 3:17:14 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\smbdins.exe
C:\WINDOWS\system32\sethcd.exe
C:\WINDOWS\system32\tsmsetup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: Search - {C672DF2D-46C9-45EE-98B8-3C23416E14D1} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {590C9408-3D8B-4FB6-B6B7-FAD91BE21E1A} - C:\WINDOWS\System32\msnyj.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {74DBD39E-7B8C-4C63-B111-7866FEFE640D} - C:\WINDOWS\System32\feglda.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll
O3 - Toolbar: Search - {EE1874C7-D868-4759-9A18-0173823D625E} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Search - {EE1874C7-D868-4759-9A18-0173823D625E} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106450250045
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8BAE502-5ECB-4CD1-9250-44E8A8DCD03A}: NameServer = 69.50.188.180,195.225.176.31


#2 SifuMike
malware expert

Posted 08 February 2005 - 10:55 PM

Hello Sunshine1309,

You have some suspicious files we need to check.
Go to Jotti's malware scan, press the Browse button, find the files below, then upload and scan them. Let me know the results.
Copy and paste the output of each of the three scans to this thread.

C:\WINDOWS\system32\smbdins.exe
C:\WINDOWS\system32\sethcd.exe
C:\WINDOWS\system32\tsmsetup.exe

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So if you need help, post your problem in the forum.

#3 Sunshine1309 (Topic Starter)

Posted 09 February 2005 - 03:21 AM

C:\WINDOWS\system32\smbdins.exe

Service load: 0% 100%

File: smbdins.exe
Status: INFECTED/MALWARE
Packers detected: UPX

AntiVir TR/Click.Small.DJ (0.21 seconds taken)
Avast No viruses found (1.51 seconds taken)
AVG Antivirus Clicker.2.K (0.80 seconds taken)
BitDefender No viruses found (0.38 seconds taken)
ClamAV Trojan.Clicker.Small-38 (0.38 seconds taken)
Dr.Web Trojan.Click.210 (0.55 seconds taken)
F-Prot Antivirus No viruses found (0.11 seconds taken)
Fortinet No viruses found (0.52 seconds taken)
Kaspersky Anti-Virus Trojan-Clicker.Win32.Small.dj (0.63 seconds taken)
mks_vir Trojan.Clicker.Small.Dj (0.23 seconds taken)
NOD32 No viruses found (0.43 seconds taken)
Norman Virus Control No viruses found (0.49 seconds taken)


C:\WINDOWS\system32\sethcd.exe

Service load: 0% 100%

File: sethcd.exe
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
Packers detected: UPX

AntiVir TR/Spy.Jepan (0.21 seconds taken)
Avast No viruses found (1.57 seconds taken)
AVG Antivirus No viruses found (1.53 seconds taken)
BitDefender No viruses found (0.38 seconds taken)
ClamAV No viruses found (0.40 seconds taken)
Dr.Web Trojan.Click.209 (0.55 seconds taken)
F-Prot Antivirus security risk or a "backdoor" program (0.23 seconds taken)
Fortinet W32/Adclicker.BW-tr (0.34 seconds taken)
Kaspersky Anti-Virus not-a-virus:AdWare.Msnagent.a (0.64 seconds taken)
mks_vir No viruses found (0.36 seconds taken)
NOD32 No viruses found (0.47 seconds taken)
Norman Virus Control No viruses found (0.97 seconds taken)


C:\WINDOWS\system32\tsmsetup.exe


Service load: 0% 100%

File: tsmsetup.exe
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
Packers detected: UPX

AntiVir No viruses found (0.21 seconds taken)
Avast No viruses found (1.51 seconds taken)
AVG Antivirus No viruses found (0.82 seconds taken)
BitDefender No viruses found (0.42 seconds taken)
ClamAV No viruses found (0.38 seconds taken)
Dr.Web No viruses found (0.55 seconds taken)
F-Prot Antivirus W32/Downloader.ACS (0.07 seconds taken)
Fortinet No viruses found (0.51 seconds taken)
Kaspersky Anti-Virus not-a-virus:AdWare.FindSpy.a (0.62 seconds taken)
mks_vir No viruses found (0.22 seconds taken)
NOD32 No viruses found (0.40 seconds taken)
Norman Virus Control No viruses found (0.52 seconds taken)


Hope I did that right!

#4 SifuMike
malware expert

Posted 09 February 2005 - 02:18 PM

Hello Sunshine1309,

You have a nasty CWS infection on your computer. We will soon have it removed.

Download the latest version of Adaware SE here:
http://www.lavasoft.de/support/download/
Install it, but don't run it yet.
Click on the globe in the upper right hand corner to get the latest updates.

******************************************************

Please download the CWShredder 2.1 (Standalone version).
http://www.intermute.com/spysubtract/cwshr...r_download.html
(don't run it yet we will get to that in a minute)

******************************************************

Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)


******************************************************

Uninstall FreshBar, if it exists.

******************************************************

Go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\WINDOWS\system32\smbdins.exe
C:\WINDOWS\system32\sethcd.exe
C:\WINDOWS\system32\tsmsetup.exe


******************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on “Fix Checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: Search - {C672DF2D-46C9-45EE-98B8-3C23416E14D1} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O2 - BHO: (no name) - {590C9408-3D8B-4FB6-B6B7-FAD91BE21E1A} - C:\WINDOWS\System32\msnyj.dll
O2 - BHO: (no name) - {74DBD39E-7B8C-4C63-B111-7866FEFE640D} - C:\WINDOWS\System32\feglda.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll
O3 - Toolbar: Search - {EE1874C7-D868-4759-9A18-0173823D625E} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O9 - Extra button: Search - {EE1874C7-D868-4759-9A18-0173823D625E} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O15 - Trusted Zone: http://*.63.219.181.7


******************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:
C:\WINDOWS\system32\smbdins.exe <===file
C:\WINDOWS\system32\sethcd.exe <===file
C:\WINDOWS\system32\tsmsetup.exe <===file
C:\WINDOWS\System32\iesp1.dll <===file
C:\WINDOWS\system32\Q107929133.dll <===file

******************************************************

Now, start APM.
In the upper window select explorer.exe.
In the lower window find and right-click the O2 - BHO: entries from your HijackThis log.

In the current log these are the files, but they may have changed names.
They are currently:
C:\WINDOWS\System32\msnyj.dll <--This file name
C:\WINDOWS\System32\feglda.dll <--This file name

Select Unload DLL, and click OK on the prompts that follow.


******************************************************

Boot into SAFE MODE by tapping the F8 key during boot up.

Run the CWShredder.

Let it fix everything it finds.

Scan with AdAware SE to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.

Run Adaware SE with the following settings:


Configure Ad-aware

Click on the Gear-shaped icon at the top to open the Settings window.

All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.

General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)


Scanning Settings

Scan Within Archives

Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.

Scan Active Processes

Scan Registry

Deep Scan Registry

Scan my IE favorites for banned URLs

Scan my Hosts file

Advanced Settings - Enable all four options under 'Log-file Detail level'

Tweak Settings

Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'

Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'

Click Proceed

Click on the 'Start' button in the lower right.

Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.

Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.

Close Ad-aware


If Ad-Aware SE needs to reboot to finish cleaning, please let it.

******************************************************

Please run the following online scan and let it fix everything it finds:
TrendMicro http://housecall.trendmicro.com/housecall/start_corp.asp

******************************************************


Reboot and post a new Hijackthis log.

Edited by SifuMike, 09 February 2005 - 04:05 PM.

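A small triage script, added here as an example and not code from this thread or from HijackThis itself, that reads a log in the format posted above and flags the same kinds of entries SifuMike selected for "Fix Checked" (orphaned "(file missing)" hooks, unnamed BHOs, Trusted Zone additions, a search URL on an unexpected host) and marks the O17 NameServer line for review; the allow list of search hosts is an assumption:

```python
"""HijackThis log triage: added example, not a tool from this thread or from HijackThis."""
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
O2 - BHO: (no name) - {590C9408-3D8B-4FB6-B6B7-FAD91BE21E1A} - C:\WINDOWS\System32\msnyj.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: Search - {EE1874C7-D868-4759-9A18-0173823D625E} - C:\WINDOWS\system32\Q107929133.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8BAE502-5ECB-4CD1-9250-44E8A8DCD03A}: NameServer = 69.50.188.180,195.225.176.31
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
# Assumed allow list of hosts a default search/start page may legitimately point at.
ALLOWED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com"}


def classify(entry_type, body):
    """Return a reason for review, or None if the entry looks like ordinary software."""
    if "(file missing)" in body:
        return "hook points at a file that no longer exists (orphaned hijack remnant)"
    if entry_type == "O15":
        return "Trusted Zone addition: IE relaxes its security settings for this host"
    if entry_type == "O2" and "(no name)" in body:
        return "BHO with no product name is loaded into every IE process"
    if entry_type in ("R0", "R1"):
        url = re.search(r"https?://\S+", body)
        host = urlparse(url.group(0)).hostname if url else None
        if host and host not in ALLOWED_SEARCH_HOSTS:
            return f"search/start page redirected to {host}"
    if entry_type == "O17":
        return "per-interface NameServer override: confirm the addresses belong to the ISP"
    return None


def triage(log_text):
    """Parse HijackThis entries and return the ones that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m and (reason := classify(m.group(1), m.group(2))):
            findings.append({"type": m.group(1), "line": raw.strip(), "reason": reason})
    return findings
```

Entries from known products (the PCTools BHO, the Winamp autorun) pass through untouched, which is the point: the heuristics single out the hijack remnants rather than everything in the log.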



