Win32mx


  • This topic is locked
12 replies to this topic

#1 EdithBunker

  • Members
  • 110 posts
  • Location:Atlanta, GA

Posted 25 October 2007 - 07:51 PM

My hubby's laptop is getting a popup warning telling him he has a trojan/spyware and that it is win32mx. This is the second time his computer has gotten something like this; I came here a few months ago to ask for help removing that one.

I ran the Avast AV, AVG, adaware, spybot, and ccleaner, and the smitfraud tool. Avast found nothing, AVG found nothing (I ran that in safe mode), smitfraud said everything was fixed (also run in safe mode, and I have a log saved, but can't find it--I saved it on the desktop in safe mode but it isn't on the desktop in the normal mode).

I ran spybot and adaware, and those both found something. Trojan downloaderZlob was one, but in adaware, when it was done scanning, the zlob thing was switched out for smitfraud-C. I wasn't there when it switched out, but when I came back that one entry was gone and the smitfraud was there. I didn't remove the smitfraud, only the tracking cookies that were found.


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:28 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Add-on\icthis.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Video Add-on\icmntr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: boardwalk - {75a65a53-15c9-4a0c-bb40-a7ca8b24f544} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4266 bytes



I have all sorts of "dire warnings" popping up telling me to download the security stuff they are pushing!


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 October 2007 - 06:17 PM

Hello EdithBunker,


NOTE: Please delete that version of SmitfraudFix you downloaded previously and download it again!

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of the SmitfraudFix report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 EdithBunker
  • Topic Starter

Posted 29 October 2007 - 11:02 AM

SifuMike, Thank you for your reply. Sorry it took me so long to get back, we were out of town for the weekend.

Here is the logfile of Smitfraud search:


SmitFraudFix v2.242

Scan done at 11:39:03.06, Mon 10/29/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ugbtna.dll FOUND !

C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\user


C:\Documents and Settings\user\Application Data


Start Menu


C:\DOCUME~1\user\FAVORI~1

C:\DOCUME~1\user\FAVORI~1\Online Security Test.url FOUND !

Desktop


C:\Program Files

C:\Program Files\Video Add-on\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{75a65a53-15c9-4a0c-bb40-a7ca8b24f544}"="boardwalk"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Wireless-G Notebook Adapter v.2.0 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

Description: Wireless-G Notebook Adapter v.2.0 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1734B31D-376E-4D25-BF75-BBE7466621C2}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C733E3C-C4D0-4800-9822-DBF3715F898E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1734B31D-376E-4D25-BF75-BBE7466621C2}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1C733E3C-C4D0-4800-9822-DBF3715F898E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1734B31D-376E-4D25-BF75-BBE7466621C2}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1C733E3C-C4D0-4800-9822-DBF3715F898E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162


Scanning for wininet.dll infection


End

#4 SifuMike

Posted 29 October 2007 - 12:03 PM

Hi EdithBunker,

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#5 EdithBunker
  • Topic Starter

Posted 30 October 2007 - 09:52 AM

SifuMike,
I lost the desktop background! But this 'puter IS infected, isn't it? or not? (My hubby ran AVG antispyware this morning)
We also have an interesting problem: The other three computers on this network all have a virus, picked up by Avast! AV. I wrote down one of them--Win32ctx. I didn't make a note as to whether or not the other computers had the exact same ending or not; all I paid attention to was that the AV yelled I had an infection, and it started with Win32.

I realize I have posted in this thread only about my hubby's computer, should I start a new thread about the networked virus?


Here is the log of the Smitfraud scan:

SmitFraudFix v2.242

Scan done at 10:34:22.19, Tue 10/30/2007
Run from C:\Documents and Settings\user\Desktop\Security\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{75a65a53-15c9-4a0c-bb40-a7ca8b24f544}"="boardwalk"


Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ugbtna.dll Deleted
C:\DOCUME~1\user\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Video Add-on\ Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1734B31D-376E-4D25-BF75-BBE7466621C2}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C733E3C-C4D0-4800-9822-DBF3715F898E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1734B31D-376E-4D25-BF75-BBE7466621C2}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1C733E3C-C4D0-4800-9822-DBF3715F898E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1734B31D-376E-4D25-BF75-BBE7466621C2}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1C733E3C-C4D0-4800-9822-DBF3715F898E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


edited to add the HJT log--sorry

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:43 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4006 bytes

Edited by EdithBunker, 30 October 2007 - 11:17 AM.
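As an added example that is not part of this thread and not code from the HijackThis or SmitfraudFix projects, the script below parses the R/F/O lines of the two HijackThis logs posted above (post #1, before SmitfraudFix, and post #5, after option #2 was run), diffs them to show what the cleanup actually removed, and flags the kinds of entries that turned out to be the infection on this machine (the `O4` autostart under `Policies\Explorer\Run`, the `O22` SharedTaskScheduler hook with `(no file)`, and any `O20` AppInit_DLLs entry, which is legitimate here but always worth confirming). The review rules in `flag_entry` are my own heuristics, not HijackThis's; the embedded logs are excerpts of the ones in this thread with the process lists left out.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class HjtEntry(NamedTuple):
    section: str  # e.g. "O4", "O22"
    body: str     # everything after "O4 - "


# One HijackThis entry line: a section code, " - ", then the entry body.
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return the R/F/O entries of a HijackThis log, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def flag_entry(e: HjtEntry) -> Optional[str]:
    """Review heuristics (my own, not HijackThis's) for entries worth a second look."""
    if e.section == "O4" and "Policies\\Explorer\\Run" in e.body:
        return "autostart under Policies\\Explorer\\Run, a key legitimate installers rarely use"
    if e.section == "O22" and e.body.endswith("(no file)"):
        return "SharedTaskScheduler hook whose DLL is missing (orphaned loader entry)"
    if e.section == "O20":
        return "AppInit_DLLs is loaded into every process using user32.dll; confirm the publisher"
    return None


def triage(text: str) -> List[Tuple[HjtEntry, str]]:
    """Pair each flagged entry with the reason it was flagged."""
    out = []
    for e in parse_hjt(text):
        reason = flag_entry(e)
        if reason:
            out.append((e, reason))
    return out


def diff_logs(before: str, after: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """(entries removed, entries added) between two logs of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


# Excerpts of the two logs posted in this thread (raw strings keep the backslashes intact).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: boardwalk - {75a65a53-15c9-4a0c-bb40-a7ca8b24f544} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for e, why in triage(LOG_BEFORE):
        print(f"{e.section}: {why}\n    {e.body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by cleanup:", [e.body for e in removed])
    print("added after cleanup:", [e.body for e in added])
```

Run against the two excerpts, the diff shows exactly the two entries that disappeared (the `Video Add-on` autostart and the orphaned `boardwalk` hook), matching the files SmitfraudFix reported as deleted in post #5; the remaining flag on the Google Desktop `O20` line is the kind of entry a reviewer checks by publisher rather than removes.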


#6 SifuMike

Posted 30 October 2007 - 12:07 PM

Hello EdithBunker,

But this 'puter IS infected, isn't it? or not?


Yes, it is infected, that is why we ran SmitfraudFix option 2. It removed several malware files.

Your log looks clean. :thumbsup: How is this computer running?

We also have an interesting problem: The other three computers on this network all have a virus, picked up by Avast! AV. I wrote down one of them--Win32ctx. I didn't make a note as to whether or not the other computers had the exact same ending or not; all I paid attention to was that the AV yelled I had an infection, and it started with Win32.


If Avast found and quarantined the virus then you are probably OK;
however, if it is still finding it after you quarantined it, then you need to post Hijackthis logs from each of the computers.

I realize I have posted in this thread only about my hubby's computer, should I start a new thread about the networked virus?


If you are still seeing malware on them then yes, start a new thread with a Hijackthis log for each computer (so make each one a separate thread).

Edited by SifuMike, 30 October 2007 - 12:08 PM.


#7 EdithBunker
  • Topic Starter

Posted 31 October 2007 - 09:37 AM

SifuMike, Thanks so much for your help. As far as I know, this laptop is now running fine. I'm not on it every day and I haven't gotten feedback from my hubby yet about it. I didn't know if we could get false results because my hubby was running the scan on AVG antispyware every time he started his computer--several times a day! GEESH! (He just told me that yesterday, after I had posted here) Can we not close this thread yet, til I talk to him about how this is running? I will post back later today.


As far as the other computers go, AVAST! did quarantine the virus on each computer, and I ran antispyware scans (Spybot, Adaware, AVG) as well as ccleaner. They seem to be okay right now, although I hate how the mouse on my computer works--it's a wireless one and it's jumpy, but I don't think it is malware, I think I need a mouse pad or something.



The stuff my hubby is picking up on his computer is from job-hunting sites as far as I know. He's been looking since July and goes to these sites every so often, and this is the second time he's gotten one of these "foistware" thingys. How can I protect his computer from them? I have Avast running as well as the AVG antivirus. As far as I know, I don't have any of the extras from Adaware or Spybot running (I think it's teatimer)


Thanks so much!

#8 SifuMike

Posted 31 October 2007 - 12:45 PM

Hi EdithBunker,

this is the second time he's gotten one of these "foistware" thingys. How can I protect his computer from them? I have Avast running as well as the AVG antivirus. As far as I know, I don't have any of the extras from Adaware or Spybot running (I think it's teatimer)




Please delete Smitfraudfix from your desktop as well as C:\rapport.txt


Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are
Comodo Firewall Pro, Kerio, ZoneAlarm, or Outpost
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Edited by SifuMike, 31 October 2007 - 12:46 PM.


#9 EdithBunker
  • Topic Starter

Posted 01 November 2007 - 06:29 PM

SifuMike

Thanks for all your help--The laptop is working just fine.

A couple questions, though

1) I thought the automatic updates gets all the critical updates at microsoft?

2) the firewall: I never have gotten a satisfactory answer to this. I have a Linksys router with the security in place. Linksys says that is all I need and that I don't need a software firewall, but I think I (mis?)understand from these forums that I DO need one-- and not the MS firewall. Can you clarify this?


3) the antispyware realtime programs. Are these like the AV, in that you shouldn't run more than one in order to not bog down your system? We have AVG antispyware running, and used the immunization in spybot. I run the spybot scan and the adaware scan, and clear up tempfiles with ccleaner about once a week.

I will install everything we need to keep the computers safe, but I don't want to overdo it and bog down the system.

#10 SifuMike

Posted 01 November 2007 - 10:30 PM

Hi EdithBunker,


You're most welcome. :thumbsup: And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :wacko:


A couple questions, though
1) I thought the automatic updates gets all the critical updates at microsoft?



Good questions. :blink:
Yes, that is correct. Some people do the updates manually, others do it automatically. The link I posted http://windowsupdate.microsoft.com is from Microsoft. That only updates your MS Windows, not your antivirus or antispyware programs.

2) the firewall: I never have gotten a satisfactory answer to this. I have a Linksys router with the security in place. Linksys says that is all I need and that I don't need a software firewall, but I think I (mis?)understand from these forums that I DO need one-- and not the MS firewall. Can you clarify this?


I do not recommend Windows XP's software firewall, as it monitors only inbound connections, offering no protection from malware already on your PC. All commercial firewalls offer both inbound and outbound connection monitoring.

Even if you have a router, you should have a software firewall, as that is your first line of defense against malware.

The hardware router will mask the IP addresses of the PCs on your local network from the outside world, while the software firewall will provide a service that the hardware firewall can't easily do (blocking rogue applications on your PC from opening outgoing connections to remote servers).

Here are five free firewalls available for personal use. If one conflicts with your system, try another. I use Comodo Firewall Pro.

You Need a (Properly Configured) Firewall
Understanding and Using Firewalls


Comodo Firewall Pro
Comodo Firewall Pro user guide

Sunbelt Kerio Firewall

Outpost Firewall Free

Jetico Personal Firewall

ZoneAlarm
ZoneAlarm Manual http://download.zonelabs.com/bin/media/pdf/ZAP40_manual.pdf

3) the antispyware realtime programs. Are these like the AV, in that you shouldn't run more than one in order to not bog down your system?
I will install everything we need to keep the computers safe, but I don't want to overdo it and bog down the system.



You should be running only ONE antivirus program on your computer.
I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

You can use as many antimalware or antispyware programs as you want to (AVG antispyware, Spybot, Adaware, Spysweeper, SUPERantispyware). Just run them one at a time.

We have AVG antispyware running, and used the immunization in spybot. I run the spybot scan and the adaware scan, and clear up tempfiles with ccleaner about once a week.



Remember to have only one registry protector running (like Spybot Teatimer or AVG guard). If you run two registry protectors it will slow the computer.
If you are not using a registry protector now, then use the Spybot Teatimer.

Updating and running Spybot and Adaware weekly is great, as is running CCleaner weekly.
You can run CCleaner more often if you are a heavy Internet user.

Edited by SifuMike, 01 November 2007 - 10:37 PM.


#11 EdithBunker
  • Topic Starter

Posted 02 November 2007 - 09:18 AM

SifuMike
Thank you once again! :blink:

With my MS updates, those are on automatic--I know some people load them manually, but I don't know enough to make a good judgement call on which to accept, so for now, I just let "them" (Microsoft) decide for me. My Avast AV and AVG antivirus are also on automatic updates for the same reason.

With the firewall. I kinda thought the hardware firewall wasn't enough, but I never quite understood why. I did know the XP firewall was only "half a firewall" and therefore not good, but wondered if it would be sufficient with having a hardware firewall.
You really explained that well--even an airhead (me) can understand! :thumbsup: I am familiar with Zone Alarm, I'll probably get that again.


With my antispyware program, the AVG program I have is a one-month trial, so I guess I'll end up using TeaTimer when this trial period is up.

I'm going to look at the Mozilla browser, too!

Sorry I keep bringing this back up to the front page when there are so many others on the front page who need help. But I also really appreciate the explanations to my question!

Thanks Again!

#12 SifuMike

Posted 02 November 2007 - 09:55 AM

You're most welcome. :thumbsup: And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :blink:
Regards,
SifuMike

#13 SifuMike

Posted 08 November 2007 - 05:45 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



