
Explorer Hijacked By "softwarereferral" With "virus Alert" In Taskbar.


  • This topic is locked
2 replies to this topic

#1 Suggers

  • Members
  • 2 posts

Posted 29 July 2008 - 06:44 AM

Hi Bleeping Computer Staff,
Suddenly have infection as described in the title. Have seen this problem reported recently, but understand each solution is different for each PC configuration.
Drive C:, Control Panel, Task Manager are all inaccessible.
AVG 8.0 keeps reporting Trojan Horse Generic_c.MFD, which it removes to virus vault.
Also have pop ups from both "Virus Remover 2008" and "Win Anti-Virus 2008".
I presume all these symptoms are related?
Have followed your posting instructions - here follows the report from DSS - it didn't generate an "extra text"?

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-29 12:36:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36: VIRUS ALERT!, on 29/07/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\IoctlSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\system32\PuXpMan2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {BF53502D-3BEF-4273-9925-89D7526A5F87} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mspwr] C:\WINNT\system32\PuXpMan2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1179906429406
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: eqvwamkl - {DCCDE7B8-AABC-4BF8-BBB8-0AB60C5E13C4} - C:\WINNT\eqvwamkl.dll
O21 - SSODL: wnslvxtf - {BD953E09-5E23-4B4B-AFCD-20BEB8C70A57} - C:\WINNT\wnslvxtf.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINNT\system32\IoctlSvc.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 6019 bytes

-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 11:40:47 0 d-------- C:\WINNT\privacy_danger
2008-07-28 22:45:02 918464 ---h----- C:\WINNT\ShellIconCache
2008-07-28 18:22:27 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-28 17:42:18 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_468.dat
2008-07-28 14:37:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-07-28 14:37:07 303104 --a------ C:\WINNT\wnslvxtf.dll
2008-07-28 14:37:07 163840 --a------ C:\WINNT\eovp.exe
2008-07-28 14:37:06 94208 --a------ C:\WINNT\grswptdl.exe
2008-07-28 14:37:06 204800 --a------ C:\WINNT\fdkowvbp.dll
2008-07-28 14:37:06 274432 --a------ C:\WINNT\eqvwamkl.dll
2008-07-28 14:36:54 0 d-------- C:\Program Files\VAV
2008-07-28 14:36:50 0 d-------- C:\Program Files\PCHealthCenter
2008-07-25 21:48:31 0 d-a------ C:\WINNT\system32\appmgmt
2008-07-24 08:48:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-07-24 08:48:29 0 d-------- C:\Program Files\LimeWire
2008-07-12 18:22:06 0 d-------- C:\WINNT\Sun
2008-07-12 18:22:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-12 18:21:30 0 d-------- C:\Program Files\Java
2008-07-12 18:21:11 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 09:42:24 94208 --a------ C:\WINNT\system32\msstkprp.dll <Not Verified; Microsoft Corporation; msprop32>
2008-07-08 09:42:22 61440 --a------ C:\WINNT\system32\cdTextCtl.dll <Not Verified; ; cdTextCtl Module>
2008-07-08 09:42:21 1136128 --a------ C:\WINNT\system32\stmpcdtx.dll <Not Verified; Smart Projects - Stomp Inc; CDText.dll>
2008-07-08 09:42:19 1040384 --a------ C:\WINNT\system32\Ter32.dll <Not Verified; Sub Systems, Inc.; TE Edit Control>
2008-07-08 09:42:17 0 d-------- C:\Program Files\Click'N Design 3D (V5)


-- Find3M Report ---------------------------------------------------------------

2008-07-29 12:23:24 0 d-a------ C:\Program Files\ZipCentral
2008-07-29 09:49:03 0 d-------- C:\Program Files\Spyware Doctor
2008-07-28 10:56:45 0 d-------- C:\Program Files\FinePixViewer
2008-07-14 03:09:31 0 d-------- C:\Program Files\Avery Dennison
2008-07-12 18:21:11 0 d-a------ C:\Program Files\Common Files
2008-07-08 08:51:46 0 d-------- C:\Program Files\DesignPro
2008-06-27 20:30:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-06-12 20:32:05 0 d-------- C:\Program Files\VST&DXplugins
2008-06-12 20:18:04 0 d-------- C:\Program Files\CloneEnsemble 4
2008-06-12 20:17:43 0 d-------- C:\Program Files\Spin Audio
2008-06-12 19:17:18 0 d-------- C:\Program Files\Cool2000
2008-06-11 13:56:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Syntrillium
2008-06-07 09:52:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-06-07 08:44:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-06-07 08:40:24 0 d-------- C:\Program Files\QuickTime
2008-06-07 08:22:16 0 d-------- C:\Program Files\MSXML 4.0
2008-06-06 08:46:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-06-06 08:45:46 0 d-------- C:\Program Files\Common Files\Nero
2008-06-06 08:44:32 0 d-------- C:\Program Files\Nero
2008-06-04 14:25:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Pegasys Inc
2008-06-04 11:09:37 0 d-------- C:\Program Files\Dell
2008-06-04 08:05:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-03 18:53:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ashampoo
2008-06-03 18:53:03 0 d-------- C:\Program Files\Ashampoo
2008-05-28 06:06:04 80896 --a------ C:\WINNT\system32\dxdllreg.exe <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/07/08 09:00 ]
"igfxtray"="C:\WINNT\system32\igfxtray.exe" [20/09/05 10:35 ]
"igfxhkcmd"="C:\WINNT\system32\hkcmd.exe" [20/09/05 10:32 ]
"igfxpers"="C:\WINNT\system32\igfxpers.exe" [20/09/05 10:36 ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/02 22:32 ]
"Synchronization Manager"="mobsync.exe" [20/06/03 13:00 C:\WINNT\system32\mobsync.exe]
"mspwr"="C:\WINNT\system32\PuXpMan2.exe" [29/09/05 11:05 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/08 04:27 ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [27/06/08 21:11 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"NoDispCPL"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"HideClock"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"eqvwamkl"= {DCCDE7B8-AABC-4BF8-BBB8-0AB60C5E13C4} - C:\WINNT\eqvwamkl.dll [27/07/08 08:57 274432]
"wnslvxtf"= {BD953E09-5E23-4B4B-AFCD-20BEB8C70A57} - C:\WINNT\wnslvxtf.dll [27/07/08 08:57 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-07-29 12:36:44 ------------

Here's hoping you can help.
Kind Regards.

Edited by Suggers, 29 July 2008 - 06:55 AM.



#2 Suggers (Topic Starter)

  • Members
  • 2 posts

Posted 29 July 2008 - 11:01 AM

Having had a pop-up which opened Ultimate Cleaner, I looked it up in your Malware Removal Guides. Followed your step by step guide, involving the SmitFraudFix, and touch wood, my pc seems to be back to normal.
What a fantastic service you guys provide - many many thanks.

#3 don77 (Forum Regular)

  • Members
  • 3,212 posts
  • Gender: Male
  • Location: Boston Mass

Posted 07 August 2008 - 09:55 PM

Having had a pop-up which opened Ultimate Cleaner, I looked it up in your Malware Removal Guides. Followed your step by step guide, involving the SmitFraudFix, and touch wood, my pc seems to be back to normal.
What a fantastic service you guys provide - many many thanks.



Thanks for letting us know.
As this issue is resolved the topic will be closed. Should you have any issues in the future, please start a new topic.

Thanks



