Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log-nima


  • This topic is locked This topic is locked
8 replies to this topic

#1 nima

nima

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 09 May 2005 - 11:07 PM

hi,
Apparently my PC is infected with the smitfraud trojan. My homepage is set to: newgenlook.info/ad/ad0278/
And my desktop is covered with all this icons linking to the same site.This message has also appeared on the desktop:
A fatal error in IE has occurred at 0028:C0011E36 in VXD VMM(01) + 00010E36 Error was caused by Trojan-spy.html.smitfraud.c
I scanned my computer with several antivirus and antispywares including sysclean,adaware,spybot S&D but couldnt fix it.
I also followed Grinler's instructions with HJT but had no success. Most of the items including wp.exe and bsw.exe were not found.
by the way Im using winxp service pack 1a.
here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:46 AM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
D:\Program Files\Protector Plus\PPAVMon.exe
D:\Program Files\Protector Plus\PPServ.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Fmctrl.EXE
G:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\PROTEC~1\PPTbc.EXE
D:\PROGRA~1\PROTEC~1\PPInupdt.exe
G:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [RealTray] G:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PP2000 Taskbar Control] D:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] D:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - D:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - D:\Program Files\Protector Plus\PPServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe



I appreciate your help!

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:00 AM

Posted 10 May 2005 - 09:16 PM

Hello nima and welcome to BleepingComputer.

Download smitfraud.reg to your desktop.
Do not run it yet.

Download Silent Runners and unzip it into it's own folder.
Do not run it yet.


Configure Windows to enable viewing of Hidden and System files.

Reboot into Safe Mode.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


Double click the smitfraud.reg icon on your desktop. When it asks if you want to add the data to the registry, say Yes.

Reboot normally.


Run SilentRunners.vbs.
If your antivirus complains, tell it to allow this script.

Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply. Also post a fresh HijackThis log.
Derfram
~~~~~~

#3 nima

nima
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 20 May 2005 - 08:46 AM

Hello and thanks a lot for your assistance.Im sorry Im so late. Actually I expected an email notification but I received none and just today noticed that youve answered me.
Anyway this is the silentrunner textfile:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [MS]
"Yahoo! Pager" = "D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [file not found]
"PHIME2002A" = "D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [file not found]
"NeroCheck" = "D:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"FmctrlTray" = "Fmctrl.EXE" ["ForteMedia, Inc."]
"RealTray" = "G:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"PP2000 Taskbar Control" = "D:\PROGRA~1\PROTEC~1\PPTbc.EXE" ["Proland Software "]
"PP2000 InstaUpdate" = "D:\PROGRA~1\PROTEC~1\PPInupdt.exe" [null data]
"QuickTime Task" = ""G:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"HP Software Update" = ""D:\Program Files\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"gcasServ" = ""G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"HP Component Manager" = ""D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""D:\WINDOWS\System32\rundll32.exe" "D:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\twext.dll" [file not found]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\param32.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]


Startup items in "hossein" & "All Users" startup folders:
---------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Microsoft Office" -> shortcut to: "G:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"HP Digital Imaging Monitor" -> shortcut to: "G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

MD Simple Burner Service, NetMDSB, "G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe" ["Sony Corporation"]
Protector Plus Anti-virus Monitor Service, ProtectorPlusAVMonitor, "D:\Program Files\Protector Plus\PPAVMon.exe" [null data]
Protector Plus Service, ProtectorPlusService, "D:\Program Files\Protector Plus\PPServ.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.


And this is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:10:56 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
D:\Program Files\Protector Plus\PPAVMon.exe
D:\WINDOWS\System32\Fmctrl.EXE
D:\Program Files\Protector Plus\PPServ.exe
D:\WINDOWS\System32\svchost.exe
G:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\PROTEC~1\PPTbc.EXE
D:\PROGRA~1\PROTEC~1\PPInupdt.exe
G:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [RealTray] G:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PP2000 Taskbar Control] D:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] D:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - D:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - D:\Program Files\Protector Plus\PPServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

Thanks again

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:00 AM

Posted 20 May 2005 - 10:44 AM

Download Killbox.exe to your desktop.
Run killbox.exe.
Select the option "Delete on reboot".
In the field "Full Path of File to Delete" copy and paste:

D:\WINDOWS\System32\param32.dll

Choose the option: "unregister dll before deleting"
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES.
When it asks if you would like to Reboot now, click YES.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & pastes the following block of text into Notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D56A1203-1452-EBA1-7294-EE3377770000}"=-

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad.
Doubleclick on fix.reg and answer Yes when prompted to add the contents to the registry.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Reboot normally and post a fresh HJT log. How are things looking?
Derfram
~~~~~~

#5 nima

nima
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 21 May 2005 - 10:19 AM

Man,you ARE good :thumbsup:
things are looking just fine.thanks a lot
just one thing,how does this trojan usually infect pc's?

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:00 AM

Posted 21 May 2005 - 06:23 PM

just one thing,how does this trojan usually infect pc's?

I asked a similar question many months ago before I started my HJT training - not about smitfraud or newgenlook, but about something I was trying to remove from a friends machine. There are many ways malware may enter a system - installed as part of some other software, from an email attachment, via an IE activeX program, or sometimes simply by viewing a webpage. The experts that research malware removal sometimes will identify how the malware installs, but mostly they just try to figure out how to get rid of it.

To answer your question, I've never seen the source of smitfraud or newgenlook mentioned.

Please post a fresh HJT log so that I can confirm that you are all clear.

Edited by ddeerrff, 21 May 2005 - 06:25 PM.

Derfram
~~~~~~

#7 nima

nima
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 21 May 2005 - 11:34 PM

will zonealarm or similar programs prevent future infections?
and this is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:02 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
D:\Program Files\Protector Plus\PPAVMon.exe
D:\Program Files\Protector Plus\PPServ.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Fmctrl.EXE
G:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\PROTEC~1\PPTbc.EXE
D:\PROGRA~1\PROTEC~1\PPInupdt.exe
G:\Program Files\QuickTime\qttask.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.84.105.144 :63000
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [RealTray] G:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PP2000 Taskbar Control] D:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] D:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D826FDB-2483-47A5-B2D7-DD34BA70F639}: NameServer = 217.218.42.129 192.9.9.3
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - G:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - D:\Program Files\Protector Plus\PPAVMon.exe
O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - D:\Program Files\Protector Plus\PPServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

#8 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:00 AM

Posted 21 May 2005 - 11:52 PM

Log looks clean nima. Good job!

Zone Alarm, or other firewall, will help. An up to date antivirus and keeping your operating system up to date are also important.


Now that you are clean, please follow these steps in order to keep your computer safe and secure:

How did I get infected?, With steps so it does not happen again!
Simple and easy ways to keep your computer safe and secure on the Internet
Derfram
~~~~~~

#9 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:00 AM

Posted 31 May 2005 - 12:21 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users