Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

my comptuer is infected please help


  • Please log in to reply
10 replies to this topic

#1 papa tee

papa tee

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 08 July 2005 - 02:20 PM

a moment of weakness and i clicked in a bad place my pc is now up the creek
i ran hijack this and came up with the following


Logfile of HijackThis v1.99.1
Scan saved at 19:52:00, on 08/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\SVCNT.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
D:\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BT BROADBAND BASIC HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX01.117\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/

certain software was put on my computer
namely ps guard and antivirus gold
there is a red icon running in my taskbar
with an exclamation mark
and IE is being hijacked.
anyone able to help me with this problem

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:55 PM

Posted 09 July 2005 - 11:12 AM

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
HijackThis entries here if needed. Delete any other malware files not associated to the smitfraud variants and SpySherriff.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present. Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.


Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#3 papa tee

papa tee
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 09 July 2005 - 12:13 PM

thank you so much
will try this procedure on monday when im able to print off instructons.
will let you know how it goes
once again many thanks

#4 papa tee

papa tee
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 13 July 2005 - 05:00 AM

ok i ran thru the procedures as instructed.
internet explorer still being hijacked
to this address

res://shdocsv.dll/blank.htm

here are the results of the scans

EWIDO

I WAS NOT ABLE TO PERFORM THE SCAN WITH EWIDO AS I AM RUNNNING WINDOWS98 AND IT WOULD NOT INSTALL.

hijACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 10:52:51, on 09/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\SVCNT.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
D:\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BT BROADBAND BASIC HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX00.011\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/


SMITREM

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system ~~~

oleadm.dll
intel32.exe
wp.bmp
hookdump.exe


~~~ Windows directory ~~~

screen.html


~~~ Drive root ~~~


ADAWARE
Ad-Aware SE Build 1.06r1
Logfile Created on:11 July 2005 11:58:37
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R47 24.05.2005


References detected during the scan:

Tracking Cookie(TAC index:3):10 total references


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-07-05 11:58:37 - Scan started. (Full System Scan)

Listing running processes


#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279209755
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294958079
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294955911
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294966143
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:5 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294861831
Threads : 5
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:6 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294796703
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Registry Scan result:

New critical objects: 0
Objects found so far: 0


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan



Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:konehead@mediaplex.com/
Expires : 22-06-09 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@qksrv[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:konehead@qksrv.net/
Expires : 08-07-10 20:29:30
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:konehead@imrworldwide.com/cgi-bin
Expires : 06-07-15 13:16:46
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : anyuser@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:anyuser@mediaplex.com/
Expires : 22-06-09 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@apmebf[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:konehead@apmebf.com/
Expires : 08-07-10 20:29:30
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:

New critical objects: 5
Objects found so far: 5



Deep scanning and examining files (c:)


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\konehead@cgi-bin[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\konehead@mediaplex[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@qksrv[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\konehead@qksrv[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : konehead@apmebf[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\konehead@apmebf[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : anyuser@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\anyuser@mediaplex[1].txt

Disk Scan Result for c:\

New critical objects: 0
Objects found so far: 10


Deep scanning and examining files (d:)


Disk Scan Result for d:\

New critical objects: 0
Objects found so far: 10


Performing conditional scans...


Conditional scan result:

New critical objects: 0
Objects found so far: 10

12:15:47 Scan Complete

Summary Of This Scan

Total scanning time:00:17:09.910
Objects scanned:122665
Objects identified:10
Objects ignored:0
New critical objects:10



ACTIVE SCAN
Incident Status Location

Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\SVCNT.EXE
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/PsGuard No disinfected C:\WINDOWS\All Users\Desktop\PSGuard.lnk
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\oleadm.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM32\svcnt.exe
Adware:Adware/PsGuard No disinfected C:\WINDOWS\All Users\Desktop\PSGuard.lnk
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html

I AM WORRIED ABOUT THE OBJECTS FOUND ON DRIVE D BY ADAWARE

ANY ADVICE WHAT TO DO NEXT ?

MANY THANKS

TONY

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:55 PM

Posted 13 July 2005 - 02:00 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\SYSTEM\intel32.exe

Reboot your computer to go back to normal mode and post a new log.

#6 papa tee

papa tee
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 19 July 2005 - 01:49 PM

first off here is my latest hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 19:27:55, on 19/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

could not find any trace of the following file you mentioned

C:\WINDOWS\SYSTEM\intel32.exe.

my pc is now behaving very strange.
left click on desktop icons brings up 'properties'
you can open programs with right click but sometime the wrong program opens up
and sometimes several at once.
any idea how to put this right.

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:55 PM

Posted 19 July 2005 - 01:53 PM

Please go to :

http://virusscan.jotti.org/


and have it scan the file c:\windows\system32\wininet.dll

Tell me what it say

#8 papa tee

papa tee
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 20 July 2005 - 03:18 AM

hi ya grinler.
my desktop seems to be normal now but i
did the scan you suggested
here is what it said

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Last file scanned at least one scanner reported something about: something classified by Norman Sandbox as a W32/Downloader in canary.exe, detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control Sandbox: W32/Downloader
UNA X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion.


24066 files (16830 of those unique) have been uploaded & scanned since 11/Jul/2005, the day of the last database purge.
4184 of those 16830 files contained a virus or any other form of malware.
This page has been visited 39315 times in this time period.

i ran the panda active scan as well for fun and it tells me i have four infected files
all related to smit fraud

i am still concerned about my d-drive as well

is there anything else i need to do ?

Edited by papa tee, 20 July 2005 - 10:26 AM.


#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:55 PM

Posted 20 July 2005 - 11:41 AM

What were the four files it said were infected? Tell me do you have a wininet.dll in c:\windows\system32\dllcache?

#10 papa tee

papa tee
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 21 July 2005 - 03:44 AM

hiya grinler

wininet.dll only exists in these locations
c:\windows\system
c:\windows\web tool program\arachnophilia\PROGRAM
cant find dllcache on my computer at all
the only things in system32 are folders called 'adobe' and 'drivers'

this time i ran a full scan with panda active scan
and it came up with the following infected files


Incident Status Location Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/PsGuard No disinfected C:\WINDOWS\All Users\Desktop\PSGuard.lnk
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\oleadm.dll
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Adware:Adware/PsGuard No disinfected C:\WINDOWS\All Users\Desktop\PSGuard.lnk
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html



thanks again for all your help
i hope i am not becoming a pain the pc seems to be running ok but makes a grinding noise when operating butthis might just be the hot weather is it safe to use. ?????

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:55 PM

Posted 24 July 2005 - 01:31 PM

I think your probably in good shape. was adware able to remove those files?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users