
Smitfraud cleanup still lacks Wininet resolution?


36 replies to this topic

#1 Furball321


Posted 09 July 2005 - 02:33 AM

(If it helps with text searching, logs below all start with ++++++++++++++++++ and end with -----------------------------)
I got the Smitfraud virus and followed the instructions (with appropriate changes for the output of my HiJackThis) from this thread to clean it up:

http://www.bleepingcomputer.com/forums/How...tml#entry103417

That's Grinler's synthesis of a number of threads to create a template to clean Smitfraud. Notice it doesn't specifically address the Wininet.dll problem several (all?) of the other threads have. Well, after doing all the steps, the worst part of Smitfraud is gone on my machine, but even though the Panda virus scan reports disinfecting Wininet.dll, successive runs of it still report it as being infected, then cleaned. (Logs of everything are below. Bear with me.) :thumbsup:

To begin with, here is the output of the DOS DIR for Wininet.dll that was suggested in other threads to be gathered like this:
"Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.
CODE
dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt
ENDCODE
Double click wininet.bat and when it is ready it will open files.txt"

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Volume in drive C has no label.
Volume Serial Number is 7487-890D
Directory of C:\WINDOWS\ServicePackFiles\i386
08/29/2002 04:41 AM 599,040 wininet.dll
1 File(s) 599,040 bytes
Directory of C:\WINDOWS\system32
02/06/2004 06:05 PM 588,288 wininet.dll
1 File(s) 588,288 bytes
Directory of C:\WINDOWS\system32\dllcache
02/06/2004 06:05 PM 588,288 WININET.DLL
1 File(s) 588,288 bytes
-------------------------------------------------------------------------------------------------------

Ok. Here follows what I did exactly to create the logs that follow:

REBOOT (all reboots are into regular Windows, not Safe Mode)
Run CLEANUP! Log is below. Was told some files would be cleaned after reboot, so. . .
REBOOT
Run CLEANUP! Log is below.
Run SPYBOT. Log is below. SPYBOT suggested I let it run at reboot, so . . . . . . . .
REBOOT
SPYBOT runs at Startup. Log is below.
(This log is from the CHECKS log file, not FIXES. Sorry. 1st question: what is the log file it is not cleaning? And why are a MEDIA and an EXPLORER file needing cleaning at Boot?)
RUN ADAWARE. No critical problems found. 5 MRU files found. Log below, not sure it shows that.
RUN CWSHREDDER. No problems found - NO log file below.
RUN EWIDO SYSTEM SCAN. No problems found - no log file below. NOTE: set to scan ALL files, and auto guard turned off to not interfere with PANDA scan.
Run PANDA SCAN from the net. HERE's the MAIN problem. Wininet.DLL is shown as Disinfected, but it is not, as the reboot and rerun will show. Results of scan are shown. The two Smitfraud.B are shown as disinfected, but you'll see after the reboot they are still there, and nothing touches SuperSpider.
REBOOT
RUN PANDA SCAN. Log file shown, and notice nothing was really fixed!
RUN HIJACKTHIS. Log file is below. Last question: I no longer have a printer (Lexis) or Norton installed. Can I use HiJackThis to get rid of those last two entries and delete the directories in Program/CommonFiles? I've already deleted the applications.

Thanks!

LOG OF CLEANUP
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CleanUp! started on 07/08/05 21:33:52.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Run MRU' list - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.0 recovered 0 bytes of disk space from 0 files.
CleanUp! finished on 07/08/05 21:34:20.
----------------------------------------------------------------------------------------------------------


LOG OF CLEANUP! AFTER REBOOT AFTER PREVIOUS RUN OF CLEANUP!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CleanUp! started on 07/08/05 21:40:45.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\MSHist012005070820050709\index.dat - deleted
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\MSHist012005070820050709\ - deleted
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Recent\files.txt.lnk - deleted
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tim Turner\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Run MRU' list - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.0 recovered 32.5 KB of disk space from 2 files.
CleanUp! finished on 07/08/05 21:41:12.
------------------------------------------------------------------------------------------------------------------

LOG OF SPYBOT
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- Report generated: 2005-07-08 21:47 ---

Log: Activity: SchedLgU.Txt (Backup file, fixing failed)
C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, fixed)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, fixed)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, fixed)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

MS Media Player: Anonymous ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS DirectDraw: Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

Windows Explorer: User Assistant history IE (1 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (20 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: Computer name (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Congratulations!: No immediate threats were found. ()


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-07-08 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-07-07 Includes\Dialer.sbi (*)
2005-07-07 Includes\Hijackers.sbi (*)
2005-06-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-07-07 Includes\Malware.sbi (*)
2005-06-09 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-06-09 Includes\Security.sbi (*)
2005-07-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2005-07-07 Includes\Trojans.sbi (*)
-----------------------------------------------------------------------------------------------------------

LOG OF SPYBOT AFTER REBOOT (This is the CHECKS file, not FIXES)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- Report generated: 2005-07-08 22:05 ---

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

Windows Explorer: User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-854245398-1614895754-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Congratulations!: No immediate threats were found. ()

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-07-08 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-07-07 Includes\Dialer.sbi (*)
2005-07-07 Includes\Hijackers.sbi (*)
2005-06-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-07-07 Includes\Malware.sbi (*)
2005-06-09 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-06-09 Includes\Security.sbi (*)
2005-07-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2005-07-07 Includes\Trojans.sbi (*)
---------------------------------------------------------------------------------------------------------------

LOG OF ADAWARE - may not show that 5 MRU files were found (not critical)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, July 08, 2005 10:24:38 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R53 07.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-8-2005 10:24:38 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Tim Turner\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-854245398-1614895754-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-854245398-1614895754-682003330-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 428
ThreadCreationTime : 7-9-2005 5:00:56 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 484
ThreadCreationTime : 7-9-2005 5:00:57 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 508
ThreadCreationTime : 7-9-2005 5:00:58 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 560
ThreadCreationTime : 7-9-2005 5:00:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 7-9-2005 5:00:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 744
ThreadCreationTime : 7-9-2005 5:00:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 796
ThreadCreationTime : 7-9-2005 5:00:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 988
ThreadCreationTime : 7-9-2005 5:01:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1048
ThreadCreationTime : 7-9-2005 5:01:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1164
ThreadCreationTime : 7-9-2005 5:01:01 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1272
ThreadCreationTime : 7-9-2005 5:01:01 AM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1300
ThreadCreationTime : 7-9-2005 5:01:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1308
ThreadCreationTime : 7-9-2005 5:01:01 AM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:14 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1840
ThreadCreationTime : 7-9-2005 5:01:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:15 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1852
ThreadCreationTime : 7-9-2005 5:01:09 AM
BasePriority : Normal


#:16 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1900
ThreadCreationTime : 7-9-2005 5:01:09 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:17 [tcpsvcs.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 256
ThreadCreationTime : 7-9-2005 5:01:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : TCPSVCS.EXE

#:18 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 344
ThreadCreationTime : 7-9-2005 5:01:13 AM
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:19 [em_exec.exe]
FilePath : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\
ProcessID : 228
ThreadCreationTime : 7-9-2005 5:08:21 AM
BasePriority : Normal
FileVersion : 9.61.156
ProductVersion : 9.61
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
LegalCopyright : Copyright © Logitech Inc. 1987-2002.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : EM_EXEC.CPP
Comments : Created by the MouseWare Team

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1124
ThreadCreationTime : 7-9-2005 5:08:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 632
ThreadCreationTime : 7-9-2005 5:19:44 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
10:27:21 PM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:42.750
Objects scanned:94024
Objects identified:0
Objects ignored:0
New critical objects:0
---------------------------------------------------------------------------------------------------------------------

RESULTS OF PANDA ACTIVE SCAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Incident Status Location
Virus:W32/Smitfraud.B Disinfected Operating system
Adware:Adware/SuperSpider No disinfected Windows Registry
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
------------------------------------------------------------------------------------------------------------------------

RESULTS OF PANDA SCAN RIGHT AFTER REBOOT OF PRIOR SCAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Incident Status Location
Virus:W32/Smitfraud.B Disinfected OPERATING System
Adware:Adware/SuperSpider No disinfected Windows Registry
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
-------------------------------------------------------------------------------------------------------------------------------
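The DIR listing in this post shows three copies of wininet.dll (system32, system32\dllcache, ServicePackFiles\i386). On Windows XP, Windows File Protection restores a changed system32 file from dllcache, so a disinfection of system32 alone is undone if the dllcache copy is the same build. The following is an added example, not code from the thread: it parses a DIR listing of that format (the sample is the listing posted above) and reports whether the live and cached copies agree. The role classification and the WFP reasoning are this example's own assumptions.

```python
"""Parse `dir %Systemdrive%\\wininet.dll /a /s` output and compare the copies
Windows keeps of a protected DLL (system32, dllcache, ServicePackFiles)."""
import re

# Sample input: the DIR listing quoted in the first post of this thread.
DIR_OUTPUT = """\
Volume in drive C has no label.
Volume Serial Number is 7487-890D
Directory of C:\\WINDOWS\\ServicePackFiles\\i386
08/29/2002 04:41 AM 599,040 wininet.dll
1 File(s) 599,040 bytes
Directory of C:\\WINDOWS\\system32
02/06/2004 06:05 PM 588,288 wininet.dll
1 File(s) 588,288 bytes
Directory of C:\\WINDOWS\\system32\\dllcache
02/06/2004 06:05 PM 588,288 WININET.DLL
1 File(s) 588,288 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, comma-grouped size, file name (summary lines like "1 File(s)" do not match)
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$"
)


def parse_dir_listing(text):
    """Return a list of (directory, filename, date, time, size_in_bytes)."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            date, time, size, name = m.groups()
            entries.append((current_dir, name, date, time, int(size.replace(",", ""))))
    return entries


def classify(directory):
    """Assumed roles: the live system32 file, the WFP dllcache copy, the
    service-pack install source, or something else entirely."""
    d = directory.lower()
    if d.endswith("\\dllcache"):
        return "dllcache"
    if "\\servicepackfiles\\" in d:
        return "servicepack"
    if d.endswith("\\system32"):
        return "live"
    return "other"


def collect_copies(entries, name="wininet.dll"):
    """Map role -> (size, date, time) for every copy of `name` in the listing.
    If two directories map to the same role the later one wins."""
    copies = {}
    for directory, fname, date, time, size in entries:
        if fname.lower() == name.lower():
            copies[classify(directory)] = (size, date, time)
    return copies


def cache_matches_live(copies):
    """True when the dllcache copy has the same size and timestamp as the
    system32 copy. In that case cleaning only system32 does not stick: WFP
    puts the cached bytes back, which is consistent with a scanner reporting
    the same file 'disinfected' on every run. Equal metadata is not proof of
    an identical or infected file; confirm with a hash or signature check."""
    live, cache = copies.get("live"), copies.get("dllcache")
    return live is not None and cache is not None and live == cache


def report(copies):
    """Human-readable summary lines, one per known copy."""
    lines = []
    for role in ("live", "dllcache", "servicepack", "other"):
        if role in copies:
            size, date, time = copies[role]
            lines.append(f"{role:12s} {size:>9,d} bytes  {date} {time}")
    if cache_matches_live(copies):
        lines.append("dllcache copy matches live copy: WFP will restore it unchanged")
    return lines


if __name__ == "__main__":
    for line in report(collect_copies(parse_dir_listing(DIR_OUTPUT))):
        print(line)
```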


#2 g2i2r4


Posted 09 July 2005 - 06:03 AM

Welcome Furball321 to Bleeping Computer.

Thank you for all the info so far.

Can you post me a HijackThis log?


Life is what happens while you're making other plans

#3 Furball321


Posted 09 July 2005 - 05:07 PM

Argh! All that and I forgot to append the HijackThis log! Here it is. It is from just after the last Panda scan ran.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:33 PM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/269753acb4115c...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: 5dhso9czgtgs.dll.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#4 g2i2r4 (Malware remover)

Posted 09 July 2005 - 05:27 PM

No problem :thumbsup:

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop!
Be sure to follow ALL instructions!



Download SmitRem to your desktop.
Right click on the file and extract it to its own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Update AdAware to the latest definitions.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/269753acb4115c...ip/RdxIE601.cab

O20 - AppInit_DLLs: 5dhso9czgtgs.dll.dll

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or whichever partition your operating system is installed on.
Post the contents of the smitfiles.txt log when you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:
  • Click on Scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido.txt log file you saved by using Add Reply

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the contents of the smitfiles.txt log by using Add Reply.


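The entries g2i2r4 singles out above (the O20 AppInit_DLLs line first of all) are the ones a helper checks before anything else in a HijackThis log, and that check can be done mechanically. The following is an added example, not code from HijackThis, SmitRem or any post in this thread: it parses HijackThis 1.99-style log lines and flags the persistence points that matter most. The sample log is constructed from entries quoted in the thread plus one made-up O4 line; the severity rules and the random-name heuristic are this example's own assumptions.

```python
"""Triage a HijackThis v1.99 log for the persistence points that matter most.

Added example for this thread; it is not part of HijackThis or of any post.
SAMPLE_LOG is constructed: real entries quoted in the thread plus one made-up
O4 autorun line so the "outside Windows/Program Files" rule is exercised.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\owner\updater.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/x/RdxIE601.cab
O20 - AppInit_DLLs: 5dhso9czgtgs.dll.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section tag, e.g. "O20"
    severity: str   # "high" (fix it) or "review" (look at it)
    reason: str
    entry: str      # the original log line


_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
_DOUBLE_EXT = re.compile(r"\.(dll|exe|scr)\.(dll|exe)$", re.I)


def _looks_random(name: str) -> bool:
    """Heuristic (assumption): an 8+ character stem with no vowels at all."""
    stem = name.split(".")[0]
    return len(stem) >= 8 and not re.search(r"[aeiou]", stem, re.I)


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        sec, body = m["sec"], m["body"]
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is loaded into every process that links user32.dll;
                # a non-empty value on a home XP box is almost always malware.
                reason = "AppInit_DLLs is set (DLL injected into every GUI process)"
                if _DOUBLE_EXT.search(value) or _looks_random(value):
                    reason += "; name is double-extension or random-looking"
                findings.append(Finding(sec, "high", reason, line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(sec, "review", "BHO without a name", line))
        elif sec == "O4":
            path = body.split("]", 1)[-1].strip().lower()
            if not (path.startswith("c:\\windows") or path.startswith("c:\\progra")):
                findings.append(Finding(sec, "review", "autorun outside Windows/Program Files", line))
        elif sec == "O16":
            host = re.search(r"https?://([^/]+)/", body)
            where = host.group(1) if host else "?"
            findings.append(Finding(sec, "review", f"ActiveX download from {where}", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "review", "service with no publisher string", line))
    return findings


def high_severity(log_text: str) -> list:
    """Only the entries that should go straight into 'Fix checked'."""
    return [f for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
```

Everything marked "review" still needs a human (SDHelper.dll, for instance, is Spybot's own BHO and benign); only the AppInit_DLLs rule is confident enough to act on by itself.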

#5 Furball321 (Topic Starter)

Posted 09 July 2005 - 10:15 PM

When I ran HijackThis to delete the 2 items you gave me, I got this error:
++++++++++++++++++++++++++++++++++++++++++++++
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: 5dhso9czgtgs.dll.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
-----------------------------------------------------------------------------

So I have not yet run smitrem or the rest of the stuff. What now?

Here is a scan from right after the error:
++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 7:22:55 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
---------------------------------------------------------------------------------------------

#6 g2i2r4 (Malware remover)

Posted 10 July 2005 - 04:37 PM

Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Run AboutBuster. This will scan your computer for the bad files and delete them.
Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here.



#7 Furball321 (Topic Starter)

Posted 10 July 2005 - 05:15 PM

Below is the AboutBuster log. It appends the log files together, so, since they are short - and the same - I sent them both.

Please note that the routine did not ask me about alternate data streams, shutting down explorer or making a second pass. I did download the latest reference file before running.


AboutBuster 5.0 reference file 30
Scan started on [7/10/2005] at [3:02:39 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:03:04 PM


AboutBuster 5.0 reference file 30
Scan started on [7/10/2005] at [3:07:15 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:07:40 PM

#8 Furball321 (Topic Starter)

Posted 11 July 2005 - 05:48 AM

I've added everything you asked for. I stopped when I got the error message from HiJackThis. I'm ready to return to the rest of what you posted.

What do you want me to do next?

#9 g2i2r4 (Malware remover)

Posted 11 July 2005 - 06:26 AM

Thanks for running About:Buster. I'll check on the routine to change my text, thank you for the feedback. The program must have changed lately.

It seems HijackThis did the trick anyway.

Please move on with the advice right after HijackThis.



#10 Furball321 (Topic Starter)

Posted 11 July 2005 - 07:10 PM

It looks like smitrem did the trick on the DLL. But Panda reports the superspider malware in the registry.

When you give me the commands to delete SuperSpider, may I also have HJT clean these entries?

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

I no longer use a Lexmark printer or Symantec software, so I'd like to delete those entries and their folders.

The reports below are in the order they were run:
SMITREM
EWIDO
HJT
PANDA
HJT

++++++++++++++++++++++++++++++++++++++++++++++++++++
Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Infected!

~~~ Replaced wininet.dll from dllcache ~~~
----------------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++
Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Infected!

~~~ Replaced wininet.dll from dllcache ~~~
------------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 4:18:05 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
------------------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++

Incident Status Location

Adware:Adware/SuperSpider No disinfected Windows Registry
------------------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 4:49:32 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
---------------------------------------------------------------------------------------------

#11 g2i2r4 (Malware remover)

Posted 11 July 2005 - 07:19 PM

The HijackThis log looks clean, well done.

It's not a good idea to use HijackThis to remove either Lexmark or Symantec (the O23 items).
HijackThis only shows a very small part of your system. There is, for instance, more running from Symantec. The best thing to do is to uninstall through the Control Panel (Add or Remove Programs). If that is not enough, follow the instructions of Lexmark and Symantec on their sites.


The O16 item can be deleted. If you visit that site again and the ActiveX control is required, it will be put back again.

We can go searching the Registry for SuperSpider, I will have to post that tomorrow then (bit late here now :thumbsup: ).



#12 Furball321 (Topic Starter)

Posted 11 July 2005 - 08:08 PM

Thank you - I would like to get rid of SuperSpider.

Another problem that popped up the same time as I got that error in HiJackThis is that about half the time I try to connect to the internet for the first time after a reboot, I get the message that the net is unavailable. But if I hit the try again button, it always connects. I've never had this problem before, and none of the other computers in the house have this problem.

We connect through a cable modem. Is there any setup tab or network option that would affect this? Again, it does not *always* happen.

Last thing: Do you recommend leaving the Ewido Guard on? I knew nothing about Ewido til reading about it here. I've seen others suggesting the use of Spyware Blaster. What are your thoughts?

Thanks and regards,
Tim Turner

#13 g2i2r4 (Malware remover)

Posted 12 July 2005 - 02:37 PM

You can leave Ewido. It's a two-week free trial. I'll give you some tips for the future when we are done.


Let's try this first:

Download swap.zip from this location:
http://forums.skads.org/index.php?act=Attach&type=post&id=59


Unzip it, but make sure all the files stay together in the same swap folder!

Double Click swap.bat.
This can take awhile to run.
Don't worry, your computer will reboot by itself, so let it finish the job.

See what Panda has to say to this :thumbsup:



#14 Furball321 (Topic Starter)

Posted 12 July 2005 - 05:19 PM

Darn, still there. Panda log:



Incident Status Location

Adware:Adware/SuperSpider No disinfected Windows Registry

#15 g2i2r4 (Malware remover)

Posted 12 July 2005 - 06:05 PM

Download and install Registrar Lite.

Let's go search the Registry for 467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E
Please be very careful what you do. A corrupt Registry is a broken-down machine.

Doubleclick the file you just downloaded.
An Installshield will appear. Follow the instructions.

Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.

Press the magnifying glass
In the box 'text to search for' copy and paste
467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'

Open notepad
Click the right mousebutton and choose 'paste'.

Go back to Registrar Lite and close the bookmarks window.

Go to the next row
Repeat the steps from (*) until all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.

Repeat the search for these:
444A5674-FF85-45D4-9AE2-4199D8D70C85

0D721150-AEF3-457B-B03A-5097B623CE45

Plugin6.DNSErrObj

Let's see what it finds.


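The Registrar Lite walk-through above is a manual search of the registry for four identifiers, copying each hit's key name out by hand. The same search can be run offline against a registry export, which also leaves a record of exactly which keys were touched. The following is an added example, not Registrar Lite and not code from any post in this thread: it parses the text format `reg export` writes and reports every key path or value that contains one of the indicators. The sample export, its key layout and the CONSTRUCTED.dll path are made up for the example; only the four identifiers come from the post.

```python
"""Search a registry export (.reg) for the identifiers named in the post above.

Added example for this thread; it is not Registrar Lite and not code from any
post. It automates the manual search: export the hives first, e.g.
    reg export HKCR hkcr.reg
    reg export HKLM hklm.reg
(Windows XP writes these as UTF-16LE, so read them with encoding="utf-16"),
then call find_indicators() on the text. SAMPLE_EXPORT is constructed for the
example; the key layout and the CONSTRUCTED.dll path are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# The four identifiers g2i2r4 asked to search for (matched case-insensitively).
IOCS = [
    "467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E",
    "444A5674-FF85-45D4-9AE2-4199D8D70C85",
    "0D721150-AEF3-457B-B03A-5097B623CE45",
    "Plugin6.DNSErrObj",
]

# Constructed sample export: one CLSID registration, its ProgID, and an
# unrelated (Spybot) CLSID that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{467FAEB2-5F5B-4C81-BAE0-2A4752CA7F4E}]
@="DNSErrObj Class"

[HKEY_CLASSES_ROOT\CLSID\{467FAEB2-5F5B-4C81-BAE0-2A4752CA7F4E}\InprocServer32]
@="C:\\WINDOWS\\system32\\CONSTRUCTED.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\Plugin6.DNSErrObj\CLSID]
@="{467FAEB2-5F5B-4C81-BAE0-2A4752CA7F4E}"

[HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}]
@="Spybot-S&D IE Protection"
"""


@dataclass
class Hit:
    key: str
    value_name: str | None   # None: the key path matched; "@": the default value
    indicator: str


_KEY = re.compile(r"^\[(-?)(.+)\]$")                       # [HKEY_...\path]
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=... or @=...


def find_indicators(export_text: str, indicators: list) -> list:
    """Return every key path and value in the export that contains an indicator."""
    needles = [i.lower() for i in indicators]
    hits, current_key = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        km = _KEY.match(line)
        if km:
            current_key = km.group(2)
            low = current_key.lower()
            hits += [Hit(current_key, None, ioc) for n, ioc in zip(needles, indicators) if n in low]
            continue
        vm = _VALUE.match(line)
        if vm and current_key is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            low = vm.group(2).lower()
            hits += [Hit(current_key, name, ioc) for n, ioc in zip(needles, indicators) if n in low]
    return hits


def affected_keys(hits: list) -> list:
    """Distinct keys touched, deepest first: the order to review or delete them in."""
    keys = {h.key for h in hits}
    return sorted(keys, key=lambda k: (-k.count("\\"), k.lower()))


if __name__ == "__main__":
    found = find_indicators(SAMPLE_EXPORT, IOCS)
    for h in found:
        where = "key path" if h.value_name is None else f"value {h.value_name!r}"
        print(f"{h.indicator}: {where} in [{h.key}]")
    print("keys to review:", *affected_keys(found), sep="\n  ")
```

A value hit (the `@` default of the ProgID's CLSID subkey pointing at the class GUID) is as important as a key-path hit: it is how IE resolves the ProgID back to the DLL, so both have to go or the object can still be instantiated.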



