Smitfraud.c in disguise? Help Please


10 replies to this topic

#1 geekettewannab
Posted 24 July 2005 - 12:33 PM

Hi, My husband has a nasty trojan on his system that looked like the classic Smitfraud.c that hijacks your browser and leaves the dreaded BSOD as wallpaper. I followed the directions at the Symantec site but as I tried to remove items from the registry, I noticed that most of them were not there. I did remove that ugly blue wallpaper tho. I found you guys and picked up HJT as well as other tools, but I have not been able to stop the hijacking. Can somebody look at my log and help me please? My husband's PC is a few steps closer to being thrown out the window and neither of us are very smart when it comes to this. :thumbsup: I suspect I need to delete some of those R1s in the log that end in about:blank, but I was afraid to do it unless a real geek advised me to do so.
Thank you for any help you can lend!


Logfile of HijackThis v1.99.1
Scan saved at 12:09:16 AM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\default\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\default\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\default\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B4E38139-4ED1-4B5E-82B0-82D233BCFCC4} - C:\WINDOWS\System32\mapd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet g series).lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O18 - Filter: text/html - {D4B00628-B70A-478B-AEEC-EDA52BA00F8D} - C:\WINDOWS\System32\mapd.dll
O18 - Filter: text/plain - {D4B00628-B70A-478B-AEEC-EDA52BA00F8D} - C:\WINDOWS\System32\mapd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
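The indicators in the log above (IE start and search pages forced to about:blank, a res:// search page served from se.dll in the Temp folder, an unnamed BHO and a text/html MIME filter both pointing at mapd.dll in System32, and the intel32.exe Run entry) are the pattern that marks this as the about:blank/Smitfraud-style hijacker. The following Python checker is an added example, not code from the thread or from HijackThis: it parses lines in HijackThis v1.99.1 format and flags entries that match those indicators. The sample log and the indicator list are constructed from entries in this thread, and the rules are illustrative assumptions rather than HijackThis's own logic.

```python
"""Flag classic about:blank / Smitfraud-style hijack indicators in HijackThis
v1.99.1 log lines.  Added example; not code from the thread or from HijackThis."""
import re
from typing import List, Tuple

# File names the thread above identifies as malicious (se.dll served from Temp,
# the mapd.dll BHO/MIME filter, the intel32.exe Run entry).  Constructed for
# this example from the thread, not a vendor indicator feed.
THREAD_INDICATORS = ("se.dll", "mapd.dll", "intel32.exe")

# Constructed sample in HijackThis format, modelled on the log above (raw
# string so the Windows backslashes survive as written).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\default\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {B4E38139-4ED1-4B5E-82B0-82D233BCFCC4} - C:\WINDOWS\System32\mapd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/html - {D4B00628-B70A-478B-AEEC-EDA52BA00F8D} - C:\WINDOWS\System32\mapd.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HijackThis entry starts with a section code such as R1, O2, O18, N1.
ENTRY_RE = re.compile(r"^(?P<kind>[RONF]\d+) - (?P<body>.*)$")


def assess_entry(line: str) -> List[str]:
    """Return the reasons one HijackThis line is suspicious (empty if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: List[str] = []

    if kind in ("R0", "R1"):
        # R0/R1: registry-backed IE start and search page settings.
        value = body.partition("=")[2].strip().lower()
        if value == "about:blank":
            reasons.append("IE start/search page forced to about:blank")
        elif value.startswith("res://") and "\\temp\\" in value:
            reasons.append("IE search page served by a DLL in a Temp folder")
        elif value == "":
            reasons.append("empty IE page value left behind (fix it in HJT)")
    elif kind == "O2":
        # O2 - BHO: <name> - {CLSID} - <dll path>
        parts = body.split(" - ", 2)
        if len(parts) == 3 and "(no name)" in parts[0] \
                and "\\system32\\" in parts[2].lower():
            reasons.append("unnamed BHO loading from System32")
    elif kind == "O18":
        # O18 - Filter: <mime type> - {CLSID} - <dll path>.  A filter on the
        # page types themselves lets that DLL rewrite every page IE renders.
        mime = body.split(" - ", 2)[0].replace("Filter:", "", 1).strip()
        if mime in ("text/html", "text/plain"):
            reasons.append(f"MIME filter hooked on {mime}")

    # Any entry type: file names the thread already tied to this infection,
    # matched as whole names so e.g. "base.dll" does not trip "se.dll".
    low = body.lower()
    for ioc in THREAD_INDICATORS:
        if re.search(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", low):
            reasons.append(f"known indicator from this thread: {ioc}")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Pair each suspicious entry with its reasons, in log order."""
    findings = []
    for line in text.splitlines():
        reasons = assess_entry(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, why in scan_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, the checker flags the seven hijack-related entries and leaves the Norton, ccApp and SAVScan lines alone. Feeding it a log saved by HijackThis (read the file and pass its text to `scan_log`) gives a first pass at the lines a helper would ask you to check before removing them.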


#2 Grinler (Lawrence Abrams, Admin)
Posted 25 July 2005 - 10:33 AM

This will be a two part fix, so please be patient.

Please download and extract the following file:

http://www.derbilk.de/SpSeHjfix112.zip

Run the program and then post the resulting log along with a new hijackthis log.

#3 geekettewannab (Topic Starter)
Posted 25 July 2005 - 01:21 PM

Thank you for your response and help! I'm ready for step two. Here are the logs you requested first:


(7/25/05 9:01:16 AM) SPSeHjFix started v1.1.2
(7/25/05 9:01:16 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/25/05 9:01:16 AM) Language: english
(7/25/05 9:01:16 AM) Win-Path: C:\WINDOWS
(7/25/05 9:01:16 AM) System-Path: C:\WINDOWS\System32
(7/25/05 9:01:16 AM) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\
(7/25/05 9:01:33 AM) Disinfection started
(7/25/05 9:01:33 AM) Bad-Dll(IEP): c:\docume~1\default\locals~1\temp\se.dll
(7/25/05 9:01:33 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\mapd.dll
(7/25/05 9:01:33 AM) Searchassistant Uninstaller - Keys Deleted
(7/25/05 9:01:33 AM) UBF: 9 - UBB: 2 - UBR: 7
(7/25/05 9:01:33 AM) FilterKey: HKCR\text/html (deleted)
(7/25/05 9:01:33 AM) FilterKey: HKCR\CLSID\{16902323-4DA0-45B1-A275-CAD76478422A} (deleted)
(7/25/05 9:01:33 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/25/05 9:01:33 AM) FilterKey: HKCR\text/plain (deleted)
(7/25/05 9:01:33 AM) FilterKey: HKCR\CLSID\{16902323-4DA0-45B1-A275-CAD76478422A} (error while deleting)
(7/25/05 9:01:33 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/25/05 9:01:33 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4E38139-4ED1-4B5E-82B0-82D233BCFCC4} (deleted)
(7/25/05 9:01:33 AM) BHO-Key: HKCR\CLSID\{B4E38139-4ED1-4B5E-82B0-82D233BCFCC4} (deleted)
(7/25/05 9:01:33 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 9:01:33 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\default\locals~1\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer, SearchURL:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\default\locals~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/25/05 9:01:33 AM) Stealth-String not found
(7/25/05 9:01:33 AM) File added to delete: c:\windows\system32\mapd.dll
(7/25/05 9:01:33 AM) Reboot


(7/25/05 9:02:54 AM) SPSeHjFix started v1.1.2
(7/25/05 9:02:54 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/25/05 9:02:54 AM) Language: english
(7/25/05 9:02:54 AM) Win-Path: C:\WINDOWS
(7/25/05 9:02:54 AM) System-Path: C:\WINDOWS\System32
(7/25/05 9:02:54 AM) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\
(7/25/05 9:03:31 AM) Disinfection started
(7/25/05 9:03:31 AM) Bad-Dll(IEP): (not found)
(7/25/05 9:03:31 AM) Bad-Dll(IEP) in BHO: (not found)
(7/25/05 9:03:31 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 9:03:31 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 9:03:31 AM) Bad IE-pages: (none)
(7/25/05 9:03:31 AM) Stealth-String not found
(7/25/05 9:03:31 AM) Not infected->END


(7/25/05 10:09:55 AM) SPSeHjFix started v1.1.2
(7/25/05 10:09:55 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/25/05 10:09:55 AM) Language: english
(7/25/05 10:09:55 AM) Win-Path: C:\WINDOWS
(7/25/05 10:09:55 AM) System-Path: C:\WINDOWS\System32
(7/25/05 10:09:55 AM) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\
(7/25/05 10:09:57 AM) Disinfection started
(7/25/05 10:09:57 AM) Bad-Dll(IEP): (not found)
(7/25/05 10:09:57 AM) Bad-Dll(IEP) in BHO: (not found)
(7/25/05 10:09:57 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:09:57 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:09:57 AM) Bad IE-pages: (none)
(7/25/05 10:09:57 AM) Stealth-String not found
(7/25/05 10:09:57 AM) Not infected->END


(7/25/05 10:10:50 AM) SPSeHjFix started v1.1.2
(7/25/05 10:10:50 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/25/05 10:10:50 AM) Language: english
(7/25/05 10:10:50 AM) Win-Path: C:\WINDOWS
(7/25/05 10:10:50 AM) System-Path: C:\WINDOWS\System32
(7/25/05 10:10:50 AM) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\
(7/25/05 10:10:53 AM) Disinfection started
(7/25/05 10:10:53 AM) Bad-Dll(IEP): (not found)
(7/25/05 10:10:53 AM) Bad-Dll(IEP) in BHO: (not found)
(7/25/05 10:10:53 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:10:53 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:10:53 AM) Bad IE-pages: (none)
(7/25/05 10:10:53 AM) Stealth-String not found
(7/25/05 10:10:53 AM) Not infected->END


(7/25/05 10:16:59 AM) SPSeHjFix started v1.1.2
(7/25/05 10:16:59 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/25/05 10:16:59 AM) Language: english
(7/25/05 10:16:59 AM) Win-Path: C:\WINDOWS
(7/25/05 10:16:59 AM) System-Path: C:\WINDOWS\System32
(7/25/05 10:16:59 AM) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\
(7/25/05 10:17:01 AM) Disinfection started
(7/25/05 10:17:01 AM) Bad-Dll(IEP): (not found)
(7/25/05 10:17:01 AM) Bad-Dll(IEP) in BHO: (not found)
(7/25/05 10:17:01 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:17:01 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:17:01 AM) Bad IE-pages: (none)
(7/25/05 10:17:01 AM) Stealth-String not found
(7/25/05 10:17:01 AM) Not infected->END


(7/25/05 10:31:16 AM) SPSeHjFix started v1.1.2
(7/25/05 10:31:16 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/25/05 10:31:16 AM) Language: english
(7/25/05 10:31:16 AM) Win-Path: C:\WINDOWS
(7/25/05 10:31:16 AM) System-Path: C:\WINDOWS\System32
(7/25/05 10:31:16 AM) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\
(7/25/05 10:31:18 AM) Disinfection started
(7/25/05 10:31:18 AM) Bad-Dll(IEP): (not found)
(7/25/05 10:31:18 AM) Bad-Dll(IEP) in BHO: (not found)
(7/25/05 10:31:18 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:31:18 AM) UBF: 7 - UBB: 1 - UBR: 7
(7/25/05 10:31:18 AM) Bad IE-pages: (none)
(7/25/05 10:31:18 AM) Stealth-String not found
(7/25/05 10:31:18 AM) Not infected->END


HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:12:49 AM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\default\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet g series).lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Grinler (Lawrence Abrams, Admin)
Posted 25 July 2005 - 01:52 PM

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#5 geekettewannab (Topic Starter)
Posted 25 July 2005 - 02:29 PM

Thank you so much. I will follow all of your steps a little later today and will send you e-mail as to how things went. THANKS VERY MUCH SO FAR! :thumbsup:

#6 geekettewannab (Topic Starter)
Posted 25 July 2005 - 08:28 PM

Hi there Grinler,

Wow, that was quite the exorcism....several of the scans took a while to complete, and there were a good number of bad things the scans found and cleaned.

Here are my logs.....so far so good it seems. I was able to reset my hubby's home page without being hijacked and he is surfing away. The best part is the cussing has stopped. :thumbsup: But Panda said there are 6 viri left. Should I be concerned?

Thank you so much Grinler....you ROCK!

Geekettewannab



smitRem log file
version 2.2

by noahdfear

The current date is: Mon 07/25/2005
The current time is: 15:50:59.74

~

Pre-run Files Present


~ Program Files ~



~ Shortcuts ~



~ Favorites ~



~ system32 folder ~

intel32.exe


~ Windows directory ~



~ Drive root ~

~


Post-run Files Present


~ Program Files ~



~ Shortcuts ~



~ Favorites ~



~ system32 folder ~



~ Windows directory ~



~ Drive root ~



~ Wininet.dll ~

CLEAN!



Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:00:12 PM, 7/25/2005
+ Report-Checksum: 191626CC

+ Scan result:

C:\compaq\lutil\WizHost.exe -> Heuristic.Win32.Dialer : Ignored
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000221} -> Spyware.ClearSearch : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000002230} -> Spyware.ClearSearch : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0191ABF4-9421-435E-9FFD-CD827A2A82D8} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02C20140-76F8-4763-83D5-B660107B7A90} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02C20140-76F8-4763-83D5-B660107BABCD} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ACE-6851-45C3-A7FF-C281324D5489} -> Spyware.2nsSearch : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1678F7E1-C422-11D0-AD7D-00400515CAAA} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E89F686-B78D-4C85-9EFC-3474516E3FE2} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{386A771C-E96A-421F-8BA7-32F1B706892F} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{556DDE35-E955-11D0-A707-000000521958} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-1801674531-746137067-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B} -> Spyware.FavoriteMan : Cleaned with backup
C:\WINDOWS\SYSTEM32\chktrust.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\iptq.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\iptq.exe -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\PCTPTT.EXE -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\appxa.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\javabt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{54F07F90-D2EE-4DCD-979E-D250463ECC5B}\RP2\A0001135.EXE -> Trojan.Small.eu : Cleaned with backup


::Report End

Panda

Incident Status Location

Adware:adware/topsearch No disinfected C:\PROGRAM FILES\KAZAA\TopSearch.dll
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/ncase No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK
Virus:Exploit/CodeBase.S No disinfected C:\adwxx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\adwxx.chm[htm2chm_explorer]
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\KaZaA\dcore.dll

HJT

Logfile of HijackThis v1.99.1
Scan saved at 6:08:47 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\default\Local Settings\Temp\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet g series).lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:39 PM

Posted 25 July 2005 - 09:13 PM

Well, I definitely do not see any malware in that log.

You can delete these, but Kazaa may not work after:

C:\PROGRAM FILES\KAZAA\TopSearch.dll
C:\Program Files\KaZaA\dcore.dll


You can delete these files:
C:\PROGRAM FILES\Lycos
C:\adwxx.chm
C:\adwxx.chm


Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.


HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK

Then press Enter. You will now be presented with new information in the bottom right and left sections and in the right section.

Right click on search bar_bak and delete it if it exists.

Then run a scan again and tell me if it comes clean.

#8 geekettewannab

geekettewannab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 26 July 2005 - 12:52 AM

Hi Grinler.

Well, we got 4 of the 6 that way and that's a very good thing. These are the two remaining.

Any ideas at this point?

Thank you very much again.



Incident                   Status           Location
Adware:adware/sidesearch   No disinfected   HKEY_LOCAL_MACHINE\SOFTWARE\LYCOS
Adware:adware/ncase        No disinfected   HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH PAGE_BAK

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:39 PM

Posted 26 July 2005 - 09:43 AM

Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\LYCOS

Then press Enter. You will now be presented with new information in the bottom right and left sections and in the right section.

Right click on Lycos and select delete.

Then enter the following in the address field and press Enter:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH PAGE_BAK

Right click on Search Page_Bak and delete it.
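For readers who want to verify the cleanup from posts #7 and #9 without a third-party registry editor, here is an added example (not from the thread, not a BleepingComputer or Registrar Lite tool) in PowerShell. It audits the three leftover locations named in this thread, HKLM\SOFTWARE\LYCOS and the Search Page_Bak and Search Bar_Bak entries under the Internet Explorer Main key, and only deletes them when run with the -Remove switch. Because the scan output does not say whether the *_Bak entries are subkeys or values, the script checks both forms; that and the switch name are assumptions of this example.

```powershell
# Added example: audit (and optionally remove) the leftover registry entries
# discussed in this thread. Read-only unless -Remove is given.
param([switch]$Remove)

# Locations taken from the thread. Checking *_Bak both as subkeys and as
# values under IE\Main is an assumption, since the scan output does not say
# which form they take.
$ieMain = 'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main'
$keysToCheck = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\LYCOS',
    "$ieMain\Search Page_Bak",
    "$ieMain\Search Bar_Bak"
)
$valuesToCheck = @('Search Page_Bak', 'Search Bar_Bak')

$findings = @()

# Leftover subkeys
foreach ($k in $keysToCheck) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'Key'; Path = $k; Name = '' }
    }
}

# Leftover values under IE\Main
if (Test-Path -LiteralPath $ieMain) {
    $main = Get-Item -LiteralPath $ieMain
    foreach ($v in $valuesToCheck) {
        if ($main.GetValueNames() -contains $v) {
            $findings += [pscustomobject]@{ Type = 'Value'; Path = $ieMain; Name = $v }
        }
    }
}

if (-not $findings) {
    Write-Output 'No leftover entries found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        if ($f.Type -eq 'Key') {
            Remove-Item -LiteralPath $f.Path -Recurse -Force
        } else {
            Remove-ItemProperty -LiteralPath $f.Path -Name $f.Name -Force
        }
    }
    Write-Output 'Listed entries removed; rerun without -Remove to confirm.'
}
```

Run it once without arguments to see what is present, export the affected keys with reg.exe export if you want a rollback copy, then run it again with -Remove. Deleting HKLM keys needs an elevated prompt.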

#10 geekettewannab

geekettewannab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 PM

Posted 26 July 2005 - 03:34 PM

Dear Grinler,

:thumbsup: We are viri free!!!!!!!!!!! Thank you, thank you! You 'da man. I will beam up a donation today!

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:39 PM

Posted 26 July 2005 - 08:56 PM

Your log is clean! Great job!

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable system restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



