Help please


This topic is locked
10 replies to this topic

#1 mjh

mjh

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:01 PM

Posted 24 July 2005 - 11:07 PM

Hi there

Could you please help me to rid our computer of the smitfraud virus. Sorry I am not a computer geek so you may have to be a bit patient with me, but will do my best to follow all your instructions. Have run Hijackthis scan - so here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:20 PM, on 25/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOBILE PHONETOOLS\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O1 - Hosts: 140.99.106.182 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)


Many thanks


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:01 PM

Posted 25 July 2005 - 03:03 PM

Hello mjh and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Step #2

Place a shortcut to Panda ActiveScan on your desktop.

Step #3

If you already have Ad-Aware SE 1.06 then check for updates. Otherwise follow these Ad-Aware SE Setup Instructions.

Do NOT run a scan yet.

Step #4

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O1 - Hosts: 140.99.106.182 auto.search.msn.com
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)

Step #6

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Step #7

Open Ad-aware SE and do a full scan. Remove all it finds.

Step #8

Next go to Control Panel click Display > Web > Uncheck "Security Info" if present.

Step #9

Reboot normally and click the Panda ActiveScan shortcut on your desktop. Do a full system scan and make sure the autoclean box is checked! Save the scan log when finished.

Step #10

Post the following information back here using the Add Reply button (note any problems encountered):
  • A new HijackThis log
  • The contents of the Smitfiles.txt file
  • The log from the Panda ActiveScan
Cheers.

OT

Edited by OldTimer, 25 July 2005 - 03:08 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
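As an added illustration (not code from the thread, from HijackThis or from smitRem), here is a small Python triage script that encodes the reasoning behind Step #5 above: it parses HijackThis entries and flags the same six items (a hosts-file redirect, SYSTEM-folder binaries under a mismatched or known-rogue Run value name, and a Winlogon Notify entry pointing at a missing DLL) while leaving the legitimate Run entries alone. The sample log and the rogue-name list are taken from this thread; the Win9x `C:\WINDOWS\SYSTEM\` layout is an assumption built into the script.

```python
import re

# Constructed sample: HijackThis entries copied from the thread above, including the
# legitimate ones (ScanRegistry, mdac_runonce, TkBellExe ...) that must NOT be flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 140.99.106.182 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN_KEY = re.compile(r"^HKLM\\\.\.\\Run(?:Services)?: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
SYSTEM_DIR = "c:\\windows\\system\\"   # assumption: Win9x layout, as in this thread
# Names this thread identifies as belonging to the rogue-antispyware family.
ROGUE_NAMES = ("intel32.exe", "psguard", "adwarealert")


def parse_entries(text):
    """Yield (section, body) for every 'Onn - ...' line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def exe_path(cmd):
    """Pull the program path out of a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted long path
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(key, cmd):
    """Return a reason string if an O4 Run entry looks rogue, else None."""
    path = exe_path(cmd)
    low_path = path.lower()
    k = key.lower()
    if any(name in k or name in low_path for name in ROGUE_NAMES):
        return "known rogue name from this infection family"
    # A binary dropped into the SYSTEM folder under a value name that has nothing
    # to do with the file it launches (e.g. [RegSvr32] -> msmsgs.exe).
    base = low_path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if low_path.startswith(SYSTEM_DIR) and stem not in k and k not in stem:
        return "SYSTEM-folder binary whose Run value name does not match the file"
    return None


def triage(text):
    """Apply the triage rules to a HijackThis log; return the entries to fix."""
    findings = []
    for section, body in parse_entries(text):
        reason = None
        if section == "O1":
            # Any Hosts override of a public name is a redirect the user never set.
            reason = "hosts-file redirect"
        elif section == "O4":
            m = RUN_KEY.match(body)
            if m:
                reason = check_run_entry(m.group("key"), m.group("cmd"))
        elif section == "O20" and "(file missing)" in body:
            reason = "Winlogon Notify handler pointing at a missing DLL"
        if reason:
            findings.append({"entry": f"{section} - {body}", "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:<66} {f['entry']}")
```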

#3 mjh

mjh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:01 PM

Posted 25 July 2005 - 10:26 PM

Thank you Old Timer

I guess that this answer reflects my lack of computer knowledge!! I don't know if I did everything correctly, but did encounter some problems - I placed the Panda ActiveScan shortcut to the desktop, but when I clicked the shortcut to follow your instructions to do a full system scan, the IE window that opened was completely empty so I don't know where the program was, maybe it didn't download initially?

Also after the 'RunThis.bat' instruction, it did a scan but came up with 'sharing violation reading drive C Abort Retry Fail' I tried to 'Retry' but it just came up with the same information again.

I can't find a new HijackThis log

I can't find a Panda ActiveScan log

Here is the smitfiles.txt file:

smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll
intel32.exe
wp.bmp
intmonp.exe
ole32vbs.exe
msole32.exe
shnlog.exe


~~~ Windows directory ~~~

screen.html


~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Any help you can offer would be most appreciated

mjh

#4 mjh

mjh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:01 PM

Posted 26 July 2005 - 01:28 AM

Old Timer

I tried to do the all the instructions and scans you asked me to do, again. I cannot download Panda ActiveScan - have tried several times and the download just aborts after a short while.

I did manage to do the HijackThis scan, but I think this is the original one I sent you but here it is anyway as there doesn't seem to be another one:


Logfile of HijackThis v1.99.1
Scan saved at 2:02:20 PM, on 25/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOBILE PHONETOOLS\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O1 - Hosts: 140.99.106.182 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)



and here is the Smitfiles.txt file:


smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll
intel32.exe
wp.bmp
intmonp.exe
ole32vbs.exe
msole32.exe
shnlog.exe


~~~ Windows directory ~~~

screen.html


~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!

Hope all of this makes some sense to you.

Look forward to your comments

Many thanks

mjh

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:01 PM

Posted 26 July 2005 - 10:19 AM

Hi mjh. Yes, sometimes Panda is kind of problematic even though it is a good online scanner for this infection. I don't understand why Hijackthis did not produce a new log but let's deal with that later.

Let's try a different scanner and see what it finds and if necessary remove these files manually.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

Also try to run HijackThis again and tell me what happens when you click the button for running a scan and making a log. Are there any error messages or does it just do nothing? Does Notepad open up at all? If that is the case then try running the HijackThis scan in Safe Mode. That is not the best way to do it but it is better than nothing. Post whatever log you can from HijackThis.

OT

#6 mjh

mjh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:01 PM

Posted 27 July 2005 - 01:17 AM

OT I'm not sure if I correctly posted my reply to your last instructions, if you have already received it please just regard this latest posting.

Have been successful in scanning via WinPFind here is the log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 4/06/04 3:15:10 PM 89600 C:\holi26516210.exe

Checking %ProgramFilesDir% folder...
UPX! 25/07/05 1:36:32 PM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...
PEC2 7/06/04 5:11:02 PM 40448 C:\WINDOWS\SYSTEM\msdlupd.dll
PECompact2 7/06/04 5:11:02 PM 40448 C:\WINDOWS\SYSTEM\msdlupd.dll
PEC2 27/08/04 7:08:52 AM 42496 C:\WINDOWS\SYSTEM\zusbrura.exe
PECompact2 27/08/04 7:08:52 AM 42496 C:\WINDOWS\SYSTEM\zusbrura.exe
PEC2 9/09/04 3:36:38 PM 42496 C:\WINDOWS\SYSTEM\mxszyrfb.exe
PECompact2 9/09/04 3:36:38 PM 42496 C:\WINDOWS\SYSTEM\mxszyrfb.exe
PEC2 25/08/04 4:40:12 PM 42496 C:\WINDOWS\SYSTEM\nlxdqasz.exe
PECompact2 25/08/04 4:40:12 PM 42496 C:\WINDOWS\SYSTEM\nlxdqasz.exe
PEC2 31/08/04 4:08:58 PM 42496 C:\WINDOWS\SYSTEM\ruosdshz.exe
PECompact2 31/08/04 4:08:58 PM 42496 C:\WINDOWS\SYSTEM\ruosdshz.exe
PEC2 1/09/04 7:43:22 PM 42496 C:\WINDOWS\SYSTEM\tvunirzu.exe
PECompact2 1/09/04 7:43:22 PM 42496 C:\WINDOWS\SYSTEM\tvunirzu.exe
PEC2 27/08/04 11:09:22 AM 42496 C:\WINDOWS\SYSTEM\wpvlxiam.exe
PECompact2 27/08/04 11:09:22 AM 42496 C:\WINDOWS\SYSTEM\wpvlxiam.exe
PEC2 2/09/04 10:10:50 AM 32768 C:\WINDOWS\SYSTEM\sp2ctr.exe
PECompact2 2/09/04 10:10:50 AM 32768 C:\WINDOWS\SYSTEM\sp2ctr.exe
PEC2 7/09/04 12:18:32 PM 42496 C:\WINDOWS\SYSTEM\etszmrhe.exe
PECompact2 7/09/04 12:18:32 PM 42496 C:\WINDOWS\SYSTEM\etszmrhe.exe
PEC2 7/09/04 4:19:00 PM 42496 C:\WINDOWS\SYSTEM\hrhshjsi.exe
PECompact2 7/09/04 4:19:00 PM 42496 C:\WINDOWS\SYSTEM\hrhshjsi.exe
PEC2 8/09/04 6:10:20 PM 42496 C:\WINDOWS\SYSTEM\vzqmaaqk.exe
PECompact2 8/09/04 6:10:20 PM 42496 C:\WINDOWS\SYSTEM\vzqmaaqk.exe
PEC2 10/09/04 10:53:18 AM 42496 C:\WINDOWS\SYSTEM\teywkndk.exe
PECompact2 10/09/04 10:53:18 AM 42496 C:\WINDOWS\SYSTEM\teywkndk.exe
PEC2 7/09/04 8:19:32 PM 42496 C:\WINDOWS\SYSTEM\lrnwggml.exe
PECompact2 7/09/04 8:19:32 PM 42496 C:\WINDOWS\SYSTEM\lrnwggml.exe
PEC2 9/09/04 5:36:56 PM 42496 C:\WINDOWS\SYSTEM\objnjwzq.exe
PECompact2 9/09/04 5:36:56 PM 42496 C:\WINDOWS\SYSTEM\objnjwzq.exe
PEC2 15/09/04 1:52:42 PM 42496 C:\WINDOWS\SYSTEM\rybjojjy.exe
PECompact2 15/09/04 1:52:42 PM 42496 C:\WINDOWS\SYSTEM\rybjojjy.exe
PEC2 13/09/04 12:44:58 PM 42496 C:\WINDOWS\SYSTEM\dqbctuqc.exe
PECompact2 13/09/04 12:44:58 PM 42496 C:\WINDOWS\SYSTEM\dqbctuqc.exe
PEC2 14/09/04 1:47:24 PM 42496 C:\WINDOWS\SYSTEM\nwlbrczt.exe
PECompact2 14/09/04 1:47:24 PM 42496 C:\WINDOWS\SYSTEM\nwlbrczt.exe
PEC2 14/09/04 7:48:18 PM 42496 C:\WINDOWS\SYSTEM\hsnmzsuz.exe
PECompact2 14/09/04 7:48:18 PM 42496 C:\WINDOWS\SYSTEM\hsnmzsuz.exe
PEC2 17/09/04 4:47:54 PM 42496 C:\WINDOWS\SYSTEM\wegvundy.exe
PECompact2 17/09/04 4:47:54 PM 42496 C:\WINDOWS\SYSTEM\wegvundy.exe
PEC2 15/09/04 11:52:24 AM 42496 C:\WINDOWS\SYSTEM\roduubkb.exe
PECompact2 15/09/04 11:52:24 AM 42496 C:\WINDOWS\SYSTEM\roduubkb.exe
PEC2 17/09/04 10:46:58 AM 42496 C:\WINDOWS\SYSTEM\pbearmii.exe
PECompact2 17/09/04 10:46:58 AM 42496 C:\WINDOWS\SYSTEM\pbearmii.exe
PEC2 16/09/04 5:40:12 PM 42496 C:\WINDOWS\SYSTEM\retfwtrn.exe
PECompact2 16/09/04 5:40:12 PM 42496 C:\WINDOWS\SYSTEM\retfwtrn.exe
PEC2 18/09/04 9:10:40 PM 42496 C:\WINDOWS\SYSTEM\szndctxe.exe
PECompact2 18/09/04 9:10:40 PM 42496 C:\WINDOWS\SYSTEM\szndctxe.exe
PEC2 6/10/04 8:10:26 AM 28672 C:\WINDOWS\SYSTEM\evthtm.exe
PECompact2 6/10/04 8:10:26 AM 28672 C:\WINDOWS\SYSTEM\evthtm.exe
PEC2 23/04/99 10:22:00 PM 14336 C:\WINDOWS\SYSTEM\idecntl.exe
PECompact2 23/04/99 10:22:00 PM 14336 C:\WINDOWS\SYSTEM\idecntl.exe
PEC2 22/10/04 7:33:44 PM 39424 C:\WINDOWS\SYSTEM\uqcerjmi.exe
PECompact2 22/10/04 7:33:44 PM 39424 C:\WINDOWS\SYSTEM\uqcerjmi.exe
UPX! 26/07/05 4:26:00 PM 6144 C:\WINDOWS\SYSTEM\intel32.exe

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
27/07/05 10:59:24 AM 5128224 C:\WINDOWS\SYSTEM.DAT
27/07/05 11:01:56 AM 720928 C:\WINDOWS\USER.DAT
21/07/05 5:40:26 PM 12041 C:\WINDOWS\ttfCache
25/07/05 1:12:18 PM 54156 C:\WINDOWS\QTFont.qfn
27/07/05 10:57:54 AM 826625 C:\WINDOWS\ShellIconCache
22/06/05 1:31:34 PM 200736 C:\WINDOWS\SYSTEM\RATINGS.POL
26/07/05 5:18:46 PM 9793 C:\WINDOWS\HELP\windows.GID
22/06/05 2:03:56 PM 4096 C:\WINDOWS\All Users\DRM\drmv2.sst
27/07/05 10:59:06 AM 1370 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
27/07/05 10:51:40 AM 6 C:\WINDOWS\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
27/03/05 2:50:28 PM 613 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
21/07/05 11:48:44 PM 488 C:\WINDOWS\Start Menu\Programs\StartUp\BTTray.lnk
27/07/05 10:52:16 AM 2174 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office Shortcut Bar.lnk
21/07/05 11:48:36 PM 434 C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk

Checking files in %USERPROFILE%\Application Data folder...
22/07/05 12:06:52 PM 4531 C:\WINDOWS\Application Data\dw.log
19/06/05 11:10:00 AM 28232 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
28/09/04 5:57:30 PM 3262 C:\WINDOWS\Application Data\Stop Popup Ads Now.ico

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\DigExt
DigExt =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
=

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiCwd32 Aticwd32.exe
EnsoniqMixer starter.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WatchDog C:\Program Files\mobile PhoneTools\WatchDog.exe
mdac_runonce C:\WINDOWS\SYSTEM\runonce.exe
AdwareAlert C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
intel32.exe C:\WINDOWS\SYSTEM\intel32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key ZJs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
EditLevel 0
NoRun 0
NoClose 0
NoFileMenu 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
Scan Complete
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.


And here is the log for HijackThis, which was successful this time around:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:43 AM, on 27/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOBILE PHONETOOLS\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O1 - Hosts: 140.99.106.182 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)


Sorry again if this message has been posted twice.

Thanks for all your help.

mjh

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:01 PM

Posted 27 July 2005 - 11:49 AM

Hi mjh. Ok, let's see if we can clean this up. Please print these directions and then proceed with the following steps in order.

Go here and then go to the W section. Click on the dropdown arrow and choose wininet.dll and download it to a place you can find back later.
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the option Delete on Reboot
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\SYSTEM\msdlupd.dll
      C:\WINDOWS\SYSTEM\zusbrura.exe
      C:\WINDOWS\SYSTEM\mxszyrfb.exe
      C:\WINDOWS\SYSTEM\nlxdqasz.exe
      C:\WINDOWS\SYSTEM\ruosdshz.exe
      C:\WINDOWS\SYSTEM\tvunirzu.exe
      C:\WINDOWS\SYSTEM\wpvlxiam.exe
      C:\WINDOWS\SYSTEM\sp2ctr.exe
      C:\WINDOWS\SYSTEM\etszmrhe.exe
      C:\WINDOWS\SYSTEM\hrhshjsi.exe
      C:\WINDOWS\SYSTEM\vzqmaaqk.exe
      C:\WINDOWS\SYSTEM\teywkndk.exe
      C:\WINDOWS\SYSTEM\lrnwggml.exe
      C:\WINDOWS\SYSTEM\objnjwzq.exe
      C:\WINDOWS\SYSTEM\rybjojjy.exe
      C:\WINDOWS\SYSTEM\dqbctuqc.exe
      C:\WINDOWS\SYSTEM\nwlbrczt.exe
      C:\WINDOWS\SYSTEM\hsnmzsuz.exe
      C:\WINDOWS\SYSTEM\wegvundy.exe
      C:\WINDOWS\SYSTEM\roduubkb.exe
      C:\WINDOWS\SYSTEM\pbearmii.exe
      C:\WINDOWS\SYSTEM\retfwtrn.exe
      C:\WINDOWS\SYSTEM\szndctxe.exe
      C:\WINDOWS\SYSTEM\evthtm.exe
      C:\WINDOWS\SYSTEM\idecntl.exe
      C:\WINDOWS\SYSTEM\uqcerjmi.exe
      C:\WINDOWS\SYSTEM\intel32.exe
      C:\WINDOWS\Application Data\Stop Popup Ads Now.ico
      C:\WINDOWS\Q170933_DISK.DLL
      C:\WINDOWS\SYSTEM\oleadm.dll
      C:\WINDOWS\SYSTEM\wp.bmp
      C:\WINDOWS\SYSTEM\intmonp.exe
      C:\WINDOWS\SYSTEM\ole32vbs.exe
      C:\WINDOWS\SYSTEM\msole32.exe
      C:\WINDOWS\SYSTEM\shnlog.exe
      C:\WINDOWS\SYSTEM\wininet.dll
      C:\WINDOWS\screen.html
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • Click the checkbox for Unregister .dll Before Deleting
  • If not greyed out click the checkbox for Deltree (Include SubDirectories)
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • Copy the wininet.dll file you downloaded earlier to the c:\windows\system\ folder.
  • Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    O1 - Hosts: 140.99.106.182 auto.search.msn.com
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
    O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Reboot and post a new HijackThis log along with a new WinPFind log
I will review the new information when it comes in.

OT
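Added example, not part of the thread or of WinPFind itself: a Python parser for the WinPFind output posted in #6 that merges the duplicate PEC2/PECompact2 lines WinPFind emits for one file and then groups packed files by folder and byte size. That grouping surfaces the pattern behind the deletion list above (many identically sized, randomly named executables in the SYSTEM folder, dropped over a few weeks). The sample lines are a constructed subset of the posted log; the d/m/y date format follows that log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the WinPFind lines posted in the thread. WinPFind
# reports each PECompact-packed file twice (PEC2 and PECompact2 signatures).
SAMPLE_WINPFIND = r"""
Checking %SystemDrive% folder...
UPX! 4/06/04 3:15:10 PM 89600 C:\holi26516210.exe

Checking %System% folder...
PEC2 7/06/04 5:11:02 PM 40448 C:\WINDOWS\SYSTEM\msdlupd.dll
PECompact2 7/06/04 5:11:02 PM 40448 C:\WINDOWS\SYSTEM\msdlupd.dll
PEC2 27/08/04 7:08:52 AM 42496 C:\WINDOWS\SYSTEM\zusbrura.exe
PECompact2 27/08/04 7:08:52 AM 42496 C:\WINDOWS\SYSTEM\zusbrura.exe
PEC2 9/09/04 3:36:38 PM 42496 C:\WINDOWS\SYSTEM\mxszyrfb.exe
PECompact2 9/09/04 3:36:38 PM 42496 C:\WINDOWS\SYSTEM\mxszyrfb.exe
PEC2 25/08/04 4:40:12 PM 42496 C:\WINDOWS\SYSTEM\nlxdqasz.exe
PECompact2 25/08/04 4:40:12 PM 42496 C:\WINDOWS\SYSTEM\nlxdqasz.exe
PEC2 31/08/04 4:08:58 PM 42496 C:\WINDOWS\SYSTEM\ruosdshz.exe
PECompact2 31/08/04 4:08:58 PM 42496 C:\WINDOWS\SYSTEM\ruosdshz.exe
PEC2 2/09/04 10:10:50 AM 32768 C:\WINDOWS\SYSTEM\sp2ctr.exe
PECompact2 2/09/04 10:10:50 AM 32768 C:\WINDOWS\SYSTEM\sp2ctr.exe
PEC2 23/04/99 10:22:00 PM 14336 C:\WINDOWS\SYSTEM\idecntl.exe
PECompact2 23/04/99 10:22:00 PM 14336 C:\WINDOWS\SYSTEM\idecntl.exe
UPX! 26/07/05 4:26:00 PM 6144 C:\WINDOWS\SYSTEM\intel32.exe
"""

# "<packer> <d/m/y> <h:mm:ss AM|PM> <size> <path>"; header and blank lines do not match.
FILE_LINE = re.compile(
    r"^(?P<packer>\S+) (?P<date>\d{1,2}/\d{2}/\d{2}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<size>\d+) (?P<path>.+)$")


def parse_winpfind(text):
    """Return {path: record}; the two signature lines for one file are merged."""
    files = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m.group('date')} {m.group('time')}",
                                 "%d/%m/%y %I:%M:%S %p")
        rec = files.setdefault(m.group("path"), {
            "packers": set(), "size": int(m.group("size")), "when": when})
        rec["packers"].add(m.group("packer"))
    return files


def size_clusters(files, min_members=3):
    """Group files by (folder, size); keep groups with >= min_members distinct names.

    Legitimate packed binaries rarely share an exact byte size with unrelated
    neighbours; a dropper that re-emits the same payload under fresh random
    names produces exactly this kind of cluster.
    """
    groups = defaultdict(list)
    for path, rec in files.items():
        folder = path.rsplit("\\", 1)[0].lower()
        groups[(folder, rec["size"])].append(path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def describe(files, members):
    """Summarise a cluster: member count and the span of its file timestamps."""
    days = sorted(files[p]["when"].date() for p in members)
    return {"count": len(members), "first": days[0], "last": days[-1],
            "span_days": (days[-1] - days[0]).days}


if __name__ == "__main__":
    files = parse_winpfind(SAMPLE_WINPFIND)
    for (folder, size), members in size_clusters(files).items():
        info = describe(files, members)
        print(f"{folder} size={size}: {info['count']} files, "
              f"{info['first']} .. {info['last']} ({info['span_days']} days)")
        for p in members:
            print("   ", p, sorted(files[p]["packers"]))
```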

#8 mjh

mjh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:01 PM

Posted 27 July 2005 - 08:54 PM

Thanks again OT - I got really worried earlier, when I couldn't connect to the internet, but it was OK after I copied the 'wininet.dll' file into the system folder.

I followed all your instructions and was able to copy and paste all the files you listed into KillBox EXCEPT these files which would not copy and paste for some reason:

C:\WINDOWS\Q170933_DISK.DLL
C:\WINDOWS\SYSTEM\wp.bmp
C:\WINDOWS\SYSTEM\intmonp.exe
C:\WINDOWS\SYSTEM\ole32vbs.exe
C:\WINDOWS\SYSTEM\msole32.exe
C:\WINDOWS\SYSTEM\shnlog.exe
C:\WINDOWS\screen.html

but all the other files were deleted through KillBox

Here are the logs you asked for:
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 11:55:20 AM, on 28/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOBILE PHONETOOLS\WATCHDOG.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

WinPFind
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 4/06/04 3:15:10 PM 89600 C:\holi26516210.exe

Checking %ProgramFilesDir% folder...
UPX! 25/07/05 1:36:32 PM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
28/07/05 11:51:00 AM 5128224 C:\WINDOWS\SYSTEM.DAT
28/07/05 11:51:00 AM 729120 C:\WINDOWS\USER.DAT
21/07/05 5:40:26 PM 12041 C:\WINDOWS\ttfCache
25/07/05 1:12:18 PM 54156 C:\WINDOWS\QTFont.qfn
28/07/05 11:43:24 AM 738572 C:\WINDOWS\ShellIconCache
22/06/05 1:31:34 PM 200736 C:\WINDOWS\SYSTEM\RATINGS.POL
26/07/05 5:18:46 PM 9793 C:\WINDOWS\HELP\windows.GID
22/06/05 2:03:56 PM 4096 C:\WINDOWS\All Users\DRM\drmv2.sst
28/07/05 11:45:08 AM 1370 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
28/07/05 11:43:28 AM 8278 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off41B4.tmp
28/07/05 11:44:26 AM 6 C:\WINDOWS\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
27/03/05 2:50:28 PM 613 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
21/07/05 11:48:44 PM 488 C:\WINDOWS\Start Menu\Programs\StartUp\BTTray.lnk
28/07/05 11:44:48 AM 2174 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office Shortcut Bar.lnk
21/07/05 11:48:36 PM 434 C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk

Checking files in %USERPROFILE%\Application Data folder...
22/07/05 12:06:52 PM 4531 C:\WINDOWS\Application Data\dw.log
19/06/05 11:10:00 AM 28232 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\DigExt
DigExt =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
=

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiCwd32 Aticwd32.exe
EnsoniqMixer starter.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WatchDog C:\Program Files\mobile PhoneTools\WatchDog.exe
mdac_runonce C:\WINDOWS\SYSTEM\runonce.exe
AdwareAlert C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key ZJs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
EditLevel 0
NoRun 0
NoClose 0
NoFileMenu 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
Scan Complete
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Look forward to hearing from you OT, and many thanks.

By the way, can you also explain why I cannot view some Internet Explorer pages which have the following statement on them:

'The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link'

Cannot find server or DNS Error
Internet Explorer

Thanks again
mjh
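As an added example (not part of this thread and not code from HijackThis), here is a small Python parser for the "Oxx - Section: entry" lines of a HijackThis v1.99 log like the ones posted above. It tabulates entries per section, pulls the name and command out of O4 Run-key values, and lists the entries HijackThis marked "(file missing)", which are stale autostart references like the O20 line fixed earlier in the thread. The sample lines are copied from this thread's logs.

```python
import re

# Added example, not from this thread or from HijackThis: parse the
# "Oxx - Section: entry" lines of a HijackThis v1.99 log and pull out
# entries HijackThis marks "(file missing)". SAMPLE_LOG is a subset of
# the log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q170933_DISK.DLL (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")           # Oxx - Section: rest
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")  # [Name] command line


def parse_hjt(text):
    """Return one dict per Oxx line; non-matching lines (headers, process
    list) are skipped. O4 registry values also get 'name' and 'cmd'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, section, rest = m.groups()
        entry = {"code": code, "section": section, "raw": rest,
                 "file_missing": rest.endswith("(file missing)")}
        run = RUN_RE.match(rest)
        if code == "O4" and run:   # Run/RunServices values, not Startup .lnk
            entry["name"] = run.group("name")
            entry["cmd"] = run.group("cmd")
        entries.append(entry)
    return entries


def count_by_code(entries):
    """Number of entries per section code, e.g. {'O4': 4, 'O20': 1}."""
    counts = {}
    for e in entries:
        counts[e["code"]] = counts.get(e["code"], 0) + 1
    return counts


def missing_files(entries):
    """Entries whose target HijackThis reports as absent from disk."""
    return [e for e in entries if e["file_missing"]]
```

Running `missing_files(parse_hjt(SAMPLE_LOG))` on the sample returns only the O20 Winlogon Notify entry; the "Running processes" block of a real log is ignored because it has no "Oxx - " prefix.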

#9 OldTimer (Malware Expert)

Posted 27 July 2005 - 10:55 PM

Hi mjh. Both logs look clean. Good job! How are things running? Any further problems?

In regards to the DNS error on certain websites, that is usually caused by either improper DNS settings in the internet connection, DNS server problems at the ISP or possibly site problems on the website. I would suggest contacting your ISP and having them verify that the computer DNS settings are correct and that they are not having any DNS issues at their end.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section unselect Show all files.
  • Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus (these are also free for personal use): It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT

#10 mjh (Topic Starter)

Posted 01 August 2005 - 09:33 PM

Many thanks OT - I waited a few days, just to see if everything was working OK; so far so good.

Thanks again for all your help.

May need help with another computer soon; it is running Windows XP. Should I contact you or some other expert on your site?

mjh

#11 OldTimer (Malware Expert)

Posted 01 August 2005 - 09:42 PM

You're very welcome mjh. I'm glad that we could help.

Just post a HijackThis log for the other computer to the forum and either myself or one of the other helpers will pick it up and evaluate it.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT
