Pop Ups And Error Messages


10 replies to this topic

#1 c410berry


Posted 28 February 2006 - 10:59 PM

First noticed SpyFalcon and Winfixer coming up and many error messages regarding security threats. Used instructions from your site for removing SpyFalcon and Winfixer, that seemed successful, but other popups and errors continue. Please help!



Logfile of HijackThis v1.99.1
Scan saved at 10:53:04 PM, on 2/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\nvctrl.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp75AD.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141183997718
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#2 Thunder


Posted 01 March 2006 - 04:31 AM

Hello c410berry, and welcome to BleepingComputer,

We'll try to help you out, just give us some time to study your log.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder


Posted 01 March 2006 - 04:38 PM

Hello c410berry,

Please follow these instructions very carefully.
It might be a good idea to print them or save them in a .txt file, because working in Safe Mode may leave you without an internet connection.

1. Go to Start > Settings > Control Panel > Software and, using Add/Remove Programs, remove the following if found: New.net or NewDotNet.
It may not be present in the Software list.
If it isn't, see if, using Windows Explorer, you can find an uninstaller in the folder C:\Program Files\NewDotNet. The uninstaller will be called uninstallX_XX.exe, where the X's stand for numbers.
If not, look in C:\Windows or C:\Winnt, where it will be called NDNuninstallX_XX.exe.

If you still haven't found it, you can use this uninstaller: uninstall6_38.exe.
After removal, you may be prompted to reboot. Please reboot even if not prompted.
However, before using this last means, please download WinsockXPFix and LSP-Fix.
If you can not connect to the Internet after removing New.net, please run the WinsockXPFix program I had you download earlier.
If you still can not connect to the Internet, please run the LSP-Fix program, and click on the Finish button. Reboot and you should be able to get back on.

2. Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
DO NOT RUN IT YET!

3. Please download, install, and update the NEW free version of Ewido anti-malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. DO NOT RUN IT YET.
4. Download FixSF.reg to your desktop by right clicking on the following link
and then selecting Save Link As or Save File as, depending on your browser.
Double click on the FixSF.reg file.
When it asks if you would like to merge the information, press the Yes button and then the OK button.

5. Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

6. Please go to Start > Settings > Control Panel > Software and remove, using Add/Remove Programs, any instances of the following if present:
  • Winfixer
  • Spyaxe
  • SpyFalcon

***if the computer asks for you to let it reboot DO NOT allow it.

7. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

8. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      • This means you will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections".
      • If you are unsure of any entry found, select none for now.
  • When the scan finishes, click on "Save Report". This will create a text file. Save it to your Desktop.
9. Restart your computer in Normal Mode.

10. Please post a new HijackThis log, as well as the log from ewido and the smitRem log (C:\smitfiles.txt).

Greetings,
BMThor

#4 c410berry


Posted 01 March 2006 - 11:14 PM

Ok, I followed most of your instructions, with the exception of number 7. When running in Safe Mode, I can't find SmitRem (i.e. it disappears from my desktop). Should I run it in regular mode?

After skipping number 7 and following the rest of the instructions, here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:27 PM, on 3/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp76D5.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141183997718
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

and here is the ewido log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:41:05 PM, 3/1/2006
+ Report-Checksum: D507772F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Ignored
C:\Documents and Settings\Owner\Cookies\owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Ignored
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> TrackingCookie.Overture : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\afnlfamd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\agnmpbnd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\bbgllmmd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\bbnnednd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\bbokennd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\bkeenlmd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\caafjnod.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\cgjkfkmd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\dbbigand.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\dgdpaemd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\dgppfgnd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\domakfnd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\ebhlnond.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\eckdlcmd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\eomeklod.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\fjpejbnd.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\fokgbpod.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\fpfmhjod.exe -> Trojan.Dialer.ay : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\gbnjcbmd.exe -> Trojan.Dialer.ay : Ignored
C:\RECYCLER\S-1-5-21-2181170070-772524337-4252678637-500\Dc1.dll -> Not-A-Virus.Hoax.Win32.Renos.bo : Ignored
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Ignored
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Ignored
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@free.wegcash[2].txt -> TrackingCookie.Wegcash : Ignored
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@programs.wegcash[2].txt -> TrackingCookie.Wegcash : Ignored
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@www.covergirls.com.19249.fb.dbbsrv[1].txt -> TrackingCookie.Dbbsrv : Ignored
C:\WINDOWS\system32\msCMTsrvc.exe -> Downloader.Presario : Ignored
C:\WINDOWS\system32\mssearchnet.exe -> Hijacker.SpyAxe : Ignored
C:\WINDOWS\system32\nvctrl.exe -> Hijacker.SpyAxe : Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\gfbnfjod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\gkiajlnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\gnpkhdnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\gooojpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\hcicaknd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\hhfcanod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\hjgjmend.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\icpoibod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ikakaaod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jbmhfamd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jdefnkod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jecbiind.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jhdoohod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\jhjmmhod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\kafpoeod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\kdkadhnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\klmiiood.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\kpdhgnnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\kpdochnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lagfbknd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lbacnend.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lepibemd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lfjhcnod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lmfjaomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lmkfpand.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\lndcpimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\makfpond.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mbhiclmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mfjdghmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mjaaekmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mjaedmod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mkbaiood.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mogpbdod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mpkfolnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\negepimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nifmlind.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nlniicmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\nmdeofmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\odhnjfmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\oeegaand.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ofiidbmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\pjlohgod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\poacaomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AVYNGVYX\gdnUS2218[2].exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\temp\agkajpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\diemjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\ffekmimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\gfjeopmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\gflfghmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\godikjmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\hpbamkod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\kpdgffnd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\llnjhomd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\nfidlmmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\ogdefmod.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\onpjppmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\temp\plcpommd.exe -> Trojan.Dialer.ay : Cleaned with backup


::Report End

Thanks for your help!
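As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python script below parses HijackThis v1.99.1 logs and set-differences two scans, so the comparison the helper makes between the first and second log can be reproduced: the New.Net Run key and LSP hooks are gone, the mssearchnet.exe and nvctrl.exe processes that ewido flags as SpyAxe persist, and an InetCntrl Run key with a broken LSP entry has appeared. The sample logs are constructed excerpts of the two logs posted above, and the masking of the random hp????.tmp name is a heuristic assumed here, not a HijackThis feature.

```python
"""Diff two HijackThis v1.99.1 logs taken before and after a cleanup step.
Layout: a header, a "Running processes:" block closed by a blank line, then
one entry per line as "<code> - <body>" (codes R0, R1, O2, O3, O4, O10, O23...).
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# Heuristic added here (not a HijackThis feature): the HomepageBHO entry in
# this thread points at a freshly named hp????.tmp on each scan, so the
# random part is masked to let the two scans line up.
RANDOM_TMP_RE = re.compile(r"hp[0-9A-Fa-f]{4}\.tmp")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def fmt(e: Entry) -> str:
    return f"{e.code} - {e.body}"


def parse_hjt(text: str) -> tuple[set[str], set[Entry]]:
    """Return (lower-cased running process paths, set of Rx/Ox entries).
    Identical lines collapse, e.g. repeated 'O10 - Hijacked ... New.Net' count once.
    """
    processes: set[str] = set()
    entries: set[Entry] = set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process block
        elif line.startswith("Running processes:"):
            in_processes = True
        elif in_processes:
            processes.add(line.lower())  # Windows paths are case-insensitive
        elif (m := ENTRY_RE.match(line)):
            body = RANDOM_TMP_RE.sub("hp????.tmp", m.group("body"))
            entries.add(Entry(m.group("code"), body))
    return processes, entries


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """What a cleanup removed, what it left behind, and what is new."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "removed_entries": sorted(fmt(e) for e in e0 - e1),
        "new_entries": sorted(fmt(e) for e in e1 - e0),
        "persisted_entries": sorted(fmt(e) for e in e0 & e1),
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
    }


def file_missing_entries(text: str) -> list[str]:
    """Entries whose target binary HijackThis could not find on disk."""
    _, entries = parse_hjt(text)
    return sorted(fmt(e) for e in entries if e.body.endswith("(file missing)"))


# Constructed excerpts of the logs posted in this thread (post #1 and post #4).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp75AD.tmp
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp76D5.tmp
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll (file missing)
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
"""

if __name__ == "__main__":
    for key, lines in diff_logs(BEFORE, AFTER).items():
        print(f"== {key} ({len(lines)})\n" + "\n".join("   " + l for l in lines))
```

Run on the full logs, the "persisted_entries" and "processes_gone"/"processes_new" buckets are the ones to read first: an entry that survives a removal step, like the HomepageBHO here, is the one still re-creating itself.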

#5 c410berry


Posted 01 March 2006 - 11:18 PM

I did run the smitRem tool a few days ago. Here's the log from then:


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 02/27/2006
The current time is: 22:03:22.51

Running from
C:\Documents and Settings\Owner\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1180 'explorer.exe'
Killing PID 1180 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

#6 Thunder


Posted 03 March 2006 - 02:08 PM

Hello c410berry,

1. Please disable Spybot's TeaTimer, since it can interfere with HijackThis fixes:
Open Spybot-S&D
Go to the Mode menu, and make sure Advanced Mode is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

2. Since the tool smitRem is vital here, please remove the smitRem folder from your Desktop.
Please create a new folder: Double click My Computer
Double click Local Disk (C:)
Click File > New > Folder
Name the new folder smitRem and hit the Enter key
Now please download, install (in C:\smitRem), and update the NEW free version of Ewido anti-malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. DO NOT RUN IT YET.
3. Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

4. Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

5. Open the C:\smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

6. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • This time you can give ewido permission to delete anything it finds, since all traces found on the previous run were indeed malware.
  • When the scan finishes, click on "Save Report". This will create a text file. Save it to your Desktop.
DO NOT click the Ignore button anymore.

7. Restart your computer in Normal Mode.

8. Please post a new HijackThis log, as well as the log from ewido and the smitRem log (C:\smitRem\smitfiles.txt).

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 c410berry

c410berry
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:07 AM

Posted 04 March 2006 - 12:29 AM

Hi.

Here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:05 AM, on 3/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\windows\system\hpsysdrv.exe
C:\smitRem\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141183997718
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\smitRem\ewido anti-malware\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe





smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 03/03/2006
The current time is: 18:57:39.57

Running from
C:\smitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 720 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:





I'm sorry, I didn't manage to save the Ewido log file. I ran it again, and of course found nothing to remove. Here is that log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:44:25 PM, 3/3/2006
+ Report-Checksum: 7F2DA854

+ Scan result:

No infected objects found.


::Report End


Thanks so much for your time. I apologize for my errors in following the directions!
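The HijackThis log above is what the helper reads by eye. As an added example that is not part of the original thread, of HijackThis, or of smitRem, the Python below parses log lines of that format into records and pulls out the two things a helper checks first: entries HijackThis marked "(file missing)" (orphaned autostart, toolbar or service references) and an O10 Winsock LSP entry. The sample lines are copied from the log posted above; the record fields, the `triage` categories and the path regex are my own assumptions about the format, not anything HijackThis defines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str          # HijackThis section tag, e.g. "O4" or "O23"
    detail: str           # everything after "<section> - "
    path: Optional[str]   # first Windows file path found in the detail, if any
    file_missing: bool    # HijackThis appended "(file missing)" to the line


# "<section> - <detail>"; sections are R0/R1/F0/O1... in this log format (assumption).
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A drive-letter path ending in a common module extension, optionally quoted.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|tlb))"?', re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis-style lines into Entry records; non-matching lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.group(1), m.group(2)
        pm = PATH_RE.search(detail)
        entries.append(Entry(section, detail,
                             pm.group(1) if pm else None,
                             "(file missing)" in detail))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for the items a helper would ask about first.

    'lsp'    : an O10 entry; a Winsock LSP pointing at a missing DLL breaks network
               access for every application, so the LSP chain has to be repaired,
               not merely the registry line deleted.
    'orphan' : a toolbar, Run key or service that still references a file that is
               gone, which is typical after a removal tool deleted the payload.
    """
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.section == "O10":
            findings.append(("lsp", e.detail))
        elif e.file_missing:
            findings.append(("orphan", e.detail))
    return findings


def orphaned_paths(entries: List[Entry]) -> List[str]:
    """Paths HijackThis flagged as missing, in log order."""
    return [e.path for e in entries if e.file_missing and e.path]


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:7s} {detail}")
```

Run as-is it lists the O3 and O23 orphans and the O10 LSP line from the sample; point `parse_hjt` at a saved log to triage a real one the same way.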

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:07 AM

Posted 05 March 2006 - 06:44 AM

Hello c410berry,

No need to apologise. :thumbsup:
Your log looks a lot better now.

You can reenable Spybot's TeaTimer now, however do not use more than one active realtime protection!

Do you experience any more problems?

-----------------
Below I have included some recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously ; these few simple steps can stave off the vast majority of spyware problems.

1. Please navigate to http://windowsupdate.microsoft.com/ on a regular basis and download all the "critical updates" for Windows, including the latest version of Internet Explorer.
This can patch many of the security holes through which attackers can gain access to your computer.
Do this now to install SP2

2. I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or Avast!
Please make sure to run your antivirus software regularly, and to keep it up-to-date.

3. It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products: Sygate
Kerio
Tiny Personal Firewall
Outpost
It is important to note that you should only have one firewall installed at a time.
A tutorial on understanding and using firewalls may be found here.

4. Please consider using an alternate browser. Mozilla's Firefox browser is very good and more secure than Internet Explorer, immune to almost all known browser hijackers, and also has a built-in popup blocker (as an added benefit!). If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed
Hopefully this should take care of your problems! Good luck

BMThor
Whatever happens, make believe it was intended to ...

#9 c410berry

c410berry
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:07 AM

Posted 06 March 2006 - 09:38 PM

:thumbsup: Everything seems to be working fine now! Thank you very much for your help and advice. I will certainly follow your recommendations for preventing these problems in the future. :flowers:

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:07 AM

Posted 07 March 2006 - 04:36 PM

You're welcome c410berry,

Glad we could help you, and well done. :thumbsup:

Greetings,
BMThor
Whatever happens, make believe it was intended to ...

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:07 AM

Posted 30 March 2006 - 02:14 PM

Since your problem is solved, this topic will be closed.
If you need this topic reopened, please email the moderating team -
be sure to include the address of the thread and the name you posted under.


BMThor
Whatever happens, make believe it was intended to ...



