
Gotm Zlob And More



#1 sbozkut


Posted 13 May 2006 - 04:49 PM

Hi there.

This is the new log file of a friend of mine. I'd be glad if you could help me with that.

Logfile of HijackThis v1.99.1
Scan saved at 00:44:34, on 14.05.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\logon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\IAR~1\LOCALS~1\Temp\Rar$EX00.048\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp79A8.tmp
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\2.0.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\Program Files\ShopperReports\Bin\2.0.0\ShprRprt.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtool...ams/hbtools.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)



#2 ourwilly


Posted 14 May 2006 - 02:05 AM

Hello sbozkut.

I would like to take a look at this log
and will get back to you as soon as I can.

ourwilly. :thumbsup:

#3 sbozkut


Posted 22 May 2006 - 11:27 AM

I can not handle this problem. I hope someone may take care of this.

#4 ourwilly


Posted 22 May 2006 - 02:06 PM

Hello sbozkut.

Sorry to keep you waiting.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step 1.

Please install One of these free Firewalls as soon as possible to protect your system,

Free Zone Alarm
Sunbelt Kerio Personal Firewall.

Please Note - You are running HijackThis from an Unsafe location,
Please Create a New Folder on the C: drive,

Open My Computer ( Windows key + E )
then double click on Local Disk (C:)
Now right click and select
New > Folder and name it HJT.

Please now move HijackThis into the new HJT folder.

Do Not Use Yet!

First go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

jre1.5.0_03 <-----Check any item with Java Runtime Environment (JRE) in the name

ShopperReports by Hotbar
Hotbar Outlook Tools
Hotbar Web Tools

Download the latest version of Java Runtime Environment, and install it to your computer.

Then run this Hotbar Removal Tool

Then Reboot your system.

Step 2.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please Open Notepad,
Go to: Start | Run, type in Notepad
Click Format from the Notepad menu and ensure "Word Wrap" is NOT selected.
Copy the content of the quote box below into Notepad.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLogon"=-

[-HKEY_LOCAL_MACHINE\Software\Carmen]

Click : File | Save As
Change the Save as type to All Files
Save it to your desktop as fix.reg

Locate Fix.reg on your desktop and double-click it.
When asked if you want to merge with the registry, click YES.
Wait for the merged successfully prompt.

Please Now Download SmitfraudFix by S!Ri from either of these mirrors to your desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://siri.geekstogo.com/SmitfraudFix.zip

Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.
Do Not Use This Yet!

Please Now boot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\logon.exe

Stay in Safe Mode, open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and pressing "Enter" to delete the infected files.

You will then receive the following prompt:

"Registry cleaning - Do you want to clean the registry ? (y/n)"

Type Y for yes and press "Enter" to remove the Desktop background and clean the associated registry keys for this infection.

The tool will then check if the file wininet.dll is infected.

You may be prompted to replace the infected file with another copy from your machine (if found):

"Replace infected file ? (y/n)"

Type Y for yes and press "Enter" to restore a clean copy of the file on your machine.

Restart your computer to complete the removal process.

(A log file of the fix can be found at the root of your system drive, usually at C:\rapport.txt)

Step 3.

Please use Internet Explorer and Run the Kaspersky On-line Scanner

Accept the Active X object and download the latest definitions.
When the scanner is ready, click Scan Settings.
Select the Extended anti-virus database.
Select Scan Archives & Scan Mail Bases and then ok.
Click My Computer to run a full system scan.
When complete, choose Save as Text and save the log to your desktop.

Reboot your System

Please now Open Hijackthis
Click Open Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as Uninstall_list.txt

Then Re-scan with HijackThis and post:

1/ A new HijackThis log
2/ The rapport.txt log
3/ The Uninstall_list.txt
4/ The kaspersky log

Thank you,
ourwilly. :thumbsup:
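
An added example, not part of the thread and not code from HijackThis: a small Python triage pass over lines copied from the log in post #1. The function names and the two heuristics (a Run-key image sitting directly in C:\WINDOWS, and an O16 DPF entry that fetches an .exe from a bare IP address) are assumptions chosen here; on this sample they select the same two entries the reply asks to check in Step 2.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp79A8.tmp
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int13.exe
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotbar.com/installs/hbtool...ams/hbtools.cab
"""

# "O4 - <body>": section code, then the entry body.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# Executable directly under C:\WINDOWS (no further subdirectory such as System32).
WINDOWS_ROOT_EXE = re.compile(r'^"?C:\\WINDOWS\\[^\\"]+\.exe', re.IGNORECASE)


def host_is_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (line, reason) pairs for entries matching the two heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        if m["section"] == "O4":
            run = RUN.match(m["body"])
            if run and WINDOWS_ROOT_EXE.match(run["cmd"]):
                findings.append((line, "autorun image directly in C:\\WINDOWS"))
        elif m["section"] == "O16":
            dpf = DPF.match(m["body"])
            if dpf and host_is_ip(dpf["url"]) and dpf["url"].lower().endswith(".exe"):
                findings.append((line, "ActiveX download of an .exe from a bare IP"))
    return findings
```

Matches are leads for a human reviewer, not verdicts; a legitimate program can trip either rule.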



