Winstall.exe + Ann.exe


  • This topic is locked
43 replies to this topic

#31 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 21 September 2006 - 07:09 PM

SmitFraudFix v2.85

Scan done at 22:50:49.88, 21/09/2006
Run from C:\Documents and Settings\Default\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\winstall.exe Deleted
C:\Documents and Settings\Default\Application Data\Install.dat Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


#32 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 21 September 2006 - 07:11 PM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:02:19 22/09/2006

+ Scan result:



C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP319\A0094832.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP319\A0094833.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP319\A0094876.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP319\A0094877.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP320\A0095088.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP320\A0095089.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP321\A0095153.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP321\A0095154.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP322\A0095228.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP322\A0095229.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP323\A0095323.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP323\A0095324.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP323\A0095409.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP323\A0095441.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\ann.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP311\A0091342.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP311\A0091343.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP311\A0091344.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


::Report end

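Added example, not code from the thread or from ewido: a small Python parser for the report format above that separates the one live detection (C:\ann.exe) from the copies ewido found inside System Restore points. The sample input is a six-line subset copied from the report above. Counting how many restore points hold quarantined copies is the reason helpers ask to turn System Restore off and back on after cleaning: a later restore to one of those points would otherwise put the files back.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines copied from the ewido report above (a subset of the full result).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP319\A0094832.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP319\A0094833.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP320\A0095088.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\ann.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP311\A0091342.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{84B030D6-5E50-47A6-AD78-2795F4CF5E5D}\RP311\A0091343.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
"""

# One "path -> detection name : action." line of an ewido scan result.
DETECTION_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<action>.+?)\.?$")

# A file cached inside a System Restore point, e.g. ...\_restore{GUID}\RP319\A0094832.exe
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    name: str
    action: str
    restore_point: Optional[str]  # "RP319" etc., or None for a file on the live file system


def parse_ewido_report(text: str) -> List[Detection]:
    """Parse the 'path -> name : action' lines of an ewido report; all other lines are ignored."""
    detections: List[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_RE.search(m.group("path"))
        detections.append(
            Detection(m.group("path"), m.group("name"), m.group("action"), rp.group("rp") if rp else None)
        )
    return detections


def live_infections(detections: List[Detection]) -> List[str]:
    """Paths that were infected on the running system, not merely cached by System Restore."""
    return [d.path for d in detections if d.restore_point is None]


def restore_point_counts(detections: List[Detection]) -> Dict[str, int]:
    """Detections per restore point; any non-empty result means the restore cache needs purging."""
    return dict(Counter(d.restore_point for d in detections if d.restore_point))


if __name__ == "__main__":
    found = parse_ewido_report(SAMPLE_REPORT)
    print("live infections:", live_infections(found))
    print("infected restore points:", restore_point_counts(found))
```

On the full report in this thread the same functions would show a single live file and seventeen restore-point copies spread over six restore points, which is exactly the situation the later System Restore step addresses.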
#33 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 21 September 2006 - 07:13 PM

Logfile of HijackThis v1.99.1
Scan saved at 01:11:29, on 22/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158429433242
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 85.255.114.43 85.255.112.165
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited by draven, 21 September 2006 - 07:15 PM.


#34 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 21 September 2006 - 07:20 PM

Killbox

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\NTSYSTEM.EXE

Killbox made its own folder on the C:\ drive, along with a log folder and a log text file, and the NTSYSTEM.EXE file is in that folder?

What should I do with that? Manually delete it?

Edited by draven, 21 September 2006 - 07:20 PM.


#35 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:20 AM

Posted 22 September 2006 - 05:26 AM

Hi draven,

Killbox makes its own backups. Take a look inside and let me know if this file:

C:\WINDOWS\SYSTEM32\NTSYSTEM.EXE

is present, please.

Olivier

#36 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 22 September 2006 - 06:12 AM

I did a file search of the C:\ drive:

The !KillBox folder has NTSYSTEM.EXE in it (backup?)

C:\WINDOWS\Prefetch - NTSYSTEM.EXE-39963473.pf

#37 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 22 September 2006 - 06:29 AM

It looks like the pop-ups with the infected messages have stopped; I've been connected to the internet for a while and nothing has happened.

Can I delete SmitfraudFix, Fixwareout and Blacklight?

Should I keep !KillBox for a while?

Edited by draven, 22 September 2006 - 06:29 AM.


#38 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:20 AM

Posted 22 September 2006 - 09:44 AM

Hi draven,

* You can delete them. If needed, I'll ask you to download a few again.

* Turn off then turn on System restore as explained here:
http://support.microsoft.com/default.aspx?...%5BLN%5D;310405

* You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, a text file will open (report.txt); you can close it, as the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 85.255.114.43 85.255.112.165

Click FIX CHECKED. Close HijackThis.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt).

* Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new hijackthis log, please.


Olivier

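The O17 line that the post above asks the user to fix is HijackThis's rendering of the per-interface NameServer value under the Tcpip\Parameters\Interfaces registry key, i.e. the DNS servers the machine actually resolves through. A helper checks it against the resolvers the user's ISP or local network should be handing out; anything else means name resolution is being redirected. Added example, not code from the thread or from HijackThis: a Python check that parses O17 NameServer lines from a pasted log and flags resolvers that are neither on an allowlist nor on a private LAN range. The first O17 line in the sample is the one quoted in this thread; the second O17 line (all-zero interface GUID, resolver 203.0.113.53) and the ALLOWED_RESOLVERS list are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the O17 line quoted in this thread, a benign O17 line with a made-up
# interface GUID whose resolvers are a LAN router and a constructed ISP resolver (203.0.113.53),
# and two non-O17 lines the parser must ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.com/
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1,203.0.113.53
"""

# Hypothetical allowlist: the resolvers this machine is expected to use (ISP or corporate DNS).
ALLOWED_RESOLVERS = ["203.0.113.53"]

# RFC 1918 ranges: a home router at 192.168.x.x acting as resolver is normal, not suspicious.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# An O17 NameServer line as HijackThis prints it: ...\{interface GUID}: NameServer = ip[ ,ip...]
O17_RE = re.compile(
    r"^O17 - (?P<hive>HK\w+)\\System\\CCS\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+?)\s*$"
)


def parse_o17_nameservers(log_text: str) -> Dict[str, List[str]]:
    """Map each interface GUID that has an O17 NameServer line to the resolvers it lists."""
    found: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 NameServer line (O17 'Domain =' lines are out of scope here)
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        found.setdefault(m.group("guid"), []).extend(servers)
    return found


def is_approved(server: str, allowed: Iterable[str], trust_lan: bool = True) -> bool:
    """A resolver is approved if it is on the allowlist or (by default) inside a private LAN range."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not a parseable IP address: flag it rather than guess
    if trust_lan and any(addr in net for net in LAN_NETWORKS):
        return True
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def find_rogue_nameservers(log_text: str, allowed: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (interface GUID, [unapproved resolvers]) for every interface that has at least one."""
    allowed = list(allowed)
    rogue: List[Tuple[str, List[str]]] = []
    for guid, servers in parse_o17_nameservers(log_text).items():
        bad = [s for s in servers if not is_approved(s, allowed)]
        if bad:
            rogue.append((guid, bad))
    return rogue


if __name__ == "__main__":
    for guid, bad in find_rogue_nameservers(SAMPLE_LOG, ALLOWED_RESOLVERS):
        print(f"interface {{{guid}}} resolves through unapproved DNS server(s): {', '.join(bad)}")
```

Run as a script it reports only the interface quoted in this thread; on a real case, replace SAMPLE_LOG with the whole pasted HijackThis log and ALLOWED_RESOLVERS with the resolvers the user's ISP or network actually provides. A flagged interface is the cue to tick that O17 line in HijackThis (as the post above instructs) and then re-check the log after the reboot, since a fix that does not survive a restart points to something still re-writing the value.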
#39 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 22 September 2006 - 09:55 AM

Is there a reason to run the programs again? It seems the spyware is now gone.

Edited by draven, 22 September 2006 - 09:55 AM.


#40 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:20 AM

Posted 22 September 2006 - 10:00 AM

There's still a WareOut entry in HijackThis. Maybe it's a leftover, but I prefer to be sure...

Wait and see...

Edited by stonangel, 22 September 2006 - 10:01 AM.


Olivier

#41 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Location:England
  • Local time:05:20 AM

Posted 22 September 2006 - 11:11 AM

Just ran HijackThis and fixed the entry:

O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 85.255.114.43 85.255.112.165

Is it best to use the Kaspersky Online Scanner and turn off then turn on the System Restore?

Are all the logs I recently posted fine?

Edited by draven, 22 September 2006 - 11:13 AM.


#42 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:20 AM

Posted 22 September 2006 - 11:16 AM

Hi draven,

Turn off then turn on System restore and post back the logs required. Thanks.

Olivier

#43 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:07:20 AM

Posted 24 September 2006 - 01:22 PM

Hi draven,

Could you post back a fresh hijackthis log, please?

Olivier

#44 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:07:20 AM

Posted 29 September 2006 - 02:04 PM

Due to lack of feedback to a helper, this topic is now closed.
Contact the forum staff with the address of this thread if you wish to have it reopened.
This applies to the topic starter only; everyone else with similar problems should start a new topic.

Thank you stonangel :thumbsup:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
