
M32myzor.fk@yf - This Sucks


6 replies to this topic

#1 marcus agrippa

marcus agrippa

  • Members
  • 4 posts

Posted 06 October 2006 - 11:08 PM

I have a problem - my computer is FUBAR'd. At least I think it is. I have downloaded Hijack and cannot make any rhyme or reason on the product of the scan. Can someone please help me. This is the saved log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:45 AM, on 10/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\ismini.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

To any that can help, my gratitude would be limitless. Long days and pleasant nights.

#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 07 October 2006 - 01:35 AM

Hello marcus agrippa.

I'd like to take a look at this log; I'll get back to you as soon as I can.

ourwilly. :thumbsup:

#3 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 07 October 2006 - 12:42 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry369617

Hello marcus agrippa. :thumbsup:

Copy and Paste this post into a new text document or print it out for reference.

Step 1

First, please install one of the good free firewalls below to fully protect your system. Any one of these will give you full control over everything that requests Internet access.

ZoneAlarm
Kerio Personal Firewall
OutPost Firewall Free
Sygate Personal Firewall

For more information Please read: Understanding and Using Firewalls


Now download the AVG anti-virus: http://free.grisoft.com/softw/70free/setup...ree_394a763.exe
and install the latest definitions. Do Not Scan With This Yet!


Then Download SmitfraudFix by S!Ri from either of these mirrors to your desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://siri.geekstogo.com/SmitfraudFix.zip

Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.
Do Not Scan With This Yet!


Step 2

Please now reboot your system into Safe Mode.
Shut down your system, then restart your computer. As soon as it starts booting up again, continuously tap F8, and from the menu select the option to enter Safe Mode.

Re-Scan with HijackThis and place a "checkmark" next to these entries:

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)


Make sure all browser and all Windows Explorer windows are closed and select "Fix checked". Exit HijackThis.


Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
    • Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    • All checkboxes should be ticked.
  • Under Possibly unwanted software:
    • All checkboxes should be ticked.
  • Under Reports:
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.


Stay in Safe Mode,
then open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt


Step 3

Please Re-scan with HijackThis and post:

1/ The new HiJack This Log
2/ The SmitfraudFix C:\rapport.txt
3/ The AVG Anti-Spyware Log

Thank you,
ourwilly. :flowers:

#4 marcus agrippa

marcus agrippa
  • Topic Starter

  • Members
  • 4 posts

Posted 07 October 2006 - 03:52 PM

Okay - thanks for replying. Here are the posts you wanted:

NEW HIJACK LOG:

Logfile of HijackThis v1.99.1
Scan saved at 4:39:56 PM, on 10/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



THE SMITFRAUDFIX LOG:

SmitFraudFix v2.105

Scan done at 16:36:16.25, Sat 10/07/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"="horologium"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\VirusBurster\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



THE AVG LOG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:34:03 PM 10/7/2006

+ Scan result:



C:\Program Files\Safety Bar -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\SafetyBar.dll -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\Uninstall.bat -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{052b12f7-86fa-4921-8482-26c42316b522} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{052b12f7-86fa-4921-8482-26c42316b522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0024735.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0024736.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0025737.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0025738.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026736.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026737.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026831.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026832.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026836.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026849.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0026850.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0027849.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP199\A0027850.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP200\A0027865.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP200\A0027866.dll -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A5D651AB-4161-48C4-ADC7-DE481A13DFAF}\RP200\A0027879.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ismini.exe -> Not-A-Virus.Hoax.Win32.Renos.fh : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@a.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end




I hope this sheds some light on my problem. Thanks again.
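As an added example (not part of this thread, and not code from HijackThis or SmitfraudFix): a small Python script that parses constructed excerpts of the two logs above, flags the two entries ourwilly asked to fix using the cues visible in them (a BHO with no name, a DLL marked file missing, an O21 SSODL autostart), and diffs the before and after logs. The rule list and the sample excerpts are assumptions of the example, not HijackThis features.

```python
"""Triage HijackThis v1.99.1 logs: flag suspect entries and diff a before/after pair."""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed excerpts in the shape of the first two logs in this thread
# (a few lines each, not the full logs).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\ishost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2", "O21"
    body: str     # everything after "O2 - "


# Every HijackThis finding starts with a section code, " - ", then the detail.
HJT_LINE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.+)$")

# Cues the helper in this thread acted on: a BHO with no name, and an entry
# whose DLL is already gone from disk. O21 (SSODL) entries are an autostart
# location and get a manual-review note regardless. (Assumed rule set.)
SUSPECT_RULES = [
    ("O2", re.compile(r"^BHO: \(no name\)"), "BHO with no name"),
    (None, re.compile(r"\(file missing\)$"), "file missing on disk"),
    ("O21", re.compile(r"^SSODL:"), "SSODL autostart (review manually)"),
]


def parse_log(text: str) -> tuple[list[str], list[Entry]]:
    """Split a HijackThis log into (running processes, findings)."""
    processes: list[str] = []
    entries: list[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = HJT_LINE.match(line)
        if match:
            in_processes = False
            entries.append(Entry(match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def flag_suspects(entries: list[Entry]) -> list[tuple[Entry, tuple[str, ...]]]:
    """Return each entry that trips at least one rule, with all of its reasons."""
    flagged = []
    for entry in entries:
        reasons = tuple(
            why for section, pattern, why in SUSPECT_RULES
            if (section is None or entry.section == section)
            and pattern.search(entry.body)
        )
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def diff_logs(before: str, after: str) -> dict[str, list]:
    """Compare two logs. Entries are the reliable part; the process list is
    noisy when one log was taken in Safe Mode, as the second one here was."""
    b_procs, b_entries = parse_log(before)
    a_procs, a_entries = parse_log(after)
    return {
        "processes_gone": sorted(set(b_procs) - set(a_procs)),
        "processes_new": sorted(set(a_procs) - set(b_procs)),
        "entries_gone": [e for e in b_entries if e not in a_entries],
        "entries_new": [e for e in a_entries if e not in b_entries],
    }


if __name__ == "__main__":
    _, found = parse_log(LOG_BEFORE)
    for entry, reasons in flag_suspects(found):
        print(f"SUSPECT {entry.section}: {entry.body}\n    {', '.join(reasons)}")
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item if isinstance(item, str) else f"{item.section} - {item.body}")
```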

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 07 October 2006 - 06:13 PM

Hello marcus agrippa :thumbsup:

Copy and Paste this post into a new text document or print it out for reference.

Step 1

Please Re-Scan with HijackThis and place a "checkmark" next to this entry:

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab

Make sure all browser and all Windows Explorer windows are closed and select "Fix checked".


Now Install and Update SpywareBlaster
http://www.javacoolsoftware.com/spywareblaster.html
This prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restricts the actions of potentially unwanted sites in Internet Explorer.


Step 2

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


Please now Use 'Internet Explorer' and run The Panda Online Scan
http://www.pandasoftware.com/products/activescan.htm
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it to.
It will start downloading the files it requires for the scan (Note: It may take a minute or two).
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Reboot your System

Then Re-scan with HijackThis and post

1/ The new HijackThis Log
2/ The Online Panda Results.

And please let me know how your system is running now.

ourwilly. :flowers:

#6 marcus agrippa

marcus agrippa
  • Topic Starter

  • Members
  • 4 posts

Posted 07 October 2006 - 09:57 PM

Alright - my computer seems to be working fine. Thanks for the help thus far.

One thing that I should note is that when you told me to go into the control panel and delete cookies, that was fine, but then I tried to "delete files", as you said, and it kept freezing on me, telling me it was not responding. So I got out of this and continued on with your instructions. As you will see, there are two files that the Panda program has caught that it says are still infected.

This is the HiJack report:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:56 PM, on 10/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



And this is the Panda report:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AZQFUNMZ\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AZQFUNMZ\checkin[2].htm
Virus:Trj/Lowzones.ST Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CH41614D\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CH41614D\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CH41614D\checkin[3].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CH41614D\checkin[4].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CH41614D\checkin[5].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[3].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[4].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[5].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[6].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D2QVDNB8\checkin[7].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EPLIV25W\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G3XNIYZ1\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G3XNIYZ1\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IDH2ZY1G\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IP07M50T\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IP07M50T\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IP07M50T\checkin[3].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IP07M50T\checkin[4].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K0H7NBO1\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K0H7NBO1\checkin[3].htm
Virus:Trj/Lowzones.ST Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L13EPH17\checkin[1].htm
Virus:Trj/Lowzones.ST Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L13EPH17\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L13EPH17\checkin[3].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MJON34DC\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MJON34DC\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MJON34DC\checkin[4].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q29SJ067\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q29SJ067\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q29SJ067\checkin[3].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q29SJ067\checkin[4].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q29SJ067\checkin[5].htm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q29SJ067\index[1].chm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TB3J91CE\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TB3J91CE\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TJVZ998E\checkin[1].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TJVZ998E\checkin[2].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TJVZ998E\checkin[3].htm
Virus:Trj/Lowzones.SV Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TJVZ998E\checkin[4].htm
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Thanks. Talk to you in a bit.

#7 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 08 October 2006 - 03:08 AM

Hello marcus agrippa :thumbsup:

Please note that some files will not be removed; as an example, "Zone Alarm" will always create a Temp file, which is fine.

Navigate to, then right-click on and delete these bold files/folders:

C:\WINDOWS\system32\Process.exe
and please remove the SmitfraudFix tool; it is not required anymore.


Now Download CCleaner
http://www.ccleaner.com/download128.asp
Double click on the file to start the installation of the program.
Select your language and click "OK", then next.
Read the license agreement and click "I Agree".
Click next to use the default install location. Click Install then finish to complete installation.
"Double click" the CCleaner shortcut on the desktop to start the program.
Click "Run Cleaner" to run the program.
Caution: It is not recommended to use the 'Issues' tab as it allegedly finds legitimate items. After it has completed its process, click Exit.


Now that everything is running fine, Please "Disable" and then "Re-Enable" your System Restore

and please "Bookmark" these Tutorials on how to stay safe:

So how did I get infected in the first place
Simple and easy ways to keep your computer safe and secure on the Internet

I would also recommend removing P2P software and anything relating to it from your system; you are susceptible to malware infection if it is used to obtain files from unknown sources. Please note that more and more HijackThis logs are now being posted because of P2P-related problems that leave unknown malware on a system; this leads to untold damage to the Registry that simply can't be repaired.

Thank you,
ourwilly. :flowers:



