
I Am Also Infected With: Infected With W32/myzor.fk@yf A/k/a Zlob Trojan



#1 medicineman1984


Posted 28 November 2006 - 11:17 PM

Hi there!

I'm infected with some very annoying trojan. I've previously run Ad-Aware, Spybot Search & Destroy, AVG Free antivirus and Avast. Some of these picked up the problem, but I'm still getting the "yourieprotect" homepage when I go on Internet Explorer.

I have run everything as per this link: http://www.bleepingcomputer.com/forums/t/63896/how-to-remove-virusburst-removal-instructions/

This is my smit file:


smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Wed 11/29/2006
The current time is: 14:26:06.57

Running from
C:\Documents and Settings\Mourad\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe"="C:\\Program Files\\Yahoo! Games\\Scrabble\\Scrabble.exe:*:Enabled:SCRABBLE r"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 808 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


And this is my ComboFix file:

Mourad - 06-11-29 14:45:20.29 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-29 14:39
d-------- C:\WINDOWS\system32\ActiveScan
2006-11-29 14:39
d-------- C:\WINDOWS\LastGood
2006-11-29 14:30
d-------- C:\WINDOWS\temp
2006-11-29 14:18
d-------- C:\WINDOWS\pss
2006-11-29 13:52
d-------- C:\Program Files\Roguescanfix
2006-11-29 11:59 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-29 11:59 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-29 11:59 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-29 11:59 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-29 11:59 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-29 11:59 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-29 11:59 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-29 11:59
d-------- C:\Program Files\Alwil Software
2006-11-29 10:01
d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-29 10:01
d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-28 23:33 d-------- C:\McAfee
2006-11-28 22:50 d-------- C:\Program Files\RegCure
2006-11-28 22:40 d-------- C:\Program Files\NoAdware5.0
2006-11-28 22:03 d-------- C:\Program Files\Lavasoft
2006-11-28 22:03 d-------- C:\Documents and Settings\Mourad\Application Data\Lavasoft
2006-11-28 21:32 d-------- C:\WINDOWS\system32\appmgmt
2006-11-28 19:11 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2006-11-28 19:11 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2006-11-28 19:04 d-------- C:\Program Files\Virus-Bursters
2006-11-28 19:04 d-------- C:\Program Files\Gold Codec
2006-11-25 15:30 405,504 --a------ C:\RogueRemover.exe
2006-11-25 01:07 503,808 --a------ C:\WINDOWS\system32\Ralph - Jacqueline.scr
2006-11-25 01:04 503,808 --a------ C:\WINDOWS\system32\Ralph - Stacey.scr
2006-11-25 01:04 503,808 --a------ C:\WINDOWS\system32\Ralph - Girls of AFL.scr
2006-11-25 01:03 503,808 --a------ C:\WINDOWS\system32\RALPH - Claire.scr
2006-11-17 22:22 209,010 --a------ C:\RogueRemover.dll
2006-11-15 14:06 503,808 --a------ C:\WINDOWS\system32\RALPH - Alana.scr
2006-11-15 14:03 503,808 --a------ C:\WINDOWS\system32\Ralph - Rochelle.scr
2006-11-15 14:02 503,808 --a------ C:\WINDOWS\system32\Ralph - Hayley Maree.scr
2006-11-15 14:00 503,808 --a------ C:\WINDOWS\system32\RALPH - Cat.scr
2006-11-13 18:25 d-------- C:\Documents and Settings\Mourad\Application Data\DivX
2006-11-04 20:25 1,321,744 --a------ C:\WINDOWS\system32\msxml6.dll
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-29 14:44 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-28 22:15 -------- d-a------ C:\Program Files\Common Files
2006-11-28 22:13 -------- d-------- C:\Program Files\Java
2006-11-28 19:14 704 --a------ C:\Documents and Settings\Mourad\Application Data\update.log
2006-11-25 01:07 12288 --a------ C:\WINDOWS\system32\impborl.dll
2006-11-19 12:56 -------- d-------- C:\Program Files\Internet Explorer
2006-11-15 14:04 503808 --a------ C:\WINDOWS\system32\Ralph - Kim.scr
2006-11-14 20:03 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-14 20:03 -------- d-------- C:\Program Files\Adobe
2006-11-13 16:23 -------- d-------- C:\Program Files\DivX
2006-10-18 20:37 -------- d-------- C:\Program Files\Google
2006-10-13 04:41 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:41 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:41 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:39 163456 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-02 11:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-02 11:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-02 11:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-02 11:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-29 11:09 -------- d-------- C:\Documents and Settings\Mourad\Application Data\Google
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BlazeServoTool"="\"C:\\Program Files\\BlazeVideo\\BlazeDVD4 Professional\\MediaDetector.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://images.google.com/images?q=tbn:h79L7bf1n7rnHM:http://calpeacepower.org/0201/images/lebanon_flag.jpg"
"SubscribedURL"="http://images.google.com/images?q=tbn:h79L7bf1n7rnHM:http://calpeacepower.org/0201/images/lebanon_flag.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,d2,03,00,00,6e,01,00,00,7d,00,00,00,4f,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,d2,03,00,00,6e,01,00,00,7d,00,00,00,4f,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,9b,05,41,c0,b4,74,e8,16,0f,05,68,de,9b,05,20,6d,\
9b,05,00,fa,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job

Completion time: 06-11-29 14:46:46.98
C:\ComboFix.txt ... 06-11-29 14:46


I would REALLY appreciate someone's help.

Edited by medicineman1984, 28 November 2006 - 11:21 PM.


#2 Mr_JAk3

    HJT Team Member



Posted 30 November 2006 - 05:48 AM

Hi medicineman1984 and welcome to Bleeping Computer :thumbsup:

Please post a HijackThis log here:
  • Click here to download HijackThis.exe
  • Save HijackThis.exe to your desktop.
  • Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
  • Run HijackThis.exe
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

UNITE & ASAP member since 2006