Isadd.dll


13 replies to this topic

#1 ochaye

Posted 25 February 2007 - 12:48 PM

My computer seems to have been infected.
Spybot continually detects 'an important registry entry that has been changed'. The category is described as 'Browser Helper Object'.
When I reject the change the same message keeps appearing.
Win Patrol refers to 'a new Internet Explorer Add-On has been installed on your system'.
Win Patrol says that the problem is
isadd.dll
at
C:\Program Files\Video Access ActiveX Object\isadd.dll
Sometimes a window described as a 'System alert' is displayed.
It reads
'System Alert: Trojan - Spy.Win32@mx
Type: Spyware/Trojan
Description: Spyware that sends confidential information to a remote tracker'
Adware detected the critical object but then can't delete it.
I can see the isadd.dll program in the Video Access ActiveX Object folder but also can't delete it.
I am wondering if anyone can help. I would be most grateful.
thanks

#2 ochaye

ochaye
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 25 February 2007 - 12:55 PM

One other thing
The home page is hijacked
An internet security warning page is now the home page.
The warning refers to W32.Myzor.FK@yf as the virus which has infected my computer.
It recommends that I click OK to download official software...

#3 sjpritch25

Posted 25 February 2007 - 08:49 PM

Welcome to BC :thumbsup:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Microsoft MVP Consumer Security--2007-2010

#4 ochaye

Posted 26 February 2007 - 06:32 AM

Many many thanks for your quick reply.

This is the log which I have copied and pasted

SmitFraudFix v2.144

Scan done at 21:37:23.70, Mon 26/02/2007
Run from C:\Documents and Settings\AAAA\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\AAAA


C:\Documents and Settings\AAAA\Application Data


Start Menu


C:\DOCUME~1\AAAA\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Video Access ActiveX Object\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End

I will look forward to hearing from you

regards

#5 sjpritch25

Posted 26 February 2007 - 08:02 AM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

==================================

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Please download HJT setup.exe Here
Let it Place Hijackthis in C:\Program Files\Hijackthis
Open Hijackthis.exe
Click on Do a System Scan and Save log file
Don't Fix any Items!!!
Just copy and paste the contents of the log file to your reply.


In your next reply, please include a fresh, panda activescan log and rapport log. Thanks.

Edited by sjpritch25, 26 February 2007 - 08:04 AM.

Microsoft MVP Consumer Security--2007-2010

#6 ochaye

Posted 26 February 2007 - 08:06 AM

I ran Adware after starting up in safe mode.
It identified problems but then cleared them.

However when I restarted the messages came back again and Adware identified more problems and asked if I want Adware to clear them on a restart. I clicked OK but I suspect the spyware/adware will continue to recur.

Here is another log just run

SmitFraudFix v2.144

Scan done at 23:12:38.32, Mon 26/02/2007
Run from C:\Documents and Settings\AAAA\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\AAAA


C:\Documents and Settings\AAAA\Application Data


Start Menu


C:\DOCUME~1\AAAA\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Video Access ActiveX Object\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End

thanks

#7 ochaye

Posted 26 February 2007 - 08:25 AM

Sorry if I am 'jumping the gun' and doing unnecessary things but ... set out below is a HiJackThis log (in case it is of help)

Logfile of HijackThis v1.99.1
Scan saved at 11:33:22 PM, on 26/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\WINNT\explorer.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ochayecollies.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bnesproxy.int.minterellison.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

again, many thanks
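
The HijackThis log above is the kind of thing the helper reads by hand. As an added example (not code from the thread, from HijackThis, or from the tools it recommends), here is a small Python triage script that parses that log format and flags the two indicators visible in this log: processes started from the "Video Access ActiveX Object" folder and a BHO registration whose DLL is "(no file)". The embedded SAMPLE_LOG is a constructed excerpt; the folder name and CLSIDs are taken from the thread, and the suspicious folder list is supplied by the caller.

```python
"""Triage a HijackThis v1.99-style log for the indicators seen in this thread.

Added example, not code from the thread or from HijackThis. It parses the
"Running processes:" block and the R/O entries, then flags:
  * running processes or O4 autostart entries launched from a folder the
    thread identified as malicious ("Video Access ActiveX Object"),
  * O2 BHO registrations whose DLL is gone ("(no file)"), i.e. a CLSID key
    left behind after the DLL itself was removed.
SAMPLE_LOG is a constructed excerpt; the folder name and CLSIDs come from
the thread, the remaining entries were trimmed for brevity.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:33:22 PM, on 26/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\WINNT\explorer.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# O2 lines look like: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# Every other HijackThis finding starts with a section tag such as R0, O4, O23
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


@dataclass
class Finding:
    kind: str    # "process", "autostart", "bho" or "bho_no_file"
    detail: str  # the offending path, the whole entry, or the CLSID


def parse_log(text):
    """Return (running_processes, entries) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False        # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(text, suspicious_dirs):
    """Flag processes, autostarts and BHOs tied to suspicious_dirs or to a missing DLL."""
    processes, entries = parse_log(text)
    sus = [d.lower() for d in suspicious_dirs]

    def from_sus(s):
        return any(d in s.lower() for d in sus)

    findings = []
    for proc in processes:
        if from_sus(proc):
            findings.append(Finding("process", proc))
    for entry in entries:
        m = O2_RE.match(entry)
        if m:
            if m.group("path") == "(no file)":
                # CLSID still registered as a BHO but its DLL is gone
                findings.append(Finding("bho_no_file", m.group("clsid")))
            elif from_sus(m.group("path")):
                findings.append(Finding("bho", entry))
        elif entry.startswith("O4 - ") and from_sus(entry):
            findings.append(Finding("autostart", entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ["Video Access ActiveX Object"]):
        print(f"{f.kind:12} {f.detail}")
```

The orphaned "(no file)" BHO is reported on its own so the reader can decide whether that CLSID key is simply stale or belongs to the add-on Spybot and WinPatrol keep complaining about.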

#8 ochaye

Posted 26 February 2007 - 10:17 AM

Sorry

I missed your post of 11.02pm (my time).

I have now run smitfraudfix and selected clean. It could not clean the registry (jumped to the next phase).
It finished.
I ran it again with the same results.

The log follows

SmitFraudFix v2.144

Scan done at 0:03:41.01, Tue 27/02/2007
Run from C:\Documents and Settings\AAAA\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

I downloaded and ran the Panda Program. It is running as I post this message. It has been running for about 50 minutes and has scanned around 180,000 files. It has identified 1 spyware and 1 hacking tools and rootkits.

It seems to be a little over one third done - so maybe there is another few hours to go. As it is 1.15am here I will let it run over night and post the results in about 7 hours time.

I will also then run the HijackThis scan and post the results.

Would you like me to run another rapport log as well?

thanks again

#9 ochaye

Posted 26 February 2007 - 05:13 PM

Hello again.

Here is the ActiveScan report (from Panda)

Incident | Status | Location
Spyware:Cookie/Ccbill | Not disinfected | C:\Documents and Settings\AAAA\Cookies\aaaa@ccbill[1].txt
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\AAAA\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Psexec.A | Not disinfected | C:\WINNT\inf\cnect.exe
Potentially unwanted tool:Application/Pskill.A | Not disinfected | C:\WINNT\inf\wdlt.exe
Virus:Generic Trojan | Not disinfected | C:\WINNT\infr.exe[cnb.inf]
Potentially unwanted tool:Application/Psexec.A | Not disinfected | C:\WINNT\infr.exe[cnect.exe]
Potentially unwanted tool:Application/X-Scan.A | Not disinfected | C:\WINNT\infr.exe[conjb.exe]
Virus:Trj/Agent.DIL | Not disinfected | C:\WINNT\infr.exe[dllcache.exe]
Potentially unwanted tool:Application/HideExec.A | Not disinfected | C:\WINNT\infr.exe[nrc.exe]
Virus:Generic Trojan | Not disinfected | C:\WINNT\infr.exe[ptf.inf]
Potentially unwanted tool:Application/Pskill.A | Not disinfected | C:\WINNT\infr.exe[wdlt.exe]
Potentially unwanted tool:Application/X-Scan.A | Not disinfected | C:\WINNT\infr.exe[plugin\070-ntpass.xpn]
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINNT\system32\Process.exe
Adware:Adware/WUpd | Not disinfected | C:\WINNT\tqp.exe[svchost.exe]

Here is the HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:19:20 AM, on 27/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ochayecollies.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bnesproxy.int.minterellison.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Just in case I ran the Smitfraudfix search again and here is the fresh log

SmitFraudFix v2.144

Scan done at 8:21:45.29, Tue 27/02/2007
Run from C:\Documents and Settings\AAAA\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\AAAA


C:\Documents and Settings\AAAA\Application Data


Start Menu


C:\DOCUME~1\AAAA\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End


I will look forward to hearing from you again.
Thank you for the time you are taking helping me.

#10 sjpritch25

Posted 26 February 2007 - 07:22 PM

Bitdefender Online Virus and Malware Scan
  • Click on I Agree.
  • An ActiveX warning box will appear, click on Install.
  • Under Select What You Want To Check For Viruses.
  • Please Check My Computer and Click Ok.
  • Now Click On Click Here To Scan
  • Next, Click on Click here to export the scan report
  • Save it to your Desktop as Bitdefender.txt.
  • In your next reply, please include the Bitdefender log and a fresh Hijackthis log.

Microsoft MVP Consumer Security--2007-2010

#11 ochaye

Posted 27 February 2007 - 05:39 PM

Here is the BitDefender scan result

BitDefender Online Scanner

Scan report generated at: Wed, Feb 28, 2007 - 03:38:33
Scan path: C:\;D:\;

Statistics
Time: 04:27:35
Files: 421369
Folders: 2506
Boot Sectors: 2
Archives: 11739
Packed Files: 56316

Results
Identified Viruses: 7
Infected Files: 9
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 9

Engines Info
Virus Definitions: 393775
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o)=>lzma_solid_nsis0001 | Infected with: Virtool.MediaInject.A
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o)=>lzma_solid_nsis0001 | Disinfection failed
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o)=>lzma_solid_nsis0001 | Deleted
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o) | Update failed
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o)=>lzma_solid_nsis0003 | Infected with: Virtool.MediaInject.A
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o)=>lzma_solid_nsis0003 | Disinfection failed
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o)=>lzma_solid_nsis0003 | Deleted
C:\File Cabinet\downloads\malwaresetup.exe=>(NSIS o)=>bzip2_solid_nsis0009=>(NSIS o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>cnb.inf | Infected with: Trojan.Spy.Delf.AR
C:\WINNT\infr.exe=>(RAR Sfx o)=>cnb.inf | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>cnb.inf | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>conjb.exe | Infected with: Trojan.HackTool.XScan.23
C:\WINNT\infr.exe=>(RAR Sfx o)=>conjb.exe | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>conjb.exe | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>dllcache.exe | Infected with: Backdoor.Irc.Mirc.BG
C:\WINNT\infr.exe=>(RAR Sfx o)=>dllcache.exe | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>dllcache.exe | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>nrc.exe | Infected with: Virtool.Hidrun.A
C:\WINNT\infr.exe=>(RAR Sfx o)=>nrc.exe | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>nrc.exe | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>ptf.inf | Infected with: Trojan.Spy.Delf.AR
C:\WINNT\infr.exe=>(RAR Sfx o)=>ptf.inf | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>ptf.inf | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>plugin\070-ntpass.xpn | Detected with: Application.Xscan.2.3
C:\WINNT\infr.exe=>(RAR Sfx o)=>plugin\070-ntpass.xpn | Disinfection failed
C:\WINNT\infr.exe=>(RAR Sfx o)=>plugin\070-ntpass.xpn | Deleted
C:\WINNT\infr.exe=>(RAR Sfx o) | Update failed
C:\WINNT\tqp.exe=>(NSIS o)=>bzip2_solid_nsis0001 | Infected with: Trojan.SillyDl.IT
C:\WINNT\tqp.exe=>(NSIS o)=>bzip2_solid_nsis0001 | Disinfection failed
C:\WINNT\tqp.exe=>(NSIS o)=>bzip2_solid_nsis0001 | Deleted
C:\WINNT\tqp.exe=>(NSIS o) | Update failed

Here is the HiJackThis scan result

Logfile of HijackThis v1.99.1
Scan saved at 8:44:51 AM, on 28/02/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ochayecollies.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


Thanks again

#12 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 27 February 2007 - 08:08 PM

How is everything running???
Microsoft MVP Consumer Security--2007-2010

#13 ochaye

ochaye
  • Topic Starter

  • Members
  • 22 posts

Posted 28 February 2007 - 09:54 AM

no more pop ups at this stage
no virus message
Adware reveals no objects
maybe the threat is gone?

#14 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 28 February 2007 - 04:19 PM

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


==========================================

Here is some useful information on keeping your computer clean:
  • Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • If you don't have a Firewall installed, please choose from the following:
  • If you don't have an Anti-Virus installed, please download the following free program:
  • Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
    • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
  • Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown
    Here are the links to install SiteAdvisor in Internet Explorer and Firefox
  • Anti-Spyware Programs I Recommend:
  • For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place

Microsoft MVP Consumer Security--2007-2010
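The check the helper performs above, picking out the O2 entry whose DLL is listed as "(no file)", can be automated when reviewing many HijackThis logs. The following Python is an added example, not code from this thread or from the HijackThis project: it splits a log into section-tagged entries, parses the O2 (Browser Helper Object) lines into name, CLSID and path, and flags every entry whose registered file is missing, which is exactly the kind of leftover registration that a removed or half-removed add-on leaves behind. The sample log is constructed from a few entries of the log posted earlier in the thread; the helper functions and their names are this example's own.

```python
import re

# Constructed sample, modelled on entries from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ochayecollies.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9B7AA30F-8FEF-4896-8DA0-D858AE072976} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# Every HijackThis line starts with a section tag (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# O2 bodies look like "BHO: <name> - {<CLSID>} - <path>"; a CLSID is 36 characters inside braces.
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

# Markers HijackThis prints when the registered DLL/EXE is not present on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return (section, body) tuples for every recognised log line, in log order."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def bho_entries(log_text):
    """Return the O2 Browser Helper Object entries as dicts with name, clsid and path."""
    result = []
    for section, body in parse_entries(log_text):
        if section != "O2":
            continue
        m = BHO_RE.match(body)
        if m:
            result.append(m.groupdict())
    return result


def orphaned_entries(log_text):
    """Entries whose registered file is missing: a registry hook with nothing behind it.

    Such an entry cannot load, so removing the registration is low-risk cleanup, and it is
    the trace a failed or partially removed add-on leaves behind, which is why the helper
    in this thread asks for the O2 "(no file)" line to be fixed.
    """
    return [(s, b) for s, b in parse_entries(log_text) if b.endswith(ORPHAN_MARKERS)]


def fix_list(log_text):
    """The lines a reviewer would tick in HijackThis, rebuilt as full log lines."""
    return [f"{s} - {b}" for s, b in orphaned_entries(log_text)]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

On the sample log, `fix_list` returns the orphaned O2 BHO line the helper selected and also the stale O9 BitDefender button whose `bdoscandel.exe` is reported as "(file missing)"; the marker only says the file is absent, so a reviewer still decides whether each flagged registration is a leftover to remove or a legitimate add-on that merely failed to install.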
