Worm@w32.linkbot I Think

2 replies to this topic

#1 hemlock
Posted 12 April 2007 - 12:59 PM

Hi. My computer is infected. I renamed hijackthis.exe and made a scan. After that I made a scan with SmitfraudFix.exe, but I couldn't get rid of these trojans etc. When I reboot my computer there is always an iexplore.exe running in the system folder, and alg.exe is running. I will send my logs. Thanks for now.

Logfile of HijackThis v1.99.1
Scan saved at 20:24:22, on 12/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
h:\program files\internet explorer\iexplore.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\System32\ctfmon.exe
F:\hijackthis\ogan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O9 - Extra button: Arastir - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.stumbleupon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - H:\Program Files\Sygate\SPF\smc.exe

Here is the SmitfraudFix log.

SmitFraudFix v2.166

Scan done at 20:49:26.03, 12/04/2007
Run from H:\Program Files\Free Download Manager\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\PROGRA~1\FREEDO~1\fdm.exe
H:\WINDOWS\system32\cmd.exe
H:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» H:\


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS

H:\WINDOWS\kl.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» H:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» H:\Documents and Settings\ogan


»»»»»»»»»»»»»»»»»»»»»»»» H:\Documents and Settings\ogan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» H:\DOCUME~1\ogan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» H:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csszf.exe"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 85.255.116.151
DNS Server Search Order: 85.255.112.20

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 85.255.116.151
DNS Server Search Order: 85.255.112.20

HKLM\SYSTEM\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CCS\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: DhcpNameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: DhcpNameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: DhcpNameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.151 85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.151 85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.151 85.255.112.20


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


#2 SifuMike


Posted 13 April 2007 - 01:09 PM

Hello hemlock,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.

 If your system does not reboot, then reboot it manually.

Please boot into Normal Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix checked".

O17 - HKLM\System\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20


Close HijackThis, and click OK to proceed.


* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.

Reboot your computer again.

F:\hijackthis\ogan.exe


You currently have HijackThis on the F drive. You need to put HijackThis on the root drive (the H:\ drive).


Please post the contents of the logfile C:\fixwareout\report.txt, a new HijackThis log and tell me how your computer is running.

Edited by SifuMike, 13 April 2007 - 01:21 PM.

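The O17 entries SifuMike lists for fixing are the ones whose NameServer value points at 85.255.x.x, the range SmitFraudFix flags as a DNS hijack in hemlock's log. The script below is an added example, not code from either poster or from HijackThis or SmitFraudFix: it parses NameServer lines in both the HijackThis "O17 - ..." format and SmitFraudFix's "HKLM\SYSTEM\...: NameServer=..." format, handles the comma-separated and space-separated value styles that both appear in the log, and reports the registry keys that carry a resolver in the suspicious range. The sample lines are copied from the logs in this thread. Two assumptions are mine: that SmitFraudFix's "85.255.x.x" heuristic means the whole 85.255.0.0/16 block, and that on this LAN any resolver that is neither in that block nor a private address (like the 192.168.0.1 gateway) still deserves a manual look.

```python
import ipaddress
import re

# Constructed sample input: O17 lines taken from the HijackThis log posted in
# this thread, plus two lines in SmitFraudFix's own "DNS" section format.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
HKLM\SYSTEM\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: DhcpNameServer=85.255.116.151,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer=192.168.0.1
"""

# Assumption: SmitFraudFix's "85.255.x.x detected" message is read as the
# whole 85.255.0.0/16 block. Extend the list if other ranges are known.
HIJACK_RANGES = [ipaddress.ip_network("85.255.0.0/16")]

# Matches both "O17 - HKLM\System\...: NameServer = a,b" (HijackThis) and
# "HKLM\SYSTEM\...: DhcpNameServer=a,b" (SmitFraudFix). The key runs up to the
# first colon; the value name may be NameServer or DhcpNameServer; servers may
# be separated by commas (per-interface keys) or spaces (Parameters key).
NAMESERVER_RE = re.compile(
    r"(?P<key>HKLM\\System\\[^:]+):\s*(?P<dhcp>Dhcp)?NameServer\s*=\s*(?P<servers>[\d. ,]+)",
    re.IGNORECASE,
)


def parse_nameserver_entries(log_text):
    """Return a list of (registry_key, value_name, [server, ...]) tuples."""
    entries = []
    for line in log_text.splitlines():
        m = NAMESERVER_RE.search(line)
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        value_name = ("Dhcp" if m.group("dhcp") else "") + "NameServer"
        entries.append((m.group("key"), value_name, servers))
    return entries


def classify_server(addr):
    """'hijack' for the flagged range, 'local' for RFC 1918 space,
    'review' for any other public resolver, 'invalid' if not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in HIJACK_RANGES):
        return "hijack"
    if ip.is_private:
        return "local"
    return "review"


def find_hijacked_entries(log_text):
    """Registry entries that carry at least one resolver in a hijack range.
    Each finding records the key, the value name and the full server list so
    the user knows exactly which line to fix and what was there."""
    findings = []
    for key, value_name, servers in parse_nameserver_entries(log_text):
        verdicts = {s: classify_server(s) for s in servers}
        if "hijack" in verdicts.values():
            findings.append({"key": key, "value": value_name, "servers": servers})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_LOG):
        print(f"FIX  {f['key']} -> {f['value']} = {', '.join(f['servers'])}")
    for key, value_name, servers in parse_nameserver_entries(SAMPLE_LOG):
        for s in servers:
            print(f"     {s:<16} {classify_server(s)}  ({value_name})")
```

One detail the two logs together make visible: SmitFraudFix lists DhcpNameServer values in the same 85.255.x.x range, which HijackThis's O17 section does not show, so a check that reads only the O17 lines would miss them. That is why the parser accepts both value names, and why switching the adapter back to "Obtain DNS server address automatically" and running ipconfig /flushdns, as in the fix above, matters after the registry entries are removed.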

#3 SifuMike
Posted 20 April 2007 - 04:38 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.