"Your Computer Is Infected" XP error [CLOSED], Can someone offer some assistance for this
andytls
post Mar 21 2006, 11:40 PM
Post #1


New Member
Posts: 9
OS: Windows XP



This is my logfile from Hijack This. I have an error in my task bar next to the clock that says: "Your Computer Is Infected." It gives me a link to click on and it opens a website with a program to purchase to clean up the system and delete the viruses/ads, etc... Please let me know what this may be and how to go about fixing this problem. If I have to do a re-install of Windows that is fine, I have all of my info on this Sony Vaio laptop saved on my desktop computer. Thanks Guys. My email is:
removed to prevent SPAM

-Andy


Logfile of HijackThis v1.99.1
Scan saved at 12:32:58 AM, on 3/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Downloaded Programs\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hpCD52.tmp
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

This post has been edited by rmurphy: Mar 22 2006, 12:17 AM
Ryan
post Mar 22 2006, 12:16 AM
Post #2


GeekU Moderator
Posts: 3,746
From: USA
OS: Vista Ultimate X64



Hi there, and welcome to Geekstogo. I'm Ryan, and I'll be helping you fix your computer.

Can you please post the entire HiJack This log for me? If that is the entire log, was it taken in Safe Mode or with things disabled in MSCONFIG?

Can you also tell me what program its trying to sell you?

-Ryan
andytls
post Mar 22 2006, 01:49 PM
Post #3


New Member
Posts: 9
OS: Windows XP



Hi Ryan, thanks for the reply. I really appreciate your help with this problem I am having.
This was the entire log file from Hijack This. It wasn't in safe mode, and to my knowledge there was nothing disabled in MSCONFIG.
I am currently at work, I will post the information including the exact error message with the program it is launching when I click on the error message. I should be home in about 3-4 hours. Thanks Ryan!
andytls
post Mar 22 2006, 10:33 PM
Post #4


New Member
Posts: 9
OS: Windows XP



Hi Ryan, yeah, the log that I posted was the entire log from Hijack This, it wasn't in Safe Mode, and I didn't mess with anything in MSCONFIG. I ran Hijack This again and it had the same log. The program itself gave me two errors, but I didn't do anything with them, I wasn't sure what they were.

To let you know, these problems occurred after I turned on the computer and when I clicked on my login a box came up that told me I had to validate/register my Windows. I pushed cancel on this and it just took me back to the opening screen to log in again. I clicked OK on the box to go ahead and activate/register (sorry, I don't remember exactly what it said.) It asked for my CD code for Windows XP. I put this in (from my XP Home CD that I purchased some time ago.) I have been using this XP for almost a year now with that laptop and never had any problems. Anyways, when I put in the CD code it said there was an error and it gave me this phone number to call: (888-571-2048). A rep. answered the phone and asked what the problem was. I explained it to her, she asked me for my CD code, and then she gave me this code to put in where it prompted me to from the error box I was getting (Code Removed.) I put this in and Windows then loaded fine. I couldn't log onto our Roadrunner with my wireless card, I had to plug in a hard line for it to work. A couple of days later I received the message I first wrote to you about. It is:
"Your computer is infected!
Possible harmful infection was detected on your PC. The system will now download and install the most efficient spyware removal program to prevent private data loss and your identity theft. Click here to protect your PC from the biggest spyware threats."
At first I ignored this thinking it was some sort of popup or something, but I couldn't find how to get rid of it through Task Manager or anywhere else. The icon looks like the "Windows Update" icon and flashes back and forth to a red circle with a white X in the middle. When I double click on this icon I get a blank screen pop up with the title "C:\Windows\Temp\h91746.exe", and a smaller box pops up entitled "16 bit MS-DOS Subsystem" with: "C:\Windows\Temp\h91746.exe. The NTVDM CPU has encountered an illegal instruction. CS:0d9b IP: 01d4 OP: 63 83 65 2f 31 Choose "close" to terminate the application."
When I open the Internet it goes to www.securitysafeguards.net. On this page it says things like:
Title: "Warning! Spyware Detected."
"Attention! Your sytem is under control of remote computer with IP addess 227.4.167.118. The remote computer has access to the following folders on your PC:
Windows\System32
Program Files\Internet Explorer
My Documents
Drive C:\ files
Click here to download official anti-spyware software.
YOUR PRIVATE INFO IS COLLECTED BY: W32.Sinnaka.A@mm
Your IP Address: 65.32.43.32
Your Country: United States
They know your using: Mozilla\4.0
Operating System: OS Windows
Risk status for further investigation: Very High Risk
Time of investigation: Wed Mar 22 20:23 PST 2000." The page has a lot of hypertext links for different Adaware programs...
Also, this took away my favorites from my Internet Explorer.

I hope that I haven't just confused you with all of the text I have been typing. I just wanted to give you as much info as possible. Thanks!
-Andy

This post has been edited by rmurphy: Mar 23 2006, 01:06 PM
Ryan
post Mar 23 2006, 01:10 PM
Post #5


GeekU Moderator
Posts: 3,746
From: USA
OS: Vista Ultimate X64



Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot your PC.

If you would please, rescan with HijackThis, and post a fresh log, the contents of smitfiles.txt and the Ewido Log in this same topic, and let us know how your system's working.

-Ryan
andytls
post Mar 23 2006, 09:51 PM
Post #6


New Member
Posts: 9
OS: Windows XP



Hey Ryan, I did as you suggested. Here is the info you requested:

First, the Hijack This! Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:56 PM, on 3/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Downloaded Programs\Hijack This\HijackThis.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe




Second, the Smitfiles Text Log:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 03/23/2006
The current time is: 20:21:38.58

Running from
C:\Documents and Settings\Andy\Desktop\SmitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\System32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1052 'explorer.exe'
Killing PID 1052 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\System32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!




Third, the Ewido Log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:17:02 PM, 3/23/2006
+ Report-Checksum: A51A868A

+ Scan result:

[620] C:\WINDOWS\System32\ginuerep.dll -> Not-A-Virus.Hoax.Win32.Renos.bz : Cleaned with backup
C:\Documents and Settings\Andy\Cookies\andy@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Andy\Cookies\andy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Downloaded Programs\Hijack This\backups\backup-20060319-020236-959.dll -> Downloader.Zlob.iu : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2218.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Downloader.Zlob.it : Cleaned with backup
C:\WINDOWS\system32\ginuerep.dll -> Not-A-Virus.Hoax.Win32.Renos.bz : Cleaned with backup


::Report End




Thanks Ryan!!
After doing what you suggested, the flashing icon, and popup box went away! And the wireless card is being recognized and works great again! I'm not sure exactly what we did, but it worked wonders. It's another language, and I'm glad that there are people like yourself that know this language and are willing to help us out when a problem arises. I can't thank you enough!!

-Andy



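The SharedTaskScheduler export in the smitRem log above is identical before and after the "registry repairs" step, and its third entry ("Prestige Software") is served from a CLSID key under HKEY_CURRENT_USER that points at ginuerep.dll, the file the Ewido scan then identified as Renos. Here is an added example (not part of this thread, nor code from smitRem or GetSTS.exe) that parses that pseudo-format export and flags such entries; the KNOWN_GOOD baseline of two stock Windows XP entries is my assumption, and the sample export is constructed from the log posted above.

```python
import re
# Constructed sample: the SharedTaskScheduler export from the smitRem log above, in GetSTS.exe's pseudo-format.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\System32\ginuerep.dll"
"""

# Assumed baseline: the two entries a stock Windows XP install schedules, both served by browseui.dll.
KNOWN_GOOD = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "browseui.dll",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "browseui.dll",
}
SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"(\{[0-9A-Fa-f-]+\})"="(.*)"$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_export(text):
    """Return (scheduled, servers): CLSID -> display name, and CLSID -> (hive, DLL path)."""
    scheduled, servers, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)  # current [HIVE\...] key, kept until the next header
        elif section and section.upper().endswith("\\SHAREDTASKSCHEDULER"):
            entry = ENTRY_RE.match(line)
            if entry:
                scheduled[entry.group(1).upper()] = entry.group(2)
        elif section and section.upper().endswith("\\INPROCSERVER32"):
            default = DEFAULT_RE.match(line)
            if default:
                hive = section.split("\\", 1)[0].upper()
                clsid = re.search(r"\{[0-9A-Fa-f-]+\}", section).group(0).upper()
                servers[clsid] = (hive, default.group(1))
    return scheduled, servers

def triage(text):
    """Flag non-stock entries, stock CLSIDs whose DLL was swapped, and servers registered under HKCU."""
    scheduled, servers = parse_export(text)
    findings = []
    for clsid, name in scheduled.items():
        hive, path = servers.get(clsid, ("", ""))
        reasons = []
        if clsid not in KNOWN_GOOD:
            reasons.append("not a stock SharedTaskScheduler entry")
        elif KNOWN_GOOD[clsid] != path.rsplit("\\", 1)[-1].lower():
            reasons.append("stock CLSID now served by " + path)
        if hive == "HKEY_CURRENT_USER":  # per-user key shadows the HKLM one for this user
            reasons.append("InProcServer32 registered under HKCU")
        if reasons:
            findings.append((clsid, name, path, "; ".join(reasons)))
    return findings
```

A CLSID registered under HKEY_CURRENT_USER\Software\Classes takes precedence over the HKLM copy for that user and needs no administrator rights to write, which is why the check treats an HKCU server for a machine-wide scheduled component as a finding on its own.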
Ryan
post Mar 24 2006, 11:16 PM
Post #7


GeekU Moderator
Posts: 3,746
From: USA
OS: Vista Ultimate X64



Before posting the first HiJack This log, did you fix any of the items yourself?

Please select one firewall and one antivirus program and install them.
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

After you have installed one of each, please post a new HiJack This log.

-Ryan

This post has been edited by rmurphy: Mar 24 2006, 11:20 PM
andytls
post Mar 28 2006, 08:35 AM
Post #8


New Member
Posts: 9
OS: Windows XP



Sorry for the delay Ryan, I will post that new info ASAP. I am at work now, but I'll post it when I get home this evening. Thanks again for all of your help. I have access to free McAfee through my University, would you recommend for or against this? I'll post tonight, thanks!!
-Andy
Ryan
post Mar 28 2006, 11:03 PM
Post #9


GeekU Moderator
Posts: 3,746
From: USA
OS: Vista Ultimate X64



You'd be better off going with one of the ones I listed. McAfee tends to use more resources and slow down your system. The ultimate choice is up to you though.

-Ryan
andytls
post Mar 30 2006, 07:43 PM
Post #10


New Member
Posts: 9
OS: Windows XP



Ryan, sorry for the delay. Here is my newest Hijack This log (30Mar06.)

I tried the AVAST anti-virus, but it slowed the system down very much. My desktop has the McAfee, which I get free from the university and it seemed to work fine so I'll try it on this laptop and see how it goes. Thanks for your help, let me know if there are any more steps to take. I'm off to try and figure out the best settings for sending video to my iPod... this process has been interesting and time consuming trying to find the best settings. Talk to you again, here's the log file:


Logfile of HijackThis v1.99.1
Scan saved at 8:37:56 PM, on 3/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloaded Programs\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe



THANKS!

-Andy
Ryan
post Mar 30 2006, 07:51 PM
Post #11


GeekU Moderator
Posts: 3,746
From: USA
OS: Vista Ultimate X64



This is interesting. Even though you have stuff installed on the computer, only two things are showing up in HiJack This. Let's see if an Uninstall list can shed any light.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

-Ryan
Ryan
post Apr 10 2006, 12:21 AM
Post #12


GeekU Moderator
Posts: 3,746
From: USA
OS: Vista Ultimate X64



Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.