Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

spyware infection, logs after doing malware removal steps


  • Please log in to reply

#1
diverseo

diverseo

    Member

  • Member
  • PipPip
  • 28 posts
hi, back again, laptop has been running very slow, backgroung was changed and ie7 would close when trying to go to a web page, seems much better after following steps, please can you check if i have got rid of everything.........here are logs

Logfile of HijackThis v1.99.1
Scan saved at 05:25:12 AM, on 2006/11/30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dxtconf.exe
C:\WINDOWS\system32\fsdconf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ASWL2K.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark Asus\Desktop\spyware removal geeks\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\system32\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [brwdiag] C:\WINDOWS\system32\brwconf.exe
O4 - HKLM\..\Run: [ijtdiag] C:\WINDOWS\system32\ijtconf.exe
O4 - HKLM\..\Run: [deidiag] C:\WINDOWS\system32\deiconf.exe
O4 - HKLM\..\Run: [dxtdiag] C:\WINDOWS\system32\dxtconf.exe
O4 - HKLM\..\Run: [fsddiag] C:\WINDOWS\system32\fsdconf.exe
O4 - HKLM\..\Run: [isrdiag] C:\WINDOWS\system32\isrconf.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3BFFDB8-6B6F-4A66-AC66-00CD95D9B13E}: NameServer = 192.168.2.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE7D341B-AAE4-4923-A267-7048432465AA}: NameServer = 192.168.0.200
O20 - AppInit_DLLs: e1.dll libdcabi.dll confbrw.dll brwstat.dll confaud.dll audstat.dll diagijt.dll statijt.dll diagdei.dll statdei.dll diagcre.dll statcre.dll diagdxt.dll statdxt.dll diagfsd.dll statfsd.dll diagisr.dll statisr.dll
O20 - Winlogon Notify: audmgr - audmgr32.dll (file missing)
O20 - Winlogon Notify: brwmgr - brwmgr32.dll (file missing)
O20 - Winlogon Notify: deiconf - cfgdei.dll (file missing)
O20 - Winlogon Notify: dxtconf - C:\WINDOWS\SYSTEM32\cfgdxt.dll
O20 - Winlogon Notify: fsdconf - C:\WINDOWS\SYSTEM32\cfgfsd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ijtconf - cfgijt.dll (file missing)
O20 - Winlogon Notify: isrconf - C:\WINDOWS\SYSTEM32\cfgisr.dll
O20 - Winlogon Notify: vsutmsgi - C:\WINDOWS\system32\vsutmsgi.dll (file missing)
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe




Incident Status Location

Virus:W32/Spamta.LK.worm Disinfected Operating system
Virus:W32/Spamta.LB.worm Disinfected C:\WINDOWS\system32\audprf32.dll
Virus:Trj/SpamtaLoad.BP Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB6562-x86.zip[Update-KB6562-x86.exe]
Virus:Trj/Spamtaload.AR Disinfected Local Folders\Deleted Items\This is not shown on TV.\picture8421..gif. exe
Virus:Trj/SpamtaLoad.AL Disinfected Local Folders\Deleted Items\Livan War real pictures.\picture703.zip[picture703.jpg .exe]
Virus:Trj/SpamtaLoad.AL Disinfected Local Folders\Deleted Items\Error\text.zip[text.dat.cmd]
Virus:Trj/SpamtaLoad.AL Disinfected Local Folders\Deleted Items\Livan War real pictures.\picture4093..gif. exe
Virus:Trj/SpamtaLoad.AL Disinfected Local Folders\Deleted Items\Mail Transaction Failed\file.zip[file.log.scr]
Virus:Trj/SpamtaLoad.AL Disinfected Local Folders\Deleted Items\Livan War real pictures.\picture218.zip[picture218.gif .exe]
Virus:Trj/SpamtaLoad.BE Disinfected Local Folders\Deleted Items\Mail delivery Error\attach4687..txt. exe
Virus:Trj/SpamtaLoad.BE Disinfected Local Folders\Deleted Items\Mail Delivery System\text.zip[text.msg.scr]
Virus:Trj/Spamtaload.AR Disinfected Local Folders\Deleted Items\test\body.zip[body.log.cmd]
Virus:Trj/Spamtaload.AI Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB9562-x86.zip[Update-KB9562-x86.exe]
Virus:Trj/SpamtaLoad.BL Disinfected Local Folders\Deleted Items\test\document.zip[document.txt.cmd]
Virus:Trj/SpamtaLoad.BL Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB7640-x86.zip[Update-KB7640-x86.exe]
Virus:Trj/SpamtaLoad.BH Disinfected Local Folders\Deleted Items\hello\doc.zip[doc.dat.pif]
Virus:Trj/SpamtaLoad.BH Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB2236-x86.zip[Update-KB2236-x86.exe]
Virus:Trj/SpamtaLoad.BP Disinfected Local Folders\Deleted Items\picture\readme.zip[readme.elm.cmd]
Virus:Trj/SpamtaLoad.BP Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB578-x86.zip[Update-KB578-x86.exe]
Virus:Trj/SpamtaLoad.N Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB6281-x86.zip[Update-KB6281-x86.exe]
  • 0

Advertisements


#2
MFDnSC

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
===========================

Download AVG Anti-Spyware from http://www.ewido.net/en/download/ and save that file to your desktop. Note: This is NOT the Anti Virus from AVG.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
o Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
o Select "Automatically generate report after every scan"
o Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG will now begin the scanning process. Please be patient as this may take a little time.
Once the scan is complete, do the following:
5. If you have any infections you will be prompted. Then select "Apply all actions."
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the log from AVG and a new HiJack log
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP