[lkegley9]

Alright I have an instance of iexplore running under Task Manager and for some reason, I can't stop it from running. There are no other suspicious programs running under Task manager, and I also downloaded Security Task Manager and there isn't anything suspicious under there. I don't know what the problem is, and I've tried deleting many foreign DLLs that I've never had before, but the same thing happens. Another thing that occurs is down in my taskbar, there is an icon that looks like a security shield with two alternating icons, a red shield with X mark and a blue shield with a ? mark, and the occasional popup bubble saying "System Alert" and then telling me I have possible malware that I should uninstall.

If you want a HijackThis log, let me know and I'll put that up in a post.

I think I figured it out. Its a backdoor trojan, called Eterok.C I believe. The ways to remove it requires a Windows XP startup disc, of which I don't have. If anyone has this problem, try using the Windows Recovery Console in your Windows startup disc. Do a google search if you don't know what the recovery console is. I'll need to see if I can find someone with a startup disk.. >_>

[racenutalways]

Hello lkegley9 , sounds like you been hit with Smitfraud infection. Windows Recovery Console will not work in this instance.

* Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
  
• Doubleclick on the HJTsetup.exe icon on your desktop.
  
• By default it will install to C:\Program Files\Hijack This.
  
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  
• Put a check by Create a desktop icon then click Next again.
  
• Continue to follow the rest of the prompts from there.
  
• At the final dialogue box click Finish and it will launch Hijack This.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[lkegley9]

The reason I believe its Eterok.C or whatever, is because I found something called arm32.dll in a HijackThis scan, and I googled it and it said it belonged to that backdoor trojan. But here's the log anyway.

HA! I feel stupid. That log file was one I did on my other computer. I completely forgot the fact that I wasn't on the infected computer.. Sorry, now that is the real log.

Logfile of HijackThis v1.99.1
Scan saved at 11:40:52 PM, on 7/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\AirLink101\AWLC3026\WlanCU.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxcccoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://swinnet.swinerton.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Airlink101 802.11g Cardbus Utility.lnk = C:\Program Files\AirLink101\AWLC3026\WlanCU.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://swinnet.swinerton.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\msloglo.dll
O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documents\Settings\arm32.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe

Let me know if you need anything else. No need to dumb things down, I should be able to understand any instructions you give me.

[racenutalways]

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documents\Settings\arm32.dll

Please be aware that it is possible for this setting to have been legitimately changed by a Computer Manufacturer or the Administrator of machine. If you do not recognize the address, then you should have it fixed.
O14 - IERESET.INF: START_PAGE_URL=http://swinnet.swinerton.com

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files hightlighted in red (if present):

C:\Documents and Settings\All Users\Documents\Settings\arm32.dll


After that, Reboot.

Post a new HJT log in your next reply.

You have a suspicious file that I need to get more information more:
Jotti File Submission:

• Please go to Jotti's malware scan
  
  
• Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
  
  • C:\WINDOWS\System32\msloglo.dll
  
  
• Click on the submit button
  
  
• Please post the results in your next reply.

Java is outdated, this needs to be kept updated as it poses a security vulnerability.

Updating Java and Clearing Cache

• Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  
• It will say "Java Plug-in" under the icon.
  Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  
• If you are unable to update you can manually update by going here:
  http://www.java.com/en/download/manual.jsp
  
  
• After the reboot, go back into the Control Panel and double-click the Java Icon.
  
• Under Temporary Internet Files, click the Delete Files button.
  
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  Downloaded Applets
  Downloaded Applications
  Other Files
  
  
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  
• Click OK to leave the Java Control Panel.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please go HERE to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

[Ryan]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.