[bbmorales]

Hi everybody.

I´ve been with some malware running thru my pc lately.
Some days before, I´ve just been infected with SmitFrud, cleaned it, but since then all my Internet Explorer bars (i mean the tool bar, buttons, etc... all bars) are gone. The IE opens websites, but it´s much harder to use it with no bars...

Please, I someone can, take a look at my log.

Logfile of HijackThis v1.99.1
Scan saved at 19:03:42, on 21/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Mozilla\mozilla.exe
E:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\khqwk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\khqwk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\khqwk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ufrgs.br:3128
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {507E2ABD-A43C-C2E3-989D-363E8788D288} - C:\WINDOWS\atlym32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msbk32.exe] C:\WINDOWS\system32\msbk32.exe
O4 - HKLM\..\RunOnce: [winso32.exe] C:\WINDOWS\system32\winso32.exe
O4 - HKLM\..\RunOnce: [sysvh.exe] C:\WINDOWS\sysvh.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk.disabled
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3po.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe (file missing)

Thanks in advance.

[Advertisements]

The first step to clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. In Windows 98*admin you can also go to IE, Tools, Internet Options, Temproary Internet Files section, Delete Files and check Off Line Content
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

You may want to use CCleaner found here www.ccleaner.com

I would recommend one of the anit-spyware cleaners first
Reboot in Safe Mode

Microsoft WIndows Anti-spyware
http://www.microsoft...re/default.mspx

Ad-aware se
http://www.lavasoft....ftware/adaware/

For Ad-ware se run a Full System Scan and ADS scan

Then
HJT
Do NOT connect to the internet for the following
Close all windows
Open HJT and scan
If you wish to remove these entries then place checkmark(s) beside the entries below, once all entries have been checked press Fixed Check
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\khqwk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\khqwk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\khqwk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nipod.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {507E2ABD-A43C-C2E3-989D-363E8788D288} - C:\WINDOWS\atlym32.dll
O4 - HKLM\..\Run: [msbk32.exe] C:\WINDOWS\system32\msbk32.exe
O4 - HKLM\..\RunOnce: [winso32.exe] C:\WINDOWS\system32\winso32.exe
O4 - HKLM\..\RunOnce: [sysvh.exe] C:\WINDOWS\sysvh.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3po.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe (file missing)




Reboot
Repost a new HJT log file

Confirm these folders or files are deleted
C:\WINDOWS\system32\nipod.dll
C:\WINDOWS\system32\khqwk.dll/
C:\WINDOWS\atlym32.dll
C:\WINDOWS\system32\msbk32.exe
C:\WINDOWS\system32\winso32.exe
C:\WINDOWS\sysvh.exe

Edited by nommork, 21 April 2005 - 04:22 PM.

[bbmorales]

Hi folks.

Just did what you told me, and I seem to have success on my cleaning duty.
But, just one detail to be added: the winso32.exe uses an admnistrative tool, a service called "Workstation NetLogon Service". When I was cleaning, on safe mode, I did shut it down, and I think this is very important to keep it away.

Ah, I scanned my pc with AGV too. Was very helpful (45 viruses, most of it were Trojans).

Anyway, my HJT log:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\GetRight\GETRIGHT.EXE
C:\Arquivos de programas\Mozilla\mozilla.exe
C:\WINDOWS\system32\mmc.exe
E:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ufrgs.br:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.3000.1001\pt-br\msntb.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe (file missing)

Even having cleanaed my pc, I´m still with no IE bars...
If someone knows what I can do about it, please tell me.

And, another doubt: is there anyway to hide that "console" (I don´t really know what is that) on Mozilla Browser? I mean that window, just below the navigator main window, 'cause it takes a lot of my screen when browsing...

Thanks.