Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

smitfraud-finance security question-please help!


  • Please log in to reply

#61
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Yes, safe to delete, if it will let you. I am still working on a manual fix also.

-=jonnyrotten=- :tazz:
  • 0

Advertisements


#62
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I will delete and rerun AVG.
  • 0

#63
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Also, go here. http://www.mozilla.com and download Firefox and use that in the meantime until we get you cleaned up. Firefox is an alternative browser to Internet Explorer, it is less vulnerable to these infections, and it's just all around a better browser. There is also a link in my signature to download it too. Make sure to only use that until you get cleaned, because this infection will never go away if Internet Explorer is used in the meantime. We should actually go through the previous procedure once more this time we the entire process has to be performed in Safe Mode. Make sure to read through it before booting into safe mode and download all programs that will be needed ahead of time so you will not have to go back to normal mode until the procedure is finished. I will await your next post and get the fix ready for you.

-=jonnyrotten=- :tazz:
  • 0

#64
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Actually,
I have moved to another computer to email, at least while at home. Running AVG one more time after about:buster and will send hijack after.

Nasty bug
  • 0

#65
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
latest hijack

Logfile of HijackThis v1.99.1
Scan saved at 9:55:21 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {88016CBA-8B05-A30D-B36A-7DB062043142} - C:\WINDOWS\system32\apivr32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://sra.carebrid...oterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098857008188
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msgw32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#66
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
BTW
sra.carebridge is a link to my hospital...
  • 0

#67
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Still getting the spyware (bad) popups so I guess I am stil infected.... :tazz:
  • 0

#68
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Ok, yes you are still infected with the same thing. Make sure you have HostFileReader,
DelDomains,
and CleanUp!
on the infected computer and then reboot into Safe Mode.

Then get the instructions with the other computer and use those to fix the other one. It is critical that the infected computer does not come out of Safe Mode while we perform this fix.

Let me know when ready.

-=jonnyrotten=- :tazz:
  • 0

#69
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
OK. Have all the above. Am taking the computer to work (will not have internet access on it but on another) Will wait for latest instructions. Keep getting virus warnings from AVG. Moved one to vault. Then just clicked out. I will empty the vault before doing anything else.
  • 0

#70
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Step 1:

Please make sure that you can view all hidden files.

Click on start, then control panel, then administrative programs, then services. Look for a service called Remote Procedure Call (RPC) Helper. Double click on the that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.


Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

msgw32.exe


Step 3:

Now delete the following files:

C:\WINDOWS\system32\penkw.dll
C:\WINDOWS\system32\apivr32.dll
C:\WINDOWS\system32\msgw32.exe
C:\WINDOWS\system32\apivr32.dll


Step 4:

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\penkw.dll/sp.html#28129
O2 - BHO: (no name) - {88016CBA-8B05-A30D-B36A-7DB062043142} - C:\WINDOWS\system32\apivr32.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msgw32.exe" /s (file missing)


Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I
If 11F#`I exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I
If LEGACY_11F#`I exists then right click on it and choose delete from the menu.


If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it completed move on to step 7.


Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]



Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.


Step 8:

Now run CleanUP! and click the "CleanUp!" button. when it is finished cleaning up it will ask you if you want to log off to finsish the process, say "NO" and reboot into normal mode. DO NOT open Internet Explorer, open up Firefox and post a new Hijack This log.

-=jonnyrotten=- :tazz:
  • 0

Advertisements


#71
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Have never used firefox. How do I go about that?

Thanks
  • 0

#72
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Click the "Download Now" link on http://www.mozilla.com and click. Once downloaded, double click the file to start the install process and once it is installed you will have a new Firefox icon on your desktop. Double click it and it opens up a browser that is similar to internet explorer. It's easy enough that you will be familiar with what you see.

-=jonnyrotten=- :tazz:
  • 0

#73
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Oops,

Somehow I missed your previous post on that. Sorry. And I neglected to do that step so will need to wait until later this evening to download that and be ready to launch after the latest try.

So, I will touch base in a few hours.

Thanks.
  • 0

#74
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Hey that's ok, remember you do not need to have firefox to perform the fix, you can go into safe mode and get firefox when it's all finished. In fact I would even download the install file on your other pc and transfer it to the infected one so you don't have to connect to the net at all. Everytime you connect to the internet while still infected it becomes worse.

-=jonnyrotten=- :tazz:
  • 0

#75
merbel

merbel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Good idea.
Will hopefully have you a new HiJack around 8 eastern time.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP