[booeysboy]

Hi ive got this virus. Went through the list of things to do first in malaware removal thread but some downloads wouldnt work as i kept getting errors. I did manage to download hijackthis and made a log. Could someone please advise me what to do next? thank u
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:27: VIRUS ALERT!, on 09/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\PCPrivacyCleaner\pcpc.exe
C:\WINDOWS\system32\lphc5e3j0el7e.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\WINDOWS\system32\pphc5e3j0el7e.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: sqvgnrpx - {DB62CC01-ECD2-492E-BCE6-57B0AD8A8D59} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GUI] C:\D-Link\AirPlusG+\AirPlus.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCPrivacyCleaner] C:\Program Files\PCPrivacyCleaner\pcpc.exe
O4 - HKLM\..\Run: [lphc5e3j0el7e] C:\WINDOWS\system32\lphc5e3j0el7e.exe
O4 - HKLM\..\Run: [SMrhc1e3j0el7e] C:\Program Files\rhc1e3j0el7e\rhc1e3j0el7e.exe
O4 - HKLM\..\Run: [9c6a844c] rundll32.exe "C:\WINDOWS\system32\hyjobswo.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1203878667940
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.co...s/msnchat45.cab
O21 - SSODL: fdxbameg - {D519BFAB-D85D-4E8C-A3C2-AA8552053850} - C:\WINDOWS\fdxbameg.dll
O21 - SSODL: fsrpknov - {C2BBF641-EB91-4A38-B1E3-FF6560EE8388} - C:\WINDOWS\fsrpknov.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6108 bytes

[Advertisements]

Hey booeysboy,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, I ask for your patience.

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

[Ltangelic]

Hey booeysboy,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, I ask for your patience.

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

[Ltangelic]

Hey booeysboy,

Apologies for the delay, and thanks for sticking with me.

Your log is showing signs of infection, we need to run some tools to remove it.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Run SmitfraudFix

Please download SmitfraudFix (by S!Ri) to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

2) Run Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Next reply (please include):

rapport.txt
DSS scan logs

[booeysboy]

Hi Ltangelic, sorry but i tried to download Smitfraudfix and Im getting an incomplete download error message in French (i think). Am not sure where its going wrong as i clicked the link and followed instruction from here?
What should I do now?
Sorry, Booeysboy

[Ltangelic]

Please try to get me a DSS scan log.

Thanks.

[booeysboy]

Hi I run DSS and it seems to scan but nothing opens afterwards? I have run this in normal mode should it be in safe mode?

Oh God now another thing! I tried to restart laptop but its now saying wondows failed to start, Fatal Error. I tried starting in safe mode and it does that but wont start up windows normally?
Sorry this just seems to get worse by the minute. Any ideas what to do next?
Thanks
B

Edited by booeysboy, 14 July 2008 - 04:38 AM.

[Ltangelic]

Hey booeysboy,

Seems like one or more of your system files are corrupted. We will need to do a Windows repair. This will not replace any data you have on your computer, so do not worry about backup. I will let you do a backup later if needed.

Please follow the instructions below carefully and post back if you are experiencing any problems.

• Boot your computer using Windows installation CD
• Press Enter to "Set up Windows XP now".
• Press F8 to agree to the EULA
• Ensure that your current installation of Windows XP is selected, then press R to repair Windows XP.

For more information, you can take a look here.

Please post back to inform me of how the repair was, and if it has solved the problem of BSOD. Thanks.

LT

[booeysboy]

Hi again, Unfortunately the laptop is a Dell Latitude C400 with no disk drive on the laptop. Is there another way I can do this without having to insert a disc?
Thanks again & sorry for all the probs so far

[Ltangelic]

Hey booeysboy,

Looks like we have to try booting using Last Known Good Configuration.

Reboot your computer. Press F8 before Windows start, and under the Advanced Windows Options, select Last Known Good Configuration (your most recent settings that worked) then Enter.

Please post back telling me if you have successfully performed the steps above and I'll tell you what to do next.

LT

[booeysboy]

Hi LT, I tried doing that and then I get a blue screen that says
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000022 (0x00000000 0x00000000).
The system has been shut down.

Thats exactly what happens in the normal mode also
B

[Ltangelic]

Alright, are you able to boot into safe mode?

[booeysboy]

Yes it will boot in safe mode

[Ltangelic]

Hey booeysboy,

That's good news.

Let's try running DSS again in safe mode.

Please download Deckard's System Scanner (DSS) to a USB drive or any removable disk from an uninfected computer and then save it to your desktop on the infected computer.

Note: Please ensure that your infected computer is disconnected from the Internet.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Rorschach112]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.