[Njord]

Hi Malware Removal Specialst ,

I having trouble with these ware.
My wallpaper turn into Blue Screen Error ..
I have my anti-virus to stop the progress but
don't why somehow the virus program don't works.
The main problem is i am able to log into normal
window mode but it will reboot by itself after 30 sec
before the my window can load all the task bar program.

I am able to log into safe mode. But after i did a virus scan
no spy or ad ware are found. I am using panda anti-vuris
program. I hijacked my pc the log look clean to me.
Have delete wp.bmp but cannot find any wp.exe .
I had delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

So after these few step , i boot to normal.
The blue screen had disappear but no luck window cannot fully load.
Reboot my computer again and again ..

Pls
If you need my log in the safe mode , i will try to post mine today,
as currently i'm using my office computer to post these thread.

Edited by Njord, 19 May 2005 - 10:30 AM.

[Advertisements]

Download and doubleclick:
http://www.bleepingc...g/smitfraud.reg

Hopefully that will make your desktop usable again.

We will need a HijackThis log for further help.

Regards,

[Metallica]

Download and doubleclick:
http://www.bleepingc...g/smitfraud.reg

Hopefully that will make your desktop usable again.

We will need a HijackThis log for further help.

Regards,

[Njord]

Dear Metallica ,
i cannot get into normal window mode ...
But i can use hijack on the safe mode ...
So you need my log in safe mode ???
I think i have try the smitfraud.reg before.
But i will try again tonite ...
Oh Metallica will these command work
RUN - SHUTDOWN -A
I have read these in other forum today , will
stop the windows from rebooting ???

[Metallica]

Shutdown -a will do that, but not under all circumstances and not indefinetely.

A HijackThis log in safe mode will do.
Smitfraud.reg was altered yesterday, and the new version might help.
Transfer it per floppy to the infected computer if necessary.

Regards,

[Njord]

Hi Metallica ,
Thanks for the quick reply ..
Will post my log tonite and patch the Smitfraud.reg.
I will use my brother's pc to post my result .
Thanks Again !!!

[Metallica]

OK. I'll check back later today.

Regards,

[Njord]

Dear metallica ,
I have found a solution to log into normal.
I went into sfae mode uninstall my anti-virus program.
Reboot the pc and it went into normal mode without
rebooting non-stop.

Here's mine log , I guess the log is already clean.

Logfile of HijackThis v1.99.1
Scan saved at 9:06:17 PM, on 5/24/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Fion\My Documents\My Share Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.c...GamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...404/mcfscan.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

[Metallica]

Good job.

Two loose ends as far as I can see.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)

O20 - Winlogon Notify: drct16 - drct16.dll (file missing)

Reboot and check if they stay away.

Regards,

[Njord]

Morning Metallica ,
Will fix R3 and O20 tonite.
I had did an online virus scan last nite.
The scan had discovered some adware and trojan
on my harddisk.
Some had been disfected some had not.
I had already delete those files that had not disfected.
But problem i had was some of the files had renamed itself ,
so what can i do. The scan result only shown as renamed.
It never mention if the files had already disfected or not.
Will post the Scan Result tonite for your perusal.

Oh almost forgot , i download THE CLEANER
i did a scan in normal mode but anything was
found.So must i try a scan in safe mode.

Edited by Njord, 24 May 2005 - 08:50 PM.

[Metallica]

The virusscan should not be thrown off by the name changes.

If TheCleaner can't find anything in normal mode it won't find anything in safe mode either.

Post a new HijackThis log when you are done.

Regards,

[Njord]

Evening Metallica ,
Here's my mine log

Logfile of HijackThis v1.99.1
Scan saved at 9:21:18 PM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Documents and Settings\Fion\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.c...GamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...404/mcfscan.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

[Metallica]

Looks good to me.

How's the computer behaving?

Regards,

[Njord]

Here is the online anti-virus result.
Hopefully is not too messy for you.

Adware:Adware/Lop No disinfected
C:\Documents and Settings\Fion\My Documents\My Share Folder\New Folder\lopremover.exe

Adware:Adware/BlueScreenWarning No disinfected C:\RECYCLER\S-1-5-21-1078081533-1450960922-725345543-1000\Dc4.exe

Virus:Trj/Downloader.CQI Disinfected
C:\WINNT\loadnew.exe

Virus:Bck/Haxdoor.CF Disinfected
C:\WINNT\ms1.exe

Virus:Trj/Dropper.FQ Disinfected
C:\WINNT\ms2.exe

Adware:Adware/CWS.Searchmeup No disinfected
C:\WINNT\ms3.exe

Virus:Bck/Haxdoor.A Renamed
C:\WINNT\system32\fltr.a3d

Virus:Bck/Haxdoor.A Renamed
C:\WINNT\system32\i.a3d

Virus:Bck/Haxdoor.CF Disinfected C:\WINNT\system32\mszx23.exe

Virus:Bck/Haxdoor.A Renamed
C:\WINNT\system32\p2.ini

Adware:Adware/Startpage.WS No disinfected
C:\WINNT\system32\paytime.exe

Virus:Bck/Haxdoor.A Renamed
C:\WINNT\system32\redir.a3d

Adware:Adware/CWS.Yexe No disinfected C:\WINNT\system32\Services\{446D8675-413B-410A-A2E5-EE68E56B6A85}\SECURITY.DLL

Adware:Adware/CWS.Yexe No disinfected C:\WINNT\system32\Services\{446D8675-413B-410A-A2E5-EE68E56B6A85}\SECURITY.EXE

Adware:Adware/CWS.Yexe No disinfected C:\WINNT\system32\Services\{446D8675-413B-410A-A2E5-EE68E56B6A85}\SVCHOST.DLL

Virus:Bck/Haxdoor.A Renamed
C:\WINNT\system32\tnfl.a3d

Virus:Bck/Haxdoor.A Renamed C:\WINNT\system32\vdmt16.sys

Adware:Adware/BlueScreenWarning No disinfected C:\WINNT\system32\wldr.dll

Virus:Trj/LowZones.EZ Disinfected
C:\WINNT\tool1.exe

[Njord]

Looks good to me. 

How's the computer behaving?

Regards,

Well , so far so good
Oh i just download firefox.
Is the browser good ???
Hey metallica , how can i become one of you guys.
Is there any requirement ???

Edited by Njord, 25 May 2005 - 07:33 AM.

[Metallica]

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\wldr.dll
C:\WINNT\ms3.exe
C:\WINNT\system32\paytime.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Then delete this folder:
C:\WINNT\system32\Services\{446D8675-413B-410A-A2E5-EE68E56B6A85}

Regards,