Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Yet another one!


  • This topic is locked This topic is locked

#1
BlackVinyl

BlackVinyl

    Member

  • Member
  • PipPip
  • 46 posts
Hello people,
I'm new to this forum but like most people I need help yesterday!
After spending a week trying to remove a hijacking/spyware prog from my work pc, I ended up giving up and just backing up and reformatting the sucker....(who was the sucker?)

Nevertheless, all was back to normal after 5 hours of reinstalling the o/s and other required progs. I even created a backup of the system (which is still located on the HD). Also, for the first time ever, I created an ERD just in case anything like that happened again.

Well, low and behold, one weekend later I come to work and find the pc infected again. This time with a different strain. Something along the lines of smitfraud...whatever that is.

This issue is a little different from the other. With this one, Windows will not even start up as per normal. Just before completion of startup, an error pops up...
"explorer.exe has generated erros and will be closed by Windows. You will need to restart the program. An error log is being created." ...and they continue to be generated. One after another, after another, after another.
Whilst this is happening, the desktop is blue (like the dreaded blue screen) with an exception error in the centre listing "A fatal error has occurred in IE caused by Trojan-Spy.HTML.smitfraud.c" as well as some other crap.

The important thing is that I do not have access to my Start Menu, task bar or desktop items...although they are all visible at times. I cannot browse files to search or nothing. I only have some functionality via Task Manager. The same applies in Safe Mode.

After a lengthy process of using a 2nd pc to dowbload HJT, copy to floppy and transfer to infected pc via task manager, I managed to create a log file, copy to floppy and back to other pc to post on this forum.

If anyone has the time and willingness to help me, I would appreciate it greatly!

The log file details are as follows:

Logfile of HijackThis v1.99.1
Scan saved at 3:21:56 PM, on 14/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\explorer.exe
C:\trojfix\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.anz.com.au
O15 - Trusted Zone: http://www.commbank.com.au
O15 - Trusted Zone: http://www.emailcash.com.au
O15 - Trusted Zone: http://www.footytips.com.au
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Thanks in advance.

BV
  • 0

Advertisements


#2
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
:tazz:

I AM GETTING NOWHERE...FAST!!!

After reading most of the posts on this topic, I downloaded and installed smitfraud.exe and cleanup. I ran them both in SAFE mode, smitfraud 1st and then cleanup, I then rebooted and had the same problem. Nothing has changed.

I generated another HJT log as shown below...

Can somebody please advise so that I can remove this 'FN' thing from my pc. I would really love to avoid reformatting again if possible.

ANY POSITIVE HELP IS APPRECIATED.

Oh, if somebody knows how to get in touch with the developers of these trojans, please let me know as I would dearly like to pay them a visit, to show them my gratification ;)

Thank you.

PS. Great forum. I never realised how many people are constantly affected by these dreaded things. Someone should develop a prog that scans and protects from these things, all in one. That way we don't have to DL smitfraud, cleanup, killbox, HJT etc. etc.
  • 0

#3
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
OOPS!!!

I added the log file as an attachment using the provision when replying to posts, but it didn't include anything.

So here it is the old fashioned way...

Logfile of HijackThis v1.99.1
Scan saved at 2:20:15 PM, on 15/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\trojfix\HJT\HijackThis.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.anz.com.au
O15 - Trusted Zone: http://www.commbank.com.au
O15 - Trusted Zone: http://www.emailcash.com.au
O15 - Trusted Zone: http://www.footytips.com.au
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Sorry.

BV
  • 0

#4
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
;)
I am still to receive any assistance. I can only assume everyone is busy with other matters. I hope their matters get sorted soon so mine can get a bit of a look.

Sorry people, I don't mean to sound as is if mine is the only problem that exists.
As most of you are aware, these trojan issues can be very annoying and time consuming to say the least.

Good luck with your probs.
I will go looking for a stick of dynamite to insert into the CD ROM... ;)

Cheers,

BV :tazz:
  • 0

#5
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
PLEASE PLEASE PLEASE!!!

:tazz:

THERE ARE ONLY 2 PC'S IN THIS SMALL OFFICE AND NOW THE SECOND PC SEEMS TO HAVE THE SAME VIRUS/TROJAN.
ALTHOUGH, ON THIS PC I CURRENTLY STILL HAVE ACCESS TO INTERNET EXPLORER AND WINDOWS EXPLORER...BUT FOR HOW LONG I DO NOT KNOW!

PLEASE SOMEBODY RESPOND WITH SOME ASSISTANCE AS SOON AS YOU POSSIBLY CAN!

THANKS.

BV ;)
  • 0

#6
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi BV. Please run another hijack this log and post it in this thread and I'll take a look at it. A lot may have happened to it between the original posting date and today. Thanks. :tazz:
  • 0

#7
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Coachwife6,
Sorry for the delay and thank you for looking at my pc related issue.
I doubt much has changed since the last log as I don't really use that pc, simply because it's frustrating.

However, nonetheless, here is the log for you to analyze.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:15 PM, on 27/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\trojfix\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.anz.com.au
O15 - Trusted Zone: http://www.commbank.com.au
O15 - Trusted Zone: http://www.emailcash.com.au
O15 - Trusted Zone: http://www.footytips.com.au
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

If you can help me, that would be greatly appreciated as it will prevent me from formatting... again!

If there is a slight delay in replying to you, please understand that I am half way round the world in Australia and the only time I get to do anything on the infected pc, is when I am home at night. The pc was at work but I took it home to try and solve the problem.

Thanks for listening/reading.

Cheers,

BV
  • 0

#8
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Reboot and give me a new hijack this log. I'm working right now, so this will be done in spurts. :tazz:
  • 0

#9
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download CWShredder Here, unzip it, and save it on the Desktop. Please do not run it yet, though.

Run CWShredder to fix your CWS problem.

Please set your system to show
all hidden files; please see here if you're unsure how to do this.

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check narj against each of the following, making sure you get each one and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINNT\system32\hp9ACB.tmp (file missing)
C:\WINNT\web\related.htm
C:\WINNT\q556549255_disk.dll

Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Please reboot and post a fresh HijackThis log and we will take another look to see how we did.
  • 0

#10
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi,
Ok, your first instructions were to dl deldomains and then install and provide you with a HJT log.

Here you go.Logfile of HijackThis v1.99.1
Scan saved at 11:44:29 PM, on 27/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\trojfix\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Hopefully, while you are looking at this, I will be following your next steps with CWShredder file, HJT and deleting those specified files.

One question though, you asked me to dl CWShredder, unzip to desktop but don't run it. Then your very next line requests to run it. Do I run it now or not?

Awaiting your reply.

Thank you.

BV
  • 0

Advertisements


#11
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Follow these instructions now. :tazz:

Run CWShredder to fix your CWS problem.

Please set your system to show
all hidden files; please see here if you're unsure how to do this.

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check narj against each of the following, making sure you get each one and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINNT\system32\hp9ACB.tmp (file missing)
C:\WINNT\web\related.htm
C:\WINNT\q556549255_disk.dll
Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Please reboot and post a fresh HijackThis log and we will take another look to see how we did.
  • 0

#12
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
OK.

I ran CWS and nothing was found to delete. I saved the log if you wish to see it.

I couldn't show all files because explorer was not operational, everything that I had to do I did via task manager and new task. However, I ran HJT and all the files you listed I could see and I followed your instructions.

I rebooted in safe mode and tried to find the other 3 files, but I only found 2. The one I couldn't find was...

C:\WINNT\system32\hp9ACB.tmp (file missing)

After deleting those two and rebooting, I had access to explorer so we have a chieved something at least....Thank you.

I arranged it to see all files and I still could not find the file above.
Nevertheless, I ran Killbox and selected delete on reboot for that file and got the following error...

PendingFileRenameOperations Registry Data has been removed by External Process.

I don't know what this means.

Not even 2 mins later the pc locked up.
I re-booted and generated a HJT log.

Here it is...Logfile of HijackThis v1.99.1
Scan saved at 12:55:40 AM, on 28/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\System32\svchost.exe
C:\trojfix\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Also, my desktop is blue like the dreaded blue screen of death with some stupid text in the centre suggesting I have the smitfraud virus.

I try to select my display properties, but I only have 3 tabs unlike the usual 6.

What Next?

Cheers.

BV

PS. I refrained from deleting one of the entries from HJT because it's a start page I want to keep. I frequent this site often and I assumed you just accepted it as irrelevant.
  • 0

#13
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts

suggesting I have the smitfraud virus


Is this the first time you've seen this?
  • 0

#14
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi,
No it's not the first time I have seen this.

The 1st post I made to open this topic explains what I was seeing on my desktop instead of the usual.

Basically, after every re-boot, the pc is fine until I log in as me. From there the screen changes and the options tabs on the display properties have been reduced from 6 to 3.

What would you like me to do next?

At least I have control over Windows Explorer again. We seem to be getting somewhere.
Thanks for your time. :tazz:

BV ;)
  • 0

#15
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Sorry, I dropped the ball on that one. Didn't go back and read your first post. :tazz:

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard
AdwareDelete


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\zloader3.exe
C:\WINNT\System32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\wp.bmp
C:\WINNT\System32\perfcii.ini
C:\WINNT\System32\oleadm.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\System32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\system32\oleadm32.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\LogFiles
C:\Program Files\Security IGuard
C:\Program Files\PSGuard
C:\Program Files\AdwareDelete

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP