Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

smitfraud trojan, heres my hijack this log

Started by smeke , Jul 18 2005 06:40 PM

  • Please log in to reply

#1
smeke
Posted 18 July 2005 - 06:40 PM

smeke

    Member

  • Member
  • PipPip
  • 27 posts
ive got this trojan and it shows me the security warning screen on my desktop telling me to use my spysweeper etc...

here is my log i really hope you can help me

Logfile of HijackThis v1.99.1
Scan saved at 07:36:10 p.m., on 18/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\outpostupdate.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Archivos de programa\AnalogX\POW\pow.exe
C:\Archivos de programa\Ares Lite Edition\Ares.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jacobo Smeke\Mis documentos\Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\System32\dumprep.exe
C:\WINDOWS\System32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DE166F65-4A6D-4780-9F85-DFD3EBA3F5D7} - C:\WINDOWS\System32\nbem.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - Startup: POW!.lnk = C:\Archivos de programa\AnalogX\POW\pow.exe
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c401.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114563178095
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F551F1D7-53FA-416B-8B25-58A85D8F97A0} (GrabMailAddresses Class) - http://www.zorpia.com/grabmail.cab
O18 - Filter: text/html - {6CEC2C9F-F7E6-42E2-8118-E4196F773897} - C:\WINDOWS\System32\nbem.dll
O18 - Filter: text/plain - {6CEC2C9F-F7E6-42E2-8118-E4196F773897} - C:\WINDOWS\System32\nbem.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
Perculator
Posted 24 July 2005 - 03:47 PM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
Welcome to Geeks to Go!

Sorry for the delay, the forums are very busy.

If you still need help, please post back here in this topic with a fresh log using HijackThis.

Also do this please:
Open HijackThis
Go to Open the Misc Tools Session
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.

If you solved the problem, please let me know.
  • 0

#3
Perculator
Posted 24 July 2005 - 03:52 PM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
Welcome to Geeks to Go!

Sorry for the delay, the forums are very busy.

If you still need help, please post back here in this topic with a fresh log using HijackThis.

Also do this please:
Open HijackThis
Go to Open the Misc tools Session
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.

If you solved the problem, please let me know.
  • 0

#4
smeke
Posted 24 July 2005 - 06:49 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
thanks for the answer, i think the virus is off but i cant eliminate all the spyware, and im not sure if its gone, so ill put the uninstall list anyway :tazz:

Adobe Acrobat 5.0
AnalogX POW!
Ares 1.8.1
AXE corazones Screen Saver
Creative Jukebox Driver
Creative MediaSource
Creative NOMAD Jukebox Zen Xtra
ewido security suite
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 2
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Shockwave Player
Messenger Plus! 3
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
MP3 Converter Simple
MSN Messenger 7.0
Norton SystemWorks 2003
Norton WMI Update
Search Assistant Uninstall
Spybot - Search & Destroy 1.4
  • 0

#5
Perculator
Posted 25 July 2005 - 01:34 AM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
As i could see multiple infections, in your log, i want to advise you, to post a fresh hijack this log too.
  • 0

#6
smeke
Posted 25 July 2005 - 01:48 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
ok then, thanks for the help; here's my new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 02:46:11 p.m., on 25/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\AnalogX\POW\pow.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jacobo Smeke\Configuración local\Archivos temporales de Internet\Content.IE5\7V15D192\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DE166F65-4A6D-4780-9F85-DFD3EBA3F5D7} - C:\WINDOWS\System32\nbem.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe
O4 - Startup: POW!.lnk = C:\Archivos de programa\AnalogX\POW\pow.exe
O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c401.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114563178095
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F551F1D7-53FA-416B-8B25-58A85D8F97A0} (GrabMailAddresses Class) - http://www.zorpia.com/grabmail.cab
O18 - Filter: text/html - {60F8E128-2AF7-4E5A-AD3A-F9E9D44792EF} - C:\WINDOWS\System32\nbem.dll
O18 - Filter: text/plain - {60F8E128-2AF7-4E5A-AD3A-F9E9D44792EF} - C:\WINDOWS\System32\nbem.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
  • 0

#7
Perculator
Posted 26 July 2005 - 04:27 PM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
you got a nasty infection there, i'll post a fix tomorrow, because it's now over midnight now here
  • 0

#8
Perculator
Posted 27 July 2005 - 12:09 PM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
Hello, a lot of work but remain calm.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later, Because in parts of this fix we will not have acces to the internet.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY.
Download CWShredder.
Download SpSeHjfix.
Download and install CleanUp! Here
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Save all of these files somewhere you will remember like to the Desktop.

Place a shortcut to Panda ActiveScan on your desktop.


Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Install Cleanup. You dont need to do anything with it right now, we will use it later on.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Start hijack this and put a check at the following lines

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll/space.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll/space.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {DE166F65-4A6D-4780-9F85-DFD3EBA3F5D7} - C:\WINDOWS\System32\nbem.dll (file missing)

O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\se.dll,DllInstall

O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe

O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\System32\outpostupdate.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c401.cab

O18 - Filter: text/html - {60F8E128-2AF7-4E5A-AD3A-F9E9D44792EF} - C:\WINDOWS\System32\nbem.dll

O18 - Filter: text/plain - {60F8E128-2AF7-4E5A-AD3A-F9E9D44792EF} - C:\WINDOWS\System32\nbem.dll

Now Click Fix Checked
and close Hijack this


Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

    Run about:buster again following the same instructions as above, this time without the restart at the end.

    Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

    Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.


    We need to make sure all hidden files are showing so please:
    [list] * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.
And remove the following files
C:\WINDOWS\System32\outpostupdate.exe
C:\WINDOWS\System32\nbem.dll



Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it’s done, press Close.
The program will now ask you to log out or restart, but click NO
First we’re doing something else

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows’ Normal mode

And click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log, the result of SpSeHjfix , the Aboutbusterlogs (2x) and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#9
smeke
Posted 27 July 2005 - 06:56 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
hello ive just finished doing what i had to do, ill post my logs in the next post, but i have a situation here, i just rebooted my comp and now im stuck with the classic windows theme, and i cant change it :S help me please!
  • 0

#10
smeke
Posted 27 July 2005 - 07:19 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Logfile of HijackThis v1.99.1
Scan saved at 08:14:46 p.m., on 27/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\AnalogX\POW\pow.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jacobo Smeke\Mis documentos\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: POW!.lnk = C:\Archivos de programa\AnalogX\POW\pow.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114563178095
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F551F1D7-53FA-416B-8B25-58A85D8F97A0} (GrabMailAddresses Class) - http://www.zorpia.com/grabmail.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 07:43:31 p.m., 27/07/2005
+ Report-Checksum: D2C65FE1

+ Scan result:

No infected files!


::Fin Report

(7/27/05 06:55:02 p.m.) SPSeHjFix started v1.1.2
(7/27/05 06:55:02 p.m.) OS: WinXP (5.1.2600)
(7/27/05 06:55:02 p.m.) Language: español
(7/27/05 06:55:02 p.m.) Win-Path: C:\WINDOWS
(7/27/05 06:55:02 p.m.) System-Path: C:\WINDOWS\System32
(7/27/05 06:55:02 p.m.) Temp-Path: C:\DOCUME~1\JACOBO~1\CONFIG~1\Temp\
(7/27/05 06:55:04 p.m.) Disinfection started
(7/27/05 06:55:04 p.m.) Bad-Dll(IEP): c:\docume~1\jacobo~1\config~1\temp\se.dll
(7/27/05 06:55:04 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:04 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:04 p.m.) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\jacobo~1\config~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
(7/27/05 06:55:04 p.m.) Stealth-String not found
(7/27/05 06:55:04 p.m.) No locked Files to delete. End without Reboot
(7/27/05 06:55:52 p.m.) Disinfection started
(7/27/05 06:55:52 p.m.) Bad-Dll(IEP): c:\docume~1\jacobo~1\config~1\temp\se.dll
(7/27/05 06:55:52 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:52 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:52 p.m.) Bad IE-pages: (none)
(7/27/05 06:55:52 p.m.) Stealth-String not found
(7/27/05 06:55:52 p.m.) No locked Files to delete. End without Reboot
(7/27/05 06:55:53 p.m.) Disinfection started
(7/27/05 06:55:53 p.m.) Bad-Dll(IEP): c:\docume~1\jacobo~1\config~1\temp\se.dll
(7/27/05 06:55:53 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:53 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:53 p.m.) Bad IE-pages: (none)
(7/27/05 06:55:53 p.m.) Stealth-String not found
(7/27/05 06:55:53 p.m.) No locked Files to delete. End without Reboot
(7/27/05 06:55:53 p.m.) Disinfection started
(7/27/05 06:55:53 p.m.) Bad-Dll(IEP): c:\docume~1\jacobo~1\config~1\temp\se.dll
(7/27/05 06:55:53 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:53 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:53 p.m.) Bad IE-pages: (none)
(7/27/05 06:55:53 p.m.) Stealth-String not found
(7/27/05 06:55:53 p.m.) No locked Files to delete. End without Reboot
(7/27/05 06:55:53 p.m.) Disinfection started
(7/27/05 06:55:53 p.m.) Bad-Dll(IEP): c:\docume~1\jacobo~1\config~1\temp\se.dll
(7/27/05 06:55:53 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:53 p.m.) UBF: 5 - UBB: 2 - UBR: 16
(7/27/05 06:55:53 p.m.) Bad IE-pages: (none)
(7/27/05 06:55:53 p.m.) Stealth-String not found
(7/27/05 06:55:53 p.m.) No locked Files to delete. End without Reboot


(7/27/05 06:56:13 p.m.) SPSeHjFix started v1.1.2
(7/27/05 06:56:13 p.m.) OS: WinXP (5.1.2600)
(7/27/05 06:56:13 p.m.) Language: español
(7/27/05 06:56:13 p.m.) Win-Path: C:\WINDOWS

AboutBuster 5.0 reference file 31
Scan started on [27/07/2005] at [06:51:17 p.m.]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 06:51:48 p.m.


AboutBuster 5.0 reference file 31
Scan started on [27/07/2005] at [06:52:57 p.m.]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 06:53:23 p.m.


THOSE WERE ALL THE LOGS I GOT
  • 0

Advertisements

#11
Perculator
Posted 28 July 2005 - 07:09 AM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
Hello,

Start hijack this and put a check at the following line

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com

Now click Fix Checked
And close hijack this

***
Download the Hoster Here
Please do not use program yet

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore orginal host files
  • close program
***
Your Xp-style will be back after you do the following

Download XP Styles by Miekemoes.

Unzip it and MOVE the luna.msstyles which is present in that folder you unzipped to next folder: C:\WINDOWS\Resources\Themes\Luna
Don't move it to anywhere else than that folder!

When moved it there, rightclick on your desktop > properties ... and look if Windows XPstyle is now present again. Choose apply and OK.

If not, reboot first, and try again to select Windows XPstyle

After you rebooted the computer run hijack this and tell me if your computer is allright now.
  • 0

#12
smeke
Posted 28 July 2005 - 03:01 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
PERCULATOR GOD BLESS YOU lol thank you so much for your help, my computer functions perfectly now, and its all thanks to you, thank you for taking the time and patience 2 help me, i really appreciate it, you are a noble soul lol.

anyway here is my final hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 03:59:41 p.m., on 28/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\AnalogX\POW\pow.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jacobo Smeke\Mis documentos\Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: POW!.lnk = C:\Archivos de programa\AnalogX\POW\pow.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114563178095
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F551F1D7-53FA-416B-8B25-58A85D8F97A0} (GrabMailAddresses Class) - http://www.zorpia.com/grabmail.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
  • 0

#13
Perculator
Posted 29 July 2005 - 03:03 PM

Perculator

    Visiting Staff

  • Member
  • PipPipPip
  • 183 posts
You did a great job too!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
  • 0

#14
smeke
Posted 10 August 2005 - 05:56 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hello perculator, i fixed the Windows XP Theme with the download you gave me, but the files' theme did not change lol, i just see a white background i dont know if you understand so ill just put an image, to see if you can help me.

apart from that my computer has been functioning perfectly, i took all the security measures you told me to, and i ordered Windows SP2 to have better protection. Thank You.

Attached Thumbnails

  • panel.JPG

  • 0

#15
smeke
Posted 10 August 2005 - 10:04 PM

smeke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
oh i fixed it, thanks anyway :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP