[howardjska]

The computer infected with the trojan-spy is pretty much out of commision due to the Windows Explorer error window. Once it pops up, nothing is accessable on the desktop... I wish i knew how to use the HijackThis program without crashing my computer so i didnt have to bug you all. So, I thought i would just leave it to the pros.


Logfile of HijackThis v1.99.1
Scan saved at 5:58:41 PM, on 7/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Ares\Ares.exe
C:\bsw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\DOCUMENTS AND SETTINGS\REGINA\DESKTOP\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\Regina\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/...gaInstaller.exe
O16 - DPF: {564EC66E-5A1B-51D4-1DB0-5080C23DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/ pcash/loader.chm::/loader.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3315447_disk.dll

Edited by howardjska, 21 July 2005 - 07:05 PM.

[Advertisements]

Hello and welcome to Geeks To Go.

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 2 +++++

Update HiJackThis

• Open HiJackThis
• Click Open the Misc Tools Section
• Click Check for update online

+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

~Kristy

[Kristy]

Hello and welcome to Geeks To Go.

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 2 +++++

Update HiJackThis

• Open HiJackThis
• Click Open the Misc Tools Section
• Click Check for update online

+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

~Kristy

[howardjska]

For your step one instructions, i ran an online virus scan but i used Spy Ferret because i already has it on my computer and i couldnt get any of your suggested virus scan sites to work (mainly because im running on firefox and they all require internet explorer to work, which is not at my disposal at this moment). And im pretty sure Spy Ferret has done what the others would have done. If you absolutely need the results from the places you suggested then i could probably get them for you, but for now this is all i could get...

results of Spy Ferret:



- CWS: Registry Key (Registry Key)

- Ibis Toolbar: Registry Key (Registry Key)

- Ibis Toolbar: Registry Key (Registry Key)

- IBIS Toolbar: Settings (Registry Key)

- BHO: Mega! Search: best-search.us hijacker - BHO\{8BC63466B-FFB0-4435-ACE3-FACA6CD77816} (Registry Key)

- Parasite BHO: Mega! Search:best-search.us hijacker - C:\DOCUME~1\Regina\LOCALS~1\Temp\MegaHost.dll (File)

- Parasite BHO: Mega! Search: best-search.us hijacker HKCR\CLSID\{8BC6346B-FFB0-4453-ACE3-FACA6CD77816} (Registry Key)

- StartSearches.net (Trojan.Smitfraud.c): Spyware File (File)

- StartSearches.net (Trojan.Smitfraud.c): Spyware File (File)

- TwainTech: Registry Key (Registry Key)

- UnknownBHO: Threat (File)




I followed your step 2 instructions and it said "You have the latest version of HijackThis 1.99.1" so im assuming everything is fine there.



Step 3: I got the new logfile like the one before right after i updated HijackThis.

Here it is...



Logfile of HijackThis v1.99.1
Scan saved at 7:23:25 PM, on 7/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Ares\Ares.exe
C:\bsw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Regina\Desktop\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\Regina\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {01CAB655-0560-4617-BF41-6E114899C669} - C:\WINDOWS\System32\wldr.dll (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/...gaInstaller.exe
O16 - DPF: {564EC66E-5A1B-51D4-1DB0-5080C23DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/...hm::/loader.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3315447_disk.dll




... And last but not least i got the uninstall list you had me get...



6000 Sound Effects
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
AOL Instant Messenger
Ares 1.8.1
Cool Edit Pro 2.0
Finale 2005
HijackThis 1.99.1
IrfanView (remove only)
Mozilla Firefox (1.0.1)
Mozilla Thunderbird (1.0.2)
NavExcel Search Toolbar (remove only)
SpyFerret 4.33.6003
Trojan Remover 6.4.1
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Yahoo! Toolbar



And by the way i cant mention how thankful i am that your helping me with this... after about six days i was wondering if anyone would help because i saw everyone else getting assistance by that time... so thanks alot!!!

Edited by howardjska, 26 July 2005 - 08:37 PM.

[Kristy]

Hello howardjska,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

~Kristy

[howardjska]

I currently cannot download the windows update because my computer is not properly registered... I tried it anyways and it said i have a pirated windows xp. But its actually not pirated, I installed the same windows onto my f'd up computer that i have on the computer i am currently using because i was too cheap to buy a seperate xp for each computer. I currently have a new one but i cant switch to it untill i get rid of the trojan... so im basically in a catch 22 right?

[Kristy]

While we understand that you may not have been aware, your copy of Windows is not legitimate. Unfortunately, we are unable to help you any further on this site, as we have a strict policy we adhere to in only helping people who have legitmate copies of Windows. Thank you for understanding.