Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

plz help me [RESOLVED]

Started by smit.sanu , Jul 24 2005 01:26 AM

This topic is locked

#1
smit.sanu

Posted 24 July 2005 - 01:26 AM

Member

Member
39 posts

i am rely fad up of this virus it comes agian and agian tough i am using NAV 2004 and i update it once a week and corrupts display adpter settings and makes deault background wallpaper with this one and it cannot be changed plz someone help
here's the link for that wallpaper

http://www.megaupload.com/?d=355YV2J9

plz someone let me know its remedy and what to do :tazz:

Edited by smit.sanu, 24 July 2005 - 01:28 AM.

#2
greyknight17

Posted 24 July 2005 - 06:33 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#3
smit.sanu

Posted 25 July 2005 - 08:21 AM

Member

Topic Starter
Member
39 posts

here is the hijack this log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:54 PM, on 7/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\OUTPOSTUPDATE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - Startup: BRPReminder.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {9EAC0102-5E61-2312-BC2D-000000000000} - http://www.awmdabest...btd/5111/td.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = adi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.10.1.1

#4
greyknight17

Posted 25 July 2005 - 10:59 AM

Malware Expert

Visiting Consultant
16,560 posts

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

#5
smit.sanu

Posted 26 July 2005 - 10:42 AM

Member

Topic Starter
Member
39 posts

here's the logfile of

1.) CWshedder

**** Run Keys ****

RUN: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
RUN: [TaskMonitor] C:\WINDOWS\taskmon.exe
RUN: [SystemTray] SysTray.Exe
RUN: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
RUN: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
RUN: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
RUN: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
RUN: [Logitech Utility] LOGI_MWX.EXE
RUN: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
RUN: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe

**** Browser Helper Objects ****

BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar1.dll

**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX
TOOLBAR: [&Google] c:\program files\google\googletoolbar1.dll

**** IE Extensions ****

IEExt: [@shdoclc.dll,-866]
IEExt: [Run DAP] C:\PROGRA~1\DAP\DAP.EXE
IEExt: [Microsoft AntiSpyware helper] C:\PROGRA~1\DAP\DAP.EXE

**** Hosts File Entries ****

**** IE Settings ****

Default Page: http://www.microsoft...er=6&ar=msnhome
Default Search: http://www.microsoft...=ie&ar=iesearch
Local Page: C:\WINDOWS\SYSTEM\blank.htm

**** IE Context Menu (Right click) ****

IEContext: [&Google Search] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
IEContext: [Cached Snapshot of Page] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
IEContext: [Similar Pages] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
IEContext: [Backward Links] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
IEContext: [Translate into English] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
IEContext: [&Download with &DAP] C:\PROGRA~1\DAP\dapextie.htm
IEContext: [Download &all with DAP] C:\PROGRA~1\DAP\dapextie2.htm

**** Layered Service Providers ****

LSP: MS.w95.spi.tcp
LSP: MS.w95.spi.udp
LSP: MS.w95.spi.rsvptcp
LSP: MS.w95.spi.rsvpudp

**** Blocked Control Panel Items ****

BLOCKED: []

**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso4.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]

**** Windows Services ****

**** Custom IE Search Items ****

SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm

**** Complete IE Options ****

IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Show_ChannelBand] no
IEOPT: [LastCheckedHi]
IEOPT: [FullScreen] no
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Window_Placement] ,
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Disable Script Debugger] yes
IEOPT: [AutoSearch]
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Save Directory] C:\My Documents\baby stages\
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: [conc]
IEOPT: [Toolbars_Placement]
IEOPT: [Default_Page_URL] http://www.microsoft...er=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Custom_Key] MICROSO
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]

2.) SPSeHjfix

(7/26/05 6:34:55 PM) SPSeHjFix started v1.1.2
(7/26/05 6:34:55 PM) OS: Win98SE A (4.10.2222)
(7/26/05 6:34:55 PM) Language: english
(7/26/05 6:34:55 PM) Win-Path: C:\WINDOWS
(7/26/05 6:34:55 PM) System-Path: C:\WINDOWS\SYSTEM
(7/26/05 6:34:55 PM) Temp-Path: C:\WINDOWS\TEMP\
(7/26/05 6:35:02 PM) Disinfection started
(7/26/05 6:35:02 PM) Bad-Dll(IEP): c:\windows\temp\se.dll
(7/26/05 6:35:02 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\GLJF.DLL
(7/26/05 6:35:02 PM) Searchassistant Uninstaller - Keys Deleted
(7/26/05 6:35:02 PM) UBF: 4 - UBB: 0 - UBR: 14
(7/26/05 6:35:02 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(7/26/05 6:35:02 PM) UBF: 4 - UBB: 0 - UBR: 13
(7/26/05 6:35:02 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/26/05 6:35:02 PM) Stealth-String not found
(7/26/05 6:35:02 PM) File added to delete: c:\windows\system\gljf.dll
(7/26/05 6:35:02 PM) File added to delete: c:\windows\temp\se.dll
(7/26/05 6:35:02 PM) Reboot
(7/26/05 6:35:48 PM) SPSeHjFix 2nd Step
(7/26/05 6:35:48 PM) Stealth-String not present. Disinfection succesfully
(7/26/05 6:35:53 PM) Cleaned

3.) New logile of Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 6:38:03 PM, on 7/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\OUTPOSTUPDATE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - Startup: BRPReminder.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {9EAC0102-5E61-2312-BC2D-000000000000} - http://www.awmdabest...btd/5111/td.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = adi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.10.1.1

One more problem in Win XP my cablenet software is working but no net applications are running (ie) no IE 6.0 (SP1) and yahoo msg 7 (beta) and others are not working plz also tell me remedy to this problem

And IE 6 is now not opening in Win 98 after scanning with SPSeHjfix

Edited by smit.sanu, 26 July 2005 - 10:45 AM.

#6
greyknight17

Posted 26 July 2005 - 10:57 AM

Malware Expert

Visiting Consultant
16,560 posts

There's another infection here, let's try to remove that also. If you still can't go online after that, we will try some other method to restore the connection.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {171BBF00-F9ED-11D9-BB3A-00115B1F273D} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {9EAC0102-5E61-2312-BC2D-000000000000} - http://www.awmdabest...btd/5111/td.cab
===================================================

Delete C:\WINDOWS\SYSTEM\outpostupdate.exe if it exists.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Upload this file (BRPReminder.exe - search for it) to http://virusscan.jotti.org and report back what it found.

#7
smit.sanu

Posted 26 July 2005 - 10:41 PM

Member

Topic Starter
Member
39 posts

new log files

1.) Smitfiles.txt

smitRem log file
version 2.2

by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~ wininet.dll ~~~~

wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~ wininet.dll ~~~~

wininet.dll Clean!!

2.) Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 9:11:53 AM, on 7/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: BRPReminder.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = adi.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.10.1.1

well BRPremider is my birthday reminder exe file

but in y WINXP the internet problem still exists thai it is unable to connect to the net via IE 6 and yahoo and my cablenet services are working fine in XP plz see to this

And finally The AV program form ur side and protection from such viruses again as it was 4th time PC was infected from such a thing and every time i was formatting the PC

#8
smit.sanu

Posted 26 July 2005 - 10:42 PM

Member

Topic Starter
Member
39 posts

#9
smit.sanu

Posted 26 July 2005 - 10:43 PM

Member

Topic Starter
Member
39 posts

Attached Files

Untitled2.txt 54.11KB 77 downloads

Edited by smit.sanu, 27 July 2005 - 12:34 AM.

#10
greyknight17

Posted 27 July 2005 - 02:09 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, you have to be a little more clear on all of this. Can you get online now or not?

Where is the Panda log? That's the online virus scan. No need for Ewido since it won't work on Windows 98.

Is this a internet setting that you recognize?

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = adi.com

If that's ok, then:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#11
smit.sanu

Posted 28 July 2005 - 06:08 AM

Member

Topic Starter
Member
39 posts

well adi.com is my cablenet service provider so no problem with that.
Just one more thing i have downloaded WinsockXP which register keys for internet but everytime i have to this run the progran in Xp then restar the PC and then net connection gets start is there any permanent solution for it.
let me know the best anti Virus software that should be installed to protect from viruses and torjansmitfraud.c like spyware.

And Panda online scan is not working and nor its security dialog box is opening.

Edited by smit.sanu, 28 July 2005 - 06:10 AM.

#12
greyknight17

Posted 28 July 2005 - 10:54 AM

Malware Expert

Visiting Consultant
16,560 posts

Let's try registering Internet Explorer's DLL files. Go to Start->Run and copy and paste the following into the Run box and hit OK (go to Start->Run again for each one):

regsvr32 Shdocvw.dll
regsvr32 Shell32.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 Mshtml.dll
regsvr32 Urlmon.dll

Restart and see if that repairs the internet connection.

I'm still confused a little here. You are talking about two Windows system here. Your log says you have Windows 98 and you keep mentioning Windows XP. So which computer is having the problem?

OK, try this also:
Go to Start->Run and type in sfc and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

There is no best antivirus software out there. One that I recommend using is Grisoft AVG. As far as I know, there is no antivirus program (not currently) that can protect you from smitfraud. Try using the antispyware programs instead. They might be able to help prevent this from happening again.

#13
smit.sanu

Posted 28 July 2005 - 09:26 PM

Member

Topic Starter
Member
39 posts

ok let me clear you the things

1.) Win 98 was infected from smitfraud.c so in the log files it was showing OS as Win 98

2.) I have installed Win Xp sp2 seperately so my Lan connection was not getting started then i downloaded utility form your site
the utility was named as Winsock32.... it started the things but every time before starting net connection i have to run this program
then it restarts the PC and then again i have to enter my Ip address etc and then net connection starts.

So i am asking solution for this problem.

Edited by smit.sanu, 28 July 2005 - 09:41 PM.

#14
greyknight17

Posted 28 July 2005 - 10:36 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, got it now.

Did you do the other suggestions I mentioned previously? Didn't work?

Give me a HijackThis log in the Windows XP account - NOT Windows 98. I want to see that log also.

#15
smit.sanu

Posted 29 July 2005 - 12:10 AM

Member

Topic Starter
Member
39 posts

here's the log file of Hijack this for Xin XP

Logfile of HijackThis v1.99.1
Scan saved at 11:35:07 AM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\PROGRA~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68C42F5A-A245-4FF6-9E04-A7480685DE90}: Domain = adi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{68C42F5A-A245-4FF6-9E04-A7480685DE90}: NameServer = 10.10.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = adi.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = adi.com
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe