Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

"Your System is Infected" Desktop Malware [RESOLVED]


  • This topic is locked This topic is locked

#1
Medic-on-Fire

Medic-on-Fire

    New Member

  • Member
  • Pip
  • 5 posts
Hi, I have spent the better part of the afternoon attempting to rid my system of a nasty piece of malware I came across earlier this morning. After reading many of the posts on this site on this topic, I have downloaded several new Antispy applications with only minimal success. I have been able to clear the message (Your system is Infected, yada, yada, yada) from the Desktop, however, I am unable to adjust any of the properties in the Desktop Properties Panel and I am stuck with a blue-grey screen. I have also attempted to download the about:buster software by RubbeR DuckY, however, I have experienced one error message after another when attempting to open the applicaiton.

I sure would appreciate any and all assistance with this matter!

Thanks!

HJT Log Follows:
________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 5:02:42 PM, on 10/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Screen Calendar\scrcal.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\My Documents\My Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Screen Calendar] "C:\Program Files\Screen Calendar\scrcal.exe" -m
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\DOCUME~1\default\LOCALS~1\Temp\2E.tmp
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
Medic-on-Fire

Medic-on-Fire

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sam~

Hello & thanks for your reply! I am away from my office at the present time, however, I am still in need of some assistance with my recent malware issues. I will post a fresh HJT Log in the morning on 10/08/05. I look forward to any help you can provide, as I would greatly like to get my system up & running strong again.

Again, thanks for your help....I look forward to working with you!

:tazz:
  • 0

#4
Medic-on-Fire

Medic-on-Fire

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sam~

The problems I am having persist! Urgh! :tazz: As promised, I have run another system scan using HJT.

The fresh log follows:
________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:06:16 AM, on 10/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Screen Calendar\scrcal.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\default\My Documents\My Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Screen Calendar] "C:\Program Files\Screen Calendar\scrcal.exe" -m
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\DOCUME~1\default\LOCALS~1\Temp\2E.tmp
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

_______________________________________________

Again, thanks for your assistance!
  • 0

#5
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Me too. Just post when you can. I'll be around. :)

Ooops, looks like I just passed you while you were posting. :tazz:

Let's get you fixed up!


First we need to download and prepare some tools that we will need to fix your problem.
  • Please download SmitRem.zip
    • Save the file to your desktop.
    • Right click on the file and extract it to it's own folder on the desktop.
  • Please download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit ewido. DO NOT scan yet.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido Manual Updates

  • Please download Adaware SE 1.06
    Install Adaware and check for updates, but don't run it yet.

  • Place a shortcut to Panda ActiveScan on your desktop.

=============


Now that you have the right tools we can start fixing your problem.
Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


=============


Once in Safe mode, follow these steps:
  • Open the smitRem folder, then double click the RunThis.bat file to start the tool.
    • Follow the prompts on screen.
    • Wait for the tool to complete and disk cleanup to finish.
    • The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  • Open Ad-aware and do a full scan. Remove everything that it finds.

  • Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop.
    • Close Ewido.
  • Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

  • Reboot back into normal mode and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

  • Save the Panda scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let me know if any problems persist.

Edited by Buckeye_Sam, 08 October 2005 - 08:28 AM.

  • 0

#6
Medic-on-Fire

Medic-on-Fire

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sam~

Hi and thanks for your helpful information! I have followed your instructions to the letter and I think I have experienced a little progress! :tazz: I did run into one little problem while I was running the Panda ActiveScan, however, which was that I never found the AutoClean box. Suffice it to say, not one of the five infections that were located by Panda ActiveScan were disinfected.

The good news, though, is that I have finally regained control over my desktop themes again. I'm not sure if it's just me or not, but the preloaded Windows images seem to be slightly distorted when placed in the background (almost as though there aren't enough pixels to cover the full size of the screen adequately). This isn't really all that big of a deal, just more of an annoyance.

My only concern now is how to take care of some of the infections I located through the various system scans. I will post the logs, as you requested, and I will wait to hear back from you before proceeding with any other "treatment".

Again, thanks so much for your help!

**** Logs to follow****
__________________________________________________________

Panda Scan:


Incident Status Location

Spyware:spyware/petro-line No disinfected C:\Documents and Settings\default\Favorites\SITES ABOUT\Credit counseling.url
Adware:Adware/WindowEnhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\default\My Documents\My Applications\backups\backup-20051004-153344-338.inf
Adware:Adware/SearchAid No disinfected C:\System Volume Information\_restore{3BF730E8-581A-4B75-8FF3-430BB54D0354}\RP274\A0059018.exe
Adware:Adware/SearchAid No disinfected C:\System Volume Information\_restore{3BF730E8-581A-4B75-8FF3-430BB54D0354}\RP274\A0059019.exe
_____________________________________________________

HTJ Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:52:54 PM, on 10/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Screen Calendar\scrcal.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\default\My Documents\My Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Screen Calendar] "C:\Program Files\Screen Calendar\scrcal.exe" -m
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

____________________________________________________________

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:18:55 PM, 10/8/2005
+ Report-Checksum: FD1C5DB7

+ Scan result:

C:\WINDOWS\SYSTEM32\ntfu.exe -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\SYSTEM32\ipbj32.exe -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\fjinml.dat -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\systh32.exe -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\ldddjr.dat -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\hcuqbi.dat -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\fxgvsl.dat -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\wnlhyl.log -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\gubjzr.dat -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\psjntg.dat -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\onwnav.log -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\zhhxwi.log -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\lamitd.txt -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\hgosuy.log -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\eawonf.txt -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\Documents and Settings\default\Cookies\default@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned without backup
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned without backup
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.9:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.16:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned without backup
:mozilla.18:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned without backup
:mozilla.26:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned without backup
:mozilla.27:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned without backup
:mozilla.28:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.29:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.30:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.31:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.32:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.33:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.34:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.35:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.36:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.37:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned without backup
:mozilla.38:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
:mozilla.40:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.41:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.42:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned without backup
:mozilla.43:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.44:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.46:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.47:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\m79fts79.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
C:\System Volume Information\_restore{3BF730E8-581A-4B75-8FF3-430BB54D0354}\RP274\A0059017.dll -> Spyware.SearchPage : Cleaned without backup


::Report End
__________________________________________________________

I hope this was everything you were looking for. Please let me know which direction I should take next.

Thanks again!
  • 0

#7
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You're just missing one log. The log from Smitrem, which should be located at C:smitfiles.txt
Please post it in your next reply.


Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing



Delete these files.

C:\Documents and Settings\default\Favorites\SITES ABOUT\Credit counseling.url
C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
C:\Documents and Settings\default\My Documents\My Applications\backups\backup-20051004-153344-338.inf




Reboot and post a new hijackthis log and the smitrem log.
  • 0

#8
Medic-on-Fire

Medic-on-Fire

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sam~

Once again, thank you for your tremendous assistance...GTG has truly become one of the most useful sites on the net in my opinion!

I have once again followed your instructions and the requested log files follow:

__________________________________

Smitrem Log:


smitRem log file
version 2.6

by noahdfear

The current date is: Sat 10/08/2005
The current time is: 15:58:34.90

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:

____________________________________

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:50:32 PM, on 10/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\802.11 Wireless LAN\WlanMonitor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\Hotsync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\default\My Documents\My Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

_________________________________________________

Hope everything looks okay!
  • 0

#9
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log is clean! :tazz:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:) :)
  • 0

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP