PSGuard [RESOLVED]


#1
Vikrant

Hi,

I have a red icon on my toolbar that says 'Your computer is infected' when I move my mouse pointer over it. On double clicking, the system attempts to contact the psguard website. However, my machine (Windows 98) seems to be working fine presently. But I would definitely like to get rid of the irritating icon, and the spyware program (if present), and was hoping that someone here could let me know how to do this. I did go to Symantec's website yesterday and edited the registry/deleted the psguard program, and the icon disappeared only to come back upon the next boot.


Below is my HJT log file.

Any assistance would be really appreciated.

Vikrant



Logfile of HijackThis v1.99.1
Scan saved at 2:11:33 PM, on 10/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDMXM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {CF740F01-3F0F-11DA-8485-4445551CC5F8} - C:\WINDOWS\SYSTEM\MKIF.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {45231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\E7W7E56F\epl28[1].cab
O16 - DPF: {65231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\C96JKXEN\epl132[1].cab
O18 - Filter: text/html - {CF740F00-3F0F-11DA-8485-44453A506063} - C:\WINDOWS\SYSTEM\MKIF.DLL
O18 - Filter: text/plain - {CF740F00-3F0F-11DA-8485-44453A506063} - C:\WINDOWS\SYSTEM\MKIF.DLL
#2
didom

Let's clean the first infection:

Download CWShredder

If you do not have a zip program please download the evaluation version of Winzip.

Download SpSeHjfix.zip to the desktop. Then right click on the desktop and select New > Folder, name it spfix and unzip SpSeHjfix.zip into the new folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to the next stage.

Once it is finished run CWShredder - Hit The FIX button!

Reboot and post a new HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

#3
Vikrant

Hi Dick,

Thanks for your help. I have done as instructed and it worked perfectly! Here are my new HJT and SpSeHjfix log files.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:02 AM, on 10/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDMXM.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {45231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\E7W7E56F\epl28[1].cab
O16 - DPF: {65231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\C96JKXEN\epl132[1].cab


SpSeHjfix Log:

(10/20/05 11:00:44 AM) SPSeHjFix started v1.09
(10/20/05 11:00:44 AM) OS: Win98SE A (4.10.67766446)
(10/20/05 11:00:44 AM) Language: english
(10/20/05 11:00:51 AM) Disinfect started
(10/20/05 11:00:51 AM) Bad-Dll(IEP): (not found)
(10/20/05 11:00:51 AM) Bad-Dll(IEP) in BHO: (not found)
(10/20/05 11:00:51 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\MKIF.DLL
(10/20/05 11:00:51 AM) Searchassistant Uninstaller - Keys Deleted
(10/20/05 11:00:51 AM) UBF: 6
(10/20/05 11:00:51 AM) UBB: 1
(10/20/05 11:00:51 AM) FilterKey: HKCR\text/html (deleted)
(10/20/05 11:00:51 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(10/20/05 11:00:51 AM) FilterKey: HKCR\CLSID\{CF740F00-3F0F-11DA-8485-44453A506063} (deleted)
(10/20/05 11:00:51 AM) FilterKey: HKCR\text/plain (deleted)
(10/20/05 11:00:51 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(10/20/05 11:00:51 AM) FilterKey: HKCR\CLSID\{CF740F00-3F0F-11DA-8485-44453A506063} (error while deleting)
(10/20/05 11:00:51 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF740F01-3F0F-11DA-8485-4445551CC5F8} (deleted)
(10/20/05 11:00:51 AM) BHO-Key: HKCR\CLSID\{CF740F01-3F0F-11DA-8485-4445551CC5F8} (deleted)
(10/20/05 11:00:51 AM) UBR: 3
(10/20/05 11:00:51 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(10/20/05 11:00:51 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(10/20/05 11:00:51 AM) Stealth-String not found:
(10/20/05 11:00:51 AM) File added to delete: c:\windows\system\mkif.dll
(10/20/05 11:00:51 AM) File added to delete: c:\windows\system\mkif.dll
(10/20/05 11:00:51 AM) File added to delete: c:\windows\temp\se.dll
(10/20/05 11:00:51 AM) Reboot
(10/20/05 11:01:55 AM) SPSeHjFix 2nd Step
(10/20/05 11:01:56 AM) RunServicesOnce-Key: (edited)
(10/20/05 11:02:03 AM) Cleaned


The system does not direct me to the CoolWebSearch page anymore. Please do let me know what else I should be doing to take care of other problems, and to get complete respite from the browser hijacking programs (if still present).

Vikrant

#4
didom

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download CCleaner and install it. (Please do not run the CCleaner utility yet.)

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Place a shortcut to Panda ActiveScan on your desktop.


Make sure all hidden files and folders are visible (Instructions )

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Scan again with HijackThis and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {45231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\E7W7E56F\epl28[1].cab
O16 - DPF: {65231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\C96JKXEN\epl132[1].cab

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete these files (if they are still there):
Files:
C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\web\related.htm
c:\windows\system\msdmxm.exe
C:\WINDOWS\SYSTEM\intel32.exe

Start CCleaner, click Run CCleaner (bottom right)


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log and the contents of the smitfiles.txt (C:\smitfiles.txt) log by using Add Reply.
Let us know if any problems persist.
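A script that applies the helper's checklist to a HijackThis log automatically, as an added example that is not code from the thread or from HijackThis. The sample lines are copied from the logs posted above; the rules (res:// search bars, rundll32 loading from TEMP, unnamed BHOs, file:// DPF entries, text/html filters, and the file names the thread's scans identified) are my reading of what the helper asked the poster to fix, not a general malware signature.

```python
"""Flag the HijackThis entries a malware helper would tell the poster to fix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# File names that the scans in this thread (Panda ActiveScan, SpSeHjfix) tied
# to the PSGuard/Smitfraud infection. Assumption: any reference to them is bad.
KNOWN_BAD_NAMES = {"intel32.exe", "msdmxm.exe", "dxvid.exe",
                   "se.dll", "mkif.dll", "oleadm.dll"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")  # "O4 - HKLM\..\Run: ..."
PROC_RE = re.compile(r"^[A-Za-z]:\\")                        # running-process lines

# Constructed sample: a subset of the poster's first log, copied verbatim.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {CF740F01-3F0F-11DA-8485-4445551CC5F8} - C:\WINDOWS\SYSTEM\MKIF.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {45231111-1111-1111-1111-111177773458} - file://C:\WINDOWS\Tempor~1\Content.IE5\E7W7E56F\epl28[1].cab
O18 - Filter: text/html - {CF740F00-3F0F-11DA-8485-44453A506063} - C:\WINDOWS\SYSTEM\MKIF.DLL
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section (R1, O4, ...) or "process"
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def _in_temp(text: str) -> bool:
    low = text.lower()
    return "\\temp\\" in low or "\\tempor~1\\" in low


def _file_names(text: str) -> set[str]:
    """Basenames of every path-like token (split on spaces and commas)."""
    return {_basename(tok) for tok in re.split(r"[ ,]", text) if "\\" in tok}


def classify(section: str, body: str) -> str | None:
    """Return why an entry is suspicious, or None if it looks benign."""
    low = body.lower()
    if section in ("R0", "R1"):
        if "res://" in low:
            return "IE search/start page redirected into a DLL resource (res://)"
        if low.endswith("about:blank"):
            return "IE page reset to about:blank, the hijacker's placeholder"
        return None
    if section == "O2" and "(no name)" in low:
        return "Browser Helper Object with no name"
    if section == "O4" and "rundll32" in low and _in_temp(body):
        return "Run key loads a DLL out of TEMP via rundll32"
    if section == "O16" and "file://" in low:
        return "ActiveX (DPF) registered from a local file:// cab"
    if section == "O18" and ("text/html" in low or "text/plain" in low):
        return "MIME filter hooked on text/html or text/plain (sees every page)"
    if _file_names(body) & KNOWN_BAD_NAMES:
        return "references a file the thread's scans identified as malware"
    if _in_temp(body):
        return "loads code from a TEMP directory"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect the entries worth fixing, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            if _basename(line) in KNOWN_BAD_NAMES:
                findings.append(Finding("process", "running process named by the scans", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue   # header lines and blanks
        reason = classify(m.group("sec"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings
```

Run `triage(SAMPLE_LOG)` to see that the Acrobat BHO and the Office startup shortcut pass while the eight entries the helper targeted are reported with a reason each.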

#5
Vikrant

Hi there.

Thanks once again. I did as instructed, and the three logs (HJT, Activescan and smitfiles) all show presence of malware, mainly intel32.exe or infected files. I also deleted the intel32.exe program through HJT in safe mode, as well as manually, but it always comes back and places the red icon on my desktop toolbar.

Here are the HJT, Activescan and smitfiles logs. I have marked the starting and ending points for convenience.

HJT Log:

________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 8:00:44 AM, on 10/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DXVID.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [dxvid] c:\windows\system\dxvid.exe /nocomm
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_46214] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 46214
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

_______________________________________________________________________________

Activescan Log:

_______________________________________________________________________________

Incident Status Location

Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\INTEL32.EXE
Spyware:Spyware/Dluca No disinfected C:\WINDOWS\SYSTEM\DXVID.EXE
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\INTEL32.EXE
Spyware:Spyware/Dluca No disinfected C:\WINDOWS\SYSTEM\DXVID.EXE
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\OLEADM.DLL
Virus:W32/Smitfraud.B Disinfected Operating system
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM\intel32.exe
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\oleadm.dll
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\msits.exe
Dialer:dialer.baj No disinfected C:\WINDOWS\internt.exe
Dialer:dialer.xd No disinfected C:\WINDOWS\switchagreement.txt
Spyware:spyware/dluca No disinfected Windows Registry
Virus:Defo Disinfected C:\SUHDLOG.DAT
Virus:Trj/LowZones.JF Disinfected C:\WINDOWS\SYSTEM\gxlib.exe
Adware:Adware/Fastvideoplayer No disinfected C:\WINDOWS\SYSTEM\vmplay.dll
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\intel32.exe
Spyware:Spyware/Dluca No disinfected C:\WINDOWS\SYSTEM\dxvid.exe
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\oleadm.dll
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Virus:Bck/Galapoper.BR Disinfected C:\WINDOWS\SYSTEM\latest.exe
Virus:Bck/Galapoper.BR Disinfected C:\WINDOWS\SYSTEM\sysvcs.exe
Virus:Trj/LowZones.JF Disinfected C:\WINDOWS\Downloaded Program Files\msits.exe
Dialer:Dialer.CUC No disinfected C:\WINDOWS\internt.exe
Dialer:Dialer.ABR No disinfected C:\HijackThis\backups\backup-20051020-151809-338.inf
Dialer:Dialer.ABR No disinfected C:\HijackThis\backups\backup-20051020-151809-889.inf
__________________________________________________________________________________


smitfiles Log:


__________________________________________________________________________________

mitRem log file
version 2.7

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll
wp.bmp


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleadm.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~






~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :tazz:
____________________________________________________________________________________


I hope things appear better than from where we started. It would be great if we could eliminate the remaining malware programs also.

Thanks,

Vikrant

#6
didom

Step #1

Please download the Killbox.
Please do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\INTEL32.EXE
    C:\WINDOWS\SYSTEM\DXVID.EXE
    C:\WINDOWS\SYSTEM\INTEL32.EXE
    C:\WINDOWS\SYSTEM\DXVID.EXE
    C:\WINDOWS\SYSTEM\OLEADM.DLL
    C:\WINDOWS\SYSTEM\intel32.exe
    C:\WINDOWS\SYSTEM\oleadm.dll
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\msits.exe
    C:\WINDOWS\internt.exe
    C:\WINDOWS\switchagreement.txt
    C:\SUHDLOG.DAT
    C:\WINDOWS\SYSTEM\gxlib.exe
    C:\WINDOWS\SYSTEM\vmplay.dll
    C:\WINDOWS\SYSTEM\intel32.exe
    C:\WINDOWS\SYSTEM\dxvid.exe
    C:\WINDOWS\SYSTEM\oleadm.dll
    C:\WINDOWS\SYSTEM\latest.exe
    C:\WINDOWS\SYSTEM\sysvcs.exe
    C:\WINDOWS\Downloaded Program Files\msits.exe
    C:\WINDOWS\internt.exe
    C:\HijackThis\backups\backup-20051020-151809-338.inf
    C:\HijackThis\backups\backup-20051020-151809-889.inf


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

  • Let the system reboot.
Step #2

Scan again with HijackThis and check the following items:
O4 - HKLM\..\Run: [dxvid] c:\windows\system\dxvid.exe /nocomm
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot again

Step #3

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
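Turning the ActiveScan report into the Killbox paste list, as an added example that is not from the thread, Panda or Killbox: it keeps only items the scanner could not disinfect, sets aside the "Windows Registry" and "Operating system" entries that no file deletion can fix, de-duplicates paths that differ only in case, and holds back core Windows files such as wininet.dll for repair rather than deletion. The sample rows are copied from the scan log posted above; the protected-file set is my assumption.

```python
"""Build a delete-on-reboot list from a Panda ActiveScan report."""
from __future__ import annotations

import re

# "Kind:Name  Status  Location" rows as ActiveScan prints them.
INCIDENT_RE = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<loc>.+?)\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: core Windows files go to a review bucket, never to the delete list.
# The thread's smitRem log reported wininet.dll infected, and it was repaired, not removed.
PROTECTED = {"wininet.dll", "kernel32.dll", "explorer.exe"}

# Constructed sample: rows copied from the ActiveScan log posted above.
SAMPLE_SCAN = r"""
Incident Status Location

Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\INTEL32.EXE
Spyware:Spyware/Dluca No disinfected C:\WINDOWS\SYSTEM\DXVID.EXE
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\OLEADM.DLL
Virus:W32/Smitfraud.B Disinfected Operating system
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM\intel32.exe
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\oleadm.dll
Dialer:dialer.xd No disinfected C:\WINDOWS\switchagreement.txt
Spyware:spyware/dluca No disinfected Windows Registry
Virus:Trj/LowZones.JF Disinfected C:\WINDOWS\SYSTEM\gxlib.exe
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Dialer:Dialer.ABR No disinfected C:\HijackThis\backups\backup-20051020-151809-338.inf
"""


def parse_incidents(report: str) -> list[dict[str, str]]:
    """Return one dict (kind, name, status, loc) per incident row; other lines are ignored."""
    rows = []
    for line in report.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def plan_cleanup(report: str) -> dict[str, list]:
    """Sort incidents into delete / review / non_file / already_clean buckets."""
    plan: dict[str, list] = {"delete": [], "review": [], "non_file": [], "already_clean": []}
    seen: set[str] = set()
    for row in parse_incidents(report):
        loc = row["loc"]
        if row["status"] == "Disinfected":
            plan["already_clean"].append(loc)             # scanner already repaired it
            continue
        if not PATH_RE.match(loc):
            plan["non_file"].append((row["name"], loc))   # registry / OS: needs another tool
            continue
        key = loc.lower()                                 # Windows paths are case-insensitive
        if key in seen:
            continue                                      # same file reported under two names
        seen.add(key)
        bucket = "review" if key.rsplit("\\", 1)[-1] in PROTECTED else "delete"
        plan[bucket].append(loc)
    return plan


def killbox_list(report: str) -> str:
    """One path per line, the shape Killbox expects from 'Paste from Clipboard'."""
    return "\n".join(plan_cleanup(report)["delete"])
```

With the sample report the delete list shrinks to five distinct paths, the registry-only Dluca entry is reported separately, and the three already-disinfected rows are left alone.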

#7
Vikrant

Hi,

Thanks for the quick reply. I did as directed, and I now have a !KillBox folder that contains the malware programs. However, these don't seem to be running now.

Here are the HJT, Activescan and KillBox logs.

Please do let me know if things are alright now; the Activescan log still reports an infection in Windows Registry (the first entry).

Thanks once again,

Vikrant




HJT Log:

__________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:29:41 AM, on 10/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

____________________________________________________________________________

KillBox Log:

____________________________________________________________________________


Pocket Killbox version 2.0.0.265
Running on Windows 98
was started @ Friday, October 21, 2005, 11:07 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM\INTEL32.EXE


# 2 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM\intel32.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM\oleadm.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\internt.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\switchagreement.txt


# 6 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM\vmplay.dll


# 7 [Delete on Reboot]
Path = C:\HijackThis\backups\backup-20051020-151809-338.inf


# 8 [Delete on Reboot]
Path = C:\HijackThis\backups\backup-20051020-151809-889.inf


I clicked Exit @ 11:08:29 AM
__________________________________________________________________________


Activescan Log:

__________________________________________________________________________

Incident Status Location

Spyware:spyware/dluca No disinfected Windows Registry
Dialer:Dialer.ABR No disinfected C:\!KillBox\backup-20051020-151809-889.inf
Dialer:Dialer.ABR No disinfected C:\!KillBox\backup-20051020-151809-338.inf
Adware:Adware/Fastvideoplayer No disinfected C:\!KillBox\vmplay.dll
Dialer:Dialer.CUC No disinfected C:\!KillBox\internt.exe
Spyware:Spyware/Smitfraud No disinfected C:\!KillBox\oleadm.dll
Spyware:Spyware/Smitfraud No disinfected C:\!KillBox\intel32.exe
____________________________________________________________________________

#8
didom

Step #1

Find and delete this folder (if it is still there):
C:\!KillBox <= this folder


Step #2

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{da9a0b1e-9b7b-11d3-b8a4-00c04f79641c}]
[-HKEY_CLASSES_ROOT\interface\{da9a0b1d-9b7b-11d3-b8a4-00c04f79641c}]
[-HKEY_CLASSES_ROOT\interface\{da9a0b1f-9b7b-11d3-b8a4-00c04f79641c}]
[-HKEY_CLASSES_ROOT\nsupdatelite.nsupdatelitectrl]
[-HKEY_CLASSES_ROOT\nsupdatelite.nsupdatelitectrl.1]
[-HKEY_CURRENT_USER\software\carpediemvars]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run micro update]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run od-gays33]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\system\ieaccess2.dll]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices micro update]
[-HKEY_LOCAL_MACHINE\software\alifestyle\dialer installdir]
[-HKEY_LOCAL_MACHINE\software\alifestyle\dialer int327777.exe]
[-HKEY_LOCAL_MACHINE\software\alifestyle\dialer int327777.sdb]
[-HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{da9a0b1e-9b7b-11d3-b8a4-00c04f79641c} ]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run dluxjp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run dsb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run hotaction_jp]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run micro update]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run orgycam]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run sexcams_au]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run xxxmovie_se]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.


Step #3

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#9
Vikrant

Hi,

I merged the fix.reg with my machine's registry, and here are the Activescan and HJT logs. Please do let me know how to address the remaining issues also.

Thanks for helping me out!

Vikrant


Activescan Log:

_____________________________________________________________________________


Incident Status Location

Spyware:spyware/dluca No disinfected Windows Registry
_____________________________________________________________________________


HJT Log:

_____________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 3:14:06 AM, on 10/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab


______________________________________________________________________________

#10
didom

I don't think we can fix that registry issue, but it shouldn't be any problem...

How is your computer running?

#11
Vikrant

Hi Dick,

The computer is running much better now. Thanks so much for helping me out.
I hope I don't run into problems such as these again...

Thanks once again,

Vikrant

#12
didom

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts.

    Please post back if you are still having any problems....


#13
didom

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.