
SpySheriff Infection [RESOLVED]


#1 Scarlete (Member, 21 posts)

First infected this morning after visiting a website that I can't recall. Some poetry website. :/ myyearbook.com asked for cookies. Program downloaded itself and I got warnings of spyware infestation. I shut my computer down, disconnected internet (the hard way) and rebooted. SpySheriff started on startup and started to do a scan. I hit pause and googled what that program was. Followed all the handy dandy instructions and now... here I am. (:

TIA!


My first hijack log appears to have disappeared into outer space. :/ (I ran a search, only found a log created in September and the second one I did.)

But on to the others:

Spybot Report:

--- Search result list ---
Congratulations!: No immediate threats were found. ()


--- Spybot-S&D version: 1.2 ---
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Windows XP Hotfix - KB893066
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB898461)


--- Startup entries list ---
Spybot-S&D Startup list report, 3/1/2006 10:55:25 AM

Located: HK_CU:Run, Shell
file: "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

Located: HK_LM:Run, NvCplDaemon
file: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

Located: HK_LM:Run, Wirehog
file: C:\Program Files\Wirehog\Run.lnk
MD5: 030337E49E022E5C26825A1EFA2F9358

Located: HK_LM:Run, nwiz
file: nwiz.exe /install

Located: HK_LM:Run, QuickTime Task
file: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Located: HK_LM:Run, HostManager
file: C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
MD5: D88962ADA17E876554BF03D977139148

Located: HK_LM:Run, SunJavaUpdateSched
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
MD5: 61A3A9D5D98BF0331DF5B716144A8100

Located: HK_LM:Run, SetIcon
file: \Program Files\SMSC\SetIcon.exe
MD5: 1DEE2BF22ECA27B3BBF91BA107DB07D8

Located: HK_LM:Run, iobi
file: C:\Program Files\Verizon\iobi\iobiClient.exe -AS

Located: Startup (common), Adobe Gamma Loader.lnk
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
MD5: 5CD0CD0EC4DC5DF459B3AC016764F5AA

Located: Startup (common), EPSON Status Monitor 3 Environment Check 2.lnk
file: C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
MD5: EFC3C2BF721894C125FE7720BF956358



--- Browser helper object list ---
Spybot-S&D Browser helper object report, 3/1/2006 10:55:26 AM

{77701e16-9bfe-4b63-a5b4-7bd156758a37}


--- ActiveX list ---
Spybot-S&D ActiveX report, 3/1/2006 10:55:29 AM



--- Process list ---
Spybot-S&D process list report, 3/1/2006 10:55:29 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 140 ( 4) \SystemRoot\System32\smss.exe
PID: 192 ( 964) C:\WINDOWS\explorer.exe
PID: 204 ( 140) csrss.exe
PID: 228 ( 140) \??\C:\WINDOWS\system32\winlogon.exe
PID: 272 ( 228) C:\WINDOWS\system32\services.exe
PID: 284 ( 228) C:\WINDOWS\system32\lsass.exe
PID: 432 ( 272) C:\WINDOWS\system32\svchost.exe
PID: 492 ( 272) svchost.exe
PID: 520 ( 192) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 536 ( 272) C:\WINDOWS\system32\svchost.exe


--- Browser start & search pages list ---
Spybot-S&D browser pages report, 3/1/2006 10:55:29 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
c:\secure32.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
c:\secure32.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
c:\secure32.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
c:\secure32.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm


--- Winsock Layered Service Provider list ---
Spybot-S&D winsock LSP report, 3/1/2006 10:55:29 AM

NS Provider ( 1) Tcpip ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
NS Provider ( 2) NTDS ({3B2637EE-E580-11CF-A555-00C04FD8D4AC})
NS Provider ( 3) Network Location Awareness (NLA) Namespace ({6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83})
Protocol ( 1) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 2) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 3) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 4) RSVP UDP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol ( 5) RSVP TCP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol ( 6) MSAFD NetBIOS [\Device\NetBT_Tcpip_{490CDDE4-5A38-4076-91AC-93FAF3E2DA66}] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 7) MSAFD NetBIOS [\Device\NetBT_Tcpip_{490CDDE4-5A38-4076-91AC-93FAF3E2DA66}] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 8) MSAFD NetBIOS [\Device\NetBT_Tcpip_{3EC90DA8-64F2-45C6-850F-7B57EA210D40}] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 9) MSAFD NetBIOS [\Device\NetBT_Tcpip_{3EC90DA8-64F2-45C6-850F-7B57EA210D40}] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (10) MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD763101-81E9-4296-AB09-4A3969F0E47E}] SEQPACKET 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (11) MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD763101-81E9-4296-AB09-4A3969F0E47E}] DATAGRAM 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})


--------------------------------

C:\smitfiles.txt log:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/01/2006
The current time is: 10:28:47.20

Running from
C:\Documents and Settings\gary\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

secure32.html


~~~ Drive root ~~~

secure32.html
winstall.exe

~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 764 'explorer.exe'
Killing PID 764 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :tazz:


-----------------------------

Ewido Log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:43:08 AM, 3/1/2006
+ Report-Checksum: 335F523C

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-682003330-113007714-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -> Downloader.ConHook.l : Cleaned with backup
HKU\S-1-5-21-682003330-113007714-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\xxwxv.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\vzbb.dll.old -> Adware.MegaSearch : Cleaned with backup
C:\WINDOWS\kl1.exe -> Dropper.Small.amd : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bm : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Logger.Small.dg : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Logger.Small.dg : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\System Volume Information\_restore{F55630C8-4AE9-4601-AEC2-C47055135FC0}\RP144\A0010578.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\System Volume Information\_restore{F55630C8-4AE9-4601-AEC2-C47055135FC0}\RP144\A0010598.exe -> Not-A-Virus.Hoax.Win32.Renos.bm : Cleaned with backup
D:\Keyboard Logger\Keyspy.exe -> Not-A-Virus.Monitor.Win32.PanteraLog : Cleaned with backup
D:\Keyboard Logger\kh.dll -> Not-A-Virus.Monitor.Win32.PanteraLog : Cleaned with backup


::Report End


-----------------------------

Second HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:49 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Wirehog\wirehog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\Verizon\iobi\iobiClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft....0&plcid=0x0409
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Wirehog] C:\Program Files\Wirehog\Run.lnk
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\SetIcon.exe
O4 - HKLM\..\Run: [iobi] C:\Program Files\Verizon\iobi\iobiClient.exe -AS
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Edited by Scarlete, 02 March 2006 - 03:50 PM.



#2 Crustyoldbloke (Retired Staff, "Old Malware Surgeon with a shaky scalpel", 15,131 posts)

I am working on your fix

#3 Scarlete (Topic Starter, Member, 21 posts)

> I am working on your fix


(: thanks! :tazz: I wrapped the different logs in quotes, so hopefully it's easier to look at.

Jen

#4 Crustyoldbloke (Retired Staff, 15,131 posts)

Hello Jen and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have some CWS malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

You do not appear to have any antivirus programme running on your PC; we must correct that immediately.

Download:
AVG ANTIVIRUS FREE EDITION

Install AVG, update its virus definitions and perform a full system scan before proceeding any further.

Is Wirehog a deliberate installation?

Please disable Ewido Guard from running as it will hinder our attempts to change anything. Open Ewido > Status and remove the Guard option. You may be required to reboot for the change to take effect.

To start, please download the following programmes; we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
CWShredder
cwsserviceremove.reg file
AntiPuper

Open AntiPuper by secured2k, and follow the on-screen instructions to sweep your PC for infections and clean your Wininet.dll file. When it has finished it will reboot your PC.

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next; let it fix everything it asks about.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Unzip the cwsserviceremove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
c:\secure32.html
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Utilities uncheck Ewido Security Suite log, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues.

Post back a fresh HijackThis log (from normal mode) and I will take another look.
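As an added example (not from the thread, and not part of HijackThis or any tool named above), a small Python checker that parses lines in the HijackThis log format shown in this thread, flags the kinds of entries selected above for Fix Checked (browser pages that point at a local file such as c:\secure32.html, a BHO with no backing file, a Winlogon notify DLL that is missing) and diffs a before/after log to confirm a fix took. The sample log lines are constructed to mirror the thread's logs, and the function names are mine.

```python
"""Hypothetical HijackThis-log checker: flag hijack-style entries and diff two logs."""
import re

# Constructed sample in the HijackThis v1.99.1 line format, mirroring the
# thread's pre-fix log. Not output of the tool itself.
BEFORE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = c:\\secure32.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = c:\\secure32.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = c:\\secure32.html
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Constructed sample mirroring the post-fix log: the secure32.html pages and
# the orphaned BHO are gone, the start page is about:blank, O20 still remains.
AFTER_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Every HJT entry line starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A browser start/search page value is expected to carry a URL scheme;
# a bare path on disk (c:\secure32.html) is the hijack pattern seen here.
URL_RE = re.compile(r"^(https?://|about:|file://|res://)", re.IGNORECASE)


def parse_hjt(text):
    """Return [(section, body)] for each entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (section, body, reason) for entries a reviewer should look at."""
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            value = body.rsplit(" = ", 1)[1].strip()
            if not URL_RE.match(value):
                findings.append((sec, body, "browser page points at a local file"))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, body, "orphaned BHO with no backing file"))
        elif sec == "O20" and "(file missing)" in body:
            findings.append((sec, body, "Winlogon notify DLL is missing"))
    return findings


def diff_logs(before_text, after_text):
    """(removed, added) entry lists between two logs, to confirm a fix took."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for sec, body, reason in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"[{sec}] {reason}: {body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries removed, {len(added)} added after the fix")
    for sec, body, reason in flag_entries(parse_hjt(AFTER_LOG)):
        print(f"still present [{sec}] {reason}: {body}")
```

Run against the constructed samples it flags five entries before the fix and one (the missing WRLogonNTF.dll notify entry) after it, which is exactly the kind of leftover a fresh log is requested for.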

#5 Scarlete (Topic Starter, Member, 21 posts)

> Hello Jen and welcome to Geeks to Go
>
> As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.
>
> Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.


Of course you are! :tazz: <3

Thanks, I'll get started on this asap! I've got Admin rights on the computer, though I work through a subset identity. I'll do all of this under Admin. (this computer has Admin and *one* identity - I'm pretty sure the other identity has admin rights, but I'm letting you know. )

I'll be back shortly. (as shortly as weebits allow)

#6 Scarlete (Topic Starter, Member, 21 posts)
Re: Wirehog - Yeah, I mean to have that. I have it access my audio folder when I bother to plug it in. (:

Everything seems to be working much faster and cleaner now. I had already gone to tools in the internet options to reset my home page, so those entries weren't in the hijack log just prior to this one.

With CCleaner - I got an error that said: Could not detect wininet.dll file or McAfee Engine/DAT to clean wininet.dll -- I had uninstalled McAfee at some point, so that might explain that.

Re: PendingFileRenameOperations prompt - Yes, I got that.

Sorry it took so long, the weebits kept me from doing much of anything after this morning. (:

Thanks!
Jen

New Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:18:59 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Wirehog\wirehog.exe
C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SMSC\SetIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft....0&plcid=0x0409
O4 - HKLM\..\Run: [Wirehog] C:\Program Files\Wirehog\Run.lnk
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\SetIcon.exe
O4 - HKLM\..\Run: [iobi] C:\Program Files\Verizon\iobi\iobiClient.exe -AS
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



#7
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Hello again Jen

It is looking better but not quite clean; there is still a CWS infection present.

Please open CWShredder and run it. Click Check For Update, then Fix and then OK followed by Next; let it fix everything it asks about.

Please re-open HiJackThis and scan. Check the box next to the entry listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Unzip the cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Now I must turn my attention to your wininet.dll which appears to have been infected by Puper.

Click start>run and type cmd

Type (or cut and paste):

copy c:\windows\system\wininet.dll c:\windows\desktop

Reboot. Scan the desktop folder with eTrust Web Scanner. When done, make sure the box is checked for wininet.dll and click cure.

Reboot to command prompt and delete system\wininet and oleadm (oleext), then copy clean wininet from desktop.

del c:\windows\system\wininet.dll

del c:\windows\system\oleadm.dll (oleext.dll)

copy c:\windows\desktop\wininet.dll c:\windows\system


If all of that fails, go here and download the file:

Wininet.dll

Please post a fresh HJT log from normal mode and I'll take another look.

#8
Scarlete
    Member
  • Topic Starter
  • 21 posts
Ok. (:

I've run CWShredder and checked for updates. It said I had the latest version. When I did a fix (etc) it said my system was clean. Here's a copy of that log:

I'm going to go into my start menu (er, or whatever.. ) and disable run on start-up of wirehog, aol, and probably iobi *and* qttask (because I am in hate with it.) I need to find out what seticon is. :/ :tazz:

**** Run Keys ****

RUN: [Wirehog] C:\Program Files\Wirehog\Run.lnk
RUN: [nwiz] nwiz.exe /install
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [HostManager] C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
RUN: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
RUN: [SetIcon] \Program Files\SMSC\SetIcon.exe
RUN: [iobi] C:\Program Files\Verizon\iobi\iobiClient.exe -AS
RUN: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


**** Browser Helper Objects ****



**** IE Toolbars ****



**** IE Extensions ****

IEExt: []


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Page:
Default Search: http://www.microsoft...=ie&ar=iesearch
Local Page: C:\WINDOWS\system32\blank.htm
Search Bar: http://search.msn.com/spbasic.htm
Search Page: http://www.microsoft...=ie&ar=iesearch


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{490CDDE4-5A38-4076-91AC-93FAF3E2DA66}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{490CDDE4-5A38-4076-91AC-93FAF3E2DA66}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3EC90DA8-64F2-45C6-850F-7B57EA210D40}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3EC90DA8-64F2-45C6-850F-7B57EA210D40}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD763101-81E9-4296-AB09-4A3969F0E47E}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DD763101-81E9-4296-AB09-4A3969F0E47E}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [http://www.apple.com...x/qtplugin.cab]
{166B1BCA-3F9C-11CF-8075-444553540000} [http://fpdownload.ma...irector/sw.cab]
{2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} [http://forms.real.co...e_Inst_Win.cab]
{33564D57-0000-0010-8000-00AA00389B71} [http://download.micr...22/wmv9VCM.CAB]
{33564D57-9980-0010-8000-00AA00389B71} [http://codecs.micros...86/wmv9dmo.cab]
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} [http://www3.ca.com/s...fo/webscan.cab] C:\WINDOWS\arclib.dll C:\WINDOWS\Downloaded Program Files\webscan.dll
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/...ndows-i586.cab]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://acs.pandasoft...ree/asinst.cab]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupd...097.7144675926]
{A8683C98-5341-421B-B23C-8514C05354F1} [http://photo.walmart...loadClient.cab] C:\WINDOWS\system32\msvcr71.dll C:\WINDOWS\Downloaded Program Files\CONFLICT.1\libcurl.dll C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FreeImage.dll C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FujifilmUploadClient.dll
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [http://java.sun.com/...ndows-i586.cab]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/...ndows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.ma...nt/swflash.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[Autocomplete] C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
[Avg7Alrt] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Avg7UpdSvc] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[AVGEMS] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[EpsonBidirectionalService] C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
[EPSONStatusAgent2] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[ewido security suite control] D:\Program Files\ewido anti-malware\ewidoctrl.exe
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\System32\imapi.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[ose] "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{E865A36F-11CF-4347-9B01-E40A2DCA7CBC}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\system32\wdfmgr.exe
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant]
SEARCH: [CustomizeSearch]
SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
SEARCH: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://google.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Check_Associations] Yes
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [Enable Browser Extensions] yes
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [Search Bar] http://search.msn.com/spbasic.htm
IEOPT: [FormSuggest PW Ask] no
IEOPT: [StatusBarWeb]
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [AutoSearch]
IEOPT: [LastCheckedHi] +=Ćs
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Default_Page_URL]
IEOPT: [Use Custom Search URL]
IEOPT: [Default_Page_URL]
IEOPT: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Search Page] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar]
IEOPT: []
IEOPT: [BigBitmap] custom\38vrzn_static.bmp
IEOPT: [SmallBitmap] custom\22vrzn_static.bmp
IEOPT: [Check_Associations] yes



Onward..
I ran hijack, did fix as requested. Did other thingies, and when I typed in cmd I got an error that said: "System cannot find file specified".

I attempted to do eTrust scanner, but it kept bogging out and I figured that since I don't have this file, it was moot anyway and went on to "if all else fails".

And, so I did.

I then moved the freshly downloaded wininet.dll to the windows\system folder, ran hijack again and came back here. I figure I've probably got more work to do, eh? :)

*slaps pets my computer*

Here's the latest hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:20:41 AM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SMSC\SetIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft....0&plcid=0x0409
O4 - HKLM\..\Run: [Wirehog] C:\Program Files\Wirehog\Run.lnk
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132963960\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\SetIcon.exe
O4 - HKLM\..\Run: [iobi] C:\Program Files\Verizon\iobi\iobiClient.exe -AS
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thanks again!

Jen
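An added triage helper (my example, not code from this thread, from HijackThis or from Crustyoldbloke) that parses the R/O lines of the two logs above, flags the entries he acted on (plus any Run entry whose path has no drive letter), and diffs the 3/1 and 3/2 logs to show what the fix changed. The sample log lines are constructed from lines quoted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example; not code from the
thread, from HijackThis or from Crustyoldbloke). It parses the R*/O* lines the
posts above quote, flags the entries the helper acted on, and diffs two logs
so the reviewer can see what a fix actually changed between posts."""
import re
from typing import Dict, List, Tuple

# Constructed samples built from lines in this thread: the 3/1 log before the
# CWShredder/HJT fix, and the 3/2 log after it.
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\SetIcon.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\SetIcon.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

# Every HJT finding is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for each R*/O* line; the log header and
    the 'Running processes' block are skipped because they do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text: str) -> List[str]:
    """Flag the three patterns worth a second look in this thread's logs:
    a Winlogon Notify DLL that no longer exists on disk (the entry is still
    registered to load at logon), an IE start page forced to about:blank
    (what the helper treated as CWS residue), and a Run entry whose path has
    no drive letter, so which file actually starts depends on the current drive."""
    findings = []
    for sec, body in parse_log(text):
        if sec == "O20" and body.endswith("(file missing)"):
            findings.append(f"{sec}: dangling Winlogon Notify entry -> {body}")
        elif sec == "R0" and body.endswith("Start Page = about:blank"):
            findings.append(f"{sec}: start page blanked, check for CWS -> {body}")
        elif sec == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1]
            if cmd.startswith("\\"):
                findings.append(f"{sec}: run entry with no drive letter -> {cmd}")
    return findings


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Set-difference two logs; the order of lines in the file does not matter."""
    old, new = set(parse_log(before)), set(parse_log(after))

    def fmt(entry: Tuple[str, str]) -> str:
        return f"{entry[0]} - {entry[1]}"

    return {"removed": sorted(map(fmt, old - new)),
            "added": sorted(map(fmt, new - old))}


if __name__ == "__main__":
    for finding in triage(LOG_BEFORE):
        print("FLAG", finding)
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for line in lines:
            print(kind.upper(), line)
```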

#9
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Hello again Jen

Well everything looks OK but I am a little concerned that your system doesn't recognise the command CMD. I have to assume that if you did everything as instructed, there is something wrong with your system files. That being the case we best sort them out.

Please run System File Checker, to make sure all of your protected files are not corrupt. The scan will automatically replace any corrupt files that it finds.

Click Start
Select Run
At the prompt type sfc /scannow. Please note that there is a single space between sfc and /scannow.

Typing this will start the programme, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:

My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.

Then rerun the scan.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:

My Computer
Tools
Folder Options
View
"Check" Hide protected operating system files.

How is your PC running? Please post a fresh (final?) HJT log from normal mode for checking.

#10
Scarlete
    Member
  • Topic Starter
  • 21 posts
I think it did understand the command CMD, only, I didn't have the file for it to copy. I did the start>run>type cmd, and it gave me the cmd prompt. I only got the error when I typed copy c:\windows\system\wininet.dll c:\windows\desktop. Does that clear that up any or am I not getting your point? Totally possible, ya know.. hehe.

I'll be doing what you asked and will be back here shortly. ;D

Thanks!

#11
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
Well, better safe than sorry. If the command prompt appeared then that is quite normal - thank goodness.

It sounds as though the wininet.dll was not there but that would give you an error message - weird.

#12
Scarlete
    Member
  • Topic Starter
  • 21 posts
Quick question before I run this,

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens, please make sure that you can view protected files:


If I'm not able to find my disc, is this a problem?

#13
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
It's about as big a problem as you can get. If ever you have to do a recovery you'll need it.

You best just post a fresh HJT log from normal mode for a checkover. Is your PC running OK and shutting down and restarting OK?

#14
Scarlete
    Member
  • Topic Starter
  • 21 posts
XD

Yeah, it's fine starting and rebooting. Now, in the past just shutting it down was problematic in that it would just restart itself. I haven't checked that in a while, though.

I'll get Gary to find the disc for me, though I'm loath to use it.

#15
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,131 posts
It sounds OK now, so just post the latest HJT log and I'll check it over and give you the all clear with future advice.