Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help with spyware [CLOSED]

Started by Bilsed421 , Dec 24 2005 12:40 PM

  • This topic is locked This topic is locked

#1
Bilsed421
Posted 24 December 2005 - 12:40 PM

Bilsed421

    Member

  • Member
  • PipPip
  • 32 posts
Hey i need help with this spyware called Spy Sheriff. It has infected my computer with a spyware that i can't use the desktop on my computer and is using safe mode.

Here's the log:Logfile of HijackThis v1.99.1
Scan saved at 12:38:54 PM, on 12/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
H:\n\Spy Sweeper\WRSSSDK.exe
H:\n\security suite\SecuritySuite.exe
H:\Bilal\Dap\pt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dial
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "H:\bilal\dap\q\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "I:\daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adtech2006] c:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [HostsMan] H:\n\HostsMan\hm.exe -s
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\System32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: axxt32 - C:\WINDOWS\SYSTEM32\axxt32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: fldrsys - {8AFEA6C7-6FB3-49C8-AC19-7D8866F8E47F} - fldrsys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - H:\n\security suite\ewidoctrl.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - H:\MCAFEE~1.0-R\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - H:\n\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Plz reply....
  • 0

Advertisements

#2
Excal
Posted 24 December 2005 - 01:36 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Bilsed421 and welcome to GeeksToGo! My name is Excal and I will be helping you.

Lets see if we can get you up and running for christmas :)

These scans are done in safe mode, so you can stay in safe mode until the end :tazz:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS

Download smitRem.exe© by noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "H:\bilal\dap\q\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adtech2006] c:\windows\adtech2006a.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

7. click the Fix Checked box

8. Please remove just the files from the following paths using Windows Explorer (if present):

c:\secure32.html
c:\windows\adtech2006a.exe

9. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Remove all it finds.

11. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

12. Next go to Control Panel click appearance and themes>click Display > Desktop Tab> click Customize Desktop > Web tab > Uncheck anthing in there if present.

13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#3
Bilsed421
Posted 25 December 2005 - 01:48 PM

Bilsed421

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
I took all the steps that u told me but when i go to the normal mode it gives me the blue screen again after a little while. So i don't if the spyware is gone or not.
  • 0

#4
Excal
Posted 26 December 2005 - 10:07 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log.
  • 0

#5
Bilsed421
Posted 26 December 2005 - 01:32 PM

Bilsed421

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Thanks for all ure help.

Here's teh Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:37:28 PM, 12/25/2005
+ Report-Checksum: 576FB27F

+ Scan result:

C:\WINDOWS\Temp\~486910.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~754322.tmp -> Downloader.WinTool : Error during cleaning


::Report End

Here's the Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:47 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\n\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
H:\n\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
I:\daemon\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\VVSN\VVSN.exe
H:\n\Spy Sweeper\SpySweeper.exe
F:\Adcalls\Dialer.exe
F:\Adcalls\AdsView.exe
C:\WINDOWS\System32\rsvp.exe
H:\Bilal\Winamp3\Winamp\winamp.exe
H:\Fire\firefox.exe
H:\Bilal\Dap\pt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dial
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "I:\daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: axxt32 - axxt32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: fldrsys - {8AFEA6C7-6FB3-49C8-AC19-7D8866F8E47F} - fldrsys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - H:\n\security suite\ewidoctrl.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - H:\MCAFEE~1.0-R\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - H:\n\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Here's smitfiles.txt


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 12/25/2005
The current time is: 13:50:32.35

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

zlbw.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of explorer.exe

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

zlbw.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe


~~~ Miscellaneous Files/folders ~~~



winstall.exe

~~~ Wininet.dll ~~~

wininet.dll is missing!!
  • 0

#6
Excal
Posted 26 December 2005 - 01:54 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
You say you get a blue screen what exactly is happening.

open Hijackthis and do a scan. Please check off the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: axxt32 - axxt32.dll (file missing)
O21 - SSODL: fldrsys - {8AFEA6C7-6FB3-49C8-AC19-7D8866F8E47F} - fldrsys.dll (file missing)

click FIX CHECKED then close Hijackthis

please reboot


Use start>Search to find this file and let me know the whole path of all the results:
windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

wininet.dll

Please post those results along with a fresh HiJackthis log.
  • 0

#7
Bilsed421
Posted 26 December 2005 - 03:58 PM

Bilsed421

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Here's the Activescan log:


Incident Status Location

Adware:Adware/WeatherCast Not disinfected C:\Program Files\VVSN\VVSN.exe
Virus:Trj/Downloader.GXS Not disinfected Operating system
Adware:adware/spysheriff Not disinfected C:\winstall.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\kl.exe
Adware:adware/popupsandbannersNot disinfected C:\WINDOWS\teller2.chk
Adware:adware/isearch Not disinfected C:\WINDOWS\tool2.exe
Adware:adware/savenow Not disinfected C:\PROGRAM FILES\VVSN
Adware:adware/cws Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Favorites\-Autos-
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:Adware/BrilliantDigitalNot disinfected C:\!KillBox\bdcore.dll.updpnd
Adware:Adware/SAHAgent Not disinfected C:\!KillBox\bi5.inf
Adware:Adware/SAHAgent Not disinfected C:\!KillBox\biH.inf
Adware:Adware/SAHAgent Not disinfected C:\!KillBox\biU.inf
Adware:Adware/nCase Not disinfected C:\!KillBox\ezStub3.dll.tcf
Hacktool:HackTool/Disilitra.B Not disinfected C:\!KillBox\ntsrv.exe
Adware:Adware/KeenValue Not disinfected C:\!KillBox\PerfectNavUninstall.exe
Adware:Adware/nCase Not disinfected C:\!KillBox\Xcite.dll.tcf
Adware:Adware/SAHAgent Not disinfected C:\!KillBox\xmltok.dll
Adware:Adware/WinTools Not disinfected C:\!KillBox\~493151.tmp
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-43f24dd4.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-43f24dd4.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-43f24dd4.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-43f24dd4.zip[NewURLClassLoader.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-6f7c5fa4.zip[InstallerApplet.class]
Virus:W32/Mabutu.A.worm Not disinfected Archive Folders\Sent Items\FW: Important\details.zip[details.txt .scr]
Virus:W32/Mabutu.A.worm Not disinfected Hotmail\Inbox\Important\details.zip[details.txt .scr]
Adware:Adware/ClockSync Not disinfected C:\Documents and Settings\Syed Khalid.FAMILY\Local Settings\Temp\VVSNInst.exe
Virus:Trj/Moli.CG Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Virus:Trj/Eiro.N Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Adware:Adware/WeatherCast Not disinfected C:\Program Files\VVSN\VVSN.exe
Virus:Trj/Downloader.GXS Not disinfected C:\WINDOWS\system32\fldrsys.dll
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~486910.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~493151.tmp
Adware:Adware/WinTools Not disinfected C:\WINDOWS\Temp\~754322.tmp
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\tool2.exe
Adware:Adware/SpySheriff Not disinfected C:\winstall.exe
Adware:Adware/SaveNow Not disinfected F:\ov\bear\Installer\saveinstwm.exe
Virus:W32/Mabutu.A.worm Not disinfected Archive Folders\Sent Items\FW: Important\details.zip[details.txt .scr]
  • 0

#8
Bilsed421
Posted 26 December 2005 - 04:03 PM

Bilsed421

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Here's the Hijack log after teh fixing:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:54 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\n\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
H:\n\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
I:\daemon\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webshots\WebshotsTray.exe
H:\Bilal\Winamp3\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
H:\Bilal\Dap\pt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.sbc.com/dial
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "I:\daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - H:\n\security suite\ewidoctrl.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - H:\MCAFEE~1.0-R\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - H:\n\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#9
Excal
Posted 26 December 2005 - 04:25 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
doh, it seems your reinfected again.

You need an antivirus up and running. Download this good free one and do a complete scan with it:


AVG
  • 0

#10
Bilsed421
Posted 26 December 2005 - 04:45 PM

Bilsed421

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Should i send u another log after scaning with avg?
  • 0

#11
therock247uk
Posted 27 December 2005 - 01:50 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Excal is away at the moment and cant reply yes send another log after.
  • 0

#12
therock247uk
Posted 19 January 2006 - 06:50 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP