Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

hijackthis log(not sure if posting in right area)


  • Please log in to reply
8 replies to this topic

#1 jennyg

jennyg

    Authentic Member

  • Authentic Member
  • PipPip
  • 57 posts

Posted 20 February 2007 - 09:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:23:40 PM, on 2/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Security\isamntr.exe
C:\Program Files\Internet Security\pmsnrr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Internet Security\pmmnt.exe
C:\Program Files\Internet Security\isamini.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chad1\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Internet Security\isadd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Internet Security\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: JNtEGgkciyc - {94E300DC-3E49-AA76-2520-6C7894078340} - C:\WINDOWS\System32\iedu.dll (file missing)
O21 - SSODL: didynamia - {8329660f-e248-4872-98cc-fb9c4fec7ba8} - C:\WINDOWS\System32\xkrdk.dll (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Advertisements

Register to Remove


#2 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 21 February 2007 - 04:40 AM

Hi, looking at your log back ASAP

#3 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 21 February 2007 - 04:41 AM

Hi jenny,

I'm Gary R, I'll be glad to help you with your computer problems.

As an introduction, please note I don't know everything, what I do know has taken me years to learn and I'm happy to pass on this information to you, but bear in mind that I'm also fallible. I do have a very knowlegable group behind me who I can ask if needs be.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
You are running Windows with Service Pack 1 fitted, the current update Service Pack is Service Pack 2. You'll need to update once we're finished if you're not to get re-infected.

DO NOT UPDATE TO SERVICE PACK 2 UNTIL WE GET YOUR COMPUTER CLEAN, IT WILL CAUSE LOTS OF PROBLEMS.

OK, lets get down to things. You look to have one of the many Smitfraud infections on your computer.

Please download ATF Cleaner by Atribune and save it to your Desktop. (Do not run it yet)

Please download SmitfraudFix (by S!Ri) and extract it to your Desktop. (Do not run it yet)

Please download AVG Anti-Spyware.
  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.
  • At the top of the main screen click Update.
  • Then in the Manual Update section, click on Start Update.
[*]The update will start and a progress bar will show the updates being installed.
[*]When updates are completed, close AVG.
[/list]If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates

Do not run a scan with AVG Anti-Spyware yet.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please boot your computer into Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account (as long as it is an account with Administrator privileges).
Once in Safe Mode
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2, then press Enter.
  • You will be prompted with: Registry cleaning - Do you want to clean the registry?
  • Type Y, then press Enter, to remove the Desktop background and clean infected registry keys.
  • The tool will now check if wininet.dll is infected.
  • You may be prompted to replace the infected file.
  • If prompted, type Y, then press Enter.
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
  • A text file will appear onscreen, with results from the cleaning process.
  • Please copy/paste the content of that report into your next reply. The report can also be found at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

Clean out your Temp files.
  • 1st Ensure your Internet Browser is closed.
  • Double click ATF-Cleaner.exe to run the program.
  • Check the following boxes:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Recycle Bin
    • Java Cache
  • The rest are optional - if you want to remove the lot, check Select All.
  • Now click Empty Selected.
  • When you get the Done Cleaning message, click OK.
Run a scan with AVG.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
      • Click on Recommended actions, and set to Quarantine.
    • How to scan
      • Check all options.
    • Possibly unwanted software.
      • Check all options.
    • Reports
      • Check Automatically generate report after every scan.
      • Uncheck Only if threats were found.
    • What to scan
      • Check Scan every file.
  • Click on the Scan tab.
    • Click on Complete System Scan and the scan will begin.
    • When the scan has finished
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the Apply all Actions button.
Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Open the SmitfraudFix folder again
  • Double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3, then press Enter.
(Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.)

Please post the following logs.
  • c:\rapport.txt
  • AVG log
  • A new HijackThis log
You may need several replies to post the requested logs, else they might get cut off.

Edited by Gary R, 21 February 2007 - 04:59 AM.


#4 jennyg

jennyg

    Authentic Member

  • Authentic Member
  • PipPip
  • 57 posts

Posted 21 February 2007 - 09:53 PM

SmitFraudFix v2.144

Scan done at 22:05:13.39, Wed 02/21/2007
Run from C:\Documents and Settings\chad1\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8329660f-e248-4872-98cc-fb9c4fec7ba8}"="didynamia"

[HKEY_CLASSES_ROOT\CLSID\{8329660f-e248-4872-98cc-fb9c4fec7ba8}\InProcServer32]
@="C:\WINDOWS\System32\xkrdk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8329660f-e248-4872-98cc-fb9c4fec7ba8}\InProcServer32]
@="C:\WINDOWS\System32\xkrdk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:45:50 PM 2/21/2007

+ Scan result:



HKU\S-1-5-21-1659004503-861567501-839522115-1003\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 10:51:47 PM, on 2/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\v6.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\chad1\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: JNtEGgkciyc - {94E300DC-3E49-AA76-2520-6C7894078340} - C:\WINDOWS\System32\iedu.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 waterfalls

waterfalls

    Silver Member

  • Validating
  • PipPipPip
  • 416 posts

Posted 21 February 2007 - 11:32 PM

Hi -

You will need to print these directions because, part of the time, you will be working in Safe Mode without an Internet connection.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll (file missing)
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - Startup: .protected
O21 - SSODL: JNtEGgkciyc - {94E300DC-3E49-AA76-2520-6C7894078340} - C:\WINDOWS\System32\iedu.dll (file missing)


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

• Navigate to and delete the following files (in bold text) if present:
C:\WINDOWS\System32\v6.exe
C:\WINDOWS\System32\iedu.dll
C:\Documents and Settings\chad1\StartMenu\Programs\Startup\.protected

• Reboot to Normal Mode.

• Please download HostsXpert 3.7 - Hosts File Manager
- Create a new folder: C:\HostsXpert
- Unzip the file to C:\HostsXpert
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
- Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
- Click "Make Hosts Writable?" in the upper right corner (If available).
- Click Restore Microsoft's Hosts file and then click OK.
- Click the X to exit the program.

• Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. Since you already have the Yahoo Toolbar, REMOVE the checkmark when provided with the option.
2. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
3. Then select these items:

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop-up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

• Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log in your next reply.
• Post back with the log from SuperAntispyware and a new HijackThis log.

Edited by waterfalls, 21 February 2007 - 11:46 PM.

Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#6 jennyg

jennyg

    Authentic Member

  • Authentic Member
  • PipPip
  • 57 posts

Posted 22 February 2007 - 03:02 PM

SUPERAntiSpyware Scan Log
Generated 02/22/2007 at 03:59 PM

Application Version : 3.5.1016

Core Rules Database Version : 3187
Trace Rules Database Version: 1197

Scan type : Complete Scan
Total Scan Time : 00:13:47

Memory items scanned : 314
Memory threats detected : 0
Registry items scanned : 4500
Registry threats detected : 0
File items scanned : 18526
File threats detected : 38

Adware.Tracking Cookie
C:\Documents and Settings\chad1\Cookies\chad1@ad.yieldmanager[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@doubleclick[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@mb[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@revsci[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@sextracker[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@goclick[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@upspiral[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@adultfriendfinder[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@sexclon[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@pro-market[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@findwhat[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@www.windowsmedia[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@adbrite[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@statcounter[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@advertising[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@stat.dealtime[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@ehg-mgmmirageoperations.hitbox[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@atdmt[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@xxxcounter[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@ad[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@www.upspiral[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@media.fastclick[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@mediaplex[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@overture[1].txt
C:\Documents and Settings\chad1\Cookies\chad1@hitbox[2].txt
C:\Documents and Settings\chad1\Cookies\chad1@counter15.sextracker[1].txt

Trojan Downloader-SystemAlert.Process
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP160\A0028762.DLL

Trojan.Media-Codec
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP160\A0028766.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP161\A0028792.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP163\A0028820.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP164\A0028967.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP164\A0028981.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP164\A0028995.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP164\A0029010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP164\A0029033.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP164\A0029034.EXE

Malware.SpyDawn
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CE574C73-68CD-4ED8-8643-F5460351F653}\RP160\A0028774.EXE

Trojan.VXGame-Gen
C:\WINDOWS\SYSTEM32\DLH9JKD1Q8.EXE





Logfile of HijackThis v1.99.1
Scan saved at 4:02:34 PM, on 2/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chad1\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 23 February 2007 - 06:00 AM

Merged threads, please use Posted Image not Posted Image ;)

#8 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 23 February 2007 - 08:24 AM

As Waterfalls has progressed this thread, I'll withdraw. Gary R

#9 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 24 March 2007 - 07:42 AM

Due to a lack of a responce this topic is now closed.

If you wish it reopened, please send us an email (Click for address) with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

To help keep your PC clean follow the recommendations here by shelf life.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users