Page 1 of 2 12 LastLast
Results 1 to 10 of 13
  1. #1
    Member
    Join Date
    Jul 2006
    Posts
    8
    Points
    1

    Default Spyware/Internet Hijacker

    Hello! I was advised by the detective to post a new topic. I ran HiJackThis and checked it and the detective responded that there are some suspicous files that need to be fixed. It's telling me to do a series of things, however, the first thing is that I need to click on "Fixed checked" but I'm not sure what to check and what to keep. I'm generally good with computers, but I'm pretty dumb about reading paths and knowing if they are legit. Especially since all of this hit my computer. I'm not sure what to trust anymore. Would you mind helping me with it?

    I am pasting what I have on my notepad. It wouldn't let me attach the file. Hope that's ok.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:46:32 PM, on 7/21/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ishost.exe
    C:\WINDOWS\System32\isnotify.exe
    C:\WINDOWS\System32\issearch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\978b466d.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\ismon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [978b466d.exe] C:\WINDOWS\System32\978b466d.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [978b466d.exe] C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {202B4182-28FA-3059-E31A-2B680DEE22AD} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {55A548B3-AFA8-41E3-8057-FD24931C6388} (FXExec Control) - http://216.87.37.188/app/FXCtrl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    Thanks you for your assistance. It is much appreciated.
    Juli

  2. #2
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi Juli

    You have 2 different infections...

    First, for this one ...

    C:\WINDOWS\System32\ishost.exe
    C:\WINDOWS\System32\isnotify.exe
    C:\WINDOWS\System32\issearch.exe
    C:\WINDOWS\System32\ismon.exe

    I am giving you 2 sets of instructions to run a malware removal program...

    The first set of instructions will find the bad files...
    The second set of instructions will delete the bad files...

    Both sets of instructions will generate a logfile, I need to see BOTH logfiles ... so save the first one somewhere you can find it again, and when you have the second one ... post them both in your next post here

    First instructions ... find files

    Download: SmitfraudFix.zip from :-

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

    1. Download to your desktop
    2. unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix
    3. Double-click smitfraudfix.cmd
    4. Select 1 and hit Enter to create a report of the infected files
    5. find the C:\rapport.txt file and change the name of the text file to REPORT1.txt ... otherwise it will be overwritten when you run the next set of instructions.


    Second instructions ... delete files

    1. Reboot into >>>safe mode
    2. Double-click smitfraudfix.cmd
    3. Select 2 and hit Enter to delete infected files
    4. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
    5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file
    6. A reboot may be needed to finish the cleaning process.

    The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file + the C:\REPORT1.txt in your next post here... + a new hijackthis log.

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    If after running the program, you end up with a blank desktop background ... Right click the desktop > properties > desktop tab > & reset your background...

    ---
    second ... for the popups...

    Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/default s/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/default s/sp/*http://www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/default s/su/*http://www.yahoo.com

    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll

    O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll

    O4 - HKLM\..\Run: [978b466d.exe] C:\WINDOWS\System32\978b466d.exe

    O4 - HKCU\..\Run: [978b466d.exe] C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe

    O16 - DPF: {202B4182-28FA-3059-E31A-2B680DEE22AD} - http://85.255.113.214/1/gdnUS2218.exe

    O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll (file missing)


    Reboot then find and delete :-

    C:\WINDOWS\System32\978b466d.exe ... file

    C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe ... file

    C:\Program Files\Safety Bar ... folder

    PLEASE NOTE The local settings folder is a hidden folder.....Click here >>> How to Show Hidden/System Files

    Don't forget....

    Post the contents of the C:\rapport.txt file + the C:\REPORT1.txt in your next post here... + a new hijackthis log.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  3. #3
    Member
    Join Date
    Jul 2006
    Posts
    8
    Points
    1

    Default THanks

    Thanks Steam! I will try this tonight and see what happens. Also, before I got this reply from you, I ran AVG on my computer and it detected Trojan Horse on my system I believe 8 times or so. I don't believe that AVG fixed it though. I'm not sure if this can be fixed by your recent instructions or not, but I will go ahead with what you have recommended anyway for the malware. I will let you know how it turns out and post the reports. Thanks a bunch!!!

    P.S. Sorry about the second thread!

  4. #4
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    I'm not sure if this can be fixed by your recent instructions or not, but I will go ahead with what you have recommended anyway for the malware.
    That is why we are here Steam's fix should work just fine , besure to follow his guidance to the letter.

    BG

  5. #5
    Member
    Join Date
    Jul 2006
    Posts
    8
    Points
    1

    Default I did what you recommended. . .

    Hi Steam! I did everything you recommended and we are almost there I think!

    I attached the logs you requested. The "found" file is Report1. The "deleted" file is Report2. And I have also attached a new HijackThis log.

    I got to your instructions to reboot and then find and delete 2 files and 1 folder. I deleted the last two on the list, but when I tried to delete C:\WINDOWS\System32\978b466d.exe a window popped up that said: "Cannot delete. . Access Denied. Make sure the disk is not full or write-protected & that the file is not currently in use." I didin't have anything else open at the time. I tried it two times and it would not delete either time.

    On the upside, my internet browser is running much faster than it was and it's not being directed to the security webpage anymore. However, I keep getting a window that pops up and looks like it was made to look "official" and safe, but the blue image on the left side changes each time it pops up so I know it's not part of my system. It always saya about the same thing, "System Integrity Scan Wizard! Warning: Your computer may have critical errors in Windows registry & file systems. . ." and it gets you to click "Next" to run a scan for errors. I have clicked on it a couple of different times and it just takes me to a webpage to download software. It pops up every 10 minutes or so with a different title to the window. It jus tpopped up again and said "Spyware Wizard" again with a different blue image meant to mimic the real windows designs.

    I can tell it's getting better though, thanks to your help! Hope I can get it back to normal.

    I can't tell if the logs attached so let me know if they didn't.

    Thank you so much for your help!
    Juli

  6. #6
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Please don't submit the logs as attachments, just cut and paste them.

    We want to see logs that look like your first post as they are much easier to read.

    Please open your "notepad" program, under the 'format" make sure that the "Word wrap" is checked.

    BG

  7. #7
    Member
    Join Date
    Jul 2006
    Posts
    8
    Points
    1

    Default Reports

    Sorry about that. Here are the logs:

    Report 1 (Found)
    Logfile of HijackThis v1.99.1 Scan saved at 11:59:15 AM, on 7/29/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [978b466d.exe] C:\WINDOWS\System32\978b466d.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [978b466d.exe] C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    Report 2 (Deleted):
    SmitFraudFix v2.76 Scan done at 11:51:46.64, Sat 07/29/2006 Run from C:\Documents and Settings\JULISUE\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "coursings"="{f8d02387-789a-4c0f-a1d8-8a93f33ee4df}" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\ishost.exe Deleted C:\WINDOWS\system32\ismon.exe Deleted C:\WINDOWS\system32\isnotify.exe Deleted C:\WINDOWS\system32\issearch.exe Deleted C:\WINDOWS\system32\ixt?.dll Deleted C:\WINDOWS\system32\ot.ico Deleted C:\WINDOWS\system32\ts.ico Deleted C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted C:\DOCUME~1\JULISUE\FAVORI~1\Antivirus Test Online.url Deleted C:\Program Files\SpyQuake2.com\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End

    HijackThis Log:
    Logfile of HijackThis v1.99.1 Scan saved at 11:59:15 AM, on 7/29/2006 Platform: Windows XP (WinNT 5.01.2600) MSIE:

    Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Alwil

    Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program

    Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton SystemWorks\Norton

    AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec

    Shared\ccApp.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD

    Creator 6\AudioCentral\RxMon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\Documents and Settings\JULISUE\Local

    Settings\Application Data\978b466d.exe C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe C:\Program Files\ZyDAS

    Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe C:\Program Files\Roxio\Easy CD Creator

    6\AudioCentral\Playlist.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Alwil

    Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\wuauclt.exe

    C:\WINDOWS\System32\wuauclt.exe C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: (no name) -

    {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: CNavExtBho Class -

    {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 -

    Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll O4 -

    HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy]

    "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program

    Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy

    CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator

    6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 -

    HKLM\..\Run: [978b466d.exe] C:\WINDOWS\System32\978b466d.exe O4 - HKLM\..\Run: [AVG7_CC]

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe]

    C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [978b466d.exe] C:\Documents and Settings\JULISUE\Local

    Settings\Application Data\978b466d.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

    Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk =

    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program

    Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite

    Mind LC\eyeQ\ARLaunch.exe O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology

    Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner

    - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program

    Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil

    Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program

    Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG7 Alert Manager Server

    (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service

    (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner

    (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager

    (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service:

    Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

    Shared\ccPwdSvc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION -

    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) -

    Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service:

    iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto

    Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton

    AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation -

    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: ScriptBlocking Service (SBService)

    - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service -

    Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    Thanks

  8. #8
    Member 1972vet's Avatar
    Join Date
    Mar 2006
    Posts
    275
    Points
    35

    Default

    You got rid of the Smitfraud infection...good work!
    You still have a couple problems though. You are running three different antivirus applications in real time.

    You actually reduce your level of protection that way, and also run the risk of data loss from a complete system crash that the instability can cause. Please decide which to keep and uninstall the rest.

    Probably a bigger problem is the absence of the windows update protection.

    You still have a trojan and a rogue safety tool bar. You'll surely get infected again if we don't consider installing the XPSP2 updates. Any particular reason you haven't updated your windows? We need to finish cleaning up your computer before you do that, but I would like to hear from you as to why you haven't done that yet. Some folks have been reluctant because of a slow connection to the web and the download is huge. If that's the case, there is a free CD that you can order from Microsoft. Just let me know.

    In the meantime, please select and install one of these free Firewall applications:
    ZoneAlarm Free Version
    Outpost Free
    Kerio

    When the installation completes successfully, reboot the computer.

    Next, please download the KILLBOX, extract it to your desktop.

    Open killbox.exe.

    First click on Tools>Delete Temp Files.
    A box will open with a list of all user profiles.

    Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

    Temporary Internet Files
    Temp Files
    XP Prefetch

    If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

    Then, click on the Button titled "Delete Selected Temp Files".
    Exit by clicking the Button titled "Exit(Save Settings)".

    Once back into the main killbox program, check the box:

    Delete on Reboot

    Highlight all the entries in the quote box below and then copy them.
    Note: You're probably aware that both of these are the same file. However, they are in different locations...you must enter both exactly as they appear below:
    C:\WINDOWS\System32\978b466d.exe
    C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe
    Then in killbox click File>>Paste from Clipboard

    At this point the "All Files" button should be enabled so you can click it.
    Click the "All Files" button.

    Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

    A second message will ask to Reboot now? you will need to click No for now.
    Note: Killbox will let you know if a file does not exist.

    If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No until you've completed the instructions below.

    Please run HijackThis again and check the box next to the following entries:
    O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
    O4 - HKLM\..\Run: [978b466d.exe] C:\WINDOWS\System32\978b466d.exe
    O4 - HKCU\..\Run: [978b466d.exe] C:\Documents and Settings\JULISUE\Local Settings\Application Data\978b466d.exe


    Now, close all windows except for HijackThis then click Fix Checked.

    Reboot and post back a fresh HijackThis log. Thanks!
    Disabled Veteran
    U.S.C.G.

    CastleCops Graduate 1st Responder

    Member:
    A.S.A.P.

  9. #9
    Member
    Join Date
    Jul 2006
    Posts
    8
    Points
    1

    Default Windows Updates

    The reason I haven't updated Windows is because a friend of mine built this computer for me a couple of years ago and when I try to run it, it does a check to make sure it is a registered version of the program. It comes back telling me it's not. My friend is out of the country and won't be back for a couple of weeks for me to ask him about this.

  10. #10
    Member 1972vet's Avatar
    Join Date
    Mar 2006
    Posts
    275
    Points
    35

    Default

    Did you complete the instructions?
    Disabled Veteran
    U.S.C.G.

    CastleCops Graduate 1st Responder

    Member:
    A.S.A.P.

Page 1 of 2 12 LastLast