TheTechGuide Forum
General Category => Tech Clinic => Topic started by: cammac2 on July 22, 2005, 11:07:14 AM
-
Hi - I also caught SpySheriff and followed all the instructions from Cretemonster from a June 18 post:
-------
First, download and install CleanUp! but do not run it yet *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Download, install, and update Ewido Security Suite
Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido
Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Once in Safe Mode, Run Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
After you're done running Cleanup! follow the instructions below
Run Ewido.
-----
When I try to run Ewido, I get the message:
C:\Program Files\ewido\security suite\SecuritySuite.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
I get the same message when I try to reinstall the program.
My HiJackThis logfile (wouldn't open on infected computer - Same message as above - copied it to another computer):
Logfile of HijackThis v1.99.1
Scan saved at 11:43:49 AM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\winstall.exe
C:\WINDOWS\System32\sgf.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
I REALLY would like not to have to reformat - the computer seems to be working - just has the ugly SpySheriff shell running - (except I have no Start button and Control-Alt-Delete won't work; nor will the power button) I have to Unplug my computer to restart - Rebooted into Normal mode, but looks the same...
Thank you!!
-
Would it be harmful to go into Add/Remove Programs and just remove SpySheriff without running Ewido first? (Or is this exactly what the SpySheriff wants me to do??)
I also saw an "uninstall SpySheriff" executable in SpySheriff folder, but I didn't fall for that!
I'm kind of stuck, because I don't know what to do if my computer won't let me install the very programs I need to clean it. CleanUp! seems to be the only one I can run.
Thanks for any advice...
-
Can someone look at the hijack this log? I haven't used the infected computer since I posted the log.
If I can't run the programs suggested to get rid of this, is it safe to go to Add/remove programs and remove SpySheriff?
I'm kind of stuck until I get some advice...
Thank you!
-
Sorry for the delay Camacc
Can I have you repost a fresh Hijackthis log please
I want to ensure of any changes
I'll be able to look at your new log later today
-
Thank you! Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 6:15:29 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\winstall.exe
C:\WINDOWS\System32\sgf.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
-
Let's try some initial cleanup and see how your log looks later
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Alternate Download link (http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe)
We'll need this later
==Download and UNZIP to the desktop or a folder
DelDomains.zip (http://www.geekstogo.com/modules.php?modid=5&action=download&id=40)
So you now have Deldomains.inf extracted
We'll need this later
==Download SmitRem.zip (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1)
UNZIP the folder within to your desktop.
We'll need this later
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Disconnect from the Internet
Access your add/Remove programs via Control Panel and remove if found
SpySheriff
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Set Windows To Show Hidden Files and Folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Find and delete these files or folders if found
FILES
C:\WINDOWS\System32\ysu.dll
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\sgf.exe
C:\WINDOWS\System32\symcsvc.exe
C:\winstall.exe
C:\WINDOWS\vr_sys.dll
Folders
C:\Program Files\SpySheriff
C:\Program Files\saar
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done.
==Open the SmitRem folder>>Make sure you unzipped this, then double click the RunThis.bat file to start the tool. Read and Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
Remain in safe mode if prompted
The tool will create a log named smitfiles.txt>>Located here C:\smitfiles.txt
I'll need to see it later
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART back to Normal mode
Back in Windows
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Post back new Hijackthis log and the log from SmitRem>>C:\smitfiles.txt
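The entries ticked for fixing above fall into a handful of recurring classes: a second binary chained onto the `Shell=` value (F2), autostarts and running processes whose names imitate core Windows binaries (the `l?ass.exe` beside the real `lsass.exe`) or sit in the drive root (`C:\winstall.exe`), a core binary name outside its home directory (`C:\WINDOWS\svchost.exe`), orphaned BHO/SSODL/service entries marked "(file missing)" or "(no file)", and every O15 Trusted Zone / Trusted IP range entry, which the DelDomains step wipes wholesale. The script below is an added example, not code from the thread or from HijackThis, that triages an excerpt of the thread's own first log with those checks. The short allow-list of core binaries and their home directories, the rule names, and the reading of `?` as a character HijackThis could not render are assumptions of the example.

```python
"""Triage a HijackThis 1.99.1 log: flag the entry classes the thread's helper
asked to have removed. Added example; not part of the thread or of HijackThis."""
import re
from collections import Counter
from dataclasses import dataclass

# Core Windows binaries and the directory each should live in (assumed
# allow-list, deliberately short for the example).
EXPECTED_DIR = {
    "smss.exe": "\\system32", "winlogon.exe": "\\system32", "services.exe": "\\system32",
    "lsass.exe": "\\system32", "svchost.exe": "\\system32", "spoolsv.exe": "\\system32",
    "explorer.exe": "\\windows",
}
# First Windows path with an executable extension anywhere in an entry.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.I)

# Lines quoted from the thread's first HijackThis log (not constructed).
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\winstall.exe",
    r"C:\WINDOWS\System32\l?ass.exe",
    r"C:\HJT\HijackThis.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe",
    r"O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe",
    r"O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe",
    r"O15 - Trusted Zone: *.blazefind.com (HKLM)",
    r"O15 - Trusted IP range: 67.19.178.84 (HKLM)",
    r"O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)",
    r"O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _parent(path):
    return path.rsplit("\\", 1)[0].lower()


def _edit_distance(a, b):
    # Plain Levenshtein distance, row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name):
    """Assumption: HijackThis prints '?' for a character it cannot render, so
    l?ass.exe is a masquerade of lsass.exe; a one-edit difference is the same trick."""
    name = name.lower()
    if name in EXPECTED_DIR:
        return False
    return "?" in name or any(_edit_distance(name, p) == 1 for p in EXPECTED_DIR)


def is_mislocated(path):
    """A core binary name outside its home directory, e.g. C:\\WINDOWS\\svchost.exe."""
    home = EXPECTED_DIR.get(_basename(path))
    return home is not None and not _parent(path).endswith(home)


def is_drive_root(path):
    return re.fullmatch(r"[a-z]:", _parent(path)) is not None


def triage(lines):
    """Return one Finding per (rule, line); several rules may fire on one line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - ") and "Shell=" in line:
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":      # extra binaries chained onto the shell
                findings.append(Finding("shell-hijack", line))
        if line.startswith("O15 - "):                 # every trusted site/range needs a reason
            findings.append(Finding("trusted-zone", line))
        if line.endswith("(file missing)") or line.endswith("(no file)"):
            findings.append(Finding("orphan-entry", line))
        m = PATH_RE.search(line)
        if m:
            path = m.group(0)
            if is_lookalike(_basename(path)):
                findings.append(Finding("lookalike-name", line))
            if is_mislocated(path):
                findings.append(Finding("mislocated-binary", line))
            if is_drive_root(path):
                findings.append(Finding("drive-root-binary", line))
    return findings


def summarize(findings):
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:18} {f.line}")
    print(summarize(triage(SAMPLE)))
```

Run against the excerpt it flags eleven findings: the chained shell value, both `l?ass.exe` occurrences, both `winstall.exe` occurrences, the three orphaned entries, the two O15 entries, and the `svchost.exe` registered from `C:\WINDOWS` instead of `system32`. The legitimate `lsass.exe`, `HijackThis.exe` and the `KernelFaultCheck` autostart pass untouched, and `sgf.exe` or `elat.exe` would not be caught by name alone, which is why a reviewer still reads the whole log rather than trusting any single heuristic.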
-
There were some errors when I "fix selected" in HT - they seemed to be at the top of the list. I didn't write them down, because it was the first 4 or 5 items, and I thought "maybe that's how HT reports the fixing" Didn't know if I should go through the instructions again - decided to let you look at the results first.
On reboot, SpySheriff still seems to have my computer....
----------
Logfile of HijackThis v1.99.1
Scan saved at 10:16:17 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\winstall.exe
C:\WINDOWS\System32\l?ass.exe
C:\MivaMia\BIN\Mia.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
--------------------------
smitfiles.txt:
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Dating.lnk
SpySheriff
Install.dat
SpySheriff.lnk
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
winstall.exe
~~~ Wininet.dll ~~~
CLEAN!
-
Just on my way to work
I would really like to know why you couldn't run Hijackthis
What error messages??
Try this again please
But this time disable Spybot's Tea Timer
Open Spybot>>Click on MODE>>>ADVANCED >> Click YES to the prompt
Click on TOOLS in the left menu
RESIDENT>>Uncheck Resident Tea Timer
Follow the prompt to disable tea timer
Close Spybot
Leave this disabled until clean please
Then go back and follow all the instructions I gave you the first time, including files and folders to delete
Allow Hijackthis to fix any entry I recommended for fixing
Let me know what you couldn't remove afterwards, and any error messages
Post back fresh logs of Hijackthis and SmitRem
-
3 things:
1. I could not turn off SpyBot's TeaTimer, because I cannot launch the program. As I mentioned earlier, some programs give me the error:
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
SpyBot is one of the programs; ewido is another--same message whether I try to run the application or run the installer.
--------
2. When I start the computer, I get this message:
Windows cannot find "C:\WINDOWS\System32\Kernels32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, Click the Start button, and then click Search.
-------------
3. Also, remember that I cannot restart the computer - I have no Start button, and ctrl-alt-del has no effect. The power button has no effect. I must unplug the computer in order to "restart"
---------------------
I followed your instructions again, with these results:
1. When I ran smitRem, I followed the prompts, but I did not get the "up to 3 hours" disk cleanup. It was more like 2 seconds.
2. The 5 error messages that HijackThis gave all ENDED the same:
Please email me at [email protected], reporting the following:
*What you were trying to fix when the error occurred, if applicable
*How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE Version: 6.0.2800.1106
HijackThis version: 1.99.1
This message has been copied to your clipboard. Click OK to continue the rest of the scan.
(Note: I am not running Windows NT - I am running Windows XP Pro)
The 5 messages were:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O9-Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm)
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm)
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab)
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing))
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing))
Error #5 - Invalid procedure call or argument
----
Then HijackThis gets to O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)and I get the warning:
HijackThis is about to remove a BHO and the corresponding file from your system. Close all Internet Explorer Windows AND all Windows Explorer windows before continuing for the best chance of success.
I clicked OK.
----------------------------------------------------
Here are my logs:
smitfiles.txt
------------
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
winstall.exe
~~~ Wininet.dll ~~~
CLEAN!
--------------------------------------------
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:55:20 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
-----------------------------------------
Thank you!
-
I think we're dealing with a new variant
Can you do the following for a test please
Open Notepad
Hold Down the Windows key on the keyboard and press R
Type in notepad
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wupd"=-
"Windows installer"=-
"SNInstall"=-
"Lerm"=-
"Wcosvbwo"=-
"SpySheriff"=-
Double click on fix.reg and allow to add or merge to the registry
Does that work?
After you do the above, restart the computer, but do it in this manner
Again with the Windows key and the R key
Type in
SHUTDOWN -r -t 01
Hit OK
If notepad won't work, try saving it in wordpad
Again in the Run Command type wordpad
Save the file format as a text file and name it fix.reg
It must have the .reg extension
If that won't work, can you open the Run command and type in regedit
Does the registry open?
If not try typing in regedit.com
Can I see a new Hijackthis log in Normal mode later please
Also, please try this .exe fix please, may not be any help but won't hurt to try
Save this to your desktop, double click on it
Can you open programs you couldn't before, you may have to restart the computer first
http://www.grisoft.cz/softw/70/filedir/util/avg_rem_sup.dir/fixreg.com
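As an added example (not a tool from this thread, from the helper, or from HijackThis), here is a Python script that reads the O4 autorun lines out of a HijackThis log like the ones posted here, flags the two patterns the helper is chasing (an executable sitting in the drive root, and a file name HijackThis prints with '?', like l?ass.exe), and writes a fix.reg in the same `"name"=-` form as the one above. The sample log lines are copied from the thread's log; the list of names to remove is the helper's; the triage heuristics are this example's own assumptions.

```python
"""Parse the O4 autorun lines of a HijackThis log and write a fix.reg that
deletes chosen Run values, in the '"name"=-' form used in this thread.

Added example for this thread, not a tool from the thread or from HijackThis.
The sample log lines are copied from the log posted above; the names in
REMOVE are the ones the helper asked to delete; the triage heuristics in
flag_suspicious are assumptions of this example, not HijackThis logic.
"""
import re

# Sample input: constructed from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
"""

# Run value names the helper asked to delete.
REMOVE = {"System", "wupd", "Windows installer", "SNInstall",
          "Lerm", "Wcosvbwo", "SpySheriff"}

# An O4 Run line reads:  O4 - HKCU\..\Run: [value name] command line
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')

# Full key paths behind the HKLM\..\Run and HKCU\..\Run abbreviations.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}


def parse_o4(log_text):
    """Return (hive, value_name, command) for each O4 Run line. Startup-folder
    O4 lines are skipped: those are .lnk files, not registry values."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def image_path(cmd):
    """Best-effort executable path from an O4 command: the quoted path if
    there is one, else the text up to the first .exe/.com/.scr/.bat."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|com|scr|bat))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def flag_suspicious(entries):
    """Triage heuristic (assumed here, not from HijackThis): flag a value whose
    executable sits directly in the drive root (winstall.exe above), or whose
    file name contains '?', which is how HijackThis prints a character it
    cannot display, as with the lsass.exe look-alike l?ass.exe above."""
    flagged = []
    for _hive, name, cmd in entries:
        path = image_path(cmd)
        base = path.rsplit("\\", 1)[-1]
        in_root = re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None
        if in_root or "?" in base:
            flagged.append(name)
    return flagged


def build_fix_reg(entries, remove_names):
    """Text of a fix.reg: under each key, '"name"=-' tells regedit to delete
    that value when the file is merged."""
    by_hive = {}
    for hive, name, _cmd in entries:
        if name in remove_names:
            by_hive.setdefault(hive, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for hive in ("HKLM", "HKCU"):
        if hive in by_hive:
            lines.append(f"[{RUN_KEYS[hive]}]")
            lines.extend(f'"{name}"=-' for name in by_hive[hive])
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    print("Flagged:", flag_suspicious(found))
    print(build_fix_reg(found, REMOVE))
```

The script only produces the text; merging the saved fix.reg (the double-click step above) is what actually deletes the values, so review the generated file before merging it.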
-
Just my luck - a new variant...
OK -
windows key - R brought up the Run window (yea!) but:
1. Could not run notepad - same message as before
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
2. Also, could not run wordpad or regedit or regedit.com - same message
3. BUT - the shutdown command WORKED.
4. I saved the fix.reg to another computer and brought it back over to the infected (I'm using a flashdrive) --Same message as above
5. I saved the fixreg.com executable to the desktop - when I double-click on it, a window with a black background flashes for a split second, then disappears. The window takes up the upper-left quarter of the screen. I clicked on it a few times so I could maybe get a persistent image as it flashed, and it appears that the window title is Commands and Settings.
PS. Microsoft Word, Excel, Pagemaker all open. Acrobat does nothing when clicked; Dreamweaver gives the "application failed to start" message. Notepad, of course, gives the error message as well. (Those are the only apps I tried.)
6. when I launch Internet Explorer, it brings up a local page:
C:\WINDOWS\blank.mht
The content is for something called TNS SEARCH - TopNetSearch - "Let's begin Your Internet adventures!"
------------
harumph! adventures, Indeed...
---------------
My HijackThis log (in NORMAL mode)
Logfile of HijackThis v1.99.1
Scan saved at 1:25:33 PM, on 7/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\winstall.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
Thank you!
-
Can you get the infected computer to do an online virus scan?
This is almost a must to see what else is hiding
From my signature below try one at Panda's please
Just before running the scan
If at all possible
Can you do the following
From the run command
type in taskmgr.exe
See if that brings up the taskmanager
Under the processes tab end process on the following if running
winstall.exe
elat.exe
and then finally
explorer.exe
All your icons will disappear, don't worry about it
Close task manager
and then run the scan at Panda's
If that won't work for you
Can you open Hijackthis>>Open Misc tools section>>Open Process manager
Kill the above processes
If it still won't work, carry on with the scan at Panda's
Are you able to run this version of Hijackthis and fix the entries I asked?
Just save it to a different folder and give it a try
http://computercops.biz/zx/Merijn/hijackthis1982.zip
It's a zipped file, so you will have to unzip it first
-
1. Panda ActiveScan reported "Your PC contains spyware that ActiveScan cannot disinfect." Then it suggests I use a Panda solution capable of disinfecting spyware. The report is at the bottom of this post, after the HT log.
2. Was not able to run task manager from the Run window (same error as before) but was able to run it from HijackThis. I noticed that this was one of the processes:
WINDOWS\System32\l?ass.exe
But you did not ask me to remove it, so I did not
-------------------
3. Hijack This Errors: Same 5 as noted in an earlier post
Hijack This log: (in NORMAL mode, log saved after I "fixed Checked")
Logfile of HijackThis v1.98.2
Scan saved at 10:25:09 AM, on 7/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\WINDOWS\Explorer.exe
C:\HJT3\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxSzNn] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxSzNn
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
----------------------
ActiveScan Report
Incident Status Location
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/azesearch No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\FAVORITES\LEISURE\Anime sites.url
Adware:adware/quicksearch No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF
Adware:adware/cws.searchmeup No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Car Insurance.url
Adware:adware/purityscan No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\!update.exe
Adware:adware/spysheriff No disinfected C:\winstall.exe
Adware:adware/ilookup No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\FAVORITES\Gambling
Adware:adware/spywareno No disinfected HKEY_CURRENT_USER\SOFTWARE\SNO
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Virus:Trj/Sachek.A Disinfected C:\WINDOWS\system32\1906902093.exe
Virus:Trj/Pdpinch.Q Disinfected C:\WINDOWS\system32\abc.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\l?ass.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Virus:Trj/Downloader.DLH Disinfected C:\WINDOWS\system32\vxgame1.exe
Virus:Trj/Downloader.DSV Disinfected C:\WINDOWS\system32\vxgame2.exe
Virus:Trj/Agent.EY Disinfected C:\WINDOWS\system32\vxgame3.exe
Virus:Trj/Clicker.HA Disinfected C:\WINDOWS\system32\vxgame4.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxgame6.exe
Virus:Trj/Sachek.A Disinfected C:\WINDOWS\system32\vxgamet1.exe
Virus:Trj/Downloader.DOC Disinfected C:\WINDOWS\system32\vxh8jkdq1.exe
Virus:Trj/Downloader.DHI Disinfected C:\WINDOWS\system32\vxh8jkdq5.exe
Virus:Trj/Downloader.CRY Disinfected C:\WINDOWS\system32\vxh8jkdq6.exe
Virus:Trj/Downloader.DOC Disinfected C:\WINDOWS\system32\vxh8jkdq8.exe
Virus:Trj/Downloader.DEW Disinfected C:\WINDOWS\system32\web.exe
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\zolker005.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolb005.dll
-------
Thank you...
-
You're able to run some apps, but not all
I see you have a Regcleaner installed, can you access the registry with it
What version is it exactly
Let's try the following
I should have had you end process on l?ass.exe, it is a bad guy, but not the one causing your worst problems
Panda's may have taken care of it if it weren't running
With process manager of Hijackthis
End process on the following
C:\WINDOWS\System32\l?ass.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe <--I'm not sure what this is related to, we'll worry about it later
Can you delete any backups made by Hijackthis 1.99.1
Also remove your version of Hijackthis 1.99.1
Redownload it from my signature below
Save to a different folder on your drive
Don't get rid of Hijackthis 1.98.2
Could you also delete your version of SmitRem folder
I need you to redownload it, let's make sure it's the latest version
==Download SmitRem.zip (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1)
UNZIP the folder within to your desktop.
==Download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip). *In the event you already have Killbox, this is a new version that I need you to download.
* UNZIP it to your desktop or a folder
Let's see if you can run Killbox
But first Open the Run command and type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- svchost.exe (moto)
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Run Pocket KillBox.exe
In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C
Killbox files to highlight between dotted lines
===================================================
C:\WINDOWS\SYSTEM32\vx.tll
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\FAVORITES\LEISURE\Anime sites.url
C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Car Insurance.url
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\!update.exe
C:\winstall.exe
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\FAVORITES\Gambling
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\WINDOWS\system32\l?ass.exe
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\zolker005.dll
C:\WINDOWS\system32\ztoolb005.dll
C:\WINDOWS\vr_sys.dll
C:\WINDOWS\svchost.exe
===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer doesn't restart
Please Restart it now manually into Safe Mode
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
==Open the SmitRem folder>>Make sure you unzipped this, then double click the RunThis.bat file to start the tool. Read and Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
Remain in safe mode if prompted
The tool will create a log named smitfiles.txt>>Located here C:\smitfiles.txt
I'll need to see it later
Try running Ewido again, let's see if it will work now
In safe mode
Try running Hijackthis 1.99.1 again
If it will run can you try fixing these entries please
If not use 1.98.2, not all will be visible
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxSzNn] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxSzNn
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Fix checked with all other windows closed
Afterwards
Try this with Hijackthis 1.99.1
Open Misc tools section>>Open "Delete an NT service">>type the following into the box and then hit OK
moto
If asked to reboot, reboot now back to Normal mode
If in use and won't remove go back to services.msc and stop "svchost.exe (moto) from running again and then try the above
Back in Normal
Can you go to this link
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file on your hard drive
C:\PROGRA~1\SOFTWA~1\soproc.exe <-file
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results which includes name of file
Do the same with this file, Panda's didn't find anything wrong with it but I would like to check for myself
C:\WINDOWS\SYSTEM32\wininet.dll <-file
Can you also do the following please
Delete your versions of notepad.exe
from the C:\Windows and C:\Windows\System32 folders
Download the file I uploaded notepad_xp.zip
Unzip it to both the Windows and System32 folders
I want to see why you can get a Hijackthis log to work, but not run Notepad from the run command
Try opening Notepad now
Also, if notepad won't open, can you Open Hijackthis>>Open Misc tools Section>>Open Hosts file Manager>>Click the "Open in Notepad" button
Does a Hosts text file open?
If so can you copy and paste that text file back here
Post a fresh hijackthis log and the text file from RunThis.bat
Crossing my fingers, but also include the Report from Ewidos if you happen to get it to run
-
1. Microsoft RegClean 4.1.7364.1
2. I ended both processes
3. Can you delete any backups made by Hijackthis 1.99.1 Also remove your version of Hijackthis 1.99.1 Redownload it from my signature below Save to a different folder on your drive
Don't get rid of Hijackthis 1.98.2
DONE
4. Could you also delete your version of SmitRem folder. I need you to redownload it, let's make sure it's the latest version
DONE
5. But first Open the Run command and type in services.msc Hit OK
In the next window, look on the right hand side for this service
name---- svchost.exe (moto)
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
ERROR message:
(Window Title - Microsoft Management Console) MMC failed to initialize because it was installed incorrectly or because a portion of the registry has become corrupted. Make sure the file Mmcndmgr.dll is registered by running "regsvr32 %SystemRoot%\system32\mmcndmgr.dll".
----------
6. Run Pocket KillBox.exe DONE
7. RunThis.bat DONE
8. Try running Ewido again, let's see if it will work now
WON'T RUN = same message as always
9. Try running Hijackthis 1.99.1 again
If it will run can you try fixing these entries please
hijackthis 1.99.1
These files were not in the list
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
NO ERRORS were generated
-----
10. Open Misc tools section>>Open "Delete an NT service">>type the following into the box and then hit OK
moto
ERROR message:
The service 'moto' is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window.
I tried to disable it with HijackThis, but same message.
11. Jotti's Online Malware scan - scan results
------
File: soproc.exe
Status: OK
MD5 df0f13ebfc629ed43b66fe391f3b8e28
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
------
File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 96e9cbb9f5b7faca709d87f49183ae5f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
------
12. I want to see why you can get a Hijackthis log to work, but not run Notepad from the run command
I've never opened a HT log on the infected computer - I copy it to my flash drive and bring it to another computer.
BUT I downloaded your attached notepad, deleted the two existing ones and replaced them with yours. Same error as before
------
13. host text file - won't open in notepad, but the only listing is:
127.0.0.1 localhost
-------
-------
Logfile of HijackThis v1.99.1
Scan saved at 11:05:55 AM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT1991\hijackthis-3.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
-----------
SMITREM LOG FILE:
smitRem log file
version 2.2
by noahdfear
The current date is: Thu 07/28/2005
The current time is: 11:03:26.51
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
-------
Thank you
-
Can you try the following please, let's eliminate this problem
Navigate to C:\WINDOWS\SYSTEM32\mmcndmgr.dll
Delete mmcndmgr.dll
Restart your computer
This file will be replaced when you restart
Go to the Run command again and copy and paste the following in bold
regsvr32 C:\WINDOWS\SYSTEM32\mmcndmgr.dll
Hit OK
Restart again into safe mode
try entering services.msc again
Disable svchost.exe (moto) if possible
Continue
In safe mode
run HijackThis, check this entry and click Fix checked
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Boot back to normal mode
Back in Normal mode
Could you also Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/
This is good for 30 days
After installation you will have to manually update the Latest Ruleset
Important>>
Go to this link
http://www.trojanhunter.com/trojanhunter/updating/
Download the Latest Ruleset to desktop
Unzip it to your Trojan Hunter folder
Allow to overwrite if prompted
The default location should be C:\Program Files\TrojanHunter
Restart into safe mode and
Run a full system scan
Let it clean what it finds
Save a log later; it's been some time since I had it installed, but I believe the option is in the menu bar
and then restart your computer back into Normal mode
Back in Normal mode
Post a fresh hijackthis log and a log from TrojanHunter please if you can run it
-
I was out of town since Friday - didn't get to try this until this morning...
1. Navigate to C:\WINDOWS\SYSTEM32\mmcndmgr.dll
Delete mmcndmgr.dll
Restart your computer
DONE
2. Go to the Run command again and copy and paste the following in bold
regsvr32 C:\WINDOWS\SYSTEM32\mmcndmgr.dll
Hit OK
GOT ERROR MESSAGE:
LoadLibrary("C:\WINDOWS\SYSTEM32\mmcndmgr.dll") failed - This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
3: Restart again into safe mode
try entering services.msc again
ERROR MESSAGE:
MMC failed to initialize because it was installed incorrectly or because a portion of the registry has become corrupted. Make sure the file mmcndmgr.dll is registered by running "regsvr32 %SystemRoot%\SYSTEM32\mmcndmgr.dll
4. Disable svchost.exe (moto) if possible
COULD NOT
5. Boot back to normal mode
Back in Normal mode
Could you also Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/
Trojanhunter.exe won't run. SAME MESSAGE: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem"
------
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 1:12:18 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT1991\hijackthis-3.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)
Thank you
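As an added illustration, not code from this thread or from HijackThis itself, of why the helper singles out the "svchost.exe (moto)" entry: a small Python parser for HijackThis O23 service lines that flags a service whose binary carries a core Windows process name but lives outside System32, and separately marks orphaned entries whose file is missing. The sample lines are constructed in the same shape as the log above; the watched name set and the System32 check are my assumptions, not a HijackThis rule.

```python
import re

# Constructed sample in HijackThis O23 format, shaped like the log above.
SAMPLE_LOG = """\
O23 - Service: ewido security suite guard - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\\WINDOWS\\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\\PROGRA~1\\COMMON~1\\X10\\Common\\x10nets.exe (file missing)
"""

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption: core Windows process names that should only run from System32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}


def parse_o23(line):
    """Return a dict for an O23 line, or None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"), "short": m.group("short"),
        "owner": m.group("owner"), "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def classify(svc):
    """'masquerade': system-binary name outside System32; 'orphaned': binary gone."""
    directory, _, name = svc["path"].lower().rpartition("\\")
    if name in SYSTEM_BINARIES and not directory.endswith("\\system32"):
        return "masquerade"  # e.g. C:\WINDOWS\svchost.exe instead of System32
    if svc["file_missing"]:
        return "orphaned"    # leftover registration, no binary on disk
    return "ok"


def triage(log_text):
    """Classify every O23 line; returns (display, short name, verdict) tuples."""
    services = (parse_o23(line) for line in log_text.splitlines())
    return [(s["display"], s["short"], classify(s)) for s in services if s]
```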
-
We have to get you running some tools on your computer
Do you have your Windows CD handy?
Let's do the following please
Read this page on how to do a Windows Repair
http://www.michaelstevenstech.com/XPrepairinstall.htm
Read it carefully, follow the instructions closely
Let's hope you can get everything running afterwards
Then can you post a fresh hijackthis log from Normal mode please
-
I recently came across the same problem with SpySheriff, and these are some new files/folders I encountered.
C:/Program Files/auss/
C:/Program Files/ubnn/ahla.exe
C:/Program Files/ubnn/osol/
Some of the files mentioned had different names, and some were in different locations than I found in the HijackThis log.
I followed your instructions, and I'm glad I found this thread or I may have been looking at a full reinstall. Thanks for the info and help.
Also, to anyone who is looking into this: don't run the cleaner without hijackthis.exe or else you may end up deleting the Windows CD key registration. I found out the hard way and had to repair Windows just to log on.
-
As the original poster has not returned
I'll lock this topic
-
Reopened upon request, sorry cammac2 I didn't see your PM earlier
-
Thank you - I will re-run what was in your last instructions and post.
-
I'm not at my computer, just post a fresh hijackthis log
Don't worry about the last instructions right now
I'll take a look at your log later and we'll go from there
That was me
~guestolo~
-
Since the original poster has not returned
I'll lock this topic
cammac2, if you still need a hand, please start a new post