Topic: hijackthis log -> smart security virus

coche

hijackthis log -> smart security virus
« on: January 19, 2005, 12:16:14 PM »
hi guys,
i've read the threads in here regarding the smart security virus and still haven't been able to get rid of the bugger! although much of the advice is pretty helpful, it still hasn't helped me finalize it. my web is still hijacked (search engines display odd results), my browser is having problems downloading stuff (can't update anything on Microsoft's site) and overall it's a bit slower.

thanks in advance for your help

coche

heres the hijackthis log




Logfile of HijackThis v1.99.0
Scan saved at 10:21:23 AM, on 1/19/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}\SVCHOST.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\COCHE\Application Data\eetu.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Macromedia\Flash MX 2004\Flash.exe
C:\DOCUME~1\COCHE\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\COCHE\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\System32\cidaemon.exe
C:\HIJACKTHIS\HijackThis.exe
C:\WINDOWS\jabsrv.exe
C:\WINDOWS\jchsrv.exe
C:\WINDOWS\slsfsrv.exe
C:\WINDOWS\kdwlsrv.exe
C:\WINDOWS\yzmtsrv.exe
C:\WINDOWS\knwxsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erraticadesign.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}\SVCHOST.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YzafSrv32] C:\WINDOWS\yzafsrv.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\COCHE\Application Data\eetu.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DeskColor.lnk = C:\Program Files\DeskColor\DeskColor.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105829836695
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0ED217DD-9367-4B54-9515-281BDF89F81B}: NameServer = 151.202.0.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{0ED217DD-9367-4B54-9515-281BDF89F81B}: NameServer = 151.202.0.84
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Alias Documentation Server - Unknown - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SPM License Server - Unknown - C:\WINDOWS\System32\spm\spmd.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

guestolo
hijackthis log -> smart security virus
« Reply #1 on: January 19, 2005, 05:28:27 PM »
Download and Install Windows CleanUp! by StevenGould
Install for now but Don't run a scan yet
This will clean all your temp folders, cookies, prefetch folder, etc....

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Don't let it run a scan yet

 Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Restart your computer into SAFE MODE

In safe mode Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}\SVCHOST.EXE
C:\Documents and Settings\COCHE\Application Data\eetu.exe
C:\DOCUME~1\COCHE\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\COCHE\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\jabsrv.exe
C:\WINDOWS\jchsrv.exe
C:\WINDOWS\slsfsrv.exe
C:\WINDOWS\kdwlsrv.exe
C:\WINDOWS\yzmtsrv.exe
C:\WINDOWS\knwxsrv.exe

Find and delete these files or folders in bold if they exist

FILES
C:\WINDOWS\jabsrv.exe
C:\WINDOWS\jchsrv.exe
C:\WINDOWS\slsfsrv.exe
C:\WINDOWS\kdwlsrv.exe
C:\WINDOWS\yzmtsrv.exe
C:\WINDOWS\knwxsrv.exe
C:\WINDOWS\yzafsrv.exe
C:\Documents and Settings\COCHE\Application Data\eetu.exe
c:\counter.cab
wmiprvsc.exe <--do a search for this one, it may not exist

FOLDERS
C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}\SVCHOST.EXE

O4 - HKLM\..\Run: [YzafSrv32] C:\WINDOWS\yzafsrv.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\COCHE\Application Data\eetu.exe

O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Open Windows CleanUp! and click on the CleanUp button
Let it Finish Scanning for files and when it prompts you to Log off
Don't do so at this time, close out the program and stay in safe mode

Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal Mode

You should do an Online virus scan at either or both of these
Trend Micro's
http://housecall.trendmicro.com/  >>Set to Autoclean
and/or
Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

Post back with a fresh Hijackthis log afterwards
Do what you can before posting back a fresh log, if you can't download Windows Cleanup you should manually delete the contents of your temp folders
or do a Disk Cleanup in safe mode

Could you also let me know what other subfolders you have in this folder
C:\WINDOWS\System32\Services <--this folder

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
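
Added example, not code from the thread or from HijackThis itself: a small Python triage script that parses a log in the format posted above and flags the same classes of entry guestolo singled out for killing or fixing: every O15 Trusted Zone / Trusted IP range line, the R3 URLSearchHook whose file is missing, the O16 ActiveX object pulled from a local file:// path, and O4 autoruns or running processes that start from Temp or Application Data, are a bare filename with no path, are an svchost.exe outside System32, or are a random-looking *srv.exe directly under C:\WINDOWS. The sample input is an excerpt of the first log in this thread; the path heuristics are my own assumptions, not rules built into the tool, and a hit means "look closer", not "delete".

```python
import re

# Sample input: an excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}\SVCHOST.EXE
C:\Documents and Settings\COCHE\Application Data\eetu.exe
C:\DOCUME~1\COCHE\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\jabsrv.exe

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\COCHE\Application Data\eetu.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry line starts with a section code such as R0, O4, O15.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# Assumed markers for locations a normal startup program has no business living in.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\documents and settings\\", "\\docume~1\\")


def suspicious_path(path):
    """Return a reason string if an executable path looks out of place, else None (heuristics are assumptions)."""
    p = path.strip().strip('"').lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\" not in p:
        return "bare filename without a path (resolved through the search order)"
    if name.endswith(".tmp"):
        return "a .tmp file running as a process"
    if name == "svchost.exe" and p != r"c:\windows\system32\svchost.exe":
        return "svchost.exe outside System32"
    if re.fullmatch(r"c:\\windows\\[a-z]{3,5}srv\.exe", p):
        return "random-looking *srv.exe directly under C:\\WINDOWS"
    if any(marker in p for marker in USER_WRITABLE):
        return "executable launched from a user-writable location"
    return None


def parse_log(text):
    """Split a HijackThis log into the running-process list and (code, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (item, reason) findings for the entry classes the thread's helper asked to remove."""
    findings = []
    processes, entries = parse_log(text)
    for proc in processes:
        reason = suspicious_path(proc)
        if reason:
            findings.append((proc, reason))
    for code, body in entries:
        item = f"{code} - {body}"
        if code == "O15":
            findings.append((item, "Trusted Zone / IP range entry (IE security prompts bypassed for that host)"))
        elif code == "R3" and body.endswith("(no file)"):
            findings.append((item, "URLSearchHook pointing at a missing file (orphaned hijacker CLSID)"))
        elif code == "O16" and "file://" in body.lower():
            findings.append((item, "ActiveX object installed from a local file:// path"))
        elif code == "O4":
            # "[name] target" for Run keys, "name.lnk = target" for Startup folder items
            target = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
            reason = suspicious_path(target)
            if reason:
                findings.append((item, reason))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {item}")
```

Run it against a full log saved from the tool by reading the file into `triage()`; the legitimate svchost.exe in System32 and the Symantec service produce no finding, while the Services\{GUID}\SVCHOST.EXE copy, the Temp and Application Data binaries, the pathless wmiprvsc.exe and the *srv.exe files all do, matching what guestolo listed by hand.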


Guest
hijackthis log -> smart security virus
« Reply #2 on: January 19, 2005, 09:06:45 PM »
thank you very much, im gonna give all this a try right now.

cheers!

c

Guest
hijackthis log -> smart security virus
« Reply #3 on: January 19, 2005, 10:08:18 PM »
hi guestolo

i've downloaded all the stuff you mentioned before, restarted the pc in safe mode and ran the hijackthis part, the problem is that it will not let me kill any of the processes.
for the svchost (there's 2 of them > c:\windows\system32\svchost.exe)
the message i get is the following:
the selected process could not be killed, it may have already closed or it may be protected by windows.
this process might be a service, which you can stop from the services applet in admin tools...
went into admin tools but couldn't see any names i could recognize, and i wouldn't dare to erase anything, knowing how little i know about this...
also, in c:\windows\system32 there are well over 1000 exe files (from a to z) all with the same time stamp, i can't delete them because they crash the explorer.
ohhh my this is starting to look to me like a lost cause.
i appreciate your help a lot
and again, thanks in advance

c

Guest
hijackthis log -> smart security virus
« Reply #4 on: January 19, 2005, 10:10:11 PM »
quick correction, all those crazy files are not in the system32 folder, they're in the c:\windows folder..
my bad

c

guestolo
hijackthis log -> smart security virus
« Reply #5 on: January 19, 2005, 10:19:16 PM »
Sorry guest
c:\windows\system32\svchost.exe <--that is a legitimate file, don't try and delete it

I want you to look for C:\WINDOWS\System32\Services subfolder
Open it up and let me know what other folders are in there besides
{1DFB9463-85AD-4CD8-A6F4-37670A7F9A08} this one
Don't confuse the 2



coche

hijackthis log -> smart security virus
« Reply #6 on: January 20, 2005, 12:56:57 PM »
guestolo, you are a lifesaver! i greatly appreciate it.
i managed to erase all those extra exe files i mentioned before (it was well over 4k files!) and followed your instructions step by step afterwards.

there's no other subfolders in the system32\services folder.
but i've noticed 5 other files in the system32 folder (usxxcxzcb.exe, izxczxcr.exe and stuff like that, created around the same time all the other stuff got installed) which definitely cannot be erased. tried in safe mode, ran all the virus/spy software i have and nothing happens to them. they keep on crashing windows.

the performance overall has gone back up to its normal level though, so that is one great improvement.


heres the latest log of hijackthis



Logfile of HijackThis v1.99.0
Scan saved at 11:45:21 AM, on 1/20/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erraticadesign.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DeskColor.lnk = C:\Program Files\DeskColor\DeskColor.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105829836695
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0ED217DD-9367-4B54-9515-281BDF89F81B}: NameServer = 151.202.0.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{0ED217DD-9367-4B54-9515-281BDF89F81B}: NameServer = 151.202.0.84
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Alias Documentation Server - Unknown - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SPM License Server - Unknown - C:\WINDOWS\System32\spm\spmd.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


and once again, tyvm

c

guestolo
hijackthis log -> smart security virus
« Reply #7 on: January 20, 2005, 02:27:38 PM »
All those other 5 files sound bad, but let's make sure, the 2 you showed for sure don't look good

Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/
Use the Browse button at the top of that links page and navigate to this file
c:\windows\system32\usxxcxzcb.exe <--this file, notice the spelling
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here

Do the same for this file
C:\windows\system32\izxczxcr.exe

Do the same for the 3 other files you're unsure about

We'll get rid of them after they're identified
I need the names
