Topic: Another victim of SmartSecurity

boastercoaster
« on: April 30, 2005, 01:00:15 PM »
It seems you are the man to contact about this dumb red-screen SmartSecurity. Here is my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 1:54:37 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\crwk32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ntus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hoauc.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {516B1C67-B52D-E97F-A80D-D6C5DBCBFE0A} - C:\WINDOWS\sdkbf.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.
« Last Edit: April 30, 2005, 01:02:31 PM by boastercoaster »

guestolo
« Reply #1 on: April 30, 2005, 01:44:35 PM »
I see another problem on your computer besides Smart Security.
Unfortunately, you have either done some fixing with HijackThis or are controlling entries with msconfig.
Not that there's anything wrong with that, but you may be hiding malicious activity.

Could you go to start>>Run>>type in
msconfig
Hit OK
Enable all startup items
Do a Normal startup

You shouldn't have to restart your computer, but post back a fresh HijackThis log afterwards.
Also, if you have done fixes with HijackThis: open HijackThis,
view the list of backups and restore all backups before doing another scan and posting back a fresh log.
« Last Edit: April 30, 2005, 01:45:00 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


boastercoaster
« Reply #2 on: April 30, 2005, 01:59:33 PM »
I did as you said and here is a new log

Logfile of HijackThis v1.99.1
Scan saved at 2:56:39 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\crwk32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ntus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5EB8144B-6EF2-7346-72E4-ADB028205C5E} - C:\WINDOWS\system32\nethk32.dll
O2 - BHO: (no name) - {770CE589-D47C-9567-46F4-E4E08B3366BC} - C:\WINDOWS\ipxe.dll
O2 - BHO: (no name) - {E902A02C-DD59-5DE4-624F-8012F9AFA9B9} - C:\WINDOWS\apptr32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Vaf] C:\WINDOWS\System32\Hac.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Ocg] C:\WINDOWS\System32\Iki.exe
O4 - HKLM\..\Run: [Gqb] C:\WINDOWS\System32\Hdu.exe
O4 - HKLM\..\Run: [d3ii.exe] C:\WINDOWS\system32\d3ii.exe
O4 - HKLM\..\Run: [Cga] C:\WINDOWS\System32\Hos.exe
O4 - HKLM\..\Run: [atljw32.exe] C:\WINDOWS\system32\atljw32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

guestolo
« Reply #3 on: April 30, 2005, 02:04:39 PM »
I need to look for something
Can you download Files.zip and UNZIP the folder within to desktop
or another folder

Open the folder and double click on find.bat
Wait for the scan to finish and a log will be produced

Can you post the log back here, thanks
« Last Edit: April 30, 2005, 02:05:01 PM by guestolo »



boastercoaster
« Reply #4 on: April 30, 2005, 02:37:41 PM »
Does this scan take a while? It has been 10 mins or so and it says scanning for files.

boastercoaster
« Reply #5 on: April 30, 2005, 02:53:20 PM »
When I hit run, a window labeled C:\Windows\system32\cmd.exe comes up and it says "XFind.com" is not recognized as an internal or external command, operable program or batch file.  Notepad also opens with the "scanning for files" text.

guestolo
« Reply #6 on: April 30, 2005, 02:59:14 PM »
The only way I can reproduce your problem is if I don't UNZIP Files.zip first
You can't run this from within the zipped archive

As I said, UNZIP the contents to desktop or another folder
Then open the folder you UNZIPPED and then run find.bat



boastercoaster
« Reply #7 on: April 30, 2005, 03:02:07 PM »
clninst.bat   C:\program files\Symantec_Client_Security\Symantec antivirus

msdtcvtr.bat  c:\windows\system32\msdtc\trace



If I do a *.bat search these come up.  Don't know if that means anything.

guestolo
« Reply #8 on: April 30, 2005, 03:04:55 PM »
I don't know what this has to do with anything I asked you to do :unsure:
Download Files.zip and save it to a folder
Choose save to disk rather than Open

UNZIP it and then open the folder you unzipped and run files.bat
« Last Edit: April 30, 2005, 03:06:08 PM by guestolo »



boastercoaster
« Reply #9 on: April 30, 2005, 03:09:07 PM »
That is exactly what I am doing.  But I still get the 2 windows.  How long does a scan usually take?

guestolo
« Reply #10 on: April 30, 2005, 03:14:37 PM »
Open the folder you unzipped
Double click on Xfind.com
A window will open and close
Then double click on find.bat>>When it's done, which shouldn't take that long
A text file called files.txt will be placed in the same folder
Copy and paste that back here

If you can't get it to run we'll have to try alternate methods
But as I said, the only way I can reproduce your problems is if you didn't save and then UNZIP the file I uploaded for you



boastercoaster
« Reply #11 on: April 30, 2005, 04:02:11 PM »
»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
Scanning for file(s)...
 
* result-> C:\WINDOWS\DESKTO~1.HTM
* result-> C:\WINDOWS\FHR~1.HTM
* result-> C:\WINDOWS\POPUP~1.HTM
 

Sorry it took so long, pizza arrived.  I finally got it to work.

guestolo
« Reply #12 on: April 30, 2005, 04:41:37 PM »
Let's get to work and clean this machine
Pizza>>I know what I'm having for dinner later, that sounds good :P

I'm going to ask you to download a few tools, all are free
and don't take long to run
Only Ewido takes some time, but please try and do everything I ask as you have a couple different infections

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" UNCHECK "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that in the next step
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
We'll need it later

==Download to a folder
About:Buster.zip
by RubbeR Ducky
UNZIP the contents to desktop or a folder; a folder will be placed on your desktop or wherever you unzipped it to
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

==Download and UNZIP to a folder
Removal.zip, so you now have a folder unzipped called "Removal"
We'll need this later

==Download and UNZIP to a folder Cwsserviceremove.zip
So you have cwsserviceremove.reg unzipped to the same folder
We'll need this later

==From my signature below, download and save to a folder CWShredder.exe
Don't run it yet

==Could you next
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

==Please  save these instructions to a Notepad file and save it to your Desktop or a folder for reference, I will need you to restart into safe mode soon and stay disconnected from the Internet

==Access your Add/Remove programs and remove if found
SurfSideKick
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer
Win-Tools for IE

Do not reboot until they have all been removed even if prompted.
# When you are uninstalling the last program you can then reboot when prompted

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

==Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Workstation NetLogon Service

Double click on it--- STOP the service-- If running
In the drop down menu, change the startup type to Disabled

Open your Task manager and kill these processes if still running
crwk32.exe
ntus.exe


Open the Removal folder you unzipped and double click on Removal.bat
A dos window will open and close quickly, this is normal
Say yes to import the registry file

Find and delete these folders if found
C:\Program Files\SurfSideKick 2 <-this folder
C:\Program Files\Toolbar <-folder
C:\Program Files\Common Files\WinTools <-folder

Stay in safe mode
==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

====Double click on cwsserviceremove.reg and allow it to merge to the registry

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

====Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

==Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, but fix what appears

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5EB8144B-6EF2-7346-72E4-ADB028205C5E} - C:\WINDOWS\system32\nethk32.dll
O2 - BHO: (no name) - {770CE589-D47C-9567-46F4-E4E08B3366BC} - C:\WINDOWS\ipxe.dll
O2 - BHO: (no name) - {E902A02C-DD59-5DE4-624F-8012F9AFA9B9} - C:\WINDOWS\apptr32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)

O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Vaf] C:\WINDOWS\System32\Hac.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Ocg] C:\WINDOWS\System32\Iki.exe
O4 - HKLM\..\Run: [Gqb] C:\WINDOWS\System32\Hdu.exe
O4 - HKLM\..\Run: [d3ii.exe] C:\WINDOWS\system32\d3ii.exe
O4 - HKLM\..\Run: [Cga] C:\WINDOWS\System32\Hos.exe
O4 - HKLM\..\Run: [atljw32.exe] C:\WINDOWS\system32\atljw32.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Run CWShredder.exe, click the FIX button and let it fix what it finds

===RESTART the computer back to Normal mode
Back in Windows

===Look for a file called shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
 Under the  Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

==Do the following
1. In the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or  Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

I'm going to ask that you post back a number of logs
Try and supply them all, thanks

Post back with a fresh Hijackthis log
Also, post the logs from About:Buster
Include the report from Ewido's trojan scanner

I want to check to see if your hosts file was edited
Could you do the following
==Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of this notepad file too

Could you run Find.bat you unzipped earlier and post a new log when it's done

Also let me know if you have Spybot 1.3 installed, I'm just checking!!!

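The entries guestolo picks out above for fixing share a few recognisable shapes: IE search and start pages pointed into a DLL through a res:// URL, browser helper objects with "(no name)" and a random file name, Run keys that are either named after their own executable or are three random letters pointing at a three-letter executable in the Windows directory, and a service whose display name is binary garbage with "Unknown owner". The following script is an added example, not code from this thread, from HijackThis, or from the tools guestolo links; it parses lines in the HijackThis v1.99 log format and flags those shapes so a helper can triage a log mechanically. The sample log is constructed from the shapes seen in this thread (the O1 hosts line, which the thread's logs do not contain, uses an RFC 5737 documentation address), the rules are heuristics rather than a malware signature, and WINDOWS_DIRS assumes the XP default of C:\WINDOWS.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis v1.99.1 logs in this thread,
# mixing hijack indicators with benign entries for contrast. The O1 line is
# constructed with a documentation IP (RFC 5737) and is not from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pddtw.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 192.0.2.10 www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {770CE589-D47C-9567-46F4-E4E08B3366BC} - C:\WINDOWS\ipxe.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Vaf] C:\WINDOWS\System32\Hac.exe
O4 - HKLM\..\Run: [crwk32.exe] C:\WINDOWS\crwk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntus.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Search/start pages that resolve into a DLL resource instead of a web page.
RES_DLL = re.compile(r"=\s*res://.+?\.dll/", re.IGNORECASE)
O1_HOSTS = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: Windows XP installed in C:\WINDOWS (adjust for C:\WINNT and the like).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (lower-cased directory, file name) of the executable in a Run command line."""
    m = re.match(r'"?(?P<full>[A-Za-z]:\\.+?\.exe)', cmd, re.IGNORECASE)
    if not m:
        return "", ""
    directory, _, filename = m.group("full").rpartition("\\")
    return directory.lower(), filename


def classify(line: str) -> str:
    """Return a reason string if the log line matches a hijack shape, else ''."""
    if line.startswith(("R0 - ", "R1 - ")) and RES_DLL.search(line):
        return "IE search/start page points into a DLL via res://, a search-hijack signature"
    if line.startswith("R3 - ") and "missing" in line:
        return "default URLSearchHook has been removed"
    m = O1_HOSTS.match(line)
    if m:
        if m["ip"] in ("127.0.0.1", "::1"):
            return f"hosts file blocks {m['host']} by pointing it at loopback"
        return f"hosts file redirects {m['host']} to {m['ip']}"
    m = O2_BHO.match(line)
    if m:
        directory, _ = split_command(m["path"].replace(".dll", ".exe", 1))
        if m["name"] == "(no name)":
            return "browser helper object with no name; check the DLL it loads"
        if directory == r"c:\windows":
            return "browser helper object loaded from the Windows root directory"
        return ""
    m = O4_RUN.match(line)
    if m:
        directory, filename = split_command(m["cmd"])
        key = m["key"]
        if directory in WINDOWS_DIRS and key.lower() == filename.lower():
            return "autostart named after its own file in the Windows directory"
        if directory in WINDOWS_DIRS and re.fullmatch(r"[A-Za-z]{3}", key) \
                and re.fullmatch(r"[A-Za-z]{3}\.exe", filename):
            return "three-letter random key name and file name in the Windows directory"
        return ""
    m = O23_SVC.match(line)
    if m:
        # Localised services can legitimately carry non-ASCII names; control
        # characters and high-bit garbage in an English XP install are not normal.
        if any(ord(ch) > 126 or ord(ch) < 32 for ch in m["name"]):
            return "service display name contains non-printable or non-ASCII characters"
        if m["owner"] == "Unknown owner":
            return "service has no publisher information; verify the binary"
    return ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every flagged entry in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reason = classify(line)
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"[FLAG] {flagged_line}\n       {why}")
```

The rules are deliberately narrow: a legitimate autostart in system32 such as NeroCheck.exe or a signed Symantec service passes untouched, while every entry guestolo lists for fixing trips one of them. A flag means "look at this", not "delete this"; the file behind it still has to be checked before it goes into the FIX CHECKED list.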


guestolo
« Reply #13 on: April 30, 2005, 04:47:40 PM »
I forgot to upload Removal.zip, here it is
Sorry, and this is an important step :lol:



boastercoaster
« Reply #14 on: April 30, 2005, 04:50:37 PM »
Thanks.. This will take a bit but I will try to follow exactly and get back with you.  Get back with me at your convenience afterwards.

boastercoaster
« Reply #15 on: April 30, 2005, 09:40:05 PM »
Logfile of HijackThis v1.99.1
Scan saved at 10:22:26 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Naramor\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O15 - Trusted Zone: http://launch.yahoo.com
O15 - Trusted Zone: http://radio.music.yahoo.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         9:54:26 PM, 4/30/2005
 + Report-Checksum:      802A6291

 + Date of database:      5/1/2005
 + Version of scan engine:   v3.0

 + Duration:            22 min
 + Scanned Files:         18540
 + Speed:            13.87 Files/Second
 + Infected files:         71
 + Removed files:         71
 + Files put in quarantine:      71
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\
   G:\

 + Scan result:
   C:\dkload.exe -> TrojanDownloader.Small.vg -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\02B52AD6-8E82-4465-AEDB-B85688\6E7C4ABF-8205-439E-B443-F08C97 -> Spyware.Altnet.c -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\54A4A3AC-58BA-449A-9050-993E25\85C62CB7-30F5-4E2A-B256-2F0BD0 -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\7C562B22-B470-4DDE-86D0-761C98\832C5685-D0D8-4F7D-A0C4-B96DFF -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\9B908EE8-46AE-4CAD-ABFA-0CA2BA\FA02292E-E9A3-4498-9503-919DE1 -> Spyware.Wintol.y -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\9B908EE8-46AE-4CAD-ABFA-0CA2BA\FA79F0E8-E607-424C-979C-E1CC14 -> TrojanDownloader.Wintool.f -> Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\D5499A1D-D033-4F17-A251-D9D5CB\BBEC677D-48B2-4F6E-B2A8-84A5F1 -> Spyware.Sahat.l -> Cleaned with backup
   C:\w.exe -> TrojanDownloader.Small.aod -> Cleaned with backup
   C:\WINDOWS\addrf.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\apicl32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\apiqq.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\appmv32.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\appxn32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\d3rk32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\diyju.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\dljhu.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\ehlhz.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\fmtvj.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\gzfuj.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\hgbyr.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\hrogb.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\hwofb.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\iszey.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\javavl.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\jdswr.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\mfcpd32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\mfcqd32.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\netiz.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\nifzc.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\npprw.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\ntbc.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\ntvl.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\nvcpf.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\pcbvk.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\qacak.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\qjbjq.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\rxlrt.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\sdkgo.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\sdkiz32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\sdkln.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\sdklo32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\addif.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\apilv32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\apixz32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\atlex32.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\d3cp.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\dqymi.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\eiikk.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\fetpy.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\fuguo.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\gxrfh.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\hoauc.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\iell.exe -> Trojan.Agent.bi -> Cleaned with backup
   C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\WINDOWS\system32\javaom32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\javaph.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\jlcbg.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\mxjqn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\netlp32.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
   C:\WINDOWS\system32\ntrf32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
   C:\WINDOWS\system32\piygt.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\stqhe.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\sujgp.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\tibs.exe -> TrojanDownloader.Small.my -> Cleaned with backup
   C:\WINDOWS\system32\uvbjy.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\wuwkn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\xzgnn.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\system32\zkylq.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\xfiib.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\yrjfl.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
   C:\WINDOWS\ysxzm.dll -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End
 **** Run Keys ****

RUN: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
RUN: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
RUN: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


 **** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


 **** IE Toolbars ****



 **** IE Extensions ****



 **** Hosts File Entries ****



 **** IE Settings ****

Default Page: http://www.google.com
Default Search: http://www.google.com

Scanned at: 9:24:57 PM   on: 4/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\cvajk.dat
Removed! : C:\WINDOWS\jolyz.dat
Removed! : C:\WINDOWS\mfhaz.dat
Removed! : C:\WINDOWS\zopke.dat
Removed! : C:\WINDOWS\System32\ceqcp.dat
Removed! : C:\WINDOWS\System32\idxlo.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


 »»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
Scanning for file(s)...


Should there be more there?




As I was posting these reports my desktop turned from blue to tan and all the icons are gone.. It says it cannot find the hosts file in the HijackThis Hosts File Manager.

boastercoaster
« Reply #16 on: April 30, 2005, 09:44:55 PM »
From blue to tan from prior post.  Should I turn the folder setting back to hidden eventually?

boastercoaster
« Reply #17 on: April 30, 2005, 09:46:53 PM »
Now it went back to blue with icons.. Maybe it was from one of the reports I ran?

guestolo
« Reply #18 on: May 01, 2005, 03:03:59 AM »
You're doing fine, but I can't help you unless you carry on with ALL the instructions
Don't just stop halfway through
Post back with everything I asked for
« Last Edit: May 01, 2005, 03:05:42 AM by guestolo »



guestolo
« Reply #19 on: May 01, 2005, 03:11:03 AM »
Post back with all the logs I asked for; if you did, that's fine
Don't get ahead of yourself
