Topic: infected computer PLEASE HELP!!!

bobbyhinojosa
« on: December 05, 2005, 11:56:17 AM »
I don't know how this happened, but my desktop was taken over by this smartsecurity image on my desktop. I cleaned out the viruses with Panda, but now I have a couple of problems. 1. I now have no real control over my desktop (I can't access any background images; I got a picture from a webpage as my background right now to replace the "only solid colors" option this virus left me). 2. Every time I start my computer I get a message that Windows cannot find this file: c:\program Files\common files\microsoft shared\web folders\ibm00001.exe

Can someone help me!!
Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:35 AM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJKTHS\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =  
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =  http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RegAgent] C:\WINDOWS\HPLRA.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = titan.titan1.local
O17 - HKLM\Software\..\Telephony: DomainName = titan.titan1.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = titan.titan1.local
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

guestolo (Administrator)
« Reply #1 on: December 06, 2005, 12:46:17 AM »
==Download and install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0

==Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Download SmitRem.exe by Noahdfear and save the file to your desktop.

Please print the next set of instructions or save them to a Notepad file on your desktop for reference

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - HKLM\..\Run: [RegAgent] C:\WINDOWS\HPLRA.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

Once in safe mode

Find and delete this file if found
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe <-file

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: While Ewido is running, don't open any other windows; let it do its job

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Reboot back to Normal mode

You're not running any Anti-Virus software; that's not a good idea
If you need a free solution
Please download your free version of either AVG or AVAST from these links
AVG 7 by Grisoft
Avast Home Edition by ALWIL

ONLY USE ONE Anti-virus software please, I gave you 2 links to give you a choice
After you install your new AV, make sure it's right up to date and run a full system scan
Afterwards, reboot the computer again

Back in Windows
Post the following back please
1. A fresh hijackthis log
2. The full report from Ewido
3. Post the log made from SmitRem located here C:\Smitfiles.txt

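The entry that explains the startup error in the first post is the F2 line: the Shell value that should read only explorer.exe also names ibm00001.exe, and the long run of spaces in the posted log pushes that second program far to the right so it is easy to miss when reading the log. Below is an added example (not code from this thread, HijackThis or smitRem) of a small Python triage script that reads HijackThis-style log text and reports exactly that kind of entry, plus O4 Run values that name a program without a directory. The sample lines are copied from the log above; the 40-space padding is a constructed stand-in for the whitespace in the posted F2 line, and the Finding class and the 8-space threshold are my own choices. The script only reads the log; the actual repair is the HijackThis "Fix checked" step and the file deletion in safe mode that guestolo describes.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format, taken from the log posted in
# this thread. The run of spaces in the F2 line stands in for the padding in
# the posted value; it pushes the second executable to the right of explorer.exe.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =",
    r"F2 - REG:system.ini: Shell=explorer.exe" + " " * 40
    + r'"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"',
    r"O4 - HKLM\..\Run: [VTTimer] VTTimer.exe",
    r"O4 - HKLM\..\Run: [RegAgent] C:\WINDOWS\HPLRA.EXE",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot',
    r"O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# "O4 - HKLM\..\Run: [Name] command" -> section "O4", body "HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Whitespace-separated tokens, keeping a double-quoted path as one token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Body of an O4 Run-key entry (Global Startup shortcuts do not match).
O4_RUN_RE = re.compile(r"^(?P<hive>[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(text):
    """Return (section, body) pairs for every 'Xn - ...' line; process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def shell_extra_executables(body):
    """For an F2 Shell= entry, return every program named besides explorer.exe.
    Quoted paths are kept whole, so a padded second program is recovered
    however far to the right it sits."""
    _, _, value = body.partition("Shell=")
    if not value:
        return []
    tokens = [t.strip('"') for t in TOKEN_RE.findall(value)]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def longest_whitespace_run(body):
    """Length of the longest run of spaces in the entry (a padding indicator)."""
    return max((len(r) for r in re.findall(r" {2,}", body)), default=0)


def run_entry_program(body):
    """Return (value name, program) for an O4 Run-key entry, else None."""
    m = O4_RUN_RE.match(body)
    if not m:
        return None
    tokens = TOKEN_RE.findall(m.group("cmd"))
    program = tokens[0].strip('"') if tokens else ""
    return m.group("name"), program


def is_bare_filename(program):
    """True when the program has no drive or directory and so resolves via the search path."""
    return bool(program) and "\\" not in program and ":" not in program


def triage(text):
    """Flag Shell= entries that launch anything besides explorer.exe, and Run values
    whose program cannot be located from the log alone."""
    findings = []
    for section, body in parse_entries(text):
        if section == "F2" and "Shell=" in body:
            extra = shell_extra_executables(body)
            if extra:
                reason = "Shell runs %s in addition to explorer.exe" % ", ".join(extra)
                pad = longest_whitespace_run(body)
                if pad >= 8:  # threshold chosen for this example
                    reason += " (value padded with %d spaces to hide it)" % pad
                findings.append(Finding(section, body, reason))
        elif section == "O4":
            parsed = run_entry_program(body)
            if parsed and is_bare_filename(parsed[1]):
                findings.append(Finding(section, body,
                    "Run value [%s] names %s without a directory; it resolves via the "
                    "search path, so locate the file on disk before judging it" % parsed))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s: %s\n    %s" % (f.section, f.reason, f.line.strip()))
```

Run against the sample it reports the F2 entry with the padded ibm00001.exe path and the bare VTTimer.exe Run value; RegAgent and TkBellExe carry full paths and are not flagged, which is the point: the script narrows the log to the entries that need a human decision rather than deciding for you.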


bobbyhinojosa
« Reply #2 on: December 12, 2005, 11:44:55 AM »
Thanks for all of your help. Sorry it took me so long to reply; I had to go out of town. I did everything you said to do, and the desktop seems to be working now. Here are the new logs.



Logfile of HijackThis v1.99.1
Scan saved at 10:41:12 AM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\HJKTHS\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =  http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = titan.titan1.local
O17 - HKLM\Software\..\Telephony: DomainName = titan.titan1.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = titan.titan1.local
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe



---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         10:20:40 AM, 12/12/2005
 + Report-Checksum:      97B22996

 + Scan result:

   C:\Documents and Settings\rosbel\Cookies\rosbel@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\rosbel@valueclick[3].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Documents and Settings\rosbel\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End






   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/12/2005
The current time is: 10:29:11.57

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1860 'explorer.exe'
Killing PID 1860 'explorer.exe'

Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)

guestolo (Administrator)
« Reply #3 on: December 12, 2005, 08:40:34 PM »
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection...."

Additionally, you may also like to have this tool installed
Spybot 1.4 can be downloaded
HERE
or HERE
If you're running an older version, uninstall it beforehand from Add/Remove Programs

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After updating is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish any cleaning process
Do the above after every update

I would opt to hold onto Ewido and CleanUp! also; they're great tools
I'll leave that up to you, but definitely get SpywareBlaster installed!

Stay safe :D
« Last Edit: December 12, 2005, 08:41:51 PM by guestolo »
