Author Topic: Malware Attack  (Read 1805 times)

Offline desmondang1109
Malware Attack
« on: June 28, 2006, 05:15:04 AM »
Hi, my screen suddenly turned black yesterday and there is a warning with a red "X" icon that keeps popping up on the task bar that says

 " Your Computer is in Danger!
Windows Security Center have detected spyware/adware infection!
It is strongly recommended to use special antispyware tools to prevent data loss
Click here to install the latest protection tools! "

Then it installed a program, Brave Sentry (which I have already uninstalled), and now my notepad.exe and I can't install any exe application as well. Once I connect to the internet, my McAfee will detect mass mail being sent out (about 5-10 mails in 30 seconds). Every time I use my Internet Explorer, it will experience an error and close by itself.

Can someone help me take a look at the HijackThis log? Thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:52:38 PM, on 6/28/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\8af60a9c.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Windows\xpupdate.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKLM\..\Run: [ÿ_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [8af60a9c.exe] C:\Documents and Settings\DAD Computer\Local Settings\Application Data\8af60a9c.exe
O4 - HKCU\..\Run: [ÿ_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.turfclub.com.sg/web/Files.nsf/L...le/ticker.class
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Offline guestolo
Malware Attack
« Reply #1 on: June 28, 2006, 10:45:10 PM »
You have no Windows Updates and a badly infected computer.
Let's try the following:

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKLM\..\Run: [ÿ_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [8af60a9c.exe] C:\Documents and Settings\DAD Computer\Local Settings\Application Data\8af60a9c.exe
O4 - HKCU\..\Run: [ÿ_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.turfclub.com.sg/web/Files.nsf/L...le/ticker.class
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll


After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Reboot your computer

Back in Windows:
Use Internet Explorer and run the online Panda ActiveScan:
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.

Post back all the following

1. Post back a fresh HijackThis log
2. Post back the whole report from Panda

3. Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
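As an added illustration (not code from this thread, from HijackThis, or from any tool named in it), the script below parses the O4 and O20 lines of a HijackThis log like the one quoted above and flags the traits a helper looks for when deciding which entries to tick: random hex-named executables, autoruns launched from a Temp directory, garbled entry names, names that imitate Windows Update, the Windows 9x-era RunServices key, and Winlogon Notify DLLs living outside System32. The sample lines are copied from this thread's logs; the heuristics and reason strings are my own assumptions, not HijackThis's.

```python
import re
from typing import List, NamedTuple

# Entries copied from the HijackThis logs posted in this thread (a subset, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKLM\..\Run: [ÿ_zskdsjaxs^jiqbihv[d50inkrwksz_] c:\windows\system32\_zskwrkni05d[vhibqij^sxajsd.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunOnce: [Startup] C:\DOCUME~1\DADCOM~1\LOCALS~1\Temp\ustart.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# HijackThis line shapes handled here: O4 autorun keys and O20 Winlogon Notify packages.
O4_ENTRY = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>.+?)\] (?P<value>.+)$")
O20_ENTRY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)   # e.g. 8af60a9c.exe
PLAIN_NAME = re.compile(r"^[A-Za-z0-9 ._()-]+$")                # what a vendor would name a Run entry
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Reason strings are this example's own wording (assumed, not HijackThis output).
R_TEMP = "autorun launched from a Temp directory"
R_HEX = "random-looking hex filename in an autorun key"
R_NAME = "garbled or non-printable entry name"
R_WU = "entry name imitates Windows Update but the file is outside System32"
R_RUNSVC = "RunServices is a Windows 9x-era key that nothing legitimate on XP should populate"
R_NOTIFY = "Winlogon Notify DLL outside System32"


class Finding(NamedTuple):
    entry: str
    reasons: List[str]


def executable(value: str) -> str:
    """Return the program path from an O4 value, dropping quotes and arguments."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" /")[0]


def reasons_for(line: str) -> List[str]:
    """Run the heuristics over one log line; an empty list means nothing stood out."""
    reasons: List[str] = []
    m = O4_ENTRY.match(line)
    if m:
        exe = executable(m["value"])
        base = exe.rsplit("\\", 1)[-1]
        if TEMP_DIR.search(exe):
            reasons.append(R_TEMP)
        if HEX_NAME.match(base):
            reasons.append(R_HEX)
        if not PLAIN_NAME.match(m["name"]):
            reasons.append(R_NAME)
        if "windows update" in m["name"].lower() and not SYSTEM32.match(exe):
            reasons.append(R_WU)
        if m["key"].lower().endswith("runservices"):
            reasons.append(R_RUNSVC)
        return reasons
    m = O20_ENTRY.match(line)
    if m and not SYSTEM32.match(m["path"]):
        reasons.append(R_NOTIFY)
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return only the lines that tripped at least one heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_for(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry)
        for r in f.reasons:
            print("    ->", r)
```

Heuristics like these only shortlist entries; a clean-looking name such as SystemTools/testtestt.exe still needs a human to compare the path against what the vendor actually installs.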


Offline desmondang1109
Malware Attack
« Reply #2 on: June 29, 2006, 09:43:19 AM »
Hi, I have done the online Panda scan and the report is as follows:


Incident                                                Status           Location

Virus:Trj/Monurl.T                                      Disinfected      Operating system
Adware:adware/adsmart                                   Not disinfected  c:\windows\system32\dlh9jkdq8.exe
Potentially unwanted tool:application/errorguard        Not disinfected  C:\Documents and Settings\DAD Computer\Start Menu\Programs\ErrorGuard
Potentially unwanted tool:application/winantivirus2006  Not disinfected  c:\program files\common files\WinAntiVirus Pro 2006
Adware:adware/bravesentry                               Not disinfected  Windows Registry
Potentially unwanted tool:Application/ErrorGuard        Not disinfected  C:\Program Files\ErrorGuard\ErrorGuard.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\Activate.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\fat.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\VAExt.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\pv.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\asmngr.dll
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\rpt.dll
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\fopn.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Program Files\WinAntiVirus Pro 2006\install.exe
Potentially unwanted tool:Application/SystemDoctor2006  Not disinfected  C:\Program Files\SystemDoctor 2006 Free\updater.exe
Adware:Adware/SystemDoctor                              Not disinfected  C:\Program Files\SystemDoctor 2006 Free\Activate.exe
Potentially unwanted tool:Application/SystemDoctor2006  Not disinfected  C:\Program Files\SystemDoctor 2006 Free\order.dll
Adware:Adware/BraveSentry                               Not disinfected  C:\WINDOWS\system32\dlh9jkdq2.exe
Adware:Adware/Tibs                                      Not disinfected  C:\WINDOWS\system32\dlh9jkdq5.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\WINDOWS\system32\stera.exe
Potentially unwanted tool:Application/Winantivirus2006  Not disinfected  C:\Documents and Settings\DAD Computer\Local Settings\Application Data\hdnojedi.exe
Spyware:Cookie/Cgi-bin                                  Not disinfected  C:\Documents and Settings\DAD Computer\Cookies\dad computer@cgi-bin[2].txt

The new HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:42 PM, on 6/29/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\8af60a9c.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\IEFWBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [8af60a9c.exe] C:\Documents and Settings\DAD Computer\Local Settings\Application Data\8af60a9c.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2005.lnk = C:\Program Files\AdsGone\adsgone.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.turfclub.com.sg/web/Files.nsf/L...le/ticker.class
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

The report by SmitfraudFix is as follows:

SmitFraudFix v2.65

Scan done at 22:38:42.65, Thu 06/29/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dlh9jkdq?.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DAD Computer\Application Data

C:\Documents and Settings\DAD Computer\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DADCOM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo
Malware Attack
« Reply #3 on: July 02, 2006, 11:30:57 AM »
Sorry for the delay.

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:
Select any of the following that apply or are found:

Open it, click >Options over to the left, then >Program Options > uncheck "load at windows startup".
Over to the left click "Shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

==Download the Killbox by Option^Explicit.
* Save it to a folder or the desktop

Save the rest of these instructions to a text file and save it to the desktop; we will need them later.

Immediately go to Add/Remove Programs and uninstall any of the following if they exist:
WinAntiVirus Pro >> SystemDoctor 2006 >> ErrorGuard
Reboot into safe mode afterwards.

In safe mode:
=Open Killbox.exe
Copy the file name below and paste it into the "Full path of file to delete" box in Killbox

c:\windows\system32\dlh9jkdq8.exe
Then click the red circle with the white X
Allow it to delete the file and make a backup

Do the same with the rest of these.
Don't worry about any "file not found" messages.
==================================
C:\Documents and Settings\DAD Computer\Start Menu\Programs\ErrorGuard
C:\Documents and Settings\DAD Computer\Application Data\Install.dat
C:\Documents and Settings\DAD Computer\Local Settings\Application Data\hdnojedi.exe
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\dlh9jkdq2.exe
C:\WINDOWS\system32\dlh9jkdq5.exe
C:\WINDOWS\System32\8af60a9c.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
C:\Windows\xpupdate.exe

=================================

Find and delete these folders
C:\Program Files\SystemDoctor 2006 Free <-this folder
C:\Program Files\WinAntiVirus Pro 2006 <-folder
C:\Program Files\ErrorGuard <-this folder

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\IEFWBHO.dll

O4 - HKLM\..\Run: [8af60a9c.exe] C:\WINDOWS\System32\8af60a9c.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [8af60a9c.exe] C:\Documents and Settings\DAD Computer\Local Settings\Application Data\8af60a9c.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.turfclub.com.sg/web/Files.nsf/L...le/ticker.class
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe


After you have ticked the above entries, close all other open windows.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen with results from the cleaning process;
I'll need to see these later. By default they are also saved at C:\rapport.txt

Reboot back to Normal mode

Come back here and post a fresh HijackThis log and the report from SmitfraudFix (C:\rapport.txt).
Don't install any more removal tools unless advised, please.
They may do more harm than good, or interfere with any fixes we try.
« Last Edit: July 02, 2006, 11:32:31 AM by guestolo »



Offline desmondang1109
Malware Attack
« Reply #4 on: July 02, 2006, 09:29:11 PM »
SmitFraudFix v2.65

Scan done at 10:20:32.54, Mon 07/03/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dlh9jkdq?.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


This is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:25 AM, on 7/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis1991.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2005.lnk = C:\Program Files\AdsGone\adsgone.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks for your help, waiting for your next reply. Thank you so much.
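Added example, not code from this thread or from HijackThis: a small Python triage helper that parses HijackThis-format lines like the log above and lists the entries a helper would check first. The sample lines are constructed from the log's own format; the `[example-entry]` Run key pointing at testtestt.exe is invented to exercise the check.

```python
import re

# Constructed sample in HijackThis v1.99 format: lines modelled on the log above,
# plus one invented "[example-entry]" Run key for the file named in Reply #5.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [example-entry] C:\WINDOWS\System32\testtestt.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')                                   # quoted path with spaces
DRIVE_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys))(?=\s|$)", re.I)
BARE_RE = re.compile(r"([\w~.-]+\.(?:exe|dll|ocx|sys))\b", re.I)       # e.g. Mixer.exe
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")

def extract_path(rest):
    """Return the module/executable path from one entry, or None."""
    for rx in (QUOTED_RE, DRIVE_RE, BARE_RE):
        m = rx.search(rest)
        if m:
            return m.group(1)
    return None

def parse_hjt(text):
    """Return [(section, path, raw_line)] for every O/R/F/N entry in the log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, rest = m.groups()
            entries.append((section, extract_path(rest), raw.strip()))
    return entries

def triage(text):
    """Map path -> review hints (not verdicts: the C-Media Mixer.exe entry is legitimate)."""
    hits = {}
    for section, path, raw in parse_hjt(text):
        if path is None:
            continue
        reasons = []
        if "(file missing)" in raw.lower():
            reasons.append("referenced file missing")
        if "\\" not in path:
            reasons.append("bare filename, resolved via search path")
        elif section in ("O4", "O23") and path.lower().rsplit("\\", 1)[0] in SYSTEM_DIRS:
            reasons.append("autorun/service binary directly under Windows system dir")
        if reasons:
            hits[path] = reasons
    return hits
```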

Offline guestolo
Malware Attack
« Reply #5 on: July 03, 2006, 01:28:52 PM »
If you find this file can you delete it please
C:\WINDOWS\System32\testtestt.exe

Or enter the whole path to the file in killbox, if found killbox should delete it for you

How's everything running on your end now?

Are you running the free version of Ewido?
Did you install the trial version of SpySweeper or the paid?

It's nice to see that you installed SP1 for Windows :)
SP2 is the latest; if you haven't installed it yet, let's make sure you're totally clean before you do.
« Last Edit: July 03, 2006, 01:31:37 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline desmondang1109
Malware Attack
« Reply #6 on: July 04, 2006, 08:10:37 AM »
Thank you guestolo,

I have got everything running smoothly again thanks to you. I'm running the free version of Ewido and the trial version of Webroot just to remove any possible spyware or adware.

I will get SP2 running soon. Thanks once again for your kind help.

Offline guestolo
Malware Attack
« Reply #7 on: July 05, 2006, 12:05:15 AM »
Suggestion: You're running an older version of Ewido.
You may want to do the following
Uninstall your version from add/remove programs
Reboot when prompted
Back in Windows

Download, install, and update the latest version of Ewido anti-spyware:

1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
2. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
3. Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
4. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Reboot the computer

Come back here and post the whole Ewido report
« Last Edit: July 05, 2006, 12:05:42 AM by guestolo »



Offline soL309
Malware Attack
« Reply #8 on: July 15, 2006, 06:01:03 AM »
Hi there, I am having the same problem as desmondang. I really need your help, and was wondering if anyone could help me; any help would be seriously appreciated. If you can help me, I'll send you all and any information you need, such as the HijackThis checklist and whatever else you would need me to do. I really need this thing off my computer, it's driving me crazy!

Again any help would be really appreciated, thank you for your time.

- soL

Offline guestolo
Malware Attack
« Reply #9 on: July 15, 2006, 08:35:33 PM »
Since the original poster has not returned, I'll lock this topic.

soL309, if you still need a hand,
start your own topic please.
Read This
