Logfile of HijackThis v1.99.1
Scan saved at 3:07:32 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Corina.PHS\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmser.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = phs
O17 - HKLM\Software\..\Telephony: DomainName = phs
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = phs
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Corina.PHS\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
HJT Log File for examination
Started by Radharc, Jun 30 2006 09:18 PM
#1 Posted 30 June 2006 - 09:18 PM
#2 Posted 30 June 2006 - 10:41 PM
Hi Geoffrey
It's going to be mostly the same response I put in your other topic, except now you have a worm present.
There is a removal tool for this worm, but it attempts to stop processes that contain certain strings, so it's best we go for it manually and then run the removal tool to make sure it's gone.
Can you let us know how many anti-virus programs are currently installed? There are components for Trend and Symantec showing, and having two running could be causing conflicts, which makes the system less secure.
EDIT: If Symantec is installed, DO NOT run the LiveUpdate feature, as it's been corrupted by the worm; the worm will execute a copy of itself every time LiveUpdate is run on the system. The LiveUpdate feature can be restored after running Symantec's removal tool by using an additional setup file.
You may want to print out these instructions or copy and paste them into Notepad and save it to your desktop, as some of this fix will be performed in Safe Mode.
First, can you put HijackThis into a folder so the backups are kept with the program. Right-click an empty space on the desktop and choose New, then Folder; name it HJT or HijackThis, then left-click the HijackThis.exe file and drag it over the new folder, releasing the mouse button to place it into the folder.
Next, can you disable your Windows Defender Real-time Protection, as it may interfere with the fixes that we need to make.
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Go to Start menu > Run, then type (or copy and paste)
sc delete hpdj
Press OK and it will remove the service; you will just notice the cmd screen flash on then off again, and it's then removed.
Run HijackThis and choose Do A System Scan, then place a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
Close all open browser and other windows except for HijackThis and press the Fix Checked button.
The Yahoo entries are being fixed because you're being redirected through red.clientapps before getting to the Yahoo page; red.clientapps is related to Red Sheriff spyware, and although it's not a nasty one it still should be fixed. You can read more about that Here
Next, reboot into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the Advanced menu that appears and press Enter.
In Safe Mode, delete this file if it still exists:
C:\WINDOWS\system32\0mcamcap.exe
Next, delete this folder:
C:\WINDOWS\WinSecurity
This folder will likely contain csrss.exe, services.exe, smss.exe and many other files, but none of them are genuine Windows files, so it's fine to remove the complete folder.
If you have any problems locating the files, set Windows to show hidden files and folders:
Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm, then OK.
Set this back once you have removed the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.
Next, search for these files and remove them if they exist.
Go to Start Menu > Search > click All Files and Folders, scroll down to More Advanced Options (the last option), click that, and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders, and Search Subfolders.
Once they are enabled, scroll back up to the "All or part of the filename:" area and enter this:
bbvmwxxf.hml
Press Search and delete any that are found by right-clicking the file in the results pane to the right and choosing Delete.
Repeat the steps for these files:
filesms.fms
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
Reboot back to Normal Mode.
Download the Sober Worm removal tool from Symantec Here and save it to your desktop:
http://securityrespo...nter/FixSbr.exe
Double-click FixSbr.exe to run the tool and follow the prompts on screen. It will probably show clear, but if anything is found, once it's finished reboot the PC and run the removal tool again to be sure it then shows clear.
Please then download SmitfraudFix (by S!Ri):
http://siri.urz.free...mitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Finally, download Blacklight beta HERE and save it to your desktop:
http://www.f-secure....light/try.shtml
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.
Please then post back the SmitfraudFix report and Blacklight's log, and let us know if you have any questions or problems.
Thanks
Andy
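Added example (mine, not from the thread and not HijackThis code): a small Python triage script that applies the checks Andy makes by hand above to HijackThis log lines: autorun value names padded or prefixed to look like a benign "Windows" entry, a Windows system binary name (services.exe, csrss.exe, smss.exe) running outside system32, the legacy RunServices key, a BHO with no backing file, and a service whose binary is missing or sits in a Temp folder. The sample lines are copied from the log posted at the top of the thread; the reason codes are names I chose.

```python
"""Heuristic triage of HijackThis (HJT) log lines.  Added example; not part of
the thread above and not code from HijackThis itself."""
import ntpath
import re
from dataclasses import dataclass

# Binaries a genuine Windows XP install only runs from %SystemRoot%\system32.
SYSTEM_BINARIES = {"services.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "lsass.exe", "svchost.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"%systemroot%\system32"}

# HJT line formats for the sections we look at (O4 autoruns, O2 BHOs, O23 services).
_O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<file>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # short reason code (names chosen for this example)
    line: str      # the log line that triggered the finding


def exe_path(cmd: str) -> str:
    """Return the program path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(\S.*?\.(?:exe|dll|cmd|bat))(?:\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def _check_o4(m, line):
    name, key, path = m["name"], m["key"], exe_path(m["cmd"])
    # "[ Windows]" / "[_Windows]": whitespace or underscore used to mimic a benign name.
    if name != name.strip() or name.startswith("_"):
        yield Finding("O4", "padded-name", line)
    # services.exe and friends launched from anywhere but system32 are not Windows' own.
    if (ntpath.basename(path).lower() in SYSTEM_BINARIES
            and ntpath.dirname(path).lower() not in LEGIT_SYSTEM_DIRS):
        yield Finding("O4", "system-name-outside-system32", line)
    # RunServices is a Win9x-era autostart key; legitimate XP software rarely writes to it.
    if key.lower() == "runservices":
        yield Finding("O4", "runservices-key", line)


def _check_o2(m, line):
    if m["file"].strip().lower() == "(no file)":
        yield Finding("O2", "orphan-bho", line)


def _check_o23(m, line):
    f = m["file"].lower()
    if "(file missing)" in f:
        yield Finding("O23", "service-file-missing", line)
    if "\\temp\\" in f:
        yield Finding("O23", "service-in-temp", line)


def triage(log_text: str) -> list:
    """Run every heuristic over an HJT log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rx, check in ((_O4_RE, _check_o4), (_O2_RE, _check_o2), (_O23_RE, _check_o23)):
            m = rx.match(line)
            if m:
                findings.extend(check(m, line))
                break
    return findings


# Sample lines copied from the HijackThis log posted above: a mix of the
# entries Andy asked to fix and benign ones that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Corina.PHS\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:30} {f.line}")
```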
#3 Posted 05 July 2006 - 06:35 PM
SmitfraudFix report as follows:
SmitFraudFix v2.67
Scan done at 12:24:35.32, Wed 07/05/2006
Run from C:\Documents and Settings\Corina.PHS\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» U:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\dlh9jkdq?.exe FOUND !
C:\WINDOWS\system32\taskdir.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Corina.PHS\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Corina.PHS\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
AndyManchesta, on Jun 30 2006, 10:41 PM, said:
Ho Geoffrey
Its going to be mostly the same response I put in your other topic except now you have a Worm present
There is a removal tool for this worm but it attempts to stop processes that contain certain strings so its best we go for it manually and then run the removal tool to make sure its gone.
Can you let us know how many Anti-Virus programs are currently installed as there is components for Trend and Symantec showing and having two running could be causing conflicts which is making the system less secure.
EDIT: If Symantec is installed , DO NOT run the LiveUpdate Feature as its been corruped by the Worm, the Worm will execute a copy of itself everytime LiveUpdate is run on the system. The LiveUpdate feature can be restored after running Symantecs removal tool by using an additional setup file.
You may want to print out these instructions or copy and paste them into Notepad and save it to your desktop as some of this fix will be performed in safe mode.
First can you put HijackThis into a folder so the backups are kept with the program, Right click an empty space on the desktop and choose New then Folder, name it HJT or HijackThis and then left click the HijackThis.exe file and drag it over the new folder, release the mouse button to place it into the folder.
Next can you disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Goto start menu > run > then type (or copy and paste)
sc delete hpdj
Press OK and it will remove the service, you will just notice the cmd screen flash on then off again and its then removed.
Run Hijack This and choose Do A System Scan then place a check next to these entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
Close all open browser and other windows except for Hijack This and press the Fix Checked button
The Yahoo entries are being fixed because your being re-directed through red.clientapps before getting to the Yahoo page, red.clientapps it related to red sheriff spyware and although its not a nasty one it still should be fixed. You can read more about that Here
Next reboot into safe mode, To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the Advanced menu that appears and press Enter.
In Safe mode delete this file if it still exists
C:\WINDOWS\system32\0mcamcap.exe
Next Delete this folder
C:\WINDOWS\WinSecurity
This folder will likely contain csrss.exe, services.exe, smss.exe and many other files but none of them are genuine Windows files so its fine to remove the complete folder
If you have any problems locating the files set Windows to show hidden files and folders
Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm then OK
Set this back once you have removed the file by opening the same page and pressing the Restore Defaults button the click Apply and OK.
Next search for these files and remove them if they exist.
Goto Start Menu > Search > Click All Files and Folders, scroll down to the More Advanced Options which is the last option, click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders & Search Subfolders
Once they are enabled scroll back up to the All or part of the filename: area and enter this
bbvmwxxf.hml
Press Search and delete any that are found by right clicking the file in the results pane to the right and choosing delete
Repeat the steps for these files:
filesms.fms
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
Reboot back to Normal Mode
Download the Sober Worm removal Tool from Symantec Here and save it to your desktop,
http://securityrespo...nter/FixSbr.exe
Double click FixSbr.exe to run the tool and follow the prompts on screen. It will probably show clear but if anything is found, once its finished reboot the PC and run the removal tool again to be sure it then shows clear.
Please then download SmitfraudFix (by S!Ri)
http://siri.urz.free...mitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Finally Download Blacklight beta HERE and save it to your desktop.
http://www.f-secure....light/try.shtml
Run the program, accept statement > click next then scan
When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.
Please then post back the Smitfraudfix report and blacklights log, let us know if you have any questions or problems.
Thanks
Andy
Its going to be mostly the same response I put in your other topic except now you have a Worm present
There is a removal tool for this worm but it attempts to stop processes that contain certain strings so its best we go for it manually and then run the removal tool to make sure its gone.
Can you let us know how many Anti-Virus programs are currently installed as there is components for Trend and Symantec showing and having two running could be causing conflicts which is making the system less secure.
EDIT: If Symantec is installed , DO NOT run the LiveUpdate Feature as its been corruped by the Worm, the Worm will execute a copy of itself everytime LiveUpdate is run on the system. The LiveUpdate feature can be restored after running Symantecs removal tool by using an additional setup file.
You may want to print out these instructions or copy and paste them into Notepad and save it to your desktop as some of this fix will be performed in safe mode.
First can you put HijackThis into a folder so the backups are kept with the program, Right click an empty space on the desktop and choose New then Folder, name it HJT or HijackThis and then left click the HijackThis.exe file and drag it over the new folder, release the mouse button to place it into the folder.
Next can you disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Goto start menu > run > then type (or copy and paste)
sc delete hpdj
Press OK and it will remove the service, you will just notice the cmd screen flash on then off again and its then removed.
Run Hijack This and choose Do A System Scan then place a check next to these entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
Close all open browser and other windows except for HijackThis and press the Fix Checked button.
The Yahoo entries are being fixed because you're being redirected through red.clientapps before getting to the Yahoo page. red.clientapps is related to Red Sheriff spyware and, although it's not a nasty one, it still should be fixed. You can read more about that Here.
Next, reboot into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the Advanced menu that appears and press Enter.
In Safe Mode, delete this file if it still exists:
C:\WINDOWS\system32\0mcamcap.exe
Next, delete this folder:
C:\WINDOWS\WinSecurity
This folder will likely contain csrss.exe, services.exe, smss.exe and many other files, but none of them are genuine Windows files, so it's fine to remove the complete folder.
If you have any problems locating the files, set Windows to show hidden files and folders:
Click Start. Go to My Computer, then the C: drive.
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm, then OK.
Set this back once you have removed the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.
Next, search for these files and remove them if they exist.
Go to Start Menu > Search > click All Files and Folders, scroll down to More Advanced Options, which is the last option; click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders, and Search Subfolders.
Once they are enabled, scroll back up to the "All or part of the filename:" area and enter this:
bbvmwxxf.hml
Press Search and delete any that are found by right-clicking the file in the results pane to the right and choosing Delete.
Repeat the steps for these files:
filesms.fms
langeinf.lin
nonrunso.ber
rubezahl.rub
runstop.rst
Reboot back to Normal Mode
Download the Sober Worm removal tool from Symantec Here and save it to your desktop:
http://securityrespo...nter/FixSbr.exe
Double-click FixSbr.exe to run the tool and follow the prompts on screen. It will probably show clear, but if anything is found, once it's finished reboot the PC and run the removal tool again to be sure it then shows clear.
Please then download SmitfraudFix (by S!Ri)
http://siri.urz.free...mitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Finally, download Blacklight beta HERE and save it to your desktop:
http://www.f-secure....light/try.shtml
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.
Please then post back the SmitfraudFix report and Blacklight's log, and let us know if you have any questions or problems.
Thanks
Andy
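The checks Andy applies by eye to the R1, O2 and O4 entries above, written out as an added example in Python. This is not part of the thread and not a HijackThis feature; the sample lines are copied from the log in the thread except for two constructed benign lines (a Google start page and a vptray autorun), and the allow-list of search hosts plus the assumption that %SystemRoot% is C:\WINDOWS are mine.

```python
"""Triage of HijackThis log lines.

Added example; not part of the forum post and not a HijackThis feature.
It encodes the reasoning the post applies to the log by hand:

  * O4 autorun entries whose program is named like a core Windows process
    (services.exe, smss.exe, csrss.exe, ...) but lives outside the directory
    that process belongs in are impostors.  %SystemRoot% is assumed to be
    C:\\WINDOWS, as in the log.
  * O4 value names that begin with a space or underscore sort to the top of
    the Run key; legitimate software rarely does that.
  * O2 BHO entries reported as "(no file)" are orphaned registrations.
  * R0/R1 URL values whose host is not on a small allow-list (an assumption
    made here) are search/start-page redirects.
"""
import re

SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_DIR = {exe: SYSTEM32 for exe in (
    "services.exe", "smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = "c:\\windows\\"

ALLOWED_HOSTS = {"www.yahoo.com", "search.yahoo.com", "www.google.com"}  # assumption

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
# The post writes URLs as "ht*p://" so they are not clickable; accept that form too.
HOST_RE = re.compile(r"^ht\*?t?ps?://([^/]+)", re.I)


def host_of(url):
    """Lower-cased host part of a (possibly defanged) URL, or None."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def split_command(cmd):
    """Return (directory, exe) of the program in an autorun command, lower-cased."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    directory, _, exe = path.lower().rpartition("\\")
    return directory + "\\", exe


def triage_line(line, allowed_hosts=ALLOWED_HOSTS):
    """Classify one log line: ('suspicious'|'orphan'|'redirect', reason) or (None, '')."""
    line = line.rstrip("\n")
    m = O4_RE.match(line)
    if m:
        reasons = []
        name = m.group("name")
        if name[:1] in (" ", "_"):
            reasons.append(f"value name {name!r} starts with {name[0]!r} to sort first in the key")
        directory, exe = split_command(m.group("cmd"))
        if exe in EXPECTED_DIR and directory != EXPECTED_DIR[exe]:
            reasons.append(f"{exe} is a Windows process name but runs from {directory}")
        return ("suspicious", "; ".join(reasons)) if reasons else (None, "")
    m = O2_RE.match(line)
    if m:
        if m.group("file").strip().lower() == "(no file)":
            return ("orphan", f"BHO {m.group('clsid')} has no backing DLL")
        return (None, "")
    m = R_RE.match(line)
    if m:
        host = host_of(m.group("value"))
        if host and host not in allowed_hosts:
            return ("redirect", f"{m.group('key').split(',')[-1]} goes through {host}")
        return (None, "")
    return (None, "")


def triage_log(lines):
    """Return [(verdict, reason, line)] for every flagged line, in log order."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        verdict, reason = triage_line(line)
        if verdict:
            out.append((verdict, reason, line))
    return out


# Lines copied from the thread's log, plus two constructed benign lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ht*p://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - (no file)
O4 - HKLM\..\Run: [ Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

if __name__ == "__main__":
    for verdict, reason, line in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:10} {reason}\n           {line}")
```

Run on the sample it flags the two red.clientapps redirects, the orphaned BHO and both WinSecurity\services.exe autoruns. It does not flag 0mcamcap.exe: nothing in that line's name or location is abnormal, and Andy picked it out from experience rather than from the line itself, which is why name-and-location heuristics are triage, not a verdict. The blank R0/R1 values are left alone here; Andy fixes them too, but only as tidy-up.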
#4 OFFLINE
Posted 05 July 2006 - 07:26 PM
Hi Radharc
I'm assuming you managed to complete all the steps in my last post without problems. Please copy and paste the below to Notepad and save it to your desktop, as some steps need to be done in Safe Mode.
If you still use Symantec, then you can restore LiveUpdate by using this file:
ftp://ftp.symantec.com/public/english_us_...ate/lusetup.exe
Save the file to the desktop.
Double-click the lusetup.exe icon on the desktop to install LiveUpdate.
Run LiveUpdate.
Go to Start Menu > Run > and type
services.msc
Press OK, then on the Services screen scroll down to Security Center and double-click it to open the properties (or right-click and choose Properties).
On the Startup Type - set that to Automatic if it's not already set to that.
On the Service Status - click Start, then click Apply and OK.
You have a different Trojan showing now, which can use rootkit features to hide its files, so removing that is the next step.
Please download the Trojan Abwiz removal tool from Here and save it to your Desktop:
http://securityrespo...er/FixAbwiz.exe
Next, reboot your computer into Safe Mode:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press the F8 key.
- Instead of Windows loading as normal, the Windows Advanced Menu should appear.
- Use the Up Arrows to select Safe Mode then press the Enter key.
Reboot back into Normal Mode
Next, set Windows to show hidden files and folders:
Click Start. Go to My Computer, then the C: drive.
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm, then OK.
Set this back once you have removed the files by opening the same page and pressing the Restore Defaults button, then click Apply and OK.
Then delete these files if they are still present:
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\_taskdir.exe
C:\WINDOWS\system32\taskdir.dll
C:\WINDOWS\system32\dlh9jkdq?.exe
Finally, run Kaspersky WebScanner:
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files.
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button and save the file as kavscan.txt to your Desktop, then close the Kaspersky On-line Scanner window.
Please use the button at the bottom of the page when you reply, as that doesn't quote my response back.
Cheers
Andy
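A scripted version of the manual file searches in both of Andy's posts (post #3's Sober-related file names and the WinSecurity folder, and post #4's taskdir and dlh9jkdq? list), as an added example that is not part of the thread or of any tool it links. It assumes a tree to scan and only reports; the demo builds a constructed mock under a temporary directory rather than touching a real system.

```python
"""Scripted sweep for the files and folder the two posts ask the user to
find and delete by hand.

Added example, not a tool from the thread.  It only reports; deletion stays
a manual decision.  Patterns are the names exactly as the posts give them,
Windows wildcard included ("?" = one character, as in dlh9jkdq?.exe), and
are matched case-insensitively because Windows file systems are.  The
Hidden/System attributes that the posts have the user switch off in Folder
Options only govern what Explorer shows; os.walk() returns such files
regardless.  Files concealed by a kernel-mode rootkit are a different
problem, which is why the posts hand that off to Blacklight.
"""
import fnmatch
import os
import tempfile

# Post #3 (Sober clean-up) and post #4 (Abwiz clean-up) file names.
IOC_FILES = [
    "0mcamcap.exe", "bbvmwxxf.hml", "filesms.fms", "langeinf.lin",
    "nonrunso.ber", "rubezahl.rub", "runstop.rst",
    "taskdir.exe", "_taskdir.exe", "taskdir.dll", "dlh9jkdq?.exe",
]
# Post #3: the whole folder is bogus, so report the folder itself.
IOC_DIRS = ["WinSecurity"]


def matches_any(name, patterns):
    """Case-insensitive wildcard match of one file or folder name."""
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)


def find_iocs(root, files=IOC_FILES, dirs=IOC_DIRS):
    """Walk root and return sorted (kind, path) hits; nothing is modified."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        hits += [("dir", os.path.join(dirpath, d)) for d in dirnames if matches_any(d, dirs)]
        hits += [("file", os.path.join(dirpath, f)) for f in filenames if matches_any(f, files)]
    return sorted(hits)


def build_demo_tree(base):
    """Constructed mock of the infected C:\\WINDOWS layout from the thread."""
    layout = [
        "WINDOWS/system32/0MCAMCAP.EXE",      # upper case: must still match
        "WINDOWS/system32/services.exe",      # genuine name in its genuine place
        "WINDOWS/system32/taskdir.dll",
        "WINDOWS/system32/dlh9jkdq7.exe",     # satisfies the "?" wildcard
        "WINDOWS/system32/dlh9jkdq77.exe",    # two characters: must not match
        "WINDOWS/WinSecurity/services.exe",   # bogus copy inside the bogus folder
        "Documents and Settings/user/runstop.rst",
    ]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


def demo():
    """Build the mock tree in a temp dir; return hits as Windows-style relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(kind, os.path.relpath(p, tmp).replace(os.sep, "\\"))
                for kind, p in find_iocs(tmp)]


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:4} {path}")
```

The mock tree shows the two edge cases worth knowing about: the upper-cased 0MCAMCAP.EXE is still reported, and dlh9jkdq77.exe is not, because the post's "?" stands for exactly one character. The services.exe inside WinSecurity is not on the file list, so it surfaces only through the folder hit, which matches Andy's instruction to remove the whole folder rather than pick files out of it.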