#1
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
hijack log
Hi
Could someone check this log for me? My wife had only opened Yahoo in Internet Explorer when the screen went blue and IE6 shut down and left a message on screen saying "fatal security error, run antivirus software, trojan-spy.html smitfraud.c". I ran AVG: no virus found. Ad-Aware SE removed critical objects, and I ran CCleaner and CleanUp!. I also found a new program, bsw.exe, on the C drive. I have put an asterisk in front of what I think should be removed. Sorry if it is too confusing.

Alba

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 17:17:15, on 16/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\hijackthis\HijackThis.exe

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
*O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp79D3.tmp
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [TimeUp] C:\Program Files\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_SC5.tmp"
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Startup: AVG Free Control Center.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Startup: TimeUp.lnk = C:\Program Files\TimeUp\TimeUp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
*O9 - Extra button: Microsoft AntiSpyware helper - {CA949C61-643F-46F7-9A3B-F86A7FEE9130} - C:\WINDOWS\system32\wldr.dll
*O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA949C61-643F-46F7-9A3B-F86A7FEE9130} - C:\WINDOWS\system32\wldr.dll
*O9 - Extra button: Microsoft AntiSpyware helper - {CA949C61-643F-46F7-9A3B-F86A7FEE9130} - C:\WINDOWS\system32\wldr.dll (HKCU)
*O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA949C61-643F-46F7-9A3B-F86A7FEE9130} - C:\WINDOWS\system32\wldr.dll (HKCU)

End of KRC HijackThis Analyzer Log.
=========================================================
#2
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download this file: http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES.

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the processes that were identified as related and any of the processes named in the list a bit further down.

C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe

Double-click smitfraud.reg and confirm you want to merge it with the registry.

* Click Here to download Killbox by Option^Explicit.
* Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
* In the Killbox program, select the Delete on Reboot option.
* Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

Code:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\System32\hp79D3.tmp
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Run HijackThis and put checkmarks in front of the following items. Close all windows except HijackThis and click Fix checked:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
*R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
*O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp79D3.tmp

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way).

FOLDERS to delete (in bold) if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Download: DelDomains.inf. Should the link above display the text instead of downloading the file, then copy & paste the text into Notepad and save the file as DelDomains.inf. To use: right-click and select Install (no need to restart). Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Post back with a new HijackThis log (analyzed) when you are done.
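The starred R0/R1 and O2 entries in the first log are exactly what the fix list above targets. As an added example (not from this thread, from HijackThis or from the KRC analyzer), the Python helper below parses lines in that log format and flags IE start/search settings that point at hosts the user never chose, plus BHOs that carry a placeholder CLSID or load from a .tmp file. TRUSTED_HOSTS, the sample log and the "Example Helper" BHO line are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Hosts the user actually chose for IE's start/search pages (assumed; edit for your machine).
TRUSTED_HOSTS = {"www.google.ie", "www.google.com"}

# Constructed sample in HijackThis format; the "Example Helper" BHO is a made-up benign entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp79D3.tmp
O2 - BHO: Example Helper - {01234567-89AB-CDEF-0123-456789ABCDEF} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"""

R_LINE = re.compile(r"^\*?(R[01]) - (.+?) = (.*)$")          # leading '*' = analyst marker
BHO_LINE = re.compile(r"^\*?O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")

def check_r_entry(key, value):
    """Reason an R0/R1 IE setting deserves a look, or None if it points where the user chose."""
    host = urlparse(value).hostname
    if host is None:
        # about:blank is what the hijacker left in Default_Page_URL; surface it for review.
        return "%s is not a URL (%s)" % (key.rsplit(",", 1)[-1], value)
    if host not in TRUSTED_HOSTS:
        return "%s points at untrusted host %s" % (key.rsplit(",", 1)[-1], host)
    return None

def check_bho(name, clsid, path):
    """Reason an O2 browser helper object looks bogus, or None."""
    if len(set(clsid.replace("-", "").upper())) == 1:   # e.g. all F's: not a real registered CLSID
        return "BHO %r has a placeholder CLSID {%s}" % (name, clsid)
    if path.lower().endswith(".tmp"):                    # real BHOs are DLLs, not temp files
        return "BHO %r is loaded from a .tmp file: %s" % (name, path)
    return None

def triage(log_text):
    """Walk a HijackThis log; return [(line, reason)] for R0/R1 and O2 entries worth reviewing."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = R_LINE.match(line)
        if m:
            reason = check_r_entry(m.group(2), m.group(3))
        else:
            m = BHO_LINE.match(line)
            reason = check_bho(*m.groups()) if m else None
        if reason:
            findings.append((line, reason))
    return findings
```

The output is a review list, not a verdict: an O4 entry such as a second msmsgs.exe under System32 still needs a human looking at the path, as the moderator's fix list shows.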
#3
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
next log
Hi, thanks.

Here is the next log. Don't know if this is the place to ask; if not, please let me know where to post. But how did this one get in: email, Internet Explorer, or was it just floating? My wife was viewing her website when the trojan shut everything down.

Kindest regards,
Alba

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 17:31:14, on 17/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [TimeUp] C:\Program Files\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_SC5.tmp"
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: AVG Free Control Center.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Startup: TimeUp.lnk = C:\Program Files\TimeUp\TimeUp.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRA~1\STARDO~1\sdie.htm
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm

End of KRC HijackThis Analyzer Log.
====================================================================
#4
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Is your Desktop fixed?

Are there any more problems?

You have an outdated version of HijackThis. Download the newest version at http://www.greyknight17.com/spy/HijackThis.exe and run it. Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it).

Do not fix anything in HijackThis since the entries may be harmless.
#5
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
Hi
My desktop is back to normal, thanks. Here is the HijackThis log with the latest HJT and analyzer versions. Wish I had broadband or ISDN.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 20:14:56, on 17/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\TimeUp\TimeUp.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [TimeUp] C:\Program Files\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_SC5.tmp"
O4 - Startup: AVG Free Control Center.lnk = C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - Startup: TimeUp.lnk = C:\Program Files\TimeUp\TimeUp.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRA~1\STARDO~1\sdie.htm
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home
Your log is clean.

Turn off System Restore by right-clicking on My Computer and going to Properties->System Restore, then check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009