Win32/Hoax.Renos or something

[bokchod]

Hello

accidentally i ran a fishy prog on my comp, though my Nod32 (fully updated) caught it with some kind of spyware/malware and stopped that, but now, every now and then, i get the following warning

D:\WINDOWS\system32\1024\ld907B.tmp

probably a variant of Win32/Hoax.Renos application quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\D:\WINDOWS\SYSTEM32\winlogon.exe. The file was moved to quarantine. You may close this window.

and a prog named AdService apprears on my taskbar.

how can i clean this junk?




heres my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:43 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTSvcCDA.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Babylon\Babylon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\XFXGameController\XFXController.exe
D:\Program Files\Opera\Opera.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - D:\WINDOWS\system32\hpDA7.tmp (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\JCCATCH.DLL (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Babylon Client] D:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FlashGet.lnk = D:\Program Files\FlashGet\flashget.exe
O4 - Startup: XFX Game Controller.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BBA8D76-F644-4D79-B90C-6FF4892EAF72}: NameServer = 203.76.96.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77BAA42-CFE3-4116-8083-8A751FC4A180}: NameServer = 203.76.96.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download the file attached to this post. - sffix.zip
Double click on the file within & follow the prompts given

Download & install - CleanUp.exe (not recommended for WinXP64)

Download & extract it to it's own folder - smitRem.exe

Download and install Ewido Security Suite

• When installing, under "Additional Options",
  • uncheck - Install background guard
• Have Ewido update itself & then exit the program.

If you are having problems with the updater, you can use this link to manually update Ewido


'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - D:\WINDOWS\system32\hpDA7.tmp (file missing)
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.



* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

• Tick - 'Show hidden files and folder'
• Untick - 'Hide file extensions for known types'
• Untick - 'Hide protected operating system files'
• Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

• winjrs32.dll<<<Find via Start>Search

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


* * * *

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.


* * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh copies of:

• HiJackThis log
• Online scan
• Smitfiles.txt
• Ewido's log

Let us know if any problems persist.

[bokchod]

i have done all .. here are the logs

in last 4-5hours, nothing happened .. no adservice, no win32/renos warning ... but panda report doesnt look good :(

i am posting the logs

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 11:40:53 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTSvcCDA.exe
c:\ewido\ewidoctrl.exe
C:\xampp\FileZillaFTP\FileZilla Server.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Babylon\Babylon.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\XFXGameController\XFXController.exe
D:\Program Files\ESET\nod32kui.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\JCCATCH.DLL (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Babylon Client] D:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FlashGet.lnk = D:\Program Files\FlashGet\flashget.exe
O4 - Startup: XFX Game Controller.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BBA8D76-F644-4D79-B90C-6FF4892EAF72}: NameServer = 203.76.96.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77BAA42-CFE3-4116-8083-8A751FC4A180}: NameServer = 203.76.96.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - c:\ewido\ewidoctrl.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Ewido log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:19:46 PM, 4/1/2006
+ Report-Checksum: ACC8788E

+ Scan result:

D:\System Volume Information\_restore{7C7E93B6-32FD-4993-8EFF-3EF8A2F8F0A2}\RP303\A0121894.dll -> Adware.Chiem : Cleaned with backup
F:\System Volume Information\_restore{7C7E93B6-32FD-4993-8EFF-3EF8A2F8F0A2}\RP303\A0121895.exe -> Not-A-Virus.NetTool.Win32.WinGateScan.30 : Cleaned with backup


::Report End

smitRem log



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 04/01/2006
The current time is: 12:56:04.95

Running from
C:\tsf\smtrem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
ncompat.tlb


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

wininet.dll is missing!!


Panda Activescan Report

Incident Status Location

Adware:adware/emediacodec Not disinfected D:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securityerror Not disinfected D:\WINDOWS\SYSTEM32\ts.ico
Adware:adware/ist.istbar Not disinfected D:\PROGRAM FILES\COMMON FILES\Totem Shared
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\My Documents\IRcbot.zip[moo.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\tsf\smtrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\smitRem.exe[Process.exe]
Hacktool:Hacktool/RegPatch.A Not disinfected D:\Documents and Settings\Sayed Iftekhar\My Documents\Downloads\Opera Downloads\ultraisov7.2.3.901mecrackfff.zip[fff-u72x_reg.exe]
Adware:Adware/IST.ISTBar Not disinfected D:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.040
Adware:Adware/IST.ISTBar Not disinfected D:\Program Files\Common Files\Totem Shared\Update\Music.dll.018
Spyware:Cookie/Belnk Not disinfected D:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D1469587-0E07-4B95-B61E-BD0E09860C0D}\{E00E971B-5D0C-47BF-9ED1-612F774D8192}.txt[{E00E971B-5D0C-47BF-9ED1-612F774D8192}.txt]
Spyware:Cookie/Belnk Not disinfected D:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D1469587-0E07-4B95-B61E-BD0E09860C0D}\{62488C32-7A0C-4B26-9502-28B0456BE431}.txt[{62488C32-7A0C-4B26-9502-28B0456BE431}.txt]

[greyknight17]

Please print the below instructions or copy them to Notepad.

Boot into Safe Mode.

Fix these in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)

Delete these:

D:\Documents and Settings\Sayed Iftekhar\My Documents\Downloads\Opera Downloads\ultraisov7.2.3.901mecrackfff.zip
D:\Program Files\Common Files\Totem Shared\
D:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D1469587-0E07-4B95-B61E-BD0E09860C0D}\{E00E971B-5D0C-47BF-9ED1-612F774D8192}.txt[{E00E971B-5D0C-47BF-9ED1-612F774D8192}.txt]
D:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D1469587-0E07-4B95-B61E-BD0E09860C0D}\{62488C32-7A0C-4B26-9502-28B0456BE431}.txt[{62488C32-7A0C-4B26-9502-28B0456BE431}.txt]

Run smitrem tool again.

Restart and run another Panda scan. Post the smitfiles log, Panda log and a new HijackThis log.

[tetonbob]

And please do not wrap your logs in code tags....it makes them more difficult to read.

Thanks.

[bokchod]

I have deleted and fixed as per instruction

Here are the new logs:

Activescan log


Incident Status Location

Adware:adware/securityerror Not disinfected D:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/emediacodec Not disinfected D:\WINDOWS\SYSTEM32\1024
Adware:adware/ist.istbar Not disinfected Windows Registry
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\My Documents\IRcbot.zip[moo.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\tsf\smtrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected F:\chat scripts\bcscript1\mIRC\mirc\backup\PanGea\Stats\moo.dll
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected F:\chat scripts\bcscript1\mIRC\mirc\backup\Fuelie-v5.4-Cobra_R\moo.dll
smitfiles.txt


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 816 'explorer.exe'
Killing PID 816 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

wininet.dll is missing!!


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:42:04 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTSvcCDA.exe
c:\ewido\ewidoctrl.exe
C:\xampp\FileZillaFTP\FileZilla Server.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Babylon\Babylon.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\XFXGameController\XFXController.exe
D:\Program Files\Opera\Opera.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\JCCATCH.DLL (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Babylon Client] D:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FlashGet.lnk = D:\Program Files\FlashGet\flashget.exe
O4 - Startup: XFX Game Controller.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BBA8D76-F644-4D79-B90C-6FF4892EAF72}: NameServer = 203.76.96.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77BAA42-CFE3-4116-8083-8A751FC4A180}: NameServer = 203.76.96.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - c:\ewido\ewidoctrl.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[greyknight17]

Do you remember if some program deleted the wininet.dll file before or not? I'm asking because it can't be found anywhere now and we need to get it back...otherwise, we might need to extract it from the Windows CD.

Delete these two:

D:\WINDOWS\SYSTEM32\ot.ico
D:\WINDOWS\SYSTEM32\1024

[bokchod]

i have deleted these two files ... but this 1024 folder reappears after every restart :(

i havent seen any prg deleting wininet.dll ... i dont know how it disappeared.

[bokchod]

ok ... 1024 havent reappeared for last 2-3 restarts

[tetonbob]

Please do these things for me:

Delete your current C:\smitfiles.txt, and run smitrem tool once again in safe mode.

Post it's log.

Also, go to Start>Search and run a search for wininet.dll let me know if it's truly missing.

[bokchod]

there are 2 wininet.dll .. one in system32 folder ... one in system32\dllcache folder .. no idea why it(smitfiles.txt) says wininet.dll is missing.

new log:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 04/03/2006
The current time is: 19:11:24.70

Running from
C:\tsf\smtrem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 808 'explorer.exe'
Killing PID 808 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

wininet.dll is missing!!

[tetonbob]

Please post a new HJT log, and await further instructions.

[bokchod]

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:43:13 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTSvcCDA.exe
c:\ewido\ewidoctrl.exe
C:\xampp\FileZillaFTP\FileZilla Server.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Babylon\Babylon.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\XFXGameController\XFXController.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Opera\Opera.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.250.1:8080
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\JCCATCH.DLL (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Babylon Client] D:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FlashGet.lnk = D:\Program Files\FlashGet\flashget.exe
O4 - Startup: XFX Game Controller.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://e:\Canon Pixma ip1000\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BBA8D76-F644-4D79-B90C-6FF4892EAF72}: NameServer = 203.76.96.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77BAA42-CFE3-4116-8083-8A751FC4A180}: NameServer = 203.76.96.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - c:\ewido\ewidoctrl.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




i can see symantec process running ... but i have uninstalled norton av 2005 years ago :(

[tetonbob]

About the wininet.dll -

What drive is it installed to and running from? C? And your OS is D?

[bokchod]

my OS is on D:

Quote:

What drive is it installed to and running from? C?

.. what? smitrem? it is in C: (though the smitfiles.txt is in D:)

[tetonbob]

sorry, yeah..bad form on my part...that's exactly what I meant. I'm trying to figure out why smitrem won't see it.

Your log is essentially clean. I'll give you some advice on how to completely remove Norton in the meantime.

Please use the instructions on this page to completely uninstall your Norton Products.

[bokchod]

yeah .... i think so to ... thank u (and the entire TSF team) very much.

btw.. i tried tht symantech tool from symantec page .. didnt even load :(

any 3rd party tool available?

[tetonbob]

Hmmm, they seem to have changed that page a bit...I'll have to amend my canned speech.

Did IE block the ActiveX?

I've successfully used their SymNRT tool often.

ftp://ftp.symantec.com/public/englis...gen/SymNRT.exe

Have a look at this thread.

I'm still waiting on a reply from some others, more expert than I, about the wininet.dll situation.....my feeling is that it's a non-issue, but I'd like to have a more solid answer.

When I'm sure I can do no more, I'll have final housekeeping and prevention instructions.

[bokchod]

i will use this symnrt tool .... hope tht works .. if it doesnt .... lets just keep things untill the next reinstall :S

[tetonbob]

I haven't been able to exactly find out why smitrem isn't seeing your wininet.dll, but as they appear in the correct location, it may be due to the tool running from a different drive than the OS.

It appears Norton doesn't think it's uninstalled, as there are Running Processes for it as well as the services. Try to uninstall it from Add/Remove again, or use the Removal tool. We can manually pull out those Norton services if the Removal Tool doesn't do it for you, but it should. Let me know.

If you have no other issues, I'll leave you with these final instructions.

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• IE-SPYAD
  IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
  
  
• AVG
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.