
Computer keeps restarting, Hijack file included

1901 Views 16 Replies 3 Participants Last post by dasai
Hello -

I was hoping you guys can help me out again..

My computer keeps restarting 2-3 times, when I turn it on. It just flashes a screen I can't read in time.. basically black background with blue inside, and white words - goes too fast to make anything out of it..

I followed the steps, and ran Adaware and removed a bunch of objects..

Thanks for any help in advance!

Log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:45 PM, on 8/17/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\acs.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\prefs.js)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://dailygraphs.com/member/ocx/plotwon.ocx
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Status
Not open for further replies.
Hello lmaurer,

Were you ever able to repair/replace that wininet.dll? I'm wondering if smitfraud is working its way back up so as a precautionary measure, please do the following:

Download smitRem at http://noahdfear.geekstogo.com/click counter/click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat

Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.


Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoftware.com/activescan/com/activescan_principal.htm to do a full system scan.

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ... this begins downloading Panda's ActiveX controls (8MB)
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply

Download FindIt's.zip http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis, Panda ActiveScan, smitfiles.txt and Ewido.
Hi Ried -

Thanks for getting back to me so soon!!! I finally got a chance to go through your advice.

I thought I repaired it.. I can't remember for sure though...

Ok, I've followed all the steps up to the notepad - copy c:\windows\system\wininet.dll c:\windows\desktop..

before I continue, I just want to verify - do I want to copy from C:\winnt\system32\ ?, and the file in there is all capitals - WININET.dll. Plus, do I copy to just c:\desktop? Since I don't have a windows\system or windows\desktop..

I don't see a oleadm.dll or oleext.dll in my c:\winnt\system32? I did a file scan for both and they don't exist.. Just want to make sure that ok, I imagine it is - since we are deleting anyway..

Thanks for the help! I'll wait for your reply to continue - for now here was the log from smitRem


smitRem log file
version 2.3

by noahdfear

The current date is: Sat 08/20/2005
The current time is: 16:59:38.02

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)
Hi,

What we're going to do is set up that file to be scanned/cured (if need be) by eTrust Web Scanner. For the following instructions, just open Notepad as indicated and copy/paste the bolded text into Notepad, click File then Save as then type in copy.bat and click OK.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:
copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat


Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.
Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Since you don't see the other files, after completing the step above, continue from the Ewido scan...
Ried -

I actually did perform that step.. but I'm still a little confused, since I have no C:\windows\system or c:\windows\desktop directory - that doesn't matter?

So, since I've performed that step - should I see a wininet.dll under c:\windows\desktop? Sorry if I don't understand this..

Thanks,
Lee
Hi Lee,

My apologies, you can just skip that step as it only applies to non-NT systems. Since the smitRem came up clean, please continue with Ewido, Panda and FindIts.
Hey Ried -

No problem, ok here's what I've got... Let me know the next steps - thanks for your help!!

There were two files from Ewido, that I didn't remove - since I wasn't sure..

Hijack Log
Logfile of HijackThis v1.99.1
Scan saved at 9:29:12 PM, on 8/21/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\acs.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\prefs.js)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://dailygraphs.com/member/ocx/plotwon.ocx
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\System32\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Log from FindIt's.zip

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Sun 08/21/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is F42A-68F6

Directory of C:\WINNT\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is F42A-68F6

Directory of C:\WINNT\system32

08/21/2005 08:48p 1,406 AddQuit.ico
05/29/2005 12:06a 2,238 Date.ico
08/21/2005 08:48p 9,470 Desktop.ico
08/21/2005 08:48p 1,406 Help.ico
08/21/2005 08:48p 5,350 IE.ico
05/29/2005 12:06a 2,238 network.ico
08/21/2005 08:48p 1,718 Open.ico
05/29/2005 12:06a 2,238 pharm.ico
08/21/2005 08:48p 1,718 Quick.ico
05/29/2005 12:06a 4,286 spam.ico
05/29/2005 12:06a 766 spyware.ico
08/21/2005 08:48p 2,550 Uninstall.ico
12 File(s) 35,384 bytes
0 Dir(s) 4,455,251,968 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

ActiveScan

Incident Status Location

Spyware:spyware/bargainbuddy No disinfected Windows Registry
Virus:W32/Smitfraud.A Disinfected C:\WINNT\$NtUninstallKB890923-IE501SP3-20050225.100153$\wininet.dll
Dialer:Dialer.CBF No disinfected C:\WINNT\system32\AWM226.exe
Ewido

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:56:15 AM, 8/21/2005
+ Report-Checksum: 61D1343E

+ Scan result:

C:\Program Files\HijackThis\backups\backup-20050609-220222-801.dll -> Trojan.Puper.m : Ignored
C:\WINNT\system32\AWM226.exe -> Dialer.Generic : Ignored
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ajyjbjle.slt\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Lee\hpAC.tmp -> Trojan.Puper.m : Cleaned with backup


::Report End
Ok Lee, there were some pieces/parts of smitfraud left over along with a new trojan. Here we go: :smile:

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode (tapping F8 or F5).

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINNT\system32\Date.ico
C:\WINNT\system32\network.ico
C:\WINNT\system32\pharm.ico
C:\WINNT\system32\spam.ico
C:\WINNT\system32\spyware.ico
C:\WINNT\system32\AWM226.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [YES] at the Pending Operations prompt.

Run another scan with Panda and post that here.
Thanks for getting back so fast Ried!!

I had to hit the hay before this thing finished, but here it is....


Incident Status Location

Spyware:spyware/bargainbuddy No disinfected Windows Registry
Hi Lee,

So how's everything now?

Your logs are clean. If there aren't any more problems, you should be all set.

Reset hidden/system files and folders

Windows 2000
===============
Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View tab.
*Select the Advanced settings box option.
*Select the Hidden files Folders.
*Deselect the Show all files option.
Click Yes to confirm.
Click OK.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:
HOW DID I GET INFECTED IN THE FIRST PLACE? http://forums.net-integration.net/index.php?showtopic=3051
THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent
MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
Ried -

Things are looking real good!!!! I have not experienced any re-starts of the computer since we've been cleaning stuff up! Thanks a ton for all your help!! Thanks for the links to keep stuff clean...

The only unusual thing that I have noticed... when I boot up, my CPU is blasting at 100% for a good 2-5 minutes, maybe more.. I noticed my services task is sucking up a majority of it at 70-75, and a reg.exe taking up 20-25.. I'm not sure if this is normal? I only noticed it when I started having issues?

Again, thanks for all the help Ried!!
Ok Lee, let's go a little deeper to make sure.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
Ried -

Ok sounds good - here you go: Thanks!

StartDreck (build 2.1.7 public stable) - 2005-08-22 @ 20:27:41 (GMT -05:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 3)
Internet Explorer: 5.00.3502.1000
Logged in as Administrator at MCC-FC8J1B0HRR8

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*D-Link AirPlus G=C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
*ANIWZCS2Service=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer Access/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath="C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express Access/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath="C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
+Microsoft Outlook Express 5/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+EnableRevocation/{6A5110B5-E14B-4268-A065-EF89FF33C325}
*StubPath=regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 5/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINNT\SYSTEM32\blank.htm
*Search Bar=http://search.msn.com/spbasic.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://my.yahoo.com/
+SearchUrl
*provider=gogl
*=http://home.microsoft.com/access/autosearch.asp?p=%s
»Default User
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
»Local Machine
*Default_Page_URL=http://www.msn.com
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*Network.ConnectionTray={7007ACCF-3202-11D1-AAD2-00805FC1270E}
`InprocServer32=C:\WINNT\system32\NETSHELL.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINNT\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINNT\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
*C:\WINNT\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINNT\System32\win.com
*C:\WINNT\explorer.exe
»%PATH% Companion Files
+C:\WINNT\System32\atiiprxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\Atiiprxx.exe
+C:\WINNT\System32\notepad.exe
*C:\WINNT\NOTEPAD.EXE
+C:\WINNT\System32\taskman.exe
*C:\WINNT\TASKMAN.EXE
+C:\WINNT\System32\winhlp32.exe
*C:\WINNT\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+156=\SystemRoot\System32\smss.exe
+180=\??\C:\WINNT\system32\csrss.exe
+200=\??\C:\WINNT\system32\winlogon.exe
+228=C:\WINNT\system32\services.exe
+240=C:\WINNT\system32\lsass.exe
+384=C:\WINNT\system32\svchost.exe
+440=C:\WINNT\System32\acs.exe
+480=C:\WINNT\system32\spoolsv.exe
+512=C:\WINNT\System32\msdtc.exe
+632=C:\WINNT\System32\Ati2evxx.exe
+648=C:\WINNT\System32\svchost.exe
+668=C:\Program Files\ewido\security suite\ewidoctrl.exe
+804=C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
+820=C:\WINNT\system32\regsvc.exe
+836=C:\WINNT\system32\MSTask.exe
+860=C:\WINNT\System32\tcpsvcs.exe
+928=C:\WINNT\System32\snmp.exe
+1004=C:\WINNT\Explorer.EXE
+1056=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1180=C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
+1156=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
+1200=C:\WINNT\System32\WBEM\WinMgmt.exe
+968=C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
+1204=C:\Program Files\D-Link AirPlus\AirPlus.exe
+792=C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
+1224=C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
+1236=C:\WINNT\System32\inetsrv\inetinfo.exe
+1264=C:\WINNT\System32\mqsvc.exe
+296=C:\WINNT\system32\ZoneLabs\vsmon.exe
+1680=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+1628=C:\WINNT\System32\mdm.exe
+1780=C:\PROGRA~1\WINZIP\winzip32.exe
+1792=C:\Lee\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
Hi Lee,

I'm not seeing anything wrong in this log. I've consulted with another Analyst/Moderator. Please do the following and see if this resolves the issue:

Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en-us. Your system should be at Windows 2000 SP 4 and Internet Explorer 6.0

Let us know. :smile:
Ried -

Sorry I haven't replied.. been tied up the last couple of days!! Thanks for looking further into it. I'll look into upgrading to sp4/ie6.. I get nervous doing that, I've tried to update w/my old computer before and messed things up - on 98 I can reinstall the old registry with scanreg/restore.. but w/2000 I don't know how to get it back..

Thanks again for all your help on this issue!!! I appreciate all your support - you've been great! My main reason for posting has been resolved!

Thanks Ried!!
Hi Lee,

See this article by Microsoft:

How to back up, edit, and restore the registry in Windows 2000 http://support.microsoft.com/kb/322755/

Good Luck :smile:
D-link REG.EXE problem which causes 100% CPU Usage

O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\AirPlus G Wireless Adapter Utility\Reg.exe

A useful link I found that explained the D-link REG.EXE problem which causes 100% CPU Usage:
http://www.computergripes.com/dlink.wifi.g.card.html

If you have an older laptop with a Texas Instrument PCMCIA adapter and install the D-Link AirPlus G Wireless Adapter Utility, it will hang up and never finish the one time D-link registry update (REG.EXE). Although your wireless adapter may still work, REG.EXE from the D-link subdirectory will execute each time you reboot, and gets hung up again causing your Win 2000 services.exe to use 90-100% of your CPU time. After I removed the D-link REG.EXE from my windows startup, windows and D-link DWL-G630 worked fine.
D-Link phone technical support knows about this problem, but has no website search information on their D-link REG.EXE, or FAQ reference to this problem. They just say your hardware is not compatible and you have to update your PCMCIA BIOS, not that REG.EXE is hanging up your system and cannot be detected by Virus scan or Ad-ware remover. D-Link does not provide any website support to notify you of this known REG.EXE problem or a D-Link REG.EXE removal tool.

> Check the Device Manager:
> 1. Click on Start.
> 2. Right-click on My Computer.
> 3. Click on Properties.
> 4. Click on Hardware tab.
> 5. Click on Device Manager.
> 6. Click on the plus sign on PCMCIA.
> 7. Check the PCMCIA. (Texas Instrument, PCMCIA)
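As an added illustration (not code from the thread, from HijackThis, or from any of the tools the helper used): a small parser for the O4, O16 and O23 line formats visible in the logs above, plus a triage pass that lists the entries a human should look at first. SAMPLE_LOG is an excerpt constructed from this thread's logs; TRUSTED_DIRS, TRUSTED_DPF_HOSTS and every rule in triage() are assumptions for the demo, not HijackThis logic. It is also worth seeing what such a pass does not catch: the D-Link Reg.exe Global Startup entry that turned out to be the CPU hog lives under Program Files and looks ordinary on paper, and was found by watching CPU use after boot rather than from the log. That is why the output is a list of review prompts and the script never deletes anything.

```python
"""Parse HijackThis-style log lines (O4 autostarts, O16 ActiveX downloads,
O23 services) and list entries worth a human look. Added example; the line
formats are taken from the logs in this thread, the triage rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Generic "Oxx - rest" shape of a HijackThis v1.99.1 section line.
LINE_RE = re.compile(r"^(?P<kind>[RNFO]\d+) - (?P<rest>.*)$")
# O4 registry autostart:  HKLM\..\Run: [Name] command line
O4_RUN_RE = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder shortcut:  Global Startup: Foo.lnk = target
O4_STARTUP_RE = re.compile(r"^(?P<scope>\w+) Startup: (?P<link>.*?\.lnk) = (?P<cmd>.*)$")
# O16 downloaded ActiveX control:  DPF: {CLSID} (Name) - URL
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# O23 service:  Service: Display (short) - Owner - path   (short name is optional)
O23_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|bat|cmd|scr|pif|dll|ocx))"?(?:\s|$)', re.IGNORECASE)

# Assumptions for the demo: where autostarts on this Windows 2000 box are expected
# to live, and which O16 download hosts belong to the online scanners used in the thread.
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\program files\\")
TRUSTED_DPF_HOSTS = ("pandasoftware.com", "trendmicro.com", "akamai.net")

# Constructed excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://dailygraphs.com/member/ocx/plotwon.ocx
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\System32\acs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    kind: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_hjt(text: str) -> List[Entry]:
    """Turn section lines into Entry records; O4/O16/O23 get structured fields,
    every other section keeps its raw text so nothing is silently dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or a 'Running processes' path
        kind, rest = m.group("kind"), m.group("rest")
        sub = None
        if kind == "O4":
            sub = O4_RUN_RE.match(rest) or O4_STARTUP_RE.match(rest)
        elif kind == "O16":
            sub = O16_RE.match(rest)
        elif kind == "O23":
            sub = O23_RE.match(rest)
        entries.append(Entry(kind, sub.groupdict() if sub else {"raw": rest}))
    return entries


def executable_of(cmd: str) -> str:
    """Strip arguments and quotes from a command line, leaving the program path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, subject, reason) prompts for review; never acts on them."""
    findings = []
    for e in entries:
        f = e.fields
        if e.kind == "O4" and "cmd" in f:
            exe = executable_of(f["cmd"])
            low = exe.lower()
            if "\\" not in low:
                findings.append(("O4", exe, "unqualified name, resolved through %PATH% at logon"))
            elif not low.startswith(TRUSTED_DIRS):
                findings.append(("O4", exe, "autostart outside the system and Program Files trees"))
        elif e.kind == "O16" and "url" in f:
            host = urlparse(f["url"]).hostname or ""
            if not trusted_host(host):
                findings.append(("O16", host, "ActiveX control from a host outside the scanner allowlist"))
        elif e.kind == "O23" and "path" in f:
            if f["owner"].lower() == "unknown owner":
                findings.append(("O23", f["path"], "service binary carries no publisher information"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {subject} -> {reason}")
```

Run against the excerpt it reports three prompts: the bare mobsync.exe autostart (a real Windows component, but resolved by name at logon), the Plotwon control downloaded from dailygraphs.com, and acs.exe with no publisher. All three are things to verify, not things to delete, which matches how the helper in this thread handled the logs.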