phaetn

Homepage hijacking: sysnetsecurity.com

16 posts in this topic

I've been browsing Lavasoft's support forums trying to clear up my problem and I think first of all that I should say a general word of thanks to CalamityJane as it appears you've helped out quite a few people. Hopefully you'll be able to help me out, too! :)

 

Right now my homepage in IE has been hijacked and always directs to w-w-w-sysnetsecurity-com/

 

I used to have nasty icons in the system tray and popups with false messages about viruses, but by following the instructions on these forums I have managed to get rid of them. Unfortunately, I still haven't been able to get my homepage back. Following are my various logfiles. Any help would be much appreciated as this is an absolutely pernicious sort of malware/spyware!

 

Note: I have an MP3 player made by iRiver and previously installed its software. I believe "updater.exe" is a known file for their software and not a worm.

 

Thanks and cheers,

phaetn

 

Edit: removed txt file attachments as they didn't word wrap properly. See following posts for logs.


HijackThis Log

 

Logfile of HijackThis v1.99.1

Scan saved at 11:30:00 AM, on 21/06/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\system32\BrmfBAgS.exe

E:\Program Files\Symantec AntiVirus\DefWatch.exe

E:\Program Files\ewido anti-spyware 4.0\guard.exe

E:\WINDOWS\system32\nvsvc32.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Symantec AntiVirus\Rtvscan.exe

E:\WINDOWS\system32\BRMFRSMG.EXE

E:\WINDOWS\system32\wuauclt.exe

E:\WINDOWS\Explorer.EXE

E:\WINDOWS\system32\ishost.exe

E:\WINDOWS\system32\issearch.exe

E:\WINDOWS\system32\ismon.exe

E:\WINDOWS\system32\CTHELPER.EXE

E:\Program Files\PIEngineering\X-keys\XKWdkApp.exe

E:\Program Files\ScanSoft\OmniPageSE\opware32.exe

E:\Updater.exe

E:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\WINDOWS\system32\wuauclt.exe

E:\PROGRA~1\SYMANT~1\VPTray.exe

E:\Program Files\ewido anti-spyware 4.0\ewido.exe

E:\WINDOWS\system32\ctfmon.exe

E:\Program Files\Logitech\Profiler\lwemon.exe

E:\Adobe Acrobat 5\Distillr\AcroTray.exe

E:\Microsoft Office\Office\1033\msoffice.exe

C:\Utility Hijack Preventer\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = E:\WINDOWS\system32\searchbar.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Acrobat 5\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7fcf04b6-6354-47ef-b45e-a48268e92757} - E:\WINDOWS\system32\ixt0.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] E:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [start WingMan Profiler] "E:\Program Files\Logitech\Profiler\lwemon.exe" /noui

O4 - Global Startup: Acrobat Assistant.lnk = E:\Adobe Acrobat 5\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: @Home - {74C52D52-2768-4277-950F-76E4EBA0BF1B} - http://home.excite.ca (file missing) (HKCU)

O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O15 - Trusted Zone: *.msn.com

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab

O19 - User stylesheet: E:\WINDOWS\default.css (file missing)

O19 - User stylesheet: (file missing) (HKLM)

O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll

O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - E:\WINDOWS\system32\BrmfBAgS.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe

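The log above is read by hand in this thread. As an added example that is not part of the original post (and not a HijackThis or Lavasoft tool), here is a small Python script that applies the same first-pass triage rules a helper applies by eye: IE start/search settings that point at a local file instead of a URL, a proxy that the user did not set, a BHO with no name, a user stylesheet, a service with no publisher, and any process or entry that loads one of the file names the helper later asks for as samples (ishost.exe, issearch.exe, ismon.exe, ixt{n}.dll). That file-name list is used here as an assumed watchlist for the example, not as a published signature set, and the high/medium/low labels are the example's own. The sample log is constructed in the layout of the posted HijackThis 1.99.1 log and is not the full log.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity entry reason")

# Assumed watchlist: the file names the helper in this thread asked to have
# uploaded as samples of the hijacker. The example's own list, not a signature set.
WATCHLIST = re.compile(r"(?i)(^|\\)(ishost\.exe|issearch\.exe|ismon\.exe|ixt\d+\.dll)$")

# One HijackThis entry: a section tag such as R1, O2 or O23, then " - ", then the body.
ENTRY = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")

# IE settings whose value should be a URL; a local path here is a hijack tell.
IE_SETTING = re.compile(
    r"(Start Page|SearchAssistant|Default_Page_URL|Search Page|SearchURL)\s*=\s*(?P<val>.+)$"
)

# Constructed sample in the layout of a HijackThis 1.99.1 log (not the full log from the post).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
E:\WINDOWS\system32\smss.exe
E:\WINDOWS\system32\ishost.exe
E:\WINDOWS\system32\issearch.exe
E:\Updater.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = E:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Acrobat 5\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7fcf04b6-6354-47ef-b45e-a48268e92757} - E:\WINDOWS\system32\ixt0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O19 - User stylesheet: E:\WINDOWS\default.css (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def _flag_process(path):
    """Rules for the bare paths listed under 'Running processes:'."""
    if WATCHLIST.search(path):
        return Finding("high", path, "running process is on the hijacker sample watchlist")
    # An executable in a drive root is unusual enough to ask about; the poster
    # attributes E:\Updater.exe to iRiver's software, so this stays "low".
    if re.match(r"(?i)^[a-z]:\\[^\\]+\.exe$", path):
        return Finding("low", path, "executable in drive root; confirm where it came from")
    return None


def _flag_entry(kind, body):
    """Rules for R/F/O entries. The first matching rule wins."""
    if kind in ("R0", "R1"):
        if "ProxyServer" in body:
            return Finding("medium", body, "proxy configured; confirm the user set it")
        m = IE_SETTING.search(body)
        if m and not re.match(r"(?i)https?://", m.group("val").strip()):
            return Finding("high", body, "IE start/search setting points at a local file, not a URL")
    elif kind == "O2" and "(no name)" in body:
        return Finding("high", body, "browser helper object with no name")
    elif kind == "O19":
        return Finding("medium", body, "user stylesheet set; review it, IE normally has none")
    elif kind == "O23" and "Unknown owner" in body:
        return Finding("low", body, "service binary has no publisher; verify it")
    # Any entry whose trailing path component is on the watchlist.
    if WATCHLIST.search(body.split(" - ")[-1].strip()):
        return Finding("high", body, "entry loads a file on the hijacker sample watchlist")
    return None


def triage(log_text):
    """Return a list of Finding for the suspicious lines of a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False  # the first R/F/O entry ends the process block
            f = _flag_entry(m.group("kind"), m.group("body"))
        elif in_processes:
            f = _flag_process(line)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
```

On the sample this reports four high findings (the two watchlist processes, the SearchAssistant pointing at searchbar.html, and the unnamed BHO loading ixt0.dll), two medium (the proxy and the user stylesheet) and two low (Updater.exe in the drive root and the rpcapd service with no publisher). The legitimate Acrobat BHO, NVIDIA Run entry and Symantec service produce nothing, which is the point: the rules are meant to shorten a helper's reading, not to replace it, and every finding still needs the file itself checked, as CalamityJane does later by asking for samples.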

Ad-Aware Scan (all threats removed):

 

Ad-Aware SE Build 1.06r1

Logfile Created on:June 21, 2006 10:09:19 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R112 15.06.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

[email protected]@@k(TAC index:5):1 total references

MRU List(TAC index:0):50 total references

Tracking Cookie(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

21-06-2006 10:09:19 AM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : E:\Documents and Settings\Gian\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : E:\Documents and Settings\Gian\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\adobe\adobe acrobat\5.0\avgeneral\crecentfiles

Description : list of recently used files in adobe acrobat

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\adobe\photoshop\7.0\visiteddirs

Description : adobe photoshop 7 recent work folders

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\jasc\paint shop pro 6\recent file list

Description : list of recently used files in jasc paint shop pro

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\internet explorer

Description : last download directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\internet explorer\main

Description : last save directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\medialibraryui

Description : last selected node in the microsoft windows media player media library

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\player\settings

Description : last save as directory used in jasc paint shop pro

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\player\settings

Description : last open directory used in jasc paint shop pro

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\preferences

Description : last cd record path used in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\preferences

Description : last playlist index loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-19\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-20\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\mediaplayer\preferences

Description : last search path used in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\microsoft management console\recent file list

Description : list of recent snap-ins used in the microsoft management console

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\ntbackup\log files

Description : list of recent logfiles in microsoft backup

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru

Description : list of recent pictured inserted in microsoft powerpoint

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru

Description : list of recent documents saved by microsoft powerpoint

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\add custom dictionary\file name mru

Description : list of custom dictionaries added by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\excel\recent files

Description : list of recent files used by microsoft excel

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\powerpoint\recent file list

Description : list of recent files used by microsoft powerpoint

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\office\9.0\powerpoint\recent typeface list

Description : list of recently used typefaces in microsoft powerpoint

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows\currentversion\applets\paint\recent file list

Description : list of files recently opened using microsoft paint

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows\currentversion\applets\regedit

Description : last key accessed using the microsoft registry editor

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list

Description : list of recent files opened using wordpad

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\nvidia corporation\global\nview\windowmanagement

Description : nvidia nview cached application window positions

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\realnetworks\realplayer\6.0\preferences

Description : list of recent skins in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\realnetworks\realplayer\6.0\preferences

Description : list of recent clips in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\realnetworks\realplayer\6.0\preferences

Description : last login time in realplayer

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1935655697-583907252-725345543-1003\software\winrar\dialogedithistory\extrpath

Description : winrar "extract-to" history

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 564

ThreadCreationTime : 21-06-2006 1:31:44 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\E:\WINDOWS\system32\

ProcessID : 624

ThreadCreationTime : 21-06-2006 1:31:48 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\E:\WINDOWS\system32\

ProcessID : 652

ThreadCreationTime : 21-06-2006 1:31:49 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : E:\WINDOWS\system32\

ProcessID : 696

ThreadCreationTime : 21-06-2006 1:31:52 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : E:\WINDOWS\system32\

ProcessID : 708

ThreadCreationTime : 21-06-2006 1:31:52 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : E:\WINDOWS\system32\

ProcessID : 856

ThreadCreationTime : 21-06-2006 1:31:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : E:\WINDOWS\system32\

ProcessID : 924

ThreadCreationTime : 21-06-2006 1:31:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : E:\WINDOWS\System32\

ProcessID : 1080

ThreadCreationTime : 21-06-2006 1:31:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : E:\WINDOWS\System32\

ProcessID : 1148

ThreadCreationTime : 21-06-2006 1:31:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : E:\WINDOWS\System32\

ProcessID : 1252

ThreadCreationTime : 21-06-2006 1:31:55 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [explorer.exe]

FilePath : E:\WINDOWS\

ProcessID : 272

ThreadCreationTime : 21-06-2006 1:33:08 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:12 [ewido.exe]

FilePath : E:\Program Files\ewido anti-spyware 4.0\

ProcessID : 1736

ThreadCreationTime : 21-06-2006 1:37:20 PM

BasePriority : Normal

FileVersion : 4, 0, 0, 172

ProductVersion : 4, 0, 0, 172

ProductName : ewido anti-spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : ewido anti-spyware

InternalName : ewido anti-spyware

LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.

OriginalFilename : ewido.exe

 

#:13 [ad-aware.exe]

FilePath : E:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 1728

ThreadCreationTime : 21-06-2006 2:09:04 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 50

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 50

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 50

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/cgi-bin

Expires : 18-06-2016 8:03:46 AM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 19-06-2011 8:00:00 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 52

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 52

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 52

 

 

Deep scanning and examining files (E:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

[email protected]@@k Object Recognized!

Type : File

Data : A0084060.DLL

TAC Rating : 5

Category : Data Miner

Comment :

Object : E:\System Volume Information\_restore{995DA452-803C-4F93-9FB0-2B2A91513A58}\RP862\

 

 

 

Disk Scan Result for E:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 53

 

 

Scanning Hosts file......

Hosts file location:"E:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 53

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 53

 

10:17:55 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:08:36.313

Objects scanned:221267

Objects identified:3

Objects ignored:0

New critical objects:3


rapport.txt

 

SmitFraudFix v2.63

 

Scan done at 9:32:48.42, 21/06/2006

Run from E:\Documents and Settings\Gian\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Ewido log

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 10:07:47 AM 21/06/2006

 

+ Scan result:

 

 

 

E:\System Volume Information\_restore{995DA452-803C-4F93-9FB0-2B2A91513A58}\RP861\A0084036.dll -> Not-A-Virus.Hoax.Win32.Renos.cv : Cleaned.

D:\System Volume Information\_restore{995DA452-803C-4F93-9FB0-2B2A91513A58}\RP861\A0084034.dll -> Not-A-Virus.Monitor.Win32.Dafunk : Cleaned.

D:\System Volume Information\_restore{995DA452-803C-4F93-9FB0-2B2A91513A58}\RP861\A0084035.dll -> Not-A-Virus.Monitor.Win32.SpyCapture.145 : Cleaned.

E:\Documents and Settings\Gian\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : Cleaned.

E:\Documents and Settings\Gian\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.

 

 

::Report end

 

 

******

Any help would be much appreciated!

 

Cheers,

phaetn


Hi phaetn,

 

I've not gone through all the logs yet, but you have one of the very newest hijackers.

 

I need a couple of files from you so we can get detection for these, and then I'll come back and reply with some steps to take to remove what remains.

 

Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press New Topic (make the subject: For CalamityJane from phaetn at LS),

fill in a short message, then press the Browse button and navigate to and select these files on your computer. If there is more than one file, press the "more attachments" button for each extra file and browse and select it. When all the files are listed in the window, press Post to upload the files.

 

Files to upload:

 

E:\WINDOWS\system32\ixt0.dll (and any others in that folder named ixt{n}.dll (where {n} is a number)

 

E:\WINDOWS\system32\ishost.exe

 

E:\WINDOWS\system32\issearch.exe

 

E:\WINDOWS\system32\ismon.exe

 

Search for any of these and if found, please upload those too:

 

<User>\Desktop\PornMag Pass.lnk

 

<User>\Start Menu\Programs\PornMag Pass <--all files in this folder, if found

 

<Program Files>\PornMag Pass <---all files in this folder, if found.

...................

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them

 

I can collect them from there.

Hi phaetn,

 

I've not gone through all the logs yet, but you have one of the very newest hijackers.

 

Lucky me! Seriously, this hijacker is just plain evil. Also, thanks for your incredibly prompt reply!

 

 

Files to upload:

 

E:\WINDOWS\system32\ixt0.dll (and any others in that folder named ixt{n}.dll (where {n} is a number)

 

E:\WINDOWS\system32\ishost.exe

 

E:\WINDOWS\system32\issearch.exe

 

E:\WINDOWS\system32\ismon.exe

 

Search for any of these and if found, please upload those too:

 

<User>\Desktop\PornMag Pass.lnk

 

<User>\Start Menu\Programs\PornMag Pass <--all files in this folder, if found

 

<Program Files>\PornMag Pass <---all files in this folder, if found.

...................

Done. No "PornMag Pass" files to be found. Should I be speaking to someone in the house about appropriate use of the Internet?

 

Cheers,

phaetn

Should I be speaking to someone in the house about appropriate use of the Internet?
Don't know... this hijack downloads on you what it wants (not what you think you're getting; some of these use a "fake codec" download to view a video, but it's really a trojan). While a common place to find these is at porn and crack sites, they can also be from just about anywhere. Internet safety is something you definitely want to stress to your users and we'll cover that when we get this cleaned up. One thing you can do is to have your multiple users on Limited User Accounts vs. an Admin account. That would restrict any malware to that user's account only and not the entire PC, so it rather limits the damage these things can do.

 

Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

 

Download smitRem.exe and save the file to your desktop.

Right click on the file and extract it to its own folder on the desktop.

 

Next, please reboot your computer in SafeMode by doing the following:

[*]Restart your computer

[*]After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

[*]Instead of Windows loading as normal, a menu should appear

[*]Select the first option, to run Windows in Safe Mode.

 

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

 

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

 

Reboot back into Windows. Scan again with HijackThis and post a new HijackThis log and the contents of the smitfiles.txt log.

Let us know if any problems persist.


As promised I submitted to about 50 security programs companies, including Symantec. I see that is your AV?

 

Here is a special definitions file they made for this variant, based on the samples I sent them that came from your computer.

 

Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.

Downloading and Installing RapidRelease Definition Instructions:

1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/

2. Click this link to the ftp site: ftp://ftp.symantec.com/public/english_us_...easedefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.

3. When a download dialog box appears, save the file to the Windows desktop.

4. Double-click the downloaded file and follow the prompts.

As promised I submitted to about 50 security programs companies, including Symantec. I see that is your AV?

 

Here is a special definitions file they made for this variant, based on the samples I sent them that came from your computer.

Does that make me (in)famous? :) I've installed the updated A/V def. file.

 

System is "A-Okay" now!

 

Thanks for all of your help, CalamityJane, you've been an absolute Godsend with incredibly quick response time and with solutions that actually work. It's almost unheard of in IT. :)

 

Thanks again and cheers,

phaetn

 

Most Recent HijackThis Log

 

Logfile of HijackThis v1.99.1

Scan saved at 2:56:47 PM, on 21/06/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\system32\BrmfBAgS.exe

E:\Program Files\Symantec AntiVirus\DefWatch.exe

E:\Program Files\ewido anti-spyware 4.0\guard.exe

E:\WINDOWS\system32\nvsvc32.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Symantec AntiVirus\Rtvscan.exe

E:\WINDOWS\system32\BRMFRSMG.EXE

E:\WINDOWS\Explorer.EXE

E:\WINDOWS\system32\CTHELPER.EXE

E:\Program Files\PIEngineering\X-keys\XKWdkApp.exe

E:\Program Files\ScanSoft\OmniPageSE\opware32.exe

E:\Updater.exe

E:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\PROGRA~1\SYMANT~1\VPTray.exe

E:\WINDOWS\system32\wuauclt.exe

E:\Program Files\ewido anti-spyware 4.0\ewido.exe

E:\WINDOWS\system32\ctfmon.exe

E:\Program Files\Logitech\Profiler\lwemon.exe

E:\Adobe Acrobat 5\Distillr\AcroTray.exe

E:\Microsoft Office\Office\1033\msoffice.exe

E:\Program Files\Internet Explorer\iexplore.exe

C:\Utility Hijack Preventer\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = E:\WINDOWS\system32\searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Acrobat 5\Acrobat\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] E:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [start WingMan Profiler] "E:\Program Files\Logitech\Profiler\lwemon.exe" /noui

O4 - Global Startup: Acrobat Assistant.lnk = E:\Adobe Acrobat 5\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: @Home - {74C52D52-2768-4277-950F-76E4EBA0BF1B} - http://home.excite.ca (file missing) (HKCU)

O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O15 - Trusted Zone: *.msn.com

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab

O19 - User stylesheet: E:\WINDOWS\default.css (file missing)

O19 - User stylesheet: (file missing) (HKLM)

O20 - Winlogon Notify: NavLogon - E:\WINDOWS\system32\NavLogon.dll

O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - E:\WINDOWS\system32\BrmfBAgS.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe

 

smitfiles.txt log

 

smitRem © log file

version 3.0

 

by noahdfear

 

 

Microsoft Windows XP [Version 5.1.2600]

"IE"="6.0000"

The current date is: 21/06/2006

The current time is: 13:22:32.09

 

Running from

E:\Documents and Settings\Gian\Desktop\utlity smitrem\smitRem

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Pre-run SharedTask Export

 

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)

Copyright© 2006 BleepingComputer.com

 

Registry Pseudo-Format Mode (Not a valid reg file):

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

checking for ShudderLTD key

 

ShudderLTD key not present!

 

checking for PSGuard.com key

 

 

PSGuard.com key not present!

 

 

checking for WinHound.com key

 

 

WinHound.com key not present!

 

 

checking for drsmartload2 key

 

 

drsmartload2 key not present!

 

spyaxe uninstaller NOT present

Winhound uninstaller NOT present

SpywareStrike uninstaller NOT present

AlfaCleaner uninstaller NOT present

SpyFalcon uninstaller NOT present

SpywareQuake uninstaller NOT present

SpywareSheriff uninstaller NOT present

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Existing Pre-run Files

 

 

~~~ Program Files ~~~

 

 

 

~~~ Shortcuts ~~~

 

 

 

~~~ Favorites ~~~

 

 

 

~~~ system32 folder ~~~

 

ishost.exe

ismon.exe

isnotify.exe

issearch.exe

ixt*.dll

amcompat.tlb

nscompat.tlb

logfiles

 

 

~~~ Icons in System32 ~~~

 

 

 

~~~ Windows directory ~~~

 

 

 

~~~ Drive root ~~~

 

 

~~~ Miscellaneous Files/folders ~~~

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 1056 'explorer.exe'

Killing PID 1056 'explorer.exe'

 

Starting registry repairs

 

Registry repairs complete

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SharedTask Export after registry fix

 

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)

Copyright© 2006 BleepingComputer.com

 

Registry Pseudo-Format Mode (Not a valid reg file):

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Deleting files

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Remaining Post-run Files

 

 

~~~ Program Files ~~~

 

 

 

~~~ Shortcuts ~~~

 

 

 

~~~ Favorites ~~~

 

 

 

~~~ system32 folder ~~~

 

 

 

~~~ Icons in System32 ~~~

 

 

 

~~~ Windows directory ~~~

 

 

 

~~~ Drive root ~~~

 

 

~~~ Miscellaneous Files/folders ~~~

 

 

~~~ Wininet.dll ~~~

 

CLEAN! :)

*****

^^ Even smitfiles has a smilie about it! :)

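The smitfiles.txt log above opens and closes with a GetSTS dump of Explorer's SharedTaskScheduler key. Explorer loads the COM servers listed there at startup, which is why the tool snapshots the key before and after its registry repairs. As an added example (my code, not smitRem, GetSTS or anything posted in the thread), here is a Python reading of that pseudo-registry format: it maps each CLSID to the DLL named in its InProcServer32 key, flags anything that is not the stock browseui.dll entry seen in phaetn's dump, and lists entries that a repair removed. The dumps are constructed: the two browseui.dll entries are the stock XP ones from the log, while the third CLSID and example_hook.dll are hypothetical.

```python
"""Parse the SharedTaskScheduler dump that GetSTS writes into smitfiles.txt,
resolve each CLSID to the DLL Explorer will load, and diff two dumps.
Added example; not code from smitRem, GetSTS or the thread."""
import re

# Constructed sample dumps in the tool's "Registry Pseudo-Format". The first two
# CLSIDs are the stock Windows XP entries seen in the thread's log; the third
# CLSID and example_hook.dll are hypothetical, added so the diff has something
# to show.
PRE_RUN = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{11111111-2222-3333-4444-555555555555}"="Example helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\WINDOWS\system32\example_hook.dll"
"""

# Same dump after a (hypothetical) registry repair removed the third entry.
POST_RUN = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
"""

STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?(@|\{[^}]+\})"?="(.*)"$')
SERVER_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\(\{[^}]+\})\\InProcServer32$", re.I)
STOCK_DLLS = {"browseui.dll"}   # what the two stock XP entries resolve to


def parse_export(text):
    """Return {CLSID: {"name": ..., "dll": ...}} for every SharedTaskScheduler entry."""
    entries, servers, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or section is None:
            continue
        name, value = m.group(1), m.group(2)
        if section.lower() == STS_KEY.lower():
            entries[name.upper()] = {"name": value, "dll": None}
        else:
            sm = SERVER_KEY_RE.match(section)
            if sm and name == "@":
                servers[sm.group(1).upper()] = value
    # Second pass: attach the server DLL to each scheduler entry (None if absent)
    for clsid, info in entries.items():
        info["dll"] = servers.get(clsid)
    return entries


def suspicious(entries):
    """CLSIDs with no server DLL in the dump, or a DLL other than the stock one."""
    flagged = []
    for clsid, info in entries.items():
        dll = info["dll"]
        if dll is None:
            flagged.append((clsid, "no InProcServer32 value in the dump"))
        elif dll.split("\\")[-1].lower() not in STOCK_DLLS:
            flagged.append((clsid, "non-stock server DLL: " + dll))
    return flagged


def removed_entries(before, after):
    """CLSIDs present in the pre-run dump but gone after the registry repair."""
    return [c for c in before if c not in after]


if __name__ == "__main__":
    pre, post = parse_export(PRE_RUN), parse_export(POST_RUN)
    for clsid, why in suspicious(pre):
        print("review:", clsid, pre[clsid]["name"], "->", why)
    print("removed by repair:", removed_entries(pre, post))
```

Run against the real dump in the log above, both passes return nothing to review and nothing removed, which is exactly what smitRem reported: the SharedTaskScheduler key was not where this hijacker had installed itself.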

Do a *scan only* with Hijackthis and checkmark these two entries, then press the *fix checked* button

 

O19 - User stylesheet: E:\WINDOWS\default.css (file missing)

 

O19 - User stylesheet: (file missing) (HKLM)

 

I'm happy to see that got the active infection. Noahdfear is the author of SmitRem and the other tool is SmitfraudFix by S!ri. Both will probably be updated further for this particular hijacker, as we did not have the ishost.exe file until you submitted it. So delete any of those tools and their folders and in a few days re-download a fresh copy and run through the fix to see if either one picks up any more things to be fixed (I'm thinking stray files and registry entries especially), after these guys have had a chance to see what all those files do. Adaware has copies and will be updating in the future as well, and since it does a complete system scan may find additional things to repair.

 

Some final cleanup and prevention recommendations follow.

 

Navigate to C:\Windows\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Clean out your Temporary Internet files.

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

 

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

 

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

 

Also visit this Free Online Scanner for PC Health and Safety

http://safety.live.com/site/en-US/default.htm

and Microsoft Security At Home

http://www.microsoft.com/athome/security/default.mspx

for tips to Protect your Pc, Protect yourself and Protect your Family.

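The fix above clears two O19 entries by hand after reading the log. As an added example (my code, not HijackThis's and not posted by anyone in the thread), here is a small Python triage pass over HijackThis 1.99-style log lines that pulls out the kinds of entries a helper looks at first: anything marked (file missing), R0/R1 start or search values that point at a local file rather than a URL, any O19 user stylesheet, and O23 services with an unknown owner. The sample log is constructed; the BHO, Run entry and service names in it are hypothetical.

```python
"""Triage a HijackThis 1.99-style log: pull out the entry lines and flag the
kinds of entries the thread's helper acted on. Added example; not part of
HijackThis or of the thread."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the log format used in this thread; the BHO,
# Run entry and services are hypothetical, not taken from the poster's machine.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\helper_example.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O19 - User stylesheet: C:\WINDOWS\default.css (file missing)
O23 - Service: Example Service (exsvc) - Unknown owner - C:\Program Files\Example\exsvc.exe (file missing)
O23 - Service: Vendor Service (vsvc) - Vendor Inc. - C:\Program Files\Vendor\vsvc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")   # "O23 - ...", "R0 - ..."
LOCAL_PATH_RE = re.compile(r"^[a-z]:\\|^\\\\", re.I)   # drive letter or UNC path


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. R0, O4, O23
    body: str   # everything after "R0 - "


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_hjt(text):
    """Keep only the classified entry lines; header and process list are skipped."""
    return [Entry(m.group(1), m.group(2))
            for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(entries):
    """Rules mirror what was acted on in the thread: dangling references,
    IE start/search values that are not URLs, user stylesheets (HijackThis
    lists O19 as a style-sheet hijack), and services without a publisher."""
    findings = []
    for e in entries:
        line = f"{e.code} - {e.body}"
        if "(file missing)" in e.body:
            findings.append(Finding(e.code, "references a file that no longer exists; fix the entry", line))
        if e.code in ("R0", "R1") and " = " in e.body:
            name, value = e.body.split(" = ", 1)
            if "ProxyServer" in name:
                findings.append(Finding(e.code, "proxy configured; confirm you set it, some hijackers set one", line))
            elif LOCAL_PATH_RE.match(value.strip()):
                findings.append(Finding(e.code, "IE start/search value points at a local file, not a URL", line))
        if e.code == "O19":
            findings.append(Finding(e.code, "user stylesheet set; HijackThis classes O19 as a style-sheet hijack", line))
        if e.code == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.code, "service binary carries no publisher information", line))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

It is a first pass only: a flagged entry means "read it", not "fix it", and an unflagged entry (the O2 and O4 lines here) means nothing on its own. HijackThis output still has to be read against what is actually installed on the machine.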

Sorry, I have the same problem as phaetn. The only thing is that when I download the fix from Symantec it says that a file is corrupt and needs to be re-downloaded. But when I do, the same thing happens. It's the file Virscan.zip which is corrupted. Just wondering if anyone can help; it would be greatly appreciated.


I tried to use HiJackThis to remove sysnetsecurity as my home page. I could not locate the files referenced in this message. Any other suggestions? I have run Norton Systemworks, AdAware, and Spybot [all in safe mode]. I cannot get rid of sysnetsecurity. Any assistance will be appreciated. Interesting note, I have Explorer and Netscape. It only took over Explorer.

I tried to use HiJackThis to remove sysnetsecurity as my home page. I could not locate the files referenced in this message. Any other suggestions? I have run Norton Systemworks, AdAware, and Spybot [all in safe mode]. I cannot get rid of sysnetsecurity. Any assistance will be appreciated. Interesting note, I have Explorer and Netscape. It only took over Explorer.

Ron, go here and post a new topic:

http://www.lavasoftsupport.com/index.php?showforum=36

 

(You'll see a button on the right side to start a new topic that looks like this:

http://home.earthlink.net/~calamityjanefl/LS%20NewTopic.gif

 

Post your Adaware scan log and a HijackThis log. Here are instructions for both

 

1. Adaware SE log

Please can you make sure that you are using

Ad-aware SE Build 106r1

Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.

 

[if not Uninstall your old Ad-aware first then install SE]

Then use the WebUpDate

to get the latest Definition file

SE1R113 28.06.2006

To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe). Click "Connect" and Ad-aware will then download the latest Definition file for you.

To make sure it is updated, look at the main Ad-aware screen under "Initialization Status". It should say the latest Definition file.

Then scan doing a "Full Scan" and post your logfile here by using the Add-Reply feature.

Logs are stored in:

C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\

An easy way to get there is to click Start, click Run, type in %appdata% and press ENTER, then click Lavasoft, then Ad-Aware, and then Logs. Scroll down to find the latest one that you have (by date & time), open it, right-click, Select All, copy, and then paste the contents of it here.

(Make sure that all of your logfile has been posted; sometimes it will require two posts to get it all.)

 

2. Instructions on creating a HijackThis Log

http://www.lavasoftsupport.com/index.php?showtopic=216
