pseudoquet

Another computer attacked, please help


Ok, well the "Alerts" log FYI is the firewall alerts.

 

Let's use this tool to scan the system. It's free and will make a log for me to look at. If the tool finds anything and wants you to pay to remove it, just ignore that. All I want is the log. (This tool uses the KAV engine so it's very good, but can have False Positives or find very minor stuff sometimes).

 

MicroWorld AntiVirus Toolkit Utility (MWAV)

http://www.mwti.net/products/mwav/mwav.asp

 

This log WILL be huge. Here is how you can upload a copy to me:

 

Go here to upload the file as an attachment

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from pseudoquet at LS),

fill in a short message & then press the browse button, then navigate to & select the log file on your computer. Then hit the *Post* button and I will be able to collect the attachment :)

 

You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them


Got it, thanks :)

 

Please download the Killbox by Option^Explicit.

http://www.downloads.subratam.org/KillBox.zip

 

Unzip/Extract the contents to your desktop

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

1. Open Killbox by clicking on Killbox.exe

 

2. Select *Delete on Reboot* in the first column

 

[screenshot: DeleteOnReboot.gif]

 

3. Press the *All Files* button IMPORTANT STEP!

 

[screenshot: AllFilesButton.gif]

 

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and pressing Control + C

 

C:\WINDOWS\system32\ekvrlfzz.exe

C:\WINDOWS\system32\qjrkvy.exe

C:\WINDOWS\system32\winflash.dll

C:\WINDOWS\SYSTEM32\MIGBUUPD.GJS

 

5. In Killbox, select the "File" tab at the top

 

6. Choose "Paste from Clipboard" in the drop down menu

 

7. Press the red button with the white x in it.

 

8. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

 

(Choose yes, if ready to reboot or no, if you need to close some other open items first.)

 

9. You can close all programs and any open windows.

 

10. Reboot your computer.

 

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

C:\!KillBox (Note that the file starts with an exclamation mark)

 

11. Navigate to the Killbox backup folder:

C:\!KillBox

 

a. Right-click the file or folder

 

b. Point to Send To

 

c. Then click Compressed (zipped) Folder

 

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

C:\!KillBox.zip

 

12. Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?topic=1827.0

Just press *reply*

fill in a short message & then press the browse button, then navigate to & select these files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select it. When all the files are listed in the window, press Post to upload the files.

 

Files to upload:

 

C:\!KillBox.zip

 

You DO NOT need to be a member to upload, anybody can upload the files.

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them


Good morning, pseudoquet

 

I got the files, still looking at them. There was one trojan not previously found until MWAV caught it and now killed with killbox. It does appear to be part of or related to this infection. You can delete the !Killbox folder now.

 

Let's run the newest SmitfraudFix. Delete your prior SmitfraudFix folder and files. Download the latest version here:

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note: process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed

 

Fresh HijackThis log


Ok! I'll be here, but maybe not in the evening hours (I have to rest sometime!) plus we have a Tropical Storm headed our way today and tomorrow, so there is a possibility we could have power outages or need to be offline.

 

Fellow researcher and MS MVP, Derek (dvk01), has had a look at this thread for me and he has suggested these steps to try to diagnose the IE problem:

 

download filesearch.bat to your desktop from http://www.thespykiller.co.uk/forum/index....tpmod;dl=item11

 

double click it and it will make a list of ALL files and folders in both C:\windows & c:\windows\system32 and a list of all folders in C:\program files so we can plough through them and spot anything dodgy, hopefully

 

it will only pop up for a quick flash

 

a filesearch.txt should pop up; save it to the desktop as it makes it easier to find

If it doesn't pop up then a copy will be in C:\filesearch.txt

 

It will be too big to upload here so go to your existing upload thread at Spykiller

http://www.thespykiller.co.uk/forum/index.php?topic=1827.0

(just press "reply" and attach the reports requested, as they will be long)

 

 

repeat with appdata.bat from http://www.thespykiller.co.uk/forum/index....tpmod;dl=item12

 

and then repeat again with all user_appdata.bat http://www.thespykiller.co.uk/forum/index....tpmod;dl=item13

 

so you will have 3 files to upload

 

filesearch.txt

appdata.txt

au_appdata.txt


Ok, here are the logs requested in post 56.

 

HiJackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 8:14:09 PM, on 6/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Norton Internet Security\ISSVC.exe

c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\D-Link AirPlus\AirPlus.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Logitech\SetPoint\KEM.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/Symantec-eLife-PCSec-54NAblue

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe

O4 - Startup: HP Organize.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: D-Link AirPlus.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe

O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129917381609

O18 - Protocol: bw+0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: offline-8876480 - {AA286532-1E7F-444E-9532-3B42A9464F67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


And the latest rapport:

 

SmitFraudFix v2.59

 

Scan done at 20:08:04.76, Mon 06/12/2006

Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\about_spyware_bg.gif Deleted

C:\WINDOWS\about_spyware_bottom.gif Deleted

C:\WINDOWS\as.gif Deleted

C:\WINDOWS\as_header.gif Deleted

C:\WINDOWS\box_1.gif Deleted

C:\WINDOWS\box_2.gif Deleted

C:\WINDOWS\box_3.gif Deleted

C:\WINDOWS\button_buynow.gif Deleted

C:\WINDOWS\button_freescan.gif Deleted

C:\WINDOWS\download_box.gif Deleted

C:\WINDOWS\features.gif Deleted

C:\WINDOWS\footer_back.gif Deleted

C:\WINDOWS\footer_back.jpg Deleted

C:\WINDOWS\header_1.gif Deleted

C:\WINDOWS\header_2.gif Deleted

C:\WINDOWS\header_3.gif Deleted

C:\WINDOWS\header_4.gif Deleted

C:\WINDOWS\main_back.gif Deleted

C:\WINDOWS\rf.gif Deleted

C:\WINDOWS\rf_header.gif Deleted

C:\WINDOWS\scan_btn.gif Deleted

C:\WINDOWS\security-center-bg.gif Deleted

C:\WINDOWS\security-center-logo.gif Deleted

C:\WINDOWS\security_center_caption.gif Deleted

C:\WINDOWS\sep_hor.gif Deleted

C:\WINDOWS\sep_vert.gif Deleted

C:\WINDOWS\spacer.gif Deleted

C:\WINDOWS\spacer.gif' Deleted

C:\WINDOWS\spyware-detected.gif Deleted

C:\WINDOWS\star_gray.gif Deleted

C:\WINDOWS\star_gray_small.gif Deleted

C:\WINDOWS\star_small.gif Deleted

C:\WINDOWS\ts.gif Deleted

C:\WINDOWS\ts_header.gif Deleted

C:\WINDOWS\v.gif Deleted

C:\WINDOWS\warning_icon.gif Deleted

C:\WINDOWS\win_logo.gif Deleted

C:\WINDOWS\x.gif Deleted

C:\WINDOWS\system32\thlwin32.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Calamity Jane:

 

You have been excellent about responding to my posts quickly. I will understand if a tropical storm delays you :lol: Please be safe though!

 

I will now try the suggestions from post 58...


Calamity and Derek:

 

The files you requested in post 58 have been uploaded to http://www.thespykiller.co.uk/forum/index.php?topic=1827.0

 

Thanks again for your continued attention.

 

Also, I have not checked IE after the past two or three steps because I suspect that every time I open it it is downloading more things to deal with... Could you tell me when are appropriate times to check it? Thanks.


Got the logs, I'll review them shortly.

 

No, I don't think IE is downloading additional malware. The message you see for this:

When I try to navigate to another webpage it looks like it is loading normally and then after a few seconds Microsoft Internet Explorer message box comes up that says "Internet Explorer could not open the search page." When I close that message box IE displays a message that says "Downloading from site: res://C:\Win\system32\shdoclc.dll/dnserror.htm".
is the standard error message - not downloading malware.

 

So could you please check IE to see if it is still having a problem opening webpages?


I can see what is likely to be the problem

 

Nothing showing in any of the logs I asked for, BUT in the firewall log, it shows what looks like you have blocked IE from the net.

 

I don't use NIS, so I'm not sure exactly how to remove blocks, but in most firewalls there is an admin panel that displays all the rules.

 

it looks like you are using a router & you have blocked IE from the router

 

this is the log section

 

5/12/2006 3:43:56 PM,Supervisor,The user has created a rule to "block" communications.,"The user has created a rule to ""block"" communications. Inbound UDP packet. Local address,service is (192.168.0.101,radius(1812)). Remote address,service is (64.132.47.194,5004). Process name is ""C:\Program Files\Internet Explorer\IEXPLORE.EXE""."

 

 

and this one, which looks like you have blocked DNS access:

 

6/7/2006 1:40:10 PM,Supervisor,The user has created a rule to "block" communications.,"The user has created a rule to ""block"" communications. Outbound UDP packet. Local address,service is (192.168.0.101,0). Remote address,service is (192.168.0.1,domain(53)). Process name is ""C:\WINDOWS\system32\users32.exe""."

 

I'm not sure whether NIS blocks all traffic on those IP numbers & ports or just from the specific application listed, but NIS would be my first suspect with IE access problems.

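As an added example (not part of the thread, and not Norton's own code), here is the way dvk01 reads those two NIS "Alerts" lines, written as a check: parse the CSV rows and flag any user-created "block" rule that hits the browser process or the DNS port. The 4-column layout, the regexes and the browser list are my assumptions from those two lines alone; the addresses, ports and process names are copied from the post.

```python
import csv
import io
import re

# Added example, not from the thread or from Norton. The two NIS "Alerts" lines below are
# copied from the post; the 4-column CSV layout (last column quoted, inner quotes doubled)
# and the regexes are inferred from those two lines only, not from Norton documentation.
SAMPLE_ALERTS = (
    '5/12/2006 3:43:56 PM,Supervisor,The user has created a rule to "block" communications.,'
    '"The user has created a rule to ""block"" communications. Inbound UDP packet. '
    'Local address,service is (192.168.0.101,radius(1812)). Remote address,service is '
    '(64.132.47.194,5004). Process name is ""C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE""."\n'
    '6/7/2006 1:40:10 PM,Supervisor,The user has created a rule to "block" communications.,'
    '"The user has created a rule to ""block"" communications. Outbound UDP packet. '
    'Local address,service is (192.168.0.101,0). Remote address,service is '
    '(192.168.0.1,domain(53)). Process name is ""C:\\WINDOWS\\system32\\users32.exe""."\n'
)
BROWSERS = {"iexplore.exe"}  # assumption: browser executables whose block rules matter here

def port_of(service):
    """'domain(53)' -> 53, 'radius(1812)' -> 1812, '5004' -> 5004 (NIS labels known ports)."""
    m = re.search(r"\((\d+)\)$", service)
    return int(m.group(1) if m else service)

def parse_alert(row):
    """Pull action, remote endpoint and process out of one CSV row; None if not a rule alert."""
    d = row[3] if len(row) > 3 else ""  # the long, quoted detail column
    action = re.search(r'rule to "(\w+)"', d)
    remote = re.search(r"Remote address,service is \(([^,]+),(.+?)\)\.", d)
    proc = re.search(r'Process name is "(.+?)"\.', d)
    if not (action and remote and proc):
        return None
    exe = proc.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()  # basename of the path
    return {"when": row[0], "action": action.group(1).lower(), "process": exe,
            "remote_ip": remote.group(1), "remote_port": port_of(remote.group(2))}

def find_breaking_rules(log_text):
    """Return (timestamp, reason) for every user-created block rule that would stop browsing."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        a = parse_alert(row)
        if a is None or a["action"] != "block":
            continue
        if a["process"] in BROWSERS:
            findings.append((a["when"], "browser %s blocked" % a["process"]))
        if a["remote_port"] == 53:  # DNS: blocking this breaks name resolution for everything
            findings.append((a["when"], "DNS (port 53) to %s blocked" % a["remote_ip"]))
    return findings
```

Running `find_breaking_rules(SAMPLE_ALERTS)` reports both rules dvk01 pointed at: the IE block from 5/12/2006 and the DNS block to the router from 6/7/2006.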

! Jump for joy ! IE is now navigating and I have no more known symptoms from the antispywarebox infection.

 

Big thanks to CalamityJane for all your help removing the stupid thing in the first place!

 

And thanks to dvk01 for the astute observation that led me to fiddle around in Norton and restore IE internet navigability.

 

Here's what had happened. At some point in the quest to get rid of antispywarebox I had changed the Norton firewall setting from low to high. Apparently IE will not work unless Norton firewall is on the low setting. I would never have thought that that was the reason IE was not working. Thanks for the tip dvk01!

 

Now that I have overcome this virus I am going to do a general cleanup (and increase precautionary measures) by following the advice as outlined in a link that CalamityJane has been posting:

 

http://www.dslreports.com/faq/13620

 

Then I will reset my system restore points.

 

Then I will back up all of the important files on my computer on CDs and DVDs. This is the most crucial thing that I have never done... If I had a backup I would have been able to cut my losses at some point during a nasty infection like this one and wipe my hard drive clean and then re-install my operating system and files. IF anyone has been following this thread out of curiosity and has not backed up their files on their computer, PLEASE learn from my mistake.

 

Is there anything else I should do to prevent future attacks?

 

Also, as a final note, I just want to say that I have been amazed to discover that a community such as this one exists and the help of strangers, especially CalamityJane, has in no small part reaffirmed my belief in humanity at the time when the malicious pranks of antispywarebox called it into question. I have learned so much this past week and hope that I can pass on some of this knowledge to friends, family members, colleagues, or even a stranger on a security forum.


Hoooray!!! :D Brilliant sleuthing there, Derek. Thank you!! B)

 

pseudoquet, you'll find a good bit of Tony Klein's excellent suggestions peppered into my prevention article. There is a whole army of researchers out here behind what we do in these forums, from Derek, to Tony and big thanks to S!ri, (author of the tool: SmitfraudFix) and a host of others doing various volunteer work to help everyone stay ahead of the malware out there. I'm thankful to all of them and it makes us all a great team :)

 

Good luck and stay safe, pseudoquet. I'm glad we were able to help!! :D
