help malware

[pskelley]

Thanks for returning the information, I am not sure why you are having the issues, perhaps Smitfraudfix does not know the language.

As far as SDFix, if you follow the direction: Report.txt will also be copied to Clipboard ready for posting back on the forum

Let's have a look at the results.

The first part of the fix for Smitfraud worked ok, the second part, SDFix has not worked. This fix will remove the really nasty trojans I mentioned in the linked in my last instructions, please read these directions carefully and run the fix again:

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/R...ools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Please take the time to read and follow the directions carefully. If you are unsure about what you are doing, please ask someone with more computer experience for help. If you run the fix the way it says to, it will remove the trojans and it will produce the report. We use the fix all of the time.

Thanks

[amobilepp]

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/R...ools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

hey

I've done 3 times exactly what you said.

I always get this:

"Starting Repairs

Checking runing processes, services and files...

Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified
Sistem can't find the way specified"

Then it doesn't do anything.

The RunThis.bat is localized in "C:\SDFix\RunThis.bat"

Maybe because i'm runing Safe Mode with comand line?

[pskelley]

Maybe because i'm runing Safe Mode with comand line?

Then try following the directions please...

[amobilepp]

Then try following the directions please...

??
sry i don't understand what you mean.

When i run the safe mode and after entering my password, i only see a black screen saying "Safe Mode". is this normal?

What should i do after runing safe mode and entering my password? i only see a black screen saying "Safe Mode".

[pskelley]

http://www.bleepingcomputer.com/tuto...utorial61.html
Using the F8 Method

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.
Do whatever tasks you require and when you are done reboot to boot back into normal mode

http://www.computerhope.com/issues/chsafe.htm

http://www.pcstats.com/articleview.cfm?articleID=1643

[amobilepp]

Hey

i got a big problem.

i did this: (http://www.bleepingcomputer.com/tuto...utorial61.html)

Using the System Configuration Tool Method

Step 1: Close all programs so that you have nothing open and are at the desktop.

Step 2: Click on the Start button then click on Run.

Step 3: In the Run field type msconfig as shown in the image below.



Figure 4. Starting Msconfig



Step 4: Press the OK button and the System Configuration Utility will start up. You will then see a screen similar to Figure 5 below.




Figure 5. Starting the System Configuration Utility



Step 5: Click on the tab labeled "BOOT.INI" which is designated by the red box in Figure 5 above. You will then be presented with a screen similar to Figure 6 below.




Figure 6. BOOT.INI Tab



Step 6: Put a checkmark in the checkbox labeled "/SAFEBOOT" designated by the red box in Figure 6 above. Then press the OK button. After pressing the button you will be presented with a confirmation box as shown in Figure 7 below.




Figure 7. Confirm Reboot



Step 7: Press the Restart button and let the computer reboot. It will now boot up into Safe Mode.

Now when i restart my computer I ALWAYS GET IN SAFE MODE.

As i said before, in safe mode i can't do anything!!

I only see a black screen saying safe mode (like in this pic http://www.bcot1.com/safemode03.jpg)

What can i do?

PLEASE help me

[pskelley]

Once you get back to normal mode, please do not try to get to safe mode again unless you use the F8 method I originally posted. I have prepared manual instructions for removing the malware and will post them once you are in normal mode and let me know.

I still seriously believe you have problems caused by this junk, and that you really should consider a a reformat or at the very least reinstalling your Operating System. Your call.

Let's try this, please take your time and follow the directions carefully:

Method 2: tried and tested moments ago
- boot up in safe mode
- bring up taskmgr (alt/ctl/del)
- Select file: either use the browse button to get to this path and double click on msconfig.exe or type the entire path in by hand
C:\windows\pchealth\helpctr\binaries\msconfig.exe
This will bring you back to msconfig screen.
- From there you can select the boot.ini tab and unselect the /SAFEBOOT check box.
- Restart your PC and you should be ok


Let me know how it goes.

Thanks

[amobilepp]

nvm i got my computer back ))

I typed NO to this message http://www.bcot1.com/safemode03.jpg because when i type YES the i only see a black screen saying safe mode. Must be a bug!!

Then i did the system restore and i got the computer in normal mode.

But i got all the virus again :D

see you

[pskelley]

OK...that's a good thing. Here are the manual instructions, you can delete the SDFix.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uedfarer.dll",setvm
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
(next two are Alexa toolbar resource wasters, but if you use Alexa you can leave them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

(I believe the "spool" folder should be deleted, if all that is in it are those two files, delete the folder)
C:\WINDOWS\system32\spool\cmd.exe <<< delete that file
C:\WINDOWS\system32\spool\hpprintqueue.exe <<< delete that file

C:\WINDOWS\system32\uedfarer.dll <<< delete that file

C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll <<< delete that file

5) Follow the directions in this link to download, update and run AVG Anti-Spyware. Make sure you delete or at least quarantine anything found and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the AVG Anti-Spyware scan report and a new HJT log. Add any comments you think will help.

Thanks

[amobilepp]

hey

I installed this antivirus http://www.free-av.com/ and it immediatly detected and i moved to quarantine these ones:

gebyv.dll
notepad.exe (from spool folder)
yhqgeae.dll
fhxovnj.dll
cmd.exe (from spool folder)

Am i safe from this ones?

They are still shown in hijack log. (no idea why)
But they are not anymore in the respective folders.. (spool..)

Logfile of HijackThis v1.99.1
Scan saved at 15:29:45, on 29-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\HP\QuickPlay\QPService.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\Programas\Apoint2K\Apntex.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\AntiVir PersonalEdition Classic\avcenter.exe
C:\Documents and Settings\Miguel Rodrigues\Ambiente de trabalho\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.138.64.143:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14EDF56F-48E6-4953-91A9-DD894A71562E} - C:\WINDOWS\system32\gebyv.dll
O2 - BHO: (no name) - {15FDD0E0-28C0-430C-8CE6-25BCC9BF50E2} - C:\WINDOWS\system32\ddcdabc.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\nnnlmmm.dll (file missing)
O2 - BHO: (no name) - {3FBE25C8-BF92-5FD5-3793-0A2C8BF02D24} - C:\WINDOWS\system32\oqkffqc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tvadupmp.dll (file missing)
O2 - BHO: (no name) - {69FB2C07-9D91-69F0-3349-00AE5946C225} - C:\WINDOWS\system32\yhqgeae.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar4.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\hnccaeca.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programas\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programas\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Programas\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKLM\..\Run: [fhxovnj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Miguel Rodrigues\Definições locais\Application Data\fhxovnj.dll",klwrakd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uedfarer.dll",setvm
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KIT3] C:\WINDOWS\system32\spool\hpprintqueue.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: XFX Game Controller.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Programas\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcdabc - C:\WINDOWS\SYSTEM32\ddcdabc.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\system32\gebyv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: nnnlmmm - nnnlmmm.dll (file missing)
O20 - Winlogon Notify: urqpnlj - urqpnlj.dll (file missing)
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programas\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programas\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe