View Full Version : Have IE_updater.exe, crss and winlogon--Cant get into safe mode!
I have spent some time on hour site and it seems I have the above referenced infections.
I have read all the mandatory steps mentioned to obtain help, one of which is getting into safe mode.
I can get into the safe mode menu after hitting F-8--I arrow up to safe mode , I hit enter, the machine boots into windows safe mode, a box pops up asking me if I want to work in safe mode, I click yes and then the screen stays black. The screen says safe mode in white on the left and right bottom of the black screen with an hour glass that wont go away.
Any suggestions?
The machine is my daughter's who is home before finals, is a Dell laptop with SP2.
thanks in advance.
Hi there.
If you can't get into safe mode, please go ahead and produce the HJT log for one of our helpers to analyse, if you can.
Cheers.
Thanks for your response.
Right before I ran HJ I installed BoClean which said it removed or shut down the IE_updater.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:23:36 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\MrobeService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\drvconf.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\cinkhbkr.dll",realset
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136649345947
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
CalamityJane
2007-05-08, 16:20
Hi bruce48,
Are you still needing help? If so could you please scan and post a fresh HijackThis log so I can see where you are at this point?
I'm now subscribed to this thread so I'll get a notice when you reply here and can get to you much more quickly.
Meanwhile, there are some backdoor trojans running on that PC - so please don't force safe mode. Here is why (techinical but important not to attempt using msconfig or forcing the machine into safe mode)
See the first post in this topic here:
http://www.dslreports.com/forum/remark,18150258
Just keep the PC offline as much as possible and we'll work with you here.
Yes, yes indeed-- I am still in need of some help.
I am sending you this on my machine--the infected machine is a laptop that belongs to my daughter.
I will keep the unit off line as you requested and run a fresh HJT and send it to this machine and then to you.
I thank you so much!
Be right back at ya.
Hello,
Ok here ya go.
I did manage, on Sunday, to install BoClean which said it took out the ie_updater:
Logfile of HijackThis v1.99.1
Scan saved at 5:28:21 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\MrobeService.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
https://email.pace.edu/uwc/auth
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}
- C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should
be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should
be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should
be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should
be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should
be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/w
uweb_site.cab?1136649345947
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload
ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} -
http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer
Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} -
http://download.buddylinks.net/ShellInstaller.cab
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509}
- C:\WINDOWS\system32\nvfwwfr.dll
O23 - Service: BOCore - COMODO - C:\Program
Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO
EPSON CORPORATION - C:\Program Files\Common
Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner -
C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. -
C:\WINDOWS\SYSTEM32\MrobeService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe
CalamityJane
2007-05-09, 04:20
Great, except your log is now all chopped up. Could you please open Notepad and choose *format* at the top and then make sure that "wordwrap" is unchecked then scan and make a fresh log and post that up. It's really hard to read properly all chopped up like that. I think some entries have changed but a readable log would make it a lot better.
Meanwhile, I need for you to see if you can find some files to upload for me to look at.
Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
....................
Please go here to upload a suspicious file for analysis.
http://www.uploadmalware.com/
* Enter your username from this forum as: Bruce48 at Spybot Forum
* Copy and paste the link to this thread: http://forums.spybot.info/showthread.php?t=13503
o Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open":
c:\windows\system32\prejqghyt.dll
* In the comments, please mention that I asked you to upload this file
* Click on Send File
Look to see if these files are present and if found, please upload a copy of these:
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\drvconf.exe
C:\WINDOWS\system32\nvfwwfr.dll
C:\WINDOWS\system32\cinkhbkr.dll
This machine is almost on it's knees.
Here is latest hjt log unchopped up (hopefully).
I will have to reboot a few times to get back on with you to do the other items soon. Thanks for your patience.
Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 6:06:37 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\MrobeService.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136649345947
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
CalamityJane
2007-05-10, 02:15
Yes, that log is much better. It's a pretty infected machine so I will not have real good news for you. You might think about backing up any important data and looking for the install disks because I see already a couple of backdoor trojans just in the brief glance I just gave it.
Let me write all this up and come back with a complete reply.
CalamityJane
2007-05-10, 03:26
If you can't get those files to me, I can collect them later from the backups of the program we are going to use to delete them. So let's proceed as I have now gotten this all written up. Warning! There is a lot of information you need to know about those infections and frankly, if this were my daughter's PC, I would choose to reformat/reinstall instead of trying to "fix" it as there may well be damage we cannot see nor fix leaving it vulnerable to future infections.
Infections indicated in your logs:
Troj/Bckdr-QGB (That one was the ie_updater.exe that BOClean deleted)
http://www.sophos.com/security/analyses/trojbckdrqgb.html
Troj/Bckdr-QGB is a Trojan for the Windows platform.
Troj/Bckdr-QGB includes functionality to access the internet and communicate with a remote server via HTTP.
......................
Troj/Agent-EBT
http://www.sophos.com/security/analyses/trojagentebt.html
Troj/Agent-EBT is a Trojan for the Windows platform.
Troj/Agent-EBT includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/Agent-EBT is installed the following files are created:
<Temp>\free porn finder.exe
<Temp>\gfdhsagfhsgajkfgsadhgfksag1_2.bat
<Temp>\gfdhsagfhsgajkfgsadhgfksag2_2.bat
<Temp>\gfdhsagfhsgajkfgsadhgfksag2_2.exe
Troj/Agent-EBT also attempts to start these executables created in the <Temp> folder.
When the file gfdhsagfhsgajkfgsadhgfksag2_2.exe is started it copies itself to <System>\svehost.exe.
The following registry entry is created to run svehost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Intel system tool
<System>\svehost.exe
............................
And this is, by far, the worst of the lot:
W32/Agobot-LX
http://www.sophos.com/virusinfo/analyses/w32agobotlx.html
Name W32/Agobot-LX
Type * Spyware Worm
How it spreads * Network shares
Affected operating systems * Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Read under the *Adavanced* tab in that link for the Agobot description. It does some pretty nasty stuff
...........................
There are some more I can't identify as yet but they are definitely some kind of infection. You need to realize the dangers of backdoor trojans that have run on a computer:
What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx
Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.
Some helpful info if you choose that is the route you want to take to be safe:
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063
And this because there were some trojans that steal data off of the compromised PC - you should change all accounts, passwords, etc. See this FAQ:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
........................
If you should choose to try to clean, I can't make any guarantees that the removal of this malware may not be complete, won't reverse any changes made we can't see and is entirely at your own risk. It is common for trojan such as Agobot to do much damage on a computer or make removal impossible.
These would be the steps to follow if you do choose to try to clean or cannot reformat/reinstall.
First:
Download WinSock XP fix from here:
WinSock Fix
http://www.majorgeeks.com/download4372.html
Then download LSPFix from here:
LSP-Fix
http://www.bleepingcomputer.com/files/lspfix.php
We'll be using those later.
...........................
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger.exe to your desktop
2. Copy all the text contained in the quote box below (the bold text) and save to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
c:\windows\system32\prejqghyt.dll
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\drvconf.exe
C:\WINDOWS\system32\nvfwwfr.dll
C:\WINDOWS\system32\cinkhbkr.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer *Yes* twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will
be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
...................
6. Now we are going to use the LSPfix I had you download earlier
Disconnect from the Internet and close all Internet Explorer Windows.
Run the LSPfix program and check the "I know what I'm doing" box. If you see this file in the list: prejqghyt.dll,proceed as follows:
Place all listings of prejqghyt.dll into the remove section by highlighting prejqghyt.dll and clicking on the button that points to the right. When all instances of this dll (and only ones with THAT name) are in the Remove section press the *Finish* button.
Then Reboot.
On rare occasions, LSP-fix may leave your connection broken. If this happens, unzip Winsock Fix and run the program.
To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers
http://www.bleepingcomputer.com/forums/tutorial59.html
......................
7. Open HijackThis and choose to do a *system scan only*
When it finishes, place a checkmark next to the following entries
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
After checkmarking those entries, please press the *fix checked* button then close HijackThis.
..........................
One of those trojans is known to compromise the HOSTS file blocking certain security sites from being able to be accessed. To fix it do the following
8. Download HostsXpert v3.7
http://www.funkytoad.com/content/view/13/
* Unzip HostXpert to your desktop
* Open up the HostXpert program.
* Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
* Click Create Back Up
* Then click on Restore Microsoft's Host Files
* Close the HostXpert program
9. Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.
Temporary Files
Temporary Internet Files
Recycle Bin
When done, restart the computer
.....................................
10. After the restart, Open HijackThis again and do a system scan to make a new log.
Please post both the new HijackThis log and the Avenger report back please.
Well, I think you gave me a terrific idea for a graduation gift for my daughter. She is going on to grad school and has had this machine for 4 years now.
So I will get her a new machine, reformatting this one and maybe use it for who knows what.
I really must express my gratitude to you for the work you put into this for us.
My gratitude speaks!
Thank You.
CalamityJane
2007-05-10, 17:04
Hello Bruce,
You're welcome and glad we could help :) That does sound like a solid plan :bigthumb:
Best wishes to you and your daughter. I'll leave you with some recommendations and tips for secure computing to pass along to her for that new computer. Meanwhile I'll archive this topic in the "Resolved" section (read only). If you should have any further issues, please feel free to start a new topic.
I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!
Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).
A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/setup/learnmore/share/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.
Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/
For XP users:
And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.