AstaKiller, Smitfraud-C.Toolbar888 and Virtumonde



JDL155
2006-08-02, 19:55
My other computer has not been starting up properly since yesterday morning, so I have only been able to run it in safe mode. I believe this is because of spyware, and have tried to fix the problem with Spybot S&D. I have run Spybot several times but AstaKiller, Smitfraud-C.Toolbar888 and Virtumonde keep showing up as problems.
Because I have only been able to run the computer in safe mode I do not have an on-line scan log for you, but my HJT log is below. Thanks for your help.



Logfile of HijackThis v1.99.1
Scan saved at 9:22:26 AM, on 8/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Antimalware Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll
O2 - BHO: (no name) - {6FD20885-351E-4737-8584-BDB934CA9AA6} - \
O2 - BHO: (no name) - {81D1AB79-1B83-45BD-88B4-B441AD4830BD} - \
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updwebmin] C:\WINNT\system32\updwebmin.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\RunServices: [updwebmin] C:\WINNT\system32\updwebmin.exe
O4 - HKLM\..\RunOnce: [WMC_15] C:\WINNT\system32\regsvr32.exe /s "C:\WINNT\system32\wmvdmod.dll"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [447bb746.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\447bb746.exe
O4 - HKCU\..\Run: [updwebmin] C:\WINNT\system32\updwebmin.exe
O4 - HKCU\..\Run: [riwr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\133_funtarget_4_0_4_0.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
O20 - Winlogon Notify: efcay - C:\WINNT\SYSTEM32\efcay.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

teacup61
2006-08-03, 05:38
Hello JDL155,

Welcome to Safer Networking Forums :)

Understand that I can't see everything when the log is made in safe mode, so we'll try to clean it to the point that you can use normal mode, then finish. :)

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll
O2 - BHO: (no name) - {6FD20885-351E-4737-8584-BDB934CA9AA6} - \
O2 - BHO: (no name) - {81D1AB79-1B83-45BD-88B4-B441AD4830BD} - \
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKCU\..\Run: [447bb746.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\447bb746.exe
O4 - HKCU\..\Run: [riwr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\133_funtarget_4_0_4_0.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: efcay - C:\WINNT\SYSTEM32\efcay.dll

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Also, delete the following files (if they exist):

C:\windows\system32\blank.htm
C:\WINNT\system32\efcay.dll
C:\WINNT\thiselt.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\447bb746.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\133_funtarget_4_0_4_0.exe

Reboot your computer.

If you can boot into normal mode now, please do the following. Otherwise, if you can download it to this computer you're on and transfer it to the infected computer, please do that and follow these directions.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer, because files that are in use may be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.


Thanks,
tea

JDL155
2006-08-04, 03:08
Hello tea,

Thanks for your prompt response. I followed all of your instructions, but my computer still will not boot into normal mode. Below are the logs you requested.

efcay.dll;C:\WINNT\system32;Trojan.DownLoader.9994;Will be cured after reboot.;
backup-20060803-151458-338.dll;C:\Documents and Settings\Administrator\Desktop\Antimalware Programs\hijackthis\backups;Trojan.DownLoader.9994;Deleted.;
efcay.dll;C:\WINNT\system32;Trojan.DownLoader.9994;Will be cured after reboot.;
Process.exe;D:\SmitfraudFix\SmitfraudFix;Tool.Prockill;Cannot move.;

Logfile of HijackThis v1.99.1
Scan saved at 4:56:01 PM, on 8/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Antimalware Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [WMC_15] C:\WINNT\system32\regsvr32.exe /s "C:\WINNT\system32\wmvdmod.dll"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
O20 - Winlogon Notify: efcay - C:\WINNT\SYSTEM32\efcay.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
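As an added example (not Dr.Web code and not from the thread), the Python below parses the DrWeb.csv report format visible above and cross-checks it against the HijackThis log that follows it: a file Dr.Web could only schedule for cleaning "after reboot" but which still appears in the post-reboot HJT log has not actually been cleaned. The field names, the `Tool.` classification rule and the cross-check helper are this example's own assumptions; the sample texts are the report and two HJT lines posted above.

```python
"""Summarise a Dr.Web CureIt report and cross-check it against a later HJT log.

Added example: not Dr.Web code and not part of the thread. The report that
CureIt saves as DrWeb.csv is semicolon-separated, one object per line, with
the four fields seen in the thread (file, directory, detection, action) and
a trailing ';'. Field names and helper functions are assumptions made here.
"""
import csv
import io

FIELDS = ("file", "directory", "detection", "action")

# Constructed sample: the Dr.Web report posted in the thread
SAMPLE_REPORT = r"""
efcay.dll;C:\WINNT\system32;Trojan.DownLoader.9994;Will be cured after reboot.;
backup-20060803-151458-338.dll;C:\Documents and Settings\Administrator\Desktop\Antimalware Programs\hijackthis\backups;Trojan.DownLoader.9994;Deleted.;
efcay.dll;C:\WINNT\system32;Trojan.DownLoader.9994;Will be cured after reboot.;
Process.exe;D:\SmitfraudFix\SmitfraudFix;Tool.Prockill;Cannot move.;
"""

# Constructed sample: two lines from the HJT log posted after the reboot
SAMPLE_HJT_AFTER = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll
O20 - Winlogon Notify: efcay - C:\WINNT\SYSTEM32\efcay.dll
"""


def parse_report(text):
    """Parse DrWeb.csv lines into dicts, dropping the empty trailing field and
    collapsing exact duplicate rows (the report above lists efcay.dll twice)."""
    records, seen = [], set()
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";"):
        row = [c.strip() for c in row]
        if row and row[-1] == "":
            row.pop()  # trailing ';' produces an empty last cell
        if len(row) < len(FIELDS):
            continue
        key = tuple(row[: len(FIELDS)])
        if key in seen:
            continue
        seen.add(key)
        records.append(dict(zip(FIELDS, key)))
    return records


def full_path(rec):
    """Join directory and file name the way HJT prints paths."""
    return rec["directory"].rstrip("\\") + "\\" + rec["file"]


def pending_after_reboot(records):
    """Files Dr.Web could only schedule for cleaning at the next boot."""
    return [full_path(r) for r in records if "after reboot" in r["action"].lower()]


def tool_detections(records):
    """Detections named Tool.*: utilities classed as riskware rather than malware.
    In the thread this is SmitfraudFix's own Process.exe (Tool.Prockill)."""
    return [r for r in records if r["detection"].startswith("Tool.")]


def still_present(pending, hjt_log):
    """Pending paths that still appear in an HJT log taken after the reboot,
    which means the scheduled clean-up did not take effect."""
    low = hjt_log.lower()
    return [p for p in pending if p.lower() in low]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    pending = pending_after_reboot(recs)
    print("pending after reboot:", pending)
    print("tool detections:", [full_path(r) for r in tool_detections(recs)])
    print("still present in later HJT log:", still_present(pending, SAMPLE_HJT_AFTER))
```

On the sample this reports C:\WINNT\system32\efcay.dll as still present, which is the state the thread is in at this point: the DLL is loaded through Winlogon Notify before the desktop and is back in the next log.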

teacup61
2006-08-05, 06:27
Hello,

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.


I see SmitfraudFix in the DrWeb log. If you still have it, then go ahead and follow the direction for running option # 1 below. If not:

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks,
tea

JDL155
2006-08-05, 08:04
Tea,

I tried to follow your directions but was not able to carry out all of them. Here's what happened:

After reading your last post in this thread, I opened the link for the VundoFix program and saved it (the program) to a writeable disc. I then removed the disc, started up the infected computer in safe mode (normal mode still doesn't work), and put the disc into that computer's CD drive. After copying the VundoFix.exe file from the disc and pasting it onto the infected computer's desktop, I got to the point with the message about Vundofix needing to restart, and clicked "OK". That was nearly 15 minutes ago, but the program still has not restarted. What's the problem?

Thanks again,

JDL

teacup61
2006-08-05, 09:00
Hello,

Go ahead and restart it yourself and go on with the directions as best as you can. :) Post the log it made in your reply.

Thanks,
tea

JDL155
2006-08-05, 20:25
Hi,

I did have to restart VundoFix manually, but I was able to follow the rest of your instructions just as you wrote them.

Here are the scans you requested:

Vundo
VundoFix V5.1.6

Checking Java version...

Java version is 1.5.0.7

Scan started at 9:55:38 AM 8/5/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

HJT
Logfile of HijackThis v1.99.1
Scan saved at 10:02:26 AM, on 8/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Antimalware Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [WMC_15] C:\WINNT\system32\regsvr32.exe /s "C:\WINNT\system32\wmvdmod.dll"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
O20 - Winlogon Notify: efcay - C:\WINNT\SYSTEM32\efcay.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

SmitFraudFix
SmitFraudFix v2.79

Scan done at 10:09:41.50, Sat 08/05/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

teacup61
2006-08-05, 20:49
Hello,

Let's try another option in VundoFix. :)


* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is complete, right-click inside the listbox (white box) and click add more files
* Copy&Paste the 2 entries below into the top 2 boxes

o C:\WINNT\system32\efcay.dll
o C:\WINNT\system32\yacfe*

* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Thanks

JDL155
2006-08-05, 21:37
Hello,

Once again, VundoFix did not re-open as it should have (I waited approx. five minutes), so I re-opened it manually. Also, when my desktop became blank and VundoFix was removing the Vundo, I received this message: "Cannot import C:\vundofix.reg: Error opening this file. There may be a disk or file system error." Other than that, everything proceeded in accordance with your last post.


VundoFix V5.1.6

Checking Java version...

Java version is 1.5.0.7

Scan started at 9:55:38 AM 8/5/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.6

Checking Java version...

Java version is 1.5.0.7

Scan started at 11:00:42 AM 8/5/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINNT\system32\efcay.dll
C:\WINNT\system32\efcay.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 11:19:06 AM, on 8/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Antimalware Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [WMC_15] C:\WINNT\system32\regsvr32.exe /s "C:\WINNT\system32\wmvdmod.dll"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

teacup61
2006-08-05, 21:54
Hello,

Just a leftover visible in your log.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\efcay.dll (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Could I please see an uninstall list?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Thanks,
tea

JDL155
2006-08-05, 22:51
Hello again, :)

I followed your instructions, and below is what you requested.

Many thanks,
JDL

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5
BroadJump Client Foundation
Canon i250
Canon Utilities Easy-PhotoPrint
Desktop Weather by The Weather Channel
Easy-WebPrint
HijackThis 1.99.1
iTunes
J2SE Runtime Environment 5.0 Update 7
Macromedia Flash Player 8
Macromedia Shockwave Player
Nancy Drew: The Final Scene
RealPlayer
SBC Self Support Tool
SBC Yahoo! Applications
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Visual IP InSight(SBC)
Weather Services
Windows Media Player 7.1

teacup61
2006-08-06, 03:15
Hello,

Did you install anything new around the time this happened? Sometimes in Windows 2000 driver conflicts can keep you from being able to boot into normal mode. You can also try Last Known Good Configuration.

Let me know please. :)

tea

JDL155
2006-08-06, 03:24
Hi tea,

Actually, I don't use that computer very often, and I hadn't used it for a while before it started having problems. I believe my sister might have downloaded the trojan(s) that it had, but she hasn't given me a thorough account of what happened on the day the problems started.

Is there anything else you want me to do? If so, I'll be glad to do it.

Thanks again,
JDL

JDL155
2006-08-06, 04:04
Hello,

I have tried the "Last Known Good Configuration" option, but it has not worked.

By the way, all that I expected from you was your help in getting the malware off of my computer. If my computer is clean of malware, as I believe it is, you may close this thread without upsetting me.

Thanks a bunch, :bigthumb:
JDL

teacup61
2006-08-06, 04:07
Hello,

I hate to keep asking you to download things, but not being able to see everything really bites and I have to. Honestly right now I'm searching, as there is nothing else visible in your Safe Mode log. It may not even be malware related.

Try this :

Download Silent Runners.zip (http://tinyurl.com/8bmsr) and extract it to a new folder on your Desktop. Run the Silent Runners.vbs file. You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO." If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it. A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!) Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

tea

teacup61
2006-08-06, 04:11
Heh, looks like we cross-posted. ;) Since you don't use it often, perhaps there are drivers that need to be updated? Go ahead and get Silent Runners. I want to be as sure as I can be about the malware being gone. :)

JDL155
2006-08-06, 04:42
Here you go.


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "1" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" [file not found]
"IPInSightLAN 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l" ["Visual Networks"]
"IPInSightMonitor 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"" ["Visual Networks"]
"Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"WMC_15" = "C:\WINNT\system32\regsvr32.exe /s "C:\WINNT\system32\wmvdmod.dll"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * DfsInit" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "&Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]

{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Distributed Link Tracking Server, TrkSvr, "C:\WINNT\system32\services.exe" [MS]
File Replication, NtFrs, "C:\WINNT\system32\ntfrs.exe" [MS]
File Server for Macintosh, MacFile, "C:\WINNT\System32\sfmsvc.exe" [MS]
InstallDriver Table Manager, IDriverT, "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" ["Macrovision Corporation"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]
Message Queuing, MSMQ, "C:\WINNT\System32\mqsvc.exe" [MS]
Network DDE DSDM, NetDDEdsdm, "C:\WINNT\system32\netdde.exe" [MS]
On-line Presentation Broadcast, NSLService, "C:\WINNT\System32\Windows Media\NSLite\nslservice.exe" [MS]
Print Server for Macintosh, MacPrint, "C:\WINNT\System32\sfmprint.exe" [MS]
Simple TCP/IP Services, SimpTcp, "C:\WINNT\System32\tcpsvcs.exe" [MS]
SNMP Service, SNMP, "C:\WINNT\System32\snmp.exe" [MS]
SNMP Trap Service, SNMPTRAP, "C:\WINNT\System32\snmptrap.exe" [MS]
TCP/IP Print Server, LPDSVC, "C:\WINNT\System32\tcpsvcs.exe" [MS]
Windows Internet Name Service (WINS), WINS, "C:\WINNT\System32\wins.exe" [MS]
Windows Media Monitor Service, nsmonitor, "C:\WINNT\System32\WINDOW~1\Server\nspmon.exe" [MS]
Windows Media Program Service, nsprogram, "C:\WINNT\System32\WINDOW~1\Server\nspm.exe" [MS]
Windows Media Station Service, nsstation, "C:\WINNT\System32\WINDOW~1\Server\nscm.exe" [MS]
Windows Media Unicast Service, nsunicast, "C:\WINNT\System32\WINDOW~1\Server\nsum.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
AppleTalk Printing Devices\Driver = "sfmmon.dll" [MS]
Canon BJ Language Monitor i250\Driver = "CNMLM50.DLL" ["CANON INC."]
LPR Port\Driver = "lprmon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 56 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 137 seconds)
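
As an added example (not part of the thread and not the reporting tool's own code), here is a small Python triage helper for the startup report format above: it parses the key-header and entry lines and keeps the items a helper looks at first, namely entries the tool marked INFECTION WARNING, autostarts whose file is missing ([file not found]), and loaded DLLs with no publisher string ([empty string]). The sample input is a handful of lines copied from the report above.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: lines copied from the startup report above (a registry key
# header line, then one '"name" = "value" [tags]' line per entry under it).
SAMPLE_REPORT = r"""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "1" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * DfsInit" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]
"""

REASON_WARNING = "flagged by the report (INFECTION WARNING)"
REASON_MISSING = "autostart points at a missing file"
REASON_UNSIGNED = "loaded DLL carries no publisher string"

# Entry line: optional warning prefix, quoted or bare name, ' = "value"', then
# one or more bracketed tags such as [MS], ["Yahoo! Inc."] or [file not found].
ENTRY_RE = re.compile(r'^(?P<warn>INFECTION WARNING! )?(?P<name>"[^"]*"|\S+) = "(?P<value>.*)" (?P<tags>\[.*\])$')


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    name: str     # value name, quotes stripped
    value: str    # command line or DLL path exactly as the report shows it
    reasons: List[str] = field(default_factory=list)


def parse_findings(report: str) -> List[Finding]:
    """Keep only the entries worth a closer look. The report's flags are leads,
    not verdicts: each finding still has to be verified by hand on the machine."""
    findings: List[Finding] = []
    key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("HK") and (line.endswith("\\") or line.endswith("{++}")):
            key = line.replace(" {++}", "")   # header line: remember the key
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                          # blank lines, "-> {HKLM...CLSID}" cross-refs
        reasons = []
        if m.group("warn"):
            reasons.append(REASON_WARNING)
        if "[file not found]" in m.group("tags"):
            reasons.append(REASON_MISSING)
        if "[empty string]" in m.group("tags"):
            reasons.append(REASON_UNSIGNED)
        if reasons:
            findings.append(Finding(key, m.group("name").strip('"'), m.group("value"), reasons))
    return findings
```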

JDL155
2006-08-06, 05:33
Some more info on the problem:

(Note: I had run scans with fully-updated versions of Ad-aware and Spybot S&D just a few days before the following events. According to those scans, the system was clean.)

A few days before I started this thread my sister came to me and told me that there was something wrong with our computer. I went to check on it immediately and found it to be turned off. I knew that she had been using it just a few moments before, so I asked her if it had crashed. She didn't really tell me (she's hard to get info. from), so I turned it on to find out for myself.

It seemed to be working normally until it got to the part where the desktop was supposed to show up on the screen. At that point, the screen just turned a light shade of blue (the color of the regular background) and the computer immediately shut off and restarted itself. This happened again, so I tried booting the computer into safe mode, which worked. When the desktop came up I noticed a strange icon labeled "Spysheriff", or something very similar. I had heard of this being spyware, and asked my sister whether she had downloaded it. She said that she might have, and something about a bunch of pop-ups that claimed we had viruses on our computer. According to her, these pop-ups would not go away, so she clicked on them.

It sounded to me as though she had downloaded a trojan, so I ran Ad-aware and Spybot in an attempt to get rid of it. The Spybot scan came up with the entries given in the title of this thread, along with some others--I don't remember what the Ad-aware scan said. I "fixed" these problems with Spybot, but ran the scan again to make sure they were gone. According to the results of the second scan, they weren't (gone, that is), so I ran the scan again, with the same results. This happened a few more times, so I sought out the Safer Networking Forums.

The computer has not booted into normal mode since then, though I have tried many times.

Finis

So that's why I believe the malware and booting problems are related.

Does that help any? I hope so, because it took me a loooong time to write. :D

teacup61
2006-08-06, 07:50
Hello,

Yes, it always helps to know details like that. Thank you very much for taking so much time on it. Not many people do.

Do you have your OS disc?

teacup61
2006-08-06, 22:14
Hello,

We're not done yet.:)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I don't see an Anti Virus running......do you have one installed? And, do you have internet access at all while you're in safe mode? And finally, you gave a great detailed description of what happens when you turn the computer on, but I need to ask to make sure........are there any error messages that accompany this restart?

ComboFix may take a while to run, and the log may be pretty big, so be prepared.

Thank you,
tea

JDL155
2006-08-07, 00:52
Tea,

First, the OS disc is not actually mine. My father borrowed it from a friend of his, who I believe still has it. I'm certain this friend would lend it to me if I asked. I do have an XP OS disc, and my father has mentioned using that to replace the Windows 2000 that's on the problematic computer.

Second, I downloaded Combofix and tried to run it. However, a few seconds after the Combofix window opened, I received a message saying "Combofix cannot run in Safe Mode."

Third, I do not have an anti-virus on the computer itself, but it is connected to the internet through a router, which does have an anti-virus.

As for the internet, I can actually connect to it in safe mode (I'm typing this post on the problematic computer). This requires a special setting called "Safe Mode with Networking", which I was not aware of until this afternoon. I'm sorry that I didn't know of it sooner. I'm not sure how much I can do on the internet with this setting, but I'm willing to try any suggestions you might have.

Finally, I haven't noticed any error messages while the computer has been booting, though I certainly have been looking for them. It seems to work fine until the point I mentioned before.

I'm really sorry for not noticing the "Safe Mode with Networking" option before, and I understand if you're upset. Once again, I don't expect any more help from you--I believe I've already taken too much of your time. If you no longer want to assist me, I won't blame you. However, if you are still willing to help, I'll do my best to follow your instructions.

Sincere thanks,
JDL

teacup61
2006-08-08, 03:32
Hello,

No need to be sorry.;) Let's get an AV on your computer since you're online now.
AVG (http://free.grisoft.com/freeweb.php/doc/2/), Avira (http://www.free-av.com/) OR Avast (http://www.avast.com/) are good FREE antivirus. Run a scan with the one you chose to install and post back with anything bad it finds. Maybe that will give us another clue. ;)

Thanks,
tea

JDL155
2006-08-08, 06:52
Hi tea,

I downloaded Avira AntiVir PersonalEdition Classic, Version 7 from free-av.com and ran a scan with it. During the scan, "Luke Filewalker" reported the following:

C:\Documents and Settings\...\lo573244448.exe
Is the Trojan horse TR/Crypt.F.Gen

C:\Documents and Settings\...\VSL.dl_
Is the Trojan horse TR/Dldr.Small.ctp.

When I received these reports, I was given the option to delete the entries or quarantine them. Because you didn't instruct me to delete anything, I just quarantined them.

Thanks for your patience,
JDL

teacup61
2006-08-08, 09:36
Hello,

If it wants to delete them, let it. No sign of normal mode yet?

Heh, Luke Filewalker....heh.....I like that. ;)

JDL155
2006-08-08, 20:53
Hello,

I deleted those entries, then ran the AntiVir scan again to make certain they are gone. Luke didn't report them, so I guess they are.

As for normal mode, I tried to boot into it a few times, both before and after deleting the trojans. None of these tries were successful, and proceeded just as I detailed in my previous posts (looks OK until the desktop should appear, then restarts automatically).

Do you have any more suggestions? Should I borrow that Win 2000 OS disc?

teacup61
2006-08-08, 23:40
If you can borrow it, then yes. If it's a system file that's either missing or corrupted that's causing this, then we can possibly repair it, but we need the disc for that. I'm not ready to give up!;) Let me know when you have it.:)

Regards,
tea

JDL155
2006-08-11, 04:06
Hi tea,

I received the Win 2000 disc this afternoon, and started to run it. On the disc's installation menu, there are two options:

1. Upgrade to Windows 2000 (recommended). This would replace the OS, but leave the current settings and programs.

2. Install a new copy of Windows 2000. This would replace the OS, reset the settings, and erase all of the software.

Which of these do you recommend to me?

Thanks for sticking with me,
JDL

teacup61
2006-08-11, 07:05
Hello,

Actually neither for now!:laugh: Take the disc out for now. I want you to do this first:

Click Start>Run and type in or copy and paste the following in :

sfc /scannow

OK

Follow the prompts and give it the disc when it asks for it. Let me know how that does. :)

Thanks,
tea

JDL155
2006-08-11, 21:08
Hi tea,

After I had copied/pasted "sfc /scannow" into the Run text box and clicked OK, the screen just flickered, as though a window had opened and immediately closed. I watched the screen for approx. 10 minutes, but nothing else happened. The H.D.D. light wasn't even on, and none of the normal "thinking" noises came from the PC tower.

Still faithful,
JDL

JDL155
2006-08-11, 21:16
By the way, no normal mode yet, though I have been trying it a few times each day.

teacup61
2006-08-12, 23:14
Hi,

Before you do anything drastic, I'd like to refer you to another forum for some troubleshooting.

http://forums.tomcoyote.org/index.ph...5&showforum=83

http://www.bleepingcomputer.com/forums/forum83.html

Either of these places will offer you quality help, and hopefully get you running in normal mode again.:)

Please take care, and let me know how you come out!

tea

tashi
2006-08-17, 15:28
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.