
Thread: Have IE_updater.exe, crss and winlogon--Cant get into safe mode!

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    6

    Have IE_updater.exe, crss and winlogon--Cant get into safe mode!

    I have spent some time on your site and it seems I have the above referenced infections.

    I have read all the mandatory steps mentioned to obtain help, one of which is getting into safe mode.

    I can get into the safe mode menu after hitting F-8--I arrow up to safe mode, I hit enter, the machine boots into Windows safe mode, a box pops up asking me if I want to work in safe mode, I click yes and then the screen stays black. The screen says safe mode in white on the left and right bottom of the black screen with an hourglass that won't go away.

    Any suggestions?

    The machine is my daughter's, who is home before finals; it is a Dell laptop with SP2.

    thanks in advance.

  2. #2
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hi there.

    If you can't get into safe mode, please go ahead and produce the HJT log for one of our helpers to analyse, if you can.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    May 2007
    Posts
    6


    Thanks for your response.
    Right before I ran HJ I installed BoClean which said it removed or shut down the IE_updater.

    Here is the HJT log:


    Logfile of HijackThis v1.99.1
    Scan saved at 5:23:36 PM, on 5/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\SYSTEM32\MrobeService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\drvconf.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
    O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\cinkhbkr.dll",realset
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136649345947
    O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
    O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
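
    The log above is in HijackThis v1.99.1 format. As an added example (not from this thread and not HijackThis code), here is a small Python triage script that parses such a log and applies the checks a helper applies by eye when reading one: lookalike system names (svehost.exe sitting next to svchost.exe), consonant-heavy random file names in system32 (prejqghyt.dll, nvfwwfr.dll, cinkhbkr.dll), repeated "Unknown file in Winsock LSP" entries, and services with an unknown owner or a missing file. The sample log embedded in it is constructed from entries quoted in this thread and is not a complete log; the vowel-ratio threshold and the one-character lookalike rule are assumptions of the example, not rules used by the forum helpers.

```python
"""Triage helper for HijackThis-style logs.

Added example: this script is not part of the thread or of HijackThis. It
parses the two sections a HijackThis v1.99.1 log is made of (the "Running
processes:" list and the Rn/Fn/On entries) and applies a few defender-side
heuristics. The output is a list of leads for a human analyst, not verdicts.
"""
import re
from collections import Counter

# Constructed sample in HijackThis v1.99.1 format, assembled from entries
# quoted in this thread (deliberately not a complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:06:37 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\drvconf.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\cinkhbkr.dll",realset
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
"""

# Windows XP system binaries that malware imitates with a one-character change.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# A drive-letter path up to the first .exe/.dll; a quote or comma ends it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll)', re.IGNORECASE)


def edit_distance_one(a: str, b: str) -> bool:
    """True if a and b have the same length and differ in exactly one character."""
    if len(a) != len(b) or a == b:
        return False
    return sum(x != y for x, y in zip(a, b)) == 1


def looks_random(stem: str) -> bool:
    """Consonant-heavy, letters-only names such as prejqghyt or nvfwwfr.
    Assumed threshold: fewer than 20% vowels over six or more letters."""
    if len(stem) < 6 or not stem.isalpha():
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.2


def name_findings(path: str, where: str) -> list:
    """Lookalike and random-name checks on one file path."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return []  # the expected system binary itself; nothing to flag by name
    stem = name.rsplit(".", 1)[0]
    out = [("lookalike", f"{where}: {name} resembles {known}")
           for known in sorted(KNOWN_SYSTEM_BINARIES) if edit_distance_one(name, known)]
    if looks_random(stem):
        out.append(("random-name", f"{where}: {name}"))
    return out


def parse_log(text: str):
    """Split a log into (running_processes, [(kind, body), ...])."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def triage(text: str) -> list:
    """Return (rule, detail) leads for one log."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        findings += name_findings(proc, "process")
    lsp_files = Counter()
    for kind, body in entries:
        if kind == "O10" and "Unknown file in Winsock LSP" in body:
            lsp_files[body.split(": ", 1)[1].strip().lower()] += 1
            continue
        if kind == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(("service", body))
        for path in PATH_RE.findall(body):
            findings += name_findings(path, kind)
    for path, n in lsp_files.items():
        findings.append(("winsock-lsp", f"{path} ({n} LSP entries)"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

    Run stand-alone, it prints eight leads: svehost.exe twice (process list and O4 Run entry), the random-looking names drvconf.exe, cinkhbkr.dll and nvfwwfr.dll, the MSIEUpdater_2 service with no owner and a missing file, and prejqghyt.dll with its three LSP entries. LEXPPS.EXE also trips the random-name rule even though the same log's O23 line attributes it to Lexmark, which is why the output is a list of leads to confirm against vendor names and file locations, not a removal list.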

  4. #4
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Hi bruce48,

    Are you still needing help? If so could you please scan and post a fresh HijackThis log so I can see where you are at this point?

    I'm now subscribed to this thread so I'll get a notice when you reply here and can get to you much more quickly.

    Meanwhile, there are some backdoor trojans running on that PC - so please don't force safe mode. Here is why (technical, but important: do not attempt to use msconfig or force the machine into safe mode).
    See the first post in this topic here:
    http://www.dslreports.com/forum/remark,18150258

    Just keep the PC offline as much as possible and we'll work with you here.
    Microsoft MVP 2003-2009
    Windows-Security

  5. #5
    Junior Member
    Join Date
    May 2007
    Posts
    6


    Yes, yes indeed-- I am still in need of some help.
    I am sending you this on my machine--the infected machine is a laptop that belongs to my daughter.
    I will keep the unit off line as you requested and run a fresh HJT and send it to this machine and then to you.
    I thank you so much!
    Be right back at ya.

  6. #6
    Junior Member
    Join Date
    May 2007
    Posts
    6

    hjt log

    Hello,
    Ok here ya go.
    I did manage, on Sunday, to install BoClean which said it took out the ie_updater:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:28:21 PM, on 5/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\SYSTEM32\MrobeService.exe
    C:\hjt\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
    O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...n/x86/client/wuweb_site.cab?1136649345947
    O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
    O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  7. #7
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Great, except your log is now all chopped up. Could you please open Notepad and choose *format* at the top and then make sure that "wordwrap" is unchecked then scan and make a fresh log and post that up. It's really hard to read properly all chopped up like that. I think some entries have changed but a readable log would make it a lot better.

    Meanwhile, I need for you to see if you can find some files to upload for me to look at.

    Make sure your PC is configured to show hidden files
    How to Show Hidden Files
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.
    ....................
    Please go here to upload a suspicious file for analysis.
    http://www.uploadmalware.com/

    * Enter your username from this forum as: Bruce48 at Spybot Forum

    * Copy and paste the link to this thread: http://forums.spybot.info/showthread.php?t=13503

    o Click "Browse" on the 1. field.
    Browse to the following file and click the file with your mouse, press "Open":

    c:\windows\system32\prejqghyt.dll

    * In the comments, please mention that I asked you to upload this file
    * Click on Send File

    Look to see if these files are present and if found, please upload a copy of these:

    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\drvconf.exe
    C:\WINDOWS\system32\nvfwwfr.dll
    C:\WINDOWS\system32\cinkhbkr.dll
    Microsoft MVP 2003-2009
    Windows-Security

  8. #8
    Junior Member
    Join Date
    May 2007
    Posts
    6


    This machine is almost on its knees.
    Here is latest hjt log unchopped up (hopefully).
    I will have to reboot a few times to get back on with you to do the other items soon. Thanks for your patience.
    Thanks!

    Logfile of HijackThis v1.99.1
    Scan saved at 6:06:37 PM, on 5/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\SYSTEM32\MrobeService.exe
    C:\hjt\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
    O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136649345947
    O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
    O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  9. #9
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Yes, that log is much better. It's a pretty infected machine so I will not have real good news for you. You might think about backing up any important data and looking for the install disks because I see already a couple of backdoor trojans just in the brief glance I just gave it.

    Let me write all this up and come back with a complete reply.
    Microsoft MVP 2003-2009
    Windows-Security

  10. #10
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    If you can't get those files to me, I can collect them later from the backups of the program we are going to use to delete them. So let's proceed as I have now gotten this all written up. Warning! There is a lot of information you need to know about those infections and frankly, if this were my daughter's PC, I would choose to reformat/reinstall instead of trying to "fix" it as there may well be damage we cannot see nor fix leaving it vulnerable to future infections.

    Infections indicated in your logs:

    Troj/Bckdr-QGB (That one was the ie_updater.exe that BOClean deleted)
    http://www.sophos.com/security/analy...jbckdrqgb.html
    Troj/Bckdr-QGB is a Trojan for the Windows platform.

    Troj/Bckdr-QGB includes functionality to access the internet and communicate with a remote server via HTTP.
    ......................

    Troj/Agent-EBT
    http://www.sophos.com/security/analy...jagentebt.html
    Troj/Agent-EBT is a Trojan for the Windows platform.

    Troj/Agent-EBT includes functionality to access the internet and communicate with a remote server via HTTP.

    When Troj/Agent-EBT is installed the following files are created:

    <Temp>\free porn finder.exe
    <Temp>\gfdhsagfhsgajkfgsadhgfksag1_2.bat
    <Temp>\gfdhsagfhsgajkfgsadhgfksag2_2.bat
    <Temp>\gfdhsagfhsgajkfgsadhgfksag2_2.exe

    Troj/Agent-EBT also attempts to start these executables created in the <Temp> folder.

    When the file gfdhsagfhsgajkfgsadhgfksag2_2.exe is started it copies itself to <System>\svehost.exe.

    The following registry entry is created to run svehost.exe on startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Intel system tool
    <System>\svehost.exe
    ............................
    And this is, by far, the worst of the lot:
    W32/Agobot-LX
    http://www.sophos.com/virusinfo/anal...2agobotlx.html

    Name W32/Agobot-LX
    Type * Spyware Worm

    How it spreads * Network shares

    Affected operating systems * Windows

    Side effects

    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    Read under the *Advanced* tab in that link for the Agobot description. It does some pretty nasty stuff.
    ...........................
    There are some more I can't identify as yet but they are definitely some kind of infection. You need to realize the dangers of backdoor trojans that have run on a computer:

    What is a backdoor or remote access trojan?
    Read this article.
    Danger: Remote Access Trojans
    http://www.microsoft.com/technet/sec.../virusrat.mspx

    Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.

    Some helpful info if you choose that is the route you want to take to be safe:

    When should I re-format? How should I reinstall?
    http://www.dslreports.com/faq/10063

    And this because there were some trojans that steal data off of the compromised PC - you should change all accounts, passwords, etc. See this FAQ:
    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    http://www.dslreports.com/faq/10451

    ........................
    If you should choose to try to clean, I can't make any guarantees that the removal of this malware will be complete or that it will reverse any changes made that we can't see; it is entirely at your own risk. It is common for a trojan such as Agobot to do much damage on a computer or to make removal impossible.

    These would be the steps to follow if you do choose to try to clean or cannot reformat/reinstall.

    First:
    Download WinSock XP fix from here:
    WinSock Fix
    http://www.majorgeeks.com/download4372.html

    Then download LSPFix from here:
    LSP-Fix
    http://www.bleepingcomputer.com/files/lspfix.php

    We'll be using those later.
    ...........................
    1. Please download The Avenger by Swandog46 to your Desktop.
    Click on Avenger.zip to open the file
    Extract avenger.exe to your desktop

    2. Copy all the text contained in the quote box below (the bold text) and save to your Clipboard by highlighting it and pressing (Ctrl+C):

    Files to delete:
    c:\windows\system32\prejqghyt.dll
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\drvconf.exe
    C:\WINDOWS\system32\nvfwwfr.dll
    C:\WINDOWS\system32\cinkhbkr.dll

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done.
    • Now click on the Green Light to begin execution of the script.
    • Answer *Yes* twice when prompted.


    4. The Avenger will automatically do the following:
    • It will restart your computer.
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


    5. Please copy/paste the content of c:\avenger.txt into your reply
    ...................
    6. Now we are going to use the LSPfix I had you download earlier.

    Disconnect from the Internet and close all Internet Explorer Windows.
    Run the LSPfix program and check the "I know what I'm doing" box. If you see this file in the list: prejqghyt.dll, proceed as follows:

    Place all listings of prejqghyt.dll into the remove section by highlighting prejqghyt.dll and clicking on the button that points to the right. When all instances of this dll (and only ones with THAT name) are in the Remove section press the *Finish* button.
    Then Reboot.

    On rare occasions, LSP-fix may leave your connection broken. If this happens, unzip Winsock Fix and run the program.

    To see a tutorial on how to use this program click the link below:
    Using LSP-Fix to remove LSP Spyware & Hijackers
    http://www.bleepingcomputer.com/forums/tutorial59.html

    ......................

    7. Open HijackThis and choose to do a *system scan only*

    When it finishes, place a checkmark next to the following entries:
    • R3 - Default URLSearchHook is missing
    • F3 - REG:win.ini: load=
    • F3 - REG:win.ini: run=
    • O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    • O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
    • O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
    • O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
    • O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)


    After checkmarking those entries, please press the *fix checked* button then close HijackThis.
    ..........................
    One of those trojans is known to compromise the HOSTS file, blocking certain security sites from being accessed. To fix it, do the following:

    8. Download HostsXpert v3.7
    http://www.funkytoad.com/content/view/13/

    * Unzip HostXpert to your desktop
    * Open up the HostXpert program.
    * Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
    * Click Create Back Up
    * Then click on Restore Microsoft's Host Files
    * Close the HostXpert program

    9. Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
    Wait while Windows scans your system for files to delete.
    Make sure these 3 are checkmarked and press *ok* to delete them.

    Temporary Files
    Temporary Internet Files
    Recycle Bin

    When done, restart the computer
    .....................................
    10. After the restart, Open HijackThis again and do a system scan to make a new log.

    Please post both the new HijackThis log and the Avenger report back.
    Microsoft MVP 2003-2009
    Windows-Security
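The HOSTS-file check in step 8 above can also be done offline, which is useful when the machine cannot reach the web (or cannot be trusted to run a downloaded tool). The script below is an added example for this thread; it is not HostsXpert, The Avenger, or any code from the original post. The sample HOSTS text and the list of security-vendor domains are constructed assumptions for illustration. It parses the file the way Windows does (one address, one or more names, `#` comments), flags any security-related name mapped to loopback/0.0.0.0 (sinkholed, the site silently becomes unreachable) or to any other address (redirected), and produces a cleaned copy with only those lines removed.

```python
"""Offline triage of a Windows HOSTS file for hijacked security-site entries.

Added example for this thread; it is not HostsXpert, The Avenger, or any
code from the original post. The sample HOSTS text and the domain list
are constructed assumptions for illustration.
"""
import ipaddress

# Constructed sample resembling a hijacked XP HOSTS file (assumption, not
# the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com
0.0.0.0         www.symantec.com
10.0.0.5        update.microsoft.com    # redirected to an attacker host
127.0.0.1       www.bleepingcomputer.com
"""

# Illustrative list of security-related domains that HOSTS hijacks target
# (an assumption; extend it for the vendors you care about).
SECURITY_DOMAINS = {
    "sophos.com", "symantec.com", "mcafee.com", "microsoft.com",
    "windowsupdate.com", "bleepingcomputer.com", "safer-networking.org",
    "trendmicro.com", "kaspersky.com", "majorgeeks.com",
}

# Names that legitimately map to loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname, lineno) for every active mapping; comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed line
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), lineno))
    return entries


def base_domain(host):
    """Naive registrable domain: the last two labels (enough for .com/.org names)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_hijacks(text):
    """Return (lineno, ip, host, reason) for mappings that block or redirect a
    security-related domain. A loopback/unspecified address sinkholes the site
    (the user silently cannot reach it); any other address is a redirect."""
    hijacks = []
    for ip, host, lineno in parse_hosts(text):
        if host in LOOPBACK_OK or base_domain(host) not in SECURITY_DOMAINS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hijacks.append((lineno, ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed (blocked)"
        else:
            reason = f"redirected to {ip}"
        hijacks.append((lineno, ip, host, reason))
    return hijacks


def clean_hosts(text):
    """Return the HOSTS text with the hijacked lines removed; everything else
    (comments, the localhost line, unrelated entries) is kept as-is."""
    bad = {lineno for lineno, _ip, _host, _reason in find_hijacks(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, host, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {host} -> {reason}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real Windows XP machine the file is `%SystemRoot%\system32\drivers\etc\hosts`; read it in with `open(path).read()`, and note that malware often sets the read-only attribute on it (the "Make Hosts Writable?" step in HostsXpert exists for that reason), so clear the attribute before writing the cleaned copy back. Unlike "Restore Microsoft's Host Files", this keeps any legitimate custom entries; if you would rather have the stock file, Microsoft's default is just the single `127.0.0.1 localhost` line.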
