sari

Posts posted by sari

  1. tman70,

    Well, nothing is showing there. I'm going to have you run a scan that is similar to the combofix I had you run, but should be more detailed.

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.

    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Thanks,

    sari

  2. http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/
    If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT!

    It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself!

    The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information.

    Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.

    I am going to suggest you try the Kaspersky online scanner

    http://www.kaspersky.com/virusscanner

    Click on the thing with the magnifying glass at upper left.

    It will only identify (not remove) the infection but it will help the guys in the security and hijack forum to help you.

    Just for the record, I cannot find any info on this other than on 2 blogs. I've searched Kaspersky's site, Webroot's site, and many other legitimate sites that we commonly use to investigate malware, etc. I'm not sure of the origin of this particular story. Every other reference for snakeoil.dom that I can find is related to Apache servers. Since the blog you quoted was from May 14 of this year, if this were an actual virus there should be information on the major antivirus and malware sites by now. If someone can find this on a legitimate site they can point me to, that would be great, but at this time I'm assuming that this is some sort of hoax.

    sari

  3. tman70,

    We'll get rid of the key, but since that file seems to be gone, I don't think it's the issue. I'm trying to do some research on other ways to get rid of this. In the meantime, I want you to run a rootkit scanner.

    Download GMER from here:

    http://www.gmer.net/files.php

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.

    Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.

    Click on Scan.

    When the scan has run click Copy and paste the results (if any) into this thread.

    Thanks,

    sari

  4. tman70,

    I believe that's telling me that file no longer exists - there's a registry entry pointing to it, but the file itself is gone, which is a good thing (except I would have liked to have known what it was!). The attributes were hidden because it was a hidden directory - even though you had unhidden everything, the attributes would remain the same.

    Are you still having the redirections on secure links?

    sari

  5. tman70,

    Show Hidden Files

    * Click Start.

    * Open My Computer.

    * Select the Tools menu and click Folder Options.

    * Select the View Tab.

    * Under the Hidden files and folders heading select Show hidden files and folders.

    * Uncheck the Hide protected operating system files (recommended) option.

    * Click Yes to confirm.

    * Click OK.

    I'd like you to see if you can find the following file:

    C:\SysMa2\svchost.exe

    If so, please do the following:

    Right click on the folder - c:\SysMa2 - and select Send to Compressed Folder. It will create a zipped folder in the same directory.

    Please go to Uploadmalware to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse for the zipped folder you just created in c:\SysMa2
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    The combofix program did clean some files up - you had an email trojan. However, I don't like the looks of that above entry, and I'd like to get it analyzed if possible.

    Thanks,

    sari

  6. tman70,

    Ok, that one is clean. Let's try a more generalized scan that will show me more files.

    1. Download ComboFix.exe using either of these links:

    * bleepingcomputer.com

    * techsupportforum.com

    2. Double click on combofix.exe & follow the prompts.

    3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

    Note:

    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Thanks,

    sari

  7. Double_D_Edd,

    Hi, and welcome to the Besttechie forums. It looks like you've caught a case of Vundo, so let's get you cleaned up.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.

    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Thanks,

    sari

  8. tman70,

    There's not much jumping out at me in your log, except for maybe some leftovers, but let's run some things and see if anything comes up.

    Please download SmitfraudFix (by S!Ri)

    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Thanks,

    sari

  9. Moonastar,

    Hi, and welcome to Besttechie. :) You do indeed have some problems in your log, but I need a little more information before I can help you. The top of your hijackthis log was cut off, and I need to see that information. It should look something like this:

    Logfile of HijackThis v1.99.1

    Scan saved at 1:48:59 PM, on 6/18/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    If you could please put that information in a reply to this thread, then I can move ahead with helping you.

    Thanks!

    sari

  10. Whiskeyman,

    That looks a lot better, but your Java version is very out of date, which still leaves this laptop vulnerable. You need to update (you can do that via the Java control panel), as well as uninstall any older versions. You should be able to update XP SP2 now as well. Finally, did you change security settings in IE? I ask because of this line:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    This is often present with a protection program such as Spybot Search and Destroy's Teatimer, which I don't see, but I figured you may have restricted the security settings in order to provide more protection.

    sari

  11. I know you're whiskeyman at Geeks to Go, and you have access to everything there. I don't know if you recognized that you had an sdbot infection and should have run sdfix. Did you not really want help with the logs? I'm a little confused, and don't really know what's left on there since I don't really know everything that you did.

  12. TheTerrorist_75,

    I'm currently reviewing all your logs, and will be posting something soon. For the most part, the infections are PC-wide, so we can run the fixes on user only, which will help with the process. There is purityscan on one user only, which will have to be addressed separately. Keep your eyes open for my next reply.

    sari

  13. shortfuse,

    Hi, and welcome to the Besttechie forums. I apologize for the delay in responding to your thread.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe

    Now close all windows other than HiJackThis, then click Fix Checked.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.

    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.

    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      c:\windows\system32\mbsrm32.exe

      C:\WINDOWS\system32\mbssm32.exe

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • If it wants to install an ActiveX component allow it
    • Select either Home User or Company
    • Click the big Scan Now button
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

    Please post the Activescan report and a new hijackthis log in your reply.

    Thanks,

    sari

  14. rmurphy7817,

    Hello, and welcome to Besttechie. Your log is actually clean, and I don't see the tell-tale signs of AWF. Just to be on the safe side, though, I'd like you to repeat the scan in safemode using the following directions, and then post the log from the AVG Anti-Spyware scan so I can see what it finds.

    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Thanks,

    sari

  15. spikeq1love,

    Let's answer your questions first:

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll <== related to Java (which is out-of-date; I'll provide instructions on updating it).

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL <=== related to Microsoft office

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll <== This has to do with Windows Genuine Advantage, which is a program to verify the authenticity of your Windows version.

    O4 - HKCU\..\Run: [spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan <== This program is generally considered to be a rogue program due to aggressive advertising and false positives. You can read more about it here.

    This would be my recommendation for your log:

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O3 - Toolbar: (no name) - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file)

    O4 - HKCU\..\Run: [spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan

    Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

    Delete the following folder:

    C:\spywarebegone

    Reboot into normal mode.

    1. Go to Start > Control Panel.

    2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

    After reboot, go back into the Control Panel and double-click the Java icon.

    3. Under Temporary Internet Files, click the Delete Files button.

    There are three options on this window to clear the cache - leave ALL 3 checked:

    1. Downloaded Applets

    2. Downloaded Applications

    3. Other Files

    4. Click OK on Delete Temporary Files window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    5. Click OK to leave the Java Control Panel.

    sari

  16. mainter,

    Hi, and welcome to Besttechie. Your friend does indeed have a few problems, so let's get started. It will take multiple steps to get this cleaned up, so please stay with me until we're finished.

    1. Download Ewido anti-spyware from HERE and save that file to your desktop.

    This is a 30 day trial of the program

    • Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete, run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"

    Close Ewido anti-spyware, Do Not run a scan just yet

    2. Please download Brute Force Uninstaller to your desktop.

    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:) or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    4. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    5. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:

    • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important)
    • Close Ewido and reboot your system back into Normal Mode.

    6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

    Please include both of the above-mentioned logs in your reply.

    Thanks,

    sari

  17. romeo,

    I'm glad we got you straightened out - we try to avoid re-formatting whenever possible. I would suggest getting something like spywareguard or spywareblaster, which will provide better protection against unexpected downloads than an anti-virus alone will. I would also recommend using something like Firefox as your browser - I've been using it for a while now, and I'm very impressed with it, and it will also provide more protection against Activex controls and popups.

    sari

  18. romeo,

    It looks like we finally got it! Your log is clean now :D

    Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

    Detect and Remove Programs:

    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    Prevention Programs:

    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

    Other necessary Programs:

    • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
    • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
    • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

    And also see TonyKlein's good advice: So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

    sari

  19. romeo,

    Well, the good news is that the entries are no longer in your hijackthis log.

    Please delete the following files:

    C:\WINDOWS\SYSTEM32\CSFAS.EXE

    C:\WINDOWS\SYSTEM32\DMHZB.EXE

    Also, look in your c:\windows\system32 directory and delete anything that looks like this:

    {AB48B2C9-9B9C-4CFB-A482-5DC00DDFFDDB}.exe

    {920B2EB2-7E96-47A2-8F3B-61445E3645A0}.exe

    Then run the wareoutfix again (I hope it's the last time) and post that and a new hijackthis log.

    sari

  20. romeo,

    Ok, we are making progress. Let's kill the remaining files, and then delete the lines from hijackthis.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.

    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.

    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      {5E3CCD7B-B470-4F31-86FE-017DEBF813FB}.exe

      {0F7A4563-5753-4093-B22C-3B1882069AD8}.exe

      {8F75451D-5608-43D8-98A9-617A809271B1}.exe

      C:\WINDOWS\SYSTEM32\CSFGF.EXE

      C:\WINDOWS\SYSTEM32\CSJHE.EXE

      C:\WINDOWS\SYSTEM32\CSKRY.EXE

      C:\WINDOWS\SYSTEM32\CSSVN.EXE

      C:\WINDOWS\SYSTEM32\DMATV.EXE

      C:\WINDOWS\SYSTEM32\DMOTK.EXE

      C:\WINDOWS\SYSTEM32\DMRYJ.EXE

      C:\WINDOWS\SYSTEM32\DMUFV.EXE

      C:\WINDOWS\System32\xputt.exe

      C:\WINDOWS\System32\WinStat13.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll

    O4 - HKLM\..\Run: [xputt.exe] C:\WINDOWS\System32\xputt.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{39CBBE5C-CE35-4709-B44D-50547B566A60}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC122E3-FB03-4F71-BC6D-15EE27DB6307}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B821443B-D772-4392-A6BF-28E93BD36F8D}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE212EC9-633A-4F08-B53D-5E6D1460AD58}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD1FB58-9EDC-47F8-9A4B-22C01ADD893A}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

    Now close all windows other than HiJackThis, then click Fix Checked.

    Now please run the wareoutfix one more time and post both logs here.

    Thanks,

    sari

  21. romeo,

    Go to Start > Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the below service:

    System Startup Service (SvcProc)

    When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

    Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service". A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

    SvcProc

    Click OK.

    It should pull up information about the service, then ask if you want to reboot. Click YES.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O4 - HKLM\..\Run: [xputt.exe] C:\WINDOWS\System32\xputt.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{39CBBE5C-CE35-4709-B44D-50547B566A60}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC122E3-FB03-4F71-BC6D-15EE27DB6307}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B821443B-D772-4392-A6BF-28E93BD36F8D}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE212EC9-633A-4F08-B53D-5E6D1460AD58}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD1FB58-9EDC-47F8-9A4B-22C01ADD893A}: NameServer = 85.255.116.54,85.255.112.126

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

    Now close all windows other than HiJackThis, then click Fix Checked.

    Find and delete the following files from C:\windows\system32:

    {E4D3380B-F974-49AF-A5AD-1190EEBA5E48}.exe

    {3AF73241-E865-43ED-8059-F9B20158DBDA}.exe

    {AFC73B00-6E74-40DE-AD7E-BE3A7CE9A7F6}.exe

    {E96232F5-765B-4BCB-A828-0E786D3A0DAE}.exe

    {7E09D562-435E-4463-A1D7-2668714F53DC}.exe

    {89B5AA3D-4B64-4433-802F-D082867662A5}.exe

    {675504CA-43E2-49AD-A5A2-F9DCFC9E4849}.exe

    {91A8AEB5-D035-43ED-8054-1324B135307F}.exe

    {BBE7D690-364C-4FF0-9459-DF992AA9158C}.exe

    {6BC6E451-E5FB-4992-9101-099BFEF46681}.exe

    {AC00109A-CB1E-4768-A198-0B10A8577C58}.exe

    {D11AD900-96F4-4C37-81DF-EEE33486481D}.exe

    {85249207-3CD1-4D7D-815E-6852381FC3AC}.exe

    {F032A19D-E85F-45A2-A609-8239946F2368}.exe

    {4515CDB5-CD48-4EEC-8C0C-70E072944CAF}.exe

    {62A21570-35BC-4E7C-9F1D-396DF448A060}.exe

    Now run fixwareout again, and post the log from that as well as a new hijackthis log.

    Thanks,

    sari
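The HijackThis entries that posts 19 through 21 have romeo fix share a recognizable shape: O17 lines that point every adapter's NameServer at the same resolvers the owner never configured, orphaned "(no file)" entries like the one in post 15, and {GUID}.exe files dropped into system32. The following is an added example, not the forum's or the HijackThis project's code, that parses such lines and flags those three patterns; the sample log is constructed from the line shapes quoted above plus one all-zero placeholder adapter GUID, and the DNS allowlist is an assumption standing in for whatever resolvers the owner's router or ISP really uses.

```python
"""Flag the kinds of HijackThis entries the thread has the poster fix.

Added example, not the forum's or the HijackThis project's code.
"""
import ipaddress
import re

# Constructed sample: O2/O3/O4/O17 lines of the shape quoted in the thread,
# plus one placeholder adapter (all-zero GUID) pointing at a router address.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O3 - Toolbar: (no name) - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file)
O4 - HKLM\..\Run: [xputt.exe] C:\WINDOWS\System32\xputt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39CBBE5C-CE35-4709-B44D-50547B566A60}: NameServer = 85.255.116.54,85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Assumed allowlist: the resolvers the owner actually configured (router/ISP).
ALLOWED_DNS = {"192.168.1.1"}

# Files the thread has the poster delete: {GUID}.exe dropped into system32.
GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
ENTRY = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER = re.compile(r"NameServer = (.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every 'Oxx - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def nameservers(body):
    """Extract the DNS addresses of an O17 entry; HJT separates them by comma or space."""
    m = NAMESERVER.search(body)
    if not m:
        return []
    out = []
    for tok in re.split(r"[,\s]+", m.group(1).strip()):
        try:
            out.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass  # ignore anything that is not an address
    return out


def unexpected_dns(entries, allowed=ALLOWED_DNS):
    """O17 entries whose resolvers are not on the owner's allowlist.

    Returns the sorted offending addresses and how many O17 entries carry them:
    the same foreign resolvers on every adapter key is the pattern the thread
    fixes, not a single mistyped setting on one adapter.
    """
    offenders, hits = set(), 0
    for section, body in entries:
        if section != "O17":
            continue
        bad = [ip for ip in nameservers(body) if ip not in allowed]
        if bad:
            hits += 1
            offenders.update(bad)
    return sorted(offenders), hits


def orphaned_entries(entries):
    """Entries whose target is '(no file)': leftovers that HJT can still fix."""
    return [body for _, body in entries if body.endswith("(no file)")]


def looks_like_dropped_guid_exe(filename):
    """True for names such as {AB48B2C9-9B9C-4CFB-A482-5DC00DDFFDDB}.exe."""
    return GUID_EXE.match(filename) is not None


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("unexpected DNS:", unexpected_dns(parsed))
    print("orphaned:", orphaned_entries(parsed))
    print(looks_like_dropped_guid_exe("{AB48B2C9-9B9C-4CFB-A482-5DC00DDFFDDB}.exe"))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and ALLOWED_DNS with the resolvers the machine is supposed to use; anything unexpected_dns reports is worth checking before fixing it.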