elearct Posted July 23, 2007

Must admit I do need some help. Had family in for a funeral and some were using my laptop. Think my nephew may have been rather liberal in his use. Computer goes to About/Blank when I try to log on to the internet and many spyware ads appear, on and on. Below are my startup list report and HijackThis log as instructed to supply. I will keep my laptop shut down but will check my e-mail on PCs. I will need rather specific instructions because I am not real software savvy. Thanks for any help you may be able to give.

StartupList report, 7/23/2007, 2:35:14 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
DVDSentry = C:\WINDOWS\System32\DSentry.exe
igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
rtasks = C:\Program Files\TrustedProtection\rtasks.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Video ActiveX Access\iesplg.dll - {E26CEADA-67B0-4543-BE8B-307F00265118}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1115109031.job
RegSweep Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

user32.dll = C:\Program Files\Video ActiveX Access\iesmn.exe
rare = C:\Program Files\Video ActiveX Access\imsmain.exe

--------------------------------------------------
End of report, 4,298 bytes
Report generated in 0.831 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:13 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [rtasks] C:\Program Files\TrustedProtection\rtasks.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 2880 bytes
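A helper reading the HijackThis log above looks for a handful of patterns: an about:blank start page (R0), a Browser Helper Object with no name (O2), autoruns placed under Policies\Explorer\Run or given a system-DLL-like name (O4), and entries that point at a file that no longer exists. The triage script below is an added illustration, not code from this thread or from HijackThis; it takes a constructed subset of the lines posted above and flags exactly those patterns.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# "<code> - <body>" is the shape of every HijackThis entry line.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\<key>: [<value name>] <path>"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")


def parse_entries(text):
    """Return (code, body) tuples for every entry line; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_entry(code, body):
    """Return a reason string when the entry matches a pattern worth a closer look, else None."""
    if code == "R0" and body.lower().endswith("= about:blank"):
        # On its own this is only a symptom; together with the other hits it fits the thread.
        return "start page hijacked to about:blank"
    if code == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    if code == "O4":
        m = O4_RE.match(body)
        if m and "Policies\\Explorer\\Run" in m.group("key"):
            return "autorun via Policies\\Explorer\\Run (rarely legitimate)"
        if m and m.group("name").lower().endswith(".dll"):
            return "Run value named like a system DLL"
    if code in ("O9", "O22") and body.endswith("(no file)"):
        return "orphaned entry pointing to a missing file"
    return None


def triage(text):
    """Return [(code, body, reason)] for every flagged entry in a log."""
    flagged = []
    for code, body in parse_entries(text):
        reason = flag_entry(code, body)
        if reason:
            flagged.append((code, body, reason))
    return flagged


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

The AVG service (O23) and the Intel igfxtray autorun are left alone; only the five entries a helper would ask about are reported.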
sari Posted July 24, 2007

elearct,

Hello, and welcome to the Besttechie forums. You are indeed infected, so let's get you cleaned up.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.
Once you are on the Panda site click the Scan your PC button
A new window will open... click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
If it wants to install an ActiveX component allow it
Select either Home User or Company
Click the big Scan Now button
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Please post the contents of rapport.txt, the ActiveScan report, and a new HijackThis log in your next post.

Thanks,
sari
elearct Posted July 24, 2007

Sari,

Thanks for the input but....... I do not seem to be able to find the Smitfraud Fix folder you speak of. Just went to search to look for it, but the computer said it wasn't there. Am I missing something? Thanks.

Eleart
sari Posted July 24, 2007

elearct,

I'm sorry - since you had run the program, I assumed you would still have it on your desktop.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

From that point, you can follow the rest of the directions in my first post.

sari