Recommended Posts

Must admit I do need some help. Had family in for funeral and some were using my laptop. Think my nephew may have been rather liberal in his use. Computer goes to About/Blank when try to log on to internet and many spyware ads appear, on and on. Below are my startup list report and HijackThis log as instructed to supply. I will keep my laptop shut down but will check my e-mail on PC's. I will need rather specific instructions because I am not real software savvy. Thanks for any help you may be able to give.

StartupList report, 7/23/2007, 2:35:14 PM

StartupList version: 1.52.2

Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

* Using default options

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Video ActiveX Access\iesmin.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\Program Files\Video ActiveX Access\iesmin.exe

C:\Program Files\Video ActiveX Access\iesmn.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

DVDSentry = C:\WINDOWS\System32\DSentry.exe

igfxtray = C:\WINDOWS\system32\igfxtray.exe

igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe

igfxpers = C:\WINDOWS\system32\igfxpers.exe

dla = C:\WINDOWS\system32\dla\tfswctrl.exe

rtasks = C:\Program Files\TrustedProtection\rtasks.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Video ActiveX Access\iesplg.dll - {E26CEADA-67B0-4543-BE8B-307F00265118}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1115109031.job

RegSweep Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

user32.dll = C:\Program Files\Video ActiveX Access\iesmn.exe

rare = C:\Program Files\Video ActiveX Access\imsmain.exe

--------------------------------------------------

End of report, 4,298 bytes

Report generated in 0.831 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:29:13 PM, on 7/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Video ActiveX Access\iesmin.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\Program Files\Video ActiveX Access\iesmin.exe

C:\Program Files\Video ActiveX Access\iesmn.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [rtasks] C:\Program Files\TrustedProtection\rtasks.exe

O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe

O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - (no file)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--

End of file - 2880 bytes

Link to post
Share on other sites

elearct,

Hello, and welcome to the Besttechie forums. You are indeed infected, so let's get you cleaned up.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • If it wants to install an ActiveX component allow it
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Please post the contents of rapport.txt, the Activescan report, and a new hijackthis log in your next post.

Thanks,

sari

Link to post
Share on other sites
elearct,

Hello, and welcome to the Besttechie forums. You are indeed infected, so let's get you cleaned up.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • If it wants to install an ActiveX component allow it
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Please post the contents of rapport.txt, the Activescan report, and a new hijackthis log in your next post.

Thanks,

sari

Link to post
Share on other sites

elearct,

I'm sorry - since you had run the program, I assumed you would still have it on your desktop.

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

From that point, you can follow the rest of the directions in my first post. :)

sari

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...