Been Hijacked... I Think.[RESOLVED]

den_killen · June 30, 2006

here is my logfile. Can anyone please help me?

Logfile of HijackThis v1.99.1

Scan saved at 21:10:01, on 2006-06-30

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program\D-Tools\daemon.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Documents and Settings\Jan\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = LÃ¤nkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{010B8673-46E4-419D-B798-16CA2FEE5762}: NameServer = 195.54.122.200,195.54.122.204

O17 - HKLM\System\CCS\Services\Tcpip\..\{705CF8D3-9B41-413C-9CD8-C61DE2A5F88E}: NameServer = 195.54.122.200,195.54.122.204

O17 - HKLM\System\CS1\Services\Tcpip\..\{010B8673-46E4-419D-B798-16CA2FEE5762}: NameServer = 195.54.122.200,195.54.122.204

O17 - HKLM\System\CS2\Services\Tcpip\..\{010B8673-46E4-419D-B798-16CA2FEE5762}: NameServer = 195.54.122.200,195.54.122.204

O17 - HKLM\System\CS3\Services\Tcpip\..\{010B8673-46E4-419D-B798-16CA2FEE5762}: NameServer = 195.54.122.200,195.54.122.204

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

therock247uk · June 30, 2006

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

den_killen · June 30, 2006

this is what came up. btw, really fast answer, I'm grateful!

SmitFraudFix v2.65

Scan done at 22:29:06,31, 2006-06-30

Run from C:\Documents and Settings\Jan\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in normal mode

C:\WINDOWS\system32\atmclk.exe FOUND !

C:\WINDOWS\system32\dcomcfg.exe FOUND !

C:\WINDOWS\system32\hp???.tmp FOUND !

C:\WINDOWS\system32\hp????.tmp FOUND !

C:\WINDOWS\system32\ld????.tmp FOUND !

C:\WINDOWS\system32\ot.ico FOUND !

C:\WINDOWS\system32\regperf.exe FOUND !

C:\WINDOWS\system32\simpole.tlb FOUND !

C:\WINDOWS\system32\stdole3.tlb FOUND !

C:\WINDOWS\system32\1024\ FOUND !

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Min aktuella startsida"

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

[HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]

@="C:\WINDOWS\system32\guxxa.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]

@="C:\WINDOWS\system32\guxxa.dll"

therock247uk · June 30, 2006

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

den_killen · July 1, 2006

After I used smitfraudfix in safe mode and restarted my computer, opened my browser the site thatÂ´s been showing all the time cos the malware isn't there any more. Now msn homepage appeared. That means that everything is OK?

Here is the last report from smitfraudfix:

SmitFraudFix v2.65

Scan done at 8:47:06,23, 2006-07-01

Run from C:\Documents and Settings\Jan\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

GenericRenosFix by S!Ri

Registry Cleaning done.

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

therock247uk · July 1, 2006

First download ewido anti-spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

[*]Under "Reports"

Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

den_killen · July 1, 2006

Here is the report from ewido anti-spyware, even though my pc is up and running and fully funktional after Smitfraudfix...

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 21:37:35 2006-07-01

+ Scan result:

C:\Documents and Settings\Jan\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).

C:\Documents and Settings\Jan\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).

::Report end

therock247uk · July 1, 2006

Ok post me a new Hijackthis log.

den_killen · July 2, 2006

The new Hijackthis log....

Logfile of HijackThis v1.99.1

Scan saved at 21:03:05, on 2006-07-02

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Documents and Settings\Jan\Skrivbord\ewido anti-spyware 4.0\guard.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program\D-Tools\daemon.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program\QuickTime\qttask.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Documents and Settings\Jan\Skrivbord\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Internet Explorer\IEXPLORE.EXE

C:\Program\Adobe\Acrobat 6.0\Reader\AcroRd32.exe

C:\Documents and Settings\Jan\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/