afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > virus or something..help
virus or something..help
mesa101 (Member)
9. March 2006 @ 15:31
I'm trying to help a friend fix his PC. He has an older eMachines PC, about a 2003 model, running XP. When I first got it, it was very slow and the screen would jitter when you tried to open a program, and a pop-up at the bottom right of the tray says: "Dangerous infection was detected on your PC. The system will now download and install the most efficient antimalware program to prevent data loss and information theft." I ran Ewido and Spyware Doctor and they found nothing. I installed Panda Platinum and it found several malware things, but the pop-up is still there. I ran HJT, but there was a very short list and everything looked legit. One thing I noticed about his version of XP was that there was no system recovery program anywhere, just System Restore. I was gonna just reformat the thing, but it's not there. Maybe this older version requires the discs?
spertti (Senior Member)
9. March 2006 @ 15:34
Sounds like a SmitFraud infection. Post a HjT log and someone will take a look. Instructions here > http://forums.afterdawn.com/thread_view.cfm/263784 (steps 3 and 4)
mesa101 (Member)
10. March 2006 @ 11:25
Logfile of HijackThis v1.99.1
Scan saved at 4:06:30 PM, on 3/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\New Folder\HijackThis.exe

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
-kemisti- (AfterDawn Addict)
11. March 2006 @ 02:53
Download smitRem -> http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Save it on the desktop and double-click it; it will then create a smitRem folder on the desktop.

Fix with HjT (do a system scan only, checkmark these and press "Fix checked"):

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Boot into safe mode (tap F8 while booting).

Delete, if found:

C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe
C:\WINDOWS\web\related.htm

Open the smitRem folder and double-click RunThis.bat. Follow the instructions.

Reboot, send a fresh HjT log and the contents of c:\smitfiles.txt.
And get antivirus, a firewall and Windows updates!
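The triage spertti and -kemisti- did by eye can be scripted. The following is an added example, not code from the thread or from HijackThis: it parses the entry sections of the two HJT logs mesa101 posted in this thread, flags the two patterns the helpers picked out (a Run entry launching an executable from a user Temp folder, and a BHO whose server is a .tmp file in System32), and diffs the pre-fix and post-fix logs to list exactly what was removed. The path regex, the extension list and both heuristics are assumptions for this example; note that the two O9 "Related" entries kemisti also removed are not caught by either heuristic and only show up in the diff, which is the point of keeping a before/after pair.

```python
"""Triage HijackThis (HJT) O-line entries and diff a before/after log pair.

Added example: not part of the thread above and not HijackThis code. The two
sample logs are the entry sections of the logs mesa101 posted; the heuristics
below are assumptions chosen to mirror what the helpers flagged by hand.
"""
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    section: str  # HJT section tag, e.g. "O2", "O4", "O9"
    text: str     # line with the leading "Oxx - " removed
    path: str     # first Windows file path found in the line, or ""


# "O4 - HKLM\..\Run: [msci] C:\path\file.exe /args" -> ("O4", rest)
LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# First drive-letter path ending in a loadable/launchable extension (assumed list).
# Non-greedy so "res://C:\Program Files\...\foo.dll/cmx.html" stops at the .dll.
PATH_RE = re.compile(
    r"[A-Za-z]:\\.+?\.(?:exe|dll|tmp|htm|html|bat|com|scr)\b", re.IGNORECASE)
# Per-user temp folders, including the 8.3 form HJT prints (LOCALS~1\Temp).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed from the thread: entries of the 10 March (pre-fix) log.
PRE_FIX_LOG = r"""
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp5C7E.tmp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\JULIA\LOCALS~1\Temp\200639165248_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Constructed from the thread: entries of the 12 March (post-fix) log.
POST_FIX_LOG = r"""
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""


def parse_hjt(log: str) -> List[Entry]:
    """Keep only the O/R/F/N entry lines; the process list is skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, text = m.groups()
        p = PATH_RE.search(text)
        entries.append(Entry(section, text, p.group(0) if p else ""))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map suspicious entry text -> reasons. Both rules are assumptions."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.section == "O4" and TEMP_DIR_RE.search(e.path):
            reasons.append("autostart runs an executable from a Temp folder")
        if e.path.lower().endswith(".tmp"):
            reasons.append("loadable module disguised as a .tmp file")
        if reasons:
            findings[e.text] = reasons
    return findings


def removed_entries(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present in the earlier log but gone from the later one."""
    later = {e.text for e in after}
    return [e for e in before if e.text not in later]


if __name__ == "__main__":
    pre, post = parse_hjt(PRE_FIX_LOG), parse_hjt(POST_FIX_LOG)
    for text, reasons in triage(pre).items():
        print("SUSPECT:", text, "->", "; ".join(reasons))
    for e in removed_entries(pre, post):
        print("REMOVED:", e.section, e.text)
    print("post-fix suspects:", triage(post) or "none")
```

Running it flags the hp5C7E.tmp BHO and the msci Run entry, lists four removed entries (those two plus the two O9 lines), and reports no suspects in the post-fix log. The heuristics are deliberately narrow; the diff is what catches anything they miss.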
mesa101 (Member)
11. March 2006 @ 03:05
Thanks. I will do as you said and report back. Thank you.
mesa101 (Member)
12. March 2006 @ 06:08
Thanks spertti, and special thanks to kemisti. The directions you gave me worked like a charm. The PC is running smooth. I'm very grateful. Thanks for taking the time to post and helping me out.
lauriantu (Suspended permanently)
12. March 2006 @ 08:01
But as a precaution, download ZoneAlarm (the best firewall in all the world).
mesa101 (Member)
12. March 2006 @ 08:15
Advice taken, thanks.
-kemisti- (AfterDawn Addict)
12. March 2006 @ 08:16
@mesa101: I still need a fresh HjT log and the contents of c:\smitfiles.txt in order to confirm the same thing myself :)
mesa101 (Member)
12. March 2006 @ 11:07
Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:02:07 PM, on 3/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijack this\HijackThis.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
mesa101 (Member)
12. March 2006 @ 11:08
Here is the smit log:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 03/11/2006
The current time is: 8:57:06.23

Running from
C:\Documents and Settings\JULIA\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="C:\WINDOWS\System32\replmap.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

replmap.dll
1024 dir
ld****.tmp
ncompat.tlb
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1504 'explorer.exe'
Killing PID 1504 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)
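One detail in the smitRem log above deserves a closer look. The pre-run SharedTaskScheduler export lists a third CLSID, {D81E2FC4-B0A2-11D3-21AC-07C04C21A18A} "Replay for WindowsXP", whose InProcServer32 is registered under HKEY_CURRENT_USER and points at C:\WINDOWS\System32\replmap.dll, the file smitRem then lists in the system32 folder and deletes. SharedTaskScheduler is a list of in-process COM servers that Explorer instantiates at startup, and because HKCU\Software\Classes takes precedence over HKLM\Software\Classes in the merged HKEY_CLASSES_ROOT view, a per-user CLSID registration is enough to get a DLL loaded into every Explorer session. Neither HJT log in this thread shows a line for it, so the GetSTS export is the only place it appears. The following is an added example, not code from the thread, smitRem or GetSTS: it parses the export in the pseudo-reg format posted above, resolves each SharedTaskScheduler CLSID to its InProcServer32 and flags servers registered under HKCU or not in a known-good baseline. The baseline (the two browseui.dll entries) and the flagging rules are assumptions for this example.

```python
"""Audit Explorer's SharedTaskScheduler load point from a GetSTS-style export.

Added example: not part of the thread, smitRem or GetSTS. The two exports are
the pre-fix and post-fix SharedTaskScheduler sections of the smitRem log above;
the known-good baseline and the flagging rules are assumptions for this example.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Server(NamedTuple):
    hive: str  # "HKEY_LOCAL_MACHINE" or "HKEY_CURRENT_USER"
    dll: str   # InProcServer32 default value, i.e. the DLL Explorer will load


KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"?(@|\{[0-9A-Fa-f-]+\})"?="(.*)"$')
STS_PATH = r"software\microsoft\windows\currentversion\explorer\sharedtaskscheduler"
INPROC_RE = re.compile(
    r"^software\\classes\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$", re.IGNORECASE)

# Baseline (assumption): the two entries XP ships with, both served by browseui.dll.
KNOWN_GOOD = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "browseui.dll",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "browseui.dll",
}

# Constructed from the smitRem log above (pre-run export, blank lines dropped).
PRE_FIX_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="C:\WINDOWS\System32\replmap.dll"
"""

# Constructed from the smitRem log above (export after registry fix).
POST_FIX_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
"""


def parse_export(text: str) -> Tuple[Dict[str, str], Dict[str, Server]]:
    """Return (SharedTaskScheduler CLSID -> name, CLSID -> InProcServer32)."""
    sts: Dict[str, str] = {}
    servers: Dict[str, Server] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = (k.group(1), k.group(2))
            continue
        v = VALUE_RE.match(line)
        if not v or key is None:
            continue
        hive, sub = key
        name, data = v.groups()
        if sub.lower() == STS_PATH:
            sts[name.upper()] = data
        else:
            ip = INPROC_RE.match(sub)
            if ip and name == "@":
                servers[ip.group(1).upper()] = Server(hive, data)
    return sts, servers


def audit(sts: Dict[str, str], servers: Dict[str, Server]) -> Dict[str, List[str]]:
    """Map each suspicious SharedTaskScheduler CLSID -> reasons (rules are assumptions)."""
    findings: Dict[str, List[str]] = {}
    for clsid in sts:
        reasons = []
        srv = servers.get(clsid)
        if srv is None:
            reasons.append("no InProcServer32 found for this CLSID")
        else:
            if srv.hive == "HKEY_CURRENT_USER":
                # HKCU\Software\Classes wins over HKLM in the merged HKCR view, so a
                # per-user key can redirect a machine-wide Explorer load point.
                reasons.append("server registered per-user under HKCU")
            dll = srv.dll.rsplit("\\", 1)[-1].lower()
            if KNOWN_GOOD.get(clsid) != dll:
                reasons.append(f"{dll} is not in the known-good baseline")
        if reasons:
            findings[clsid] = reasons
    return findings


if __name__ == "__main__":
    for label, export in (("pre-fix", PRE_FIX_EXPORT), ("post-fix", POST_FIX_EXPORT)):
        print(label, audit(*parse_export(export)) or "clean")
```

On the pre-fix export this flags only the D81E2FC4 entry, for both reasons; the post-fix export is clean. One caveat for newer systems: from Vista onward, processes running elevated ignore per-user COM registrations, but Explorer normally runs unelevated, so the HKCU rule is still worth checking there.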
mesa101 (Member)
12. March 2006 @ 11:10
Sorry it takes so long, but I just have my friend's tower, so I have to disconnect all my stuff to make his work, then burn information to discs to get it to my PC. Pain in the buttocks.
-kemisti- (AfterDawn Addict)
12. March 2006 @ 20:35
OK, logs are clean :) Next step is to get antivirus and firewall!
mesa101 (Member)
13. March 2006 @ 11:07
I use ZoneAlarm Security Suite on mine. What do you use, kemisti? I used Panda before Zone and had a lot of trouble with freezing and long starts and shutdowns. I will probably use Zone or McAfee on my friend's system. I suggested he get more RAM first; he only has 128 on his (the system you debugged).
-kemisti- (AfterDawn Addict)
13. March 2006 @ 21:13
I use NOD32 and Outpost. Those are good and very lightweight.
mesa101 (Member)
14. March 2006 @ 07:32
Both of those look tempting. I may have to check them out. Thanks.