Cloud

A Spyware 'Assault': help, anybody?


I need some help

(I work on a Windows XP HP Pavilion laptop (zd7000))

 

I kept getting all these spyware warnings over and over. Then the screen froze. I tried running Ad-Aware. Everything froze.

 

I removed the battery which broke the circuit and shut the laptop down.

(I'm not sure if this was the best move).

 

I then reinserted the laptop battery and everything was fine and it came to the XP login screen.

 

I then clicked on my login (limited account)

 

The screen is just an enlarged version of the wallpaper with no icons showing.

 

And it's frozen in this state.

 

The day before I had run Ad-Aware 3x and quarantined all spyware. I don't know why this happened.

 

This is the same for all the other accounts.

This is a big problem because all my work is on the HD (only some of it in a portable storage system)

 

Please could someone help.

Much appreciated.


Try booting it in safe mode and running Ad-Aware or whatever spyware detectors you have.


(To boot in safe mode, hit F8 a bunch during start-up and choose it from the menu that comes up)

 

Also run a virus scan while you're at it, because I've had Ad-Aware choke on a virus as well.


I tried safe mode.

 

There appears to be a 4th user called 'Administrator'

 

(Maybe a system hijack?)

 

Safe mode is a black screen with "Windows Service Pack 2" (and a whole bunch of other stuff - description of system etc.) written at the top and "safe mode" written at all 4 sides. No icons are displayed.

 

The fan is working overtime and the system is frozen again.

 

 

I'll try looking around the web for other help.

Any more suggestions from here?


In normal mode, explorer.exe (the browser) fails to start.

An error message comes up when I click on my login saying

'the application has failed to start because WININET.exe dll was not found'

Maybe the Dynamic library has been deleted ????


I tried running System Restore through Safe Mode with Command Prompt:

 

%systemroot%\system32\restore\rstrui.exe

 

The System Restore window comes up but it's another blank screen

(this time a white blank screen)

 

Just great.

I kept getting all these spyware warnings over and over. Then the screen froze. I tried running Ad-Aware. Everything froze.

 

Were these warnings from an anti-spyware program that you recognise (like Ad-Aware, for example), or did they come from a system-tray icon that you didn't recognise?

 

There appears to be a 4th user called 'Administrator'

 

That's normal.

 

 

In normal mode, explorer.exe (the browser) fails to start.

An error message comes up when I click on my login saying

'the application has failed to start because WININET.exe dll

 

 

If you meant 'wininet.dll', then:

 

  • Reboot into safe mode and go to C:\windows\ServicePackFiles\i386 and find wininet.dll.
  • Right-click wininet.dll and select 'copy'.
  • Go to C:\windows\system32.
  • Right-click on the background and select 'paste'.
  • If it asks if you want to overwrite wininet.dll with wininet.dll, select 'yes'.
  • Reboot into normal mode, and explorer.exe should work.

 

If the error message actually read 'wininet.exe' or 'wininet.exe.dll' or anything other than just 'wininet.dll', then don't do the above.

 

Have you done the anti-virus/anti-spyware scans recommended earlier? If so, was the name 'smitfraud'/'smithfraud' mentioned? Or any infection along the lines of 'trojan-spy.HTML-desktophijacker'?


Thanks Dak for typing that up.

 

I cannot access anything in safe mode. It is just a blank screen.

 

I went into command prompt. I cannot access C:\windows\ServicePackFiles\i386.

 

The command always starts with C:\DOCUMENTS AND SETTINGS . . . .etc

 

The error message is exactly: WININET.dll

 

How do I run the antivirus/antispyware from the command prompt?

Should I reinstall the whole OS?


When you go into safe mode what exactly happens?

 

If you get up to the login screen (you said you saw Administrator (that's meant to happen)) then you should be able to log on.

 

If you logged onto the admin account then there may not be any icons; it doesn't mean it's not working. Try bringing up My Computer using the Start and E shortcut (hold the Start button on the keyboard (between Ctrl and Alt) and then press E)... if this works then you can do what Dak said.

 

======

 

Reinstalling WinXP is really not a big deal: boot off the WinXP CD and choose to Install the OS, then it detects your current one and asks if it should reinstall/fix the current copy, say yes... it reinstalls the OS and you lose no data (except your default Windows Theme). And it's important you do it in that exact order (the Fix option appears elsewhere, you don't want it).


The last days of 2005 and I'm here trying to fix the damn laptop.

 

Yeah - I've been thinking about reinstalling the whole OS.

 

When I go into Safe Mode all I see is a black screen with "safe mode" written on all four sides and at the top is written the system

(Windows Service Pack 2 . . . etc.)

 

I can't right click and go to properties

The start menu doesn't show

All the keys are frozen.

 

The only thing I can do is move the mouse cursor.

 

Therefore, I can only actually make any difference by using the command prompt which I've already tried system restore with - another blank screen comes up as I've said previously.

 

Is there any other method I could try that doesn't involve reinstalling the OS? I want to use that as a last resort.


When you get the safe mode written on the sides, is that once you have logged onto an account (ie. administrator) or before that?

 

According to

http://www.tasklist.org/task_wininet_exe_6604.html

you have the Autotroj-C Trojan, see:

http://www.sophos.com/virusinfo/analyses/trojautotrojc.html

Go to the 'Removal Instructions' (just over half way down) here:

http://www.scanspyware.net/info/Autotroj.C.htm

 

But looking at your prob again it said that the dll for this trojan (if that is correct) cannot be found. So ok, the trojan doesn't work, so why then can you not even start your computer? :confused:

 

Why do you want to reinstall the OS only as a last resort? It doesn't take long and no data is lost.


Ok - Thanks for those links.

 

I'm not that keen on deleting registry files unless I'm perfectly sure what I'm deleting. I'll read the info in the links to get an idea, but I think I'll go ahead with the reinstallation of the operating system.

 

I'll have to get the disc and try reinstalling the OS

 

(IF this doesn't work then . . .damn.)

 

PS: "Safe mode" at all 4 sides comes up before login - then the login screen - then the desktop (with the 4 "safe modes"). I'm not sure if this has any relevance.

 

I'm now searching the registry . . . (which I accessed through typing regedit at command prompt in safe mode)

 

Safe Mode with Command Prompt is the only way I can input anything to the computer.


I went into the supposedly normal 4th administrator account in safe mode.

 

I then had access to windows task manager.

 

There are 12 processes running:

 

taskmgr.exe

cmd.exe (the command prompt I'm running to access the registry)

svchost.exe

svchost.exe

svchost.exe

lsass.exe

services.exe

winlogon.exe

csrss.exe

smss.exe

System

System Idle Process SYSTEM

 

The first process is at CPU 01.

The last process is at CPU 99.

All the others are at CPU 00.

 

Anything suspicious (why are there 3 x svchost)?

 

There is no networking (No active network adapters found). I have switched off the wireless network.


svchost.exe is part of your OS; it's normal for it to appear more than once. I currently have 5 of them running.

 

When in Safe Mode you would not have networking anyway, unless you chose 'Safe Mode with Networking'.

 

"System Idle Process SYSTEM"

Is actually just 'System Idle Process'... the SYSTEM part you saw afterwards just means that the system is running the process, as opposed to the network or your actual account.

 

And no there isn't anything suspicious running, but then in Safe Mode you wouldn't really expect there to be, because when you go into Safe Mode the idea is that the virus/trojan (wtvr) isn't running so you can deal with it.

 

I suggest you either:

 

1) Safe mode -> admin account -> delete the stuff as shown on the site I showed you before, http://www.scanspyware.net/info/Autotroj.C.htm

 

2) Reinstall WinXP... note that because you are not formatting (deleting everything), only reinstalling, this will not fix a problem caused by a virus. Well, it will fix your OS but it will not remove a virus.

 

As for deleting registry entries, fair enough to be cautious, but follow a respectable website and you'll be fine. Besides, can your computer actually get worse?! You can always back up the registry (in regedit, File > Export will export the registry and Import would import it, i.e. the one you backed up in the past).

 

I suggest you try working through the Administrator account as opposed to the command prompt.


I'm not sure that website that you linked to is offering great advice, 5614... deleting explorer.exe definitely won't fix his problems.

 

Cloud, if you go to cmd and type the following in (all on one line) and hit enter then reboot, you should be able to run explorer.exe again.

 

copy C:\windows\ServicePackFiles\i386\wininet.dll C:\windows\system32\wininet.dll

 

Note the space after 'copy' and after the first 'wininet.dll'.

 

 

How do I run the antivirus/antispyware from the command prompt?

 

Which anti-virus/anti-spyware do you have?


I've left it until this morning but I ran the OS repair disk and it now allows me to go back to the state the computer was in before all the spyware took over. The spyware signs keep on coming from the tray.

 

There is also a large rectangular box that has replaced my wallpaper saying:

 

'YOUR COMPUTER IS INFECTED WITH SPYWARE - Here is a list of the top antivirus and spyware software'

 

I cannot access the internet for some reason but I can probably get into the main windows and system32 folders to put back WININET.DLL.

 

Dak - The spyware program I'm using is Ad-Aware. It's absolute crap.

It did detect 100 critical objects which I quarantined then deleted.

I clicked on the icon in the tray that was flashing 'your computer is infected with spyware'.

 

SpySheriff came up and in the next 30 minutes detected around 70 trojans on the system. However it was the trial version and I couldn't delete them. I would have to do it manually.

 

I ran the rubbish Norton 2004 and it only picked up 1 element of spyware.

(Must be new definitions - my Norton does not download new defs.)

 

So I'm in a situation now. I cannot burn all my work and data onto a disk because somehow the 'RecordNow' software that I was using has disappeared. I have about 2 Gigs of data.

 

So either there is another solution or I would have to reinstall the OS?

 

Any advice?

I'm thinking about losing all the data. I've got a USB stick that holds 512 MB so I could potentially save 25% of my work but that's it.

'YOUR COMPUTER IS INFECTED WITH SPYWARE - Here is a list of the top antivirus and spyware software'

 

This is HTML-troj.smitfraud that I asked if your anti-spyware had mentioned earlier; it downloads a fake anti-malware program (SpySheriff in your case), pisses about with your desktop, and tries to get you to pay money for the full version of SpySheriff to remove smitfraud (you gotta admire its audacity :D ).

 

 

There's no anti-malware program that can fix this yet so it will have to be done manually.

 

I suggest that you download HijackThis and extract it to your desktop.

 

Run HijackThis, select 'do a system scan and save a log', and copy/paste the contents of the log into this thread, and I'll tell you what needs doing.


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe

C:\WINDOWS\inet20099\winlogon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe

C:\WINDOWS\sysldr32.exe

C:\WINDOWS\system32\paytime.exe

C:\WINDOWS\sachostx.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\mpcsvc.exe

C:\WINDOWS\system32\cmd32.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\LSASS.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\paytime.exe

C:\WINDOWS\system32\sywsvcs.exe

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe

C:\WINDOWS\system32\sachostp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Documents and Settings\H\Desktop\HijackThis.exe

C:\WINDOWS\system32\svchost.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe

O4 - HKLM\..\Run: [systemLoader] C:\WINDOWS\sysldr32.exe

O4 - HKLM\..\Run: [MSOffice32] C:\WINDOWS\system32\msjcf.exe

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe

O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe

O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\system32\efsdfgxg.exe

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe

O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [siS Mpc Service] C:\WINDOWS\system32\mpcsvc.exe

O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [backupNotify] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe

O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: avpi32 - C:\WINDOWS\SYSTEM32\avpi32.dll

O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll

O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: WTH - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\H\LOCALS~1\Temp\WTH.exe


Dak, dak, dak... not the explorer.exe you are thinking of, the same file name sure, but in a different directory... check out what Sophos says:

http://www.sophos.com/virusinfo/analyses/trojautotrojc.html

(Go to 'Description' tab)

 

Windows Explorer is located in the Windows or Winnt folder. This one is located in the System or System32 subfolders.

http://startuplist.geekstogo.com/startup_command/explorer.exe-8752.html

 

Check out the top bunch of the list:

http://www.sysinfo.org/startuplist.php?letter=&filter=&count=50&offset=8750

 

See here:

http://startup.networktechs.com/srch-System%20Update2.html?search=System%20Update2

 

So going back to that original site I gave, it said:

"Autotroj.C is a simple Trojan that moves itself to the Windows System folder as a file with a name similar to the windows own file names"

At the same time it did not make it very clear which explorer.exe to delete.

 

=====

 

Back to the issue, that HJT log is useful, for one thing

 

C:\WINDOWS\System\svwhost.exe

svwhost.exe is from the SVWHost.Process Trojan.

 

C:\WINDOWS\system32\sachostp.exe

sachostp.exe is from the W32.Looksky.A/D Worm.

 

Look, I'm not gonna bother looking through the rest of this list, because I think there's gonna be more stuff. You need to get a powerful AV and run a scan... try Avast, or an online scan like Panda or BitDefender:

http://www.pandasoftware.com/products/activescan.htm

http://www.bitdefender.com/scan8/ie.html

 

And just delete EVERYTHING it finds!

 

And run more than one, in fact, just run all 3 things, Panda + BitDefender + Avast. Try updating Ad Aware and running that, it is a good program.

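As an added example (not code from this thread, from HijackThis or from any of the posters), here is a small Python triage script that applies the checks raised in the thread to HijackThis-style log lines: IE start/search pages redirected to a local file, a Shell= value with an extra executable appended, core Windows binary names run from the wrong directory, autostarts from the drive root, a Temp folder or C:\WINDOWS\System, and dangling Winlogon Notify entries. The sample lines are constructed from entries in the log above, and the "expected directory" table assumes a default Windows XP install.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in HijackThis log format, modelled on entries from
# the log posted above (a subset; this is not the thread's full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\search.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20099\winlogon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: WTH - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\H\LOCALS~1\Temp\WTH.exe
"""

# Core Windows binaries whose names malware likes to borrow, mapped to the
# directory holding the genuine copy (assumption: a default XP install).
CORE_DIR = {name: r"c:\windows\system32" for name in
            ("winlogon.exe", "lsass.exe", "svchost.exe", "smss.exe",
             "csrss.exe", "services.exe")}
CORE_DIR["explorer.exe"] = r"c:\windows"   # Explorer lives one level up

# A quoted path (may contain spaces) or an unquoted one (runs to the next space).
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def first_path(text):
    """Return the first drive-letter path found in a log line, or None."""
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else None


def check_line(line):
    """Apply the thread's heuristics to one HijackThis line; return the reasons it trips."""
    reasons = []
    kind = line[:3].strip()          # "R0", "F2", "O4", "O20", ...
    lower = line.lower()
    path = first_path(line)

    # R0/R1: IE start/search pages should be URLs, not local files like c:\secure32.html.
    if kind in ("R0", "R1") and "=" in line:
        value = line.split("=", 1)[1].strip()
        if value and not value.lower().startswith(("http://", "https://")):
            reasons.append("IE start/search page points at a local file")

    # F2: the Shell= value should be exactly explorer.exe with nothing appended.
    if kind == "F2" and "shell=" in lower:
        shell = lower.split("shell=", 1)[1].strip()
        if shell != "explorer.exe":
            reasons.append("Shell= has an extra executable appended")

    # F3/O4/O23: where does the autostart or service binary actually live?
    if kind in ("F3", "O4", "O23") and path:
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_DIR and directory != CORE_DIR[name]:
            reasons.append(f"{name} run from {directory}, expected {CORE_DIR[name]}")
        if (re.fullmatch(r"[a-z]:", directory) or "\\temp" in directory
                or directory == r"c:\windows\system"):
            reasons.append(f"autostart from an unusual location: {directory}")

    # O20: a Winlogon Notify DLL that no longer exists on disk is a dangling hook.
    if kind == "O20" and "(file missing)" in lower:
        reasons.append("Winlogon Notify DLL is missing from disk")
    return reasons


def triage(log_text):
    """Run check_line over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(Finding(line, r) for r in check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Of the ten sample lines, only the Symantec ccApp entry passes clean; the heuristics are a first-pass filter, so an entry they flag still needs to be confirmed against a reputable startup database before anything is removed.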

Edit: 5614, he has haxdoor, which usually stops anti-viruses from working. Also, it's usually root-kited so the online scans won't see its main components.

 

Oh dear.

 

Smitfraud will have to wait for a moment... you have another nasty one that might stop the tools needed to shift smitfraud from working.

 

Please download Rootkit revealer

 

Unzip it, run it, click 'scan' in the bottom left, and after it's finished scanning go to 'file' > 'save' to save a log file.

 

Post the log file up please.


I downloaded Avast onto a USB and installed it on the infected computer.

 

I scheduled a virus scan on boot since I cannot open the scan on the desktop for some reason?

 

Once the viruses are deleted will all the strange files on my desktop disappear too or will I have to manually clean up?

 

Ok its scanning >>>


Sorry Dak - 5614 advised me to run a virus scan

 

At least this might get rid of the trojans, but as you've said, the computer won't allow me to run a virus scan - which it doesn't (on the desktop inside Windows).

 

However it works outside of Windows.

 

I think its just scanning the local drives (My stupidness)

 

I'll do the Rootkit revealer thing when the scan is done.


No problem. If it works, it'll be the easier fix. Avast may not be on haxdoor's hit-list, or you may have an older variant of it.

 

Hang on, what do you mean outside of Windows? Is it running without Windows being loaded?


Yes, he scheduled a boot time scan, which is one of the 2 reasons I love Avast.

 

(The 2nd reason is that it is a powerful scanner with a decent database)

 

I suppose it's not technically totally outside of Windows, as the Windows loading screen finishes and then the virus scan initiates, but as the user hasn't logged on the virus isn't active.

 

Edit: it is the same time/place as a WinXP Error Check or Check Disk thing.


Well -

 

Do you know the screen that comes up (when a USB stick is in a port)

where it says: 'checking USB files, press a key to stop scan'?

 

The virus scan starts on the same screen

 

(The screen is light blue with two dark blue strips - "Windows XP" is written in the top right-hand corner.)

 

Bad explanation, but there you go?
