Solved

Cannot get rid of adware/trojan - runsrv32.exe , a.exe , users32.exe...

Posted on 2006-06-07
Medium Priority
27,737 Views
Last Modified: 2012-06-27
For the last couple of days I have been infected with adware.

What happens is that on opening IE the default home page comes up as a Windows Security Center clone saying "alert spyware detected on your computer!" It is made to look like a bona fide Windows page, but it redirects to anti-spyware box.com.

There are also popups in the bottom right of the screen and in the middle warning of spyware (nothing to do with my resident software). It also prevents you from ending processes in the Windows Task Manager.

I have tried all of the usual anti-virus/adware/spyware scans, but they cannot remove this.

The problem stems from the system32 folder, which on startup runs runsrv32.exe (I have deleted it with regedit in safe mode and from the folder, but it comes back); there is also a runsrv32.dll. I think the main daddy is a.exe in system32. I cannot delete it in safe mode or otherwise; it says it is being used by another program, but it doesn't show as a running process. I have also tried after having killed runsrv32.exe with Process Explorer. In the processes there is also a user32.exe which spawns qirkvy.exe (the popup).

Any ideas appreciated.

Question by:DuarteR

52 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16855375
Here is what I suggest:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

I can suggest a couple of ways to get rid of those hard-to-delete files, but it is better to see the HJT log first to see what files are involved.
 

Author Comment

by:DuarteR
ID: 16855384
 
LVL 3

Expert Comment

by:johnsy32
ID: 16855574
The following look like they will need deleting:

C:\WINDOWS\system32\users32.exe (THIS WILL NEED DELETING ON REBOOT TO STOP INFECTION AGAIN)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe (THIS WILL NEED DELETING ON REBOOT TO STOP INFECTION AGAIN)

HijackThis enables deletion on reboot. The users32.exe entry is what keeps infecting you. There seem to be a lot of possible spyware programs listed, and other applications, but you will have to look at directories and names to decide whether they are of importance.
 
LVL 3

Expert Comment

by:johnsy32
ID: 16855602
Sorry, you will need to run HijackThis, then click on Config and then select "delete file on reboot", browse to the files and then restart your computer, as well as deleting the above entries.
 
LVL 32

Expert Comment

by:r-k
ID: 16855631
"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe"

I don't think this is anything bad, please don't remove this entry.
 
LVL 3

Expert Comment

by:johnsy32
ID: 16855663
YEAH, SORRY DON'T DELETE  F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
 
LVL 32

Expert Comment

by:r-k
ID: 16855672
Are you familiar with this application?

"O23 - Service: SSO Plus (pgpwdmon) - PassGo Technologies - C:\PROGRA~1\PASSGO~1\SSOPLU~1\pgpwdmon.exe"
 
LVL 32

Expert Comment

by:r-k
ID: 16855690
You can follow steps suggested by johnsy32 and then reboot and see if things are better.

If not, follow the steps at this link:

 http://www.technibble.com/case-study-removing-a-virusadware-not-detected-by-scanners/

If that doesn't do it post back and I have some more specific tips. Thanks.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16856920
Hi,
Your log is showing a roguescan app and purityscan.
Please follow these:

1. Download roguescanfix_setup.
http://users.telenet.be/Beamerke/tools/roguescanfix_setup.exe
Doubleclick roguescanfix_setup to install it.

After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here. http://www.merijn.org/files/bfu.zip
Unzip it and place BFU.exe in the c:\program files\roguescanfix-folder. Then doubleclick Roguescanfix.bat again.

The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs are finished before you click Yes to reboot.

A textfile will open. Place the contents of that file in your next reply, along with a new Hijackthis logfile.
(The textfile can also be found at c:\program files\roguescanfix\task.txt)

2. Your log is showing purityscan/OIN
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16856996
Can you please scan with HijackThis again and post the link to a new HijackThis log?
We want to look at it again after you've run roguescanfix and the OIN uninstaller.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16857652
Some files, like a.exe etc., roguescanfix can't take care of, but smitrem will.

Please also run smitrem by Noahdfear.
Download SmitRem.exe and save the file to the Desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double click on the file to extract it to its own folder on the Desktop.

Now, reboot to Safe Mode:

Next, open the SmitRem folder
-Double click the "RunThis.bat" file to start the tool.
-Follow the prompts on screen.
The Desktop and icons disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while.
When done, the log created by the smitRem tool is located at C:\smitfiles.txt

Restart your computer.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16857848
You can also use SmitfraudFix instead of Smitrem, they both do the same thing.
SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php

Tell us if "user32.exe" still exist after you run those tools.



>>>"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe"

I don't think this is anything bad, please don't remove this entry.<<<

Yes, that entry is valid. Fixing or not fixing it won't hurt your system.
It appears in the HijackThis log because the line in the registry is wrong; that's why HijackThis picked it up (it could be just the comma "," missing in the registry, caused by a legit app or by malware).
Fixing it with HijackThis won't do any harm; HijackThis will revert the entry back to its default correct entry.

Fixing does not delete the file; fixing it will correct the line in the registry.
Not fixing it is also okay, so it's up to you.

The entry in the registry looks like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\System32\Userinit.exe,"

If the comma is missing, HijackThis will pick up that line as suspicious, and when you fix the entry, HijackThis will put the comma back to correct it.
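Both the O2/O4 list johnsy32 posted above and the Userinit comma explanation in this comment come down to reading HijackThis lines mechanically. The script below is an added example written for this page; it is not HijackThis code and not from anyone in the thread. It parses a constructed log made of the lines quoted in this thread plus two benign fillers, flags O2 BHOs with "(no file)" as orphaned registrations, flags O4 Run entries that launch from C:\WINDOWS or C:\WINDOWS\system32 unless the binary is on a small allowlist, and splits the F2 Userinit value on its commas so that a merely missing trailing comma is reported as cosmetic while a second program chained after userinit.exe is reported as persistence. The C:\WINDOWS install path, the two-entry allowlist and the placeholder CLSID on the Adobe BHO line are assumptions.

```python
import ntpath
import re

# Stock Userinit value on a default Windows XP install: a comma-separated list
# with one program and a trailing comma (install path assumed to be C:\WINDOWS).
CANONICAL_USERINIT = r"C:\WINDOWS\System32\Userinit.exe,"

# Binaries that legitimately live in %SystemRoot%\system32 and show up in Run
# keys on an XP box (assumed allowlist); anything else launched from there is
# worth a second look.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system.ini: UserInit=(?P<value>.*)$")

# Constructed sample log in HijackThis format. The F2, orphaned O2, O4 and O23
# lines are the ones quoted in this thread; the AcroIEHelper BHO (with a
# made-up CLSID) and the avast! Run entry are benign fillers for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: SSO Plus (pgpwdmon) - PassGo Technologies - C:\PROGRA~1\PASSGO~1\SSOPLU~1\pgpwdmon.exe
""".strip().splitlines()


def _clean(path):
    """Strip quotes/whitespace and lower-case a Windows path for comparison."""
    return path.strip().strip('"').lower()


def image_path(cmd):
    """First token of a Run command line: the quoted path, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def normalize_userinit(value):
    """Split a Userinit value into its program list.

    Returns (programs, canonical_value, extra). 'extra' holds every program
    that is not userinit.exe in system32: a second entry chained after the
    comma is started by winlogon at every logon, a classic persistence spot.
    A merely missing trailing comma is cosmetic and leaves 'extra' empty.
    """
    programs = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in programs
             if not (ntpath.basename(_clean(p)) == "userinit.exe"
                     and ntpath.dirname(_clean(p)).endswith("system32"))]
    return programs, CANONICAL_USERINIT, extra


def triage_hjt(lines):
    """Return (section, detail, reason) findings for the lines of a HijackThis log."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            if _clean(m.group("path")) == "(no file)":
                findings.append(("O2", m.group("clsid"),
                                 "orphaned BHO registration (no DLL on disk); safe to fix"))
            continue
        m = O4_RE.match(line)
        if m:
            image = image_path(m.group("cmd"))
            directory = ntpath.dirname(_clean(image))
            name = ntpath.basename(_clean(image))
            if directory in (r"c:\windows", r"c:\windows\system32") \
                    and name not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(("O4", f"[{m.group('name')}] {image}",
                                 "unexpected autostart launched from the Windows directory"))
            continue
        m = F2_RE.match(line)
        if m:
            _programs, canonical, extra = normalize_userinit(m.group("value"))
            if extra:
                findings.append(("F2", ", ".join(extra),
                                 "extra program chained after Userinit; runs at every logon"))
            elif m.group("value") != canonical:
                findings.append(("F2", m.group("value"),
                                 "non-canonical Userinit (trailing comma missing); harmless, "
                                 "fixing restores " + canonical))
    return findings


if __name__ == "__main__":
    for section, detail, reason in triage_hjt(SAMPLE_LOG):
        print(f"{section}: {detail}\n    {reason}")
```

Paste a real log into SAMPLE_LOG (or read it from a file) and the output is the short list to act on first: the orphaned O2 CLSIDs can be fixed without touching disk, the O4 hits are the files to schedule for deletion on reboot, and an F2 finding with an "extra program" reason is the one that matters, because the comma-only case is exactly the harmless situation described above.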
 
LVL 2

Expert Comment

by:pyroman1
ID: 16858349
In addition, if you know a file needs to be deleted you can download Unlocker to unlock the process that is holding the file.  Then it can be deleted.
http://ccollomb.free.fr/unlocker/

You can also use the Recovery console from your Windows CD to login via an MS-DOS based shell and delete the file that way.  Though this can sometimes be a pain if you use RAID or SCSI because you will need the driver disk handy.
 

Author Comment

by:DuarteR
ID: 16863543
new log:
http://www.hijackthis.de/logfiles/e2323bbae6b60da662295c3ec80ef7a6.html

I have used Unlocker to delete a.exe as well as runsrv32.exe, runsrv32.dll and users32.exe, but they all respawn. a.exe is connected to explorer.exe, as shown by Unlocker.

rpggamergirl's software suggestions have not worked.

This one's a tough little biatch.
 
LVL 3

Expert Comment

by:johnsy32
ID: 16863614
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

This one also needs deleting; it is described as a Browser Helper Object that displays advertisements and downloads and installs files, and could be re-infecting you over and over.

As well as the ones that need deleting on boot, as I mentioned before.

Are the directories and entries with PassGo Technologies ones that you know are safe?
 

Author Comment

by:DuarteR
ID: 16863808
Deleted susp.exe with HijackThis and the others mentioned,

but that entry as well as the runsrv32.exe and the (no name) entries all come back after reboot, and so does a.exe; all the files reappear in system32.

The PassGo stuff is legit; it automatically inputs passwords on websites for me.
 
LVL 3

Expert Comment

by:johnsy32
ID: 16864050
is there anything suspicious in your start up folder?

Start > All Programs > Startup

Are the PartyPoker entries also legit?
 

Author Comment

by:DuarteR
ID: 16864216
The Party Poker entries are just leftovers from when I uninstalled Party Poker.

As for starting programs, I use jv16 PowerTools and the only sus thing is the runsrv32.exe, which spawns itself even after deleting the file and registry entries.
 

Author Comment

by:DuarteR
ID: 16864245
if this helps here are my running processes shown in process explorer:

Process      PID      CPU      Description      Company Name
System Idle Process      0      93.08            
 Interrupts      n/a            Hardware Interrupts      
 DPCs      n/a      0.77      Deferred Procedure Calls      
 System      4      0.77            
  smss.exe      596            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      792            Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      824            Windows NT Logon Application      Microsoft Corporation
    services.exe      884      0.77      Services and Controller app      Microsoft Corporation
     svchost.exe      1084            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1144            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1216            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1316            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1368            Generic Host Process for Win32 Services      Microsoft Corporation
     spoolsv.exe      1548            Spooler SubSystem App      Microsoft Corporation
     pgpwdmon.exe      1716            SSO Plus Password Player Service      PassGo Technologies
      pgpwdmon.exe      1748            SSO Plus Password Player Service      PassGo Technologies
     schedul2.exe      1740            Acronis Scheduler 2      Acronis
     aswUpdSv.exe      1792                  
     ashServ.exe      1824            avast! antivirus service      
     svchost.exe      1864            Generic Host Process for Win32 Services      Microsoft Corporation
     ewidoctrl.exe      216            ewido control      ewido networks
     nvsvc32.exe      244            NVIDIA Driver Helper Service, Version 53.03      NVIDIA Corporation
     sdhelp.exe      296                  PC Tools Research Pty Ltd
     svchost.exe      756            Generic Host Process for Win32 Services      Microsoft Corporation
     wdfmgr.exe      844            Windows User Mode Driver Manager      Microsoft Corporation
     ashMaiSv.exe      2620            avast! e-Mail Scanner Service      ALWIL Software
     ashWebSv.exe      2740            avast! Web Scanner      ALWIL Software
     alg.exe      3032            Application Layer Gateway Service      Microsoft Corporation
     svchost.exe      3540            Generic Host Process for Win32 Services      Microsoft Corporation
    lsass.exe      896            LSA Shell (Export Version)      Microsoft Corporation
explorer.exe      576            Windows Explorer      Microsoft Corporation
 rundll32.exe      1948            Run a DLL as an App      Microsoft Corporation
 pctspk.exe      2000            pctvoice MFC Application      
 jusched.exe      2040            Java(TM) 2 Platform Standard Edition binary      Sun Microsystems, Inc.
 ashDisp.exe      2096            avast! service GUI component      
 issch.exe      2232            InstallShield Update Service Scheduler      InstallShield Software Corporation
 TrueImageMonitor.exe      2304            TrueImage      Acronis
 schedhlp.exe      2352            Acronis Scheduler Helper      Acronis
 ssotray.exe      2544            SSO Plus System Tray App      PassGo Technologies
 realsched.exe      2588            RealNetworks Scheduler      RealNetworks, Inc.
 procexp.exe      2956      4.62      Sysinternals Process Explorer      Sysinternals
 iexplore.exe      3788            Internet Explorer      Microsoft Corporation
 jv16 PowerTools.exe      508            jv16 PowerTools      
 iexplore.exe      3792            Internet Explorer      Microsoft Corporation
EM_EXEC.EXE      2108            Logitech Events Handler Application      Logitech Inc.

 
LVL 3

Expert Comment

by:johnsy32
ID: 16864266
How about manually going into the registry and deleting suspicious entries in

HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > WINDOWS > CURRENT VERSION > RUN

Then deleting any entries with hijackthis again, and deleting files again on reboot.
 
LVL 32

Expert Comment

by:r-k
ID: 16864337
Here is what I suggest:

First identify and locate all the bad .exe and .dll files (probably in c:\windows or c:\windows\system32)

Then:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Repeat steps (1) to (4) for each of the other files

(6) Close all windows.

(7) Reboot. (normal mode).

After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.
At this point you can clean up with HJT and with standard anti-spyware programs.

The success of this method depends on getting all the files in one go (steps (1) to (4) repeated for each)

 
LVL 2

Expert Comment

by:pyroman1
ID: 16864364
Try this from the GeeksToGo forum:
http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html

These steps remove most spyware/malware without any additional steps.  Once you complete the steps let us see the new HJT log.
 

Author Comment

by:DuarteR
ID: 16864680
r-k, just tried your method but no luck. When I click Internet Explorer to get to this page, users32.exe runs in the processes.
 
LVL 6

Expert Comment

by:Dale May
ID: 16864701
<<i have deleted it with regedit in safemode and from the folder but it comes back) >>
have you stopped system restore?

d_may
 
LVL 32

Expert Comment

by:r-k
ID: 16864817
"when i click internet explorer to get to this page users32.exe runs in the processes"

Can you double-check by looking at the Security Properties for that file that all permissions have been removed?
 

Author Comment

by:DuarteR
ID: 16864856
r-k, I double-checked that permissions had been removed, but the check box is now ticked again.
 

Author Comment

by:DuarteR
ID: 16864884
pyroman - my first course of action when this virus/adware first appeared was to use Spybot + CWShredder + Ad-Aware SE + SpySweeper + ewido + avast + Spyware Doctor.
 
LVL 32

Expert Comment

by:r-k
ID: 16864896
Are you saying that permissions to that file got restored again? The malware is getting very clever these days!

Try the following:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, uncheck "Include Empty Locations" and check "Hide Microsoft Entries",
      then click on the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything clearly bad by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then copy and paste it here.
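The shortened Autoruns list is small enough to eyeball, but the three checks worth running first are mechanical. The script below is an added example written for this page; it is not r-k's and not part of Sysinternals' tooling. It assumes the "Save as" text export is a location header followed by tab-separated rows of entry, description, publisher and image path, and builds a constructed sample from a few rows of the log the asker posts later in this thread plus one made-up Startup folder entry. It reports entries whose target is "File not found", entries with no publisher string that live under C:\WINDOWS or C:\WINDOWS\system32, and, the one people miss, a Startup-folder location that is not under Start Menu\Programs\Startup: Autoruns takes that path from the shell-folder registry values, so a redirected folder means everything in it runs at logon.

```python
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "location entry reason")

# Install path assumed to be C:\WINDOWS, as on the machine in this thread.
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")
STARTUP_MARK = r"\start menu\programs\startup"
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def row(entry, description, publisher, image):
    """One entry line in the assumed tab-separated export layout."""
    return "+ " + "\t".join((entry, description, publisher, image))


# Constructed sample in the layout of an Autoruns "Save as" text export (a
# location header followed by tab-separated entry rows). The Run-key rows and
# the MsSvc32 header are lifted from the log posted later in this thread; the
# final Startup-folder location and its entry are made up for contrast.
SAMPLE_EXPORT = "\n".join([
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    row("avast!", "avast! service GUI component", "",
        r"c:\program files\alwil software\avast4\ashdisp.exe"),
    row("nwiz", "", "", "File not found: nwiz.exe"),
    row("PCTVOICE", "pctvoice MFC Application", "", r"c:\windows\system32\pctspk.exe"),
    row("NvCplDaemon", "NVIDIA Display Properties Extension", "NVIDIA Corporation",
        r"c:\windows\system32\nvcpl.dll"),
    r"C:\WINDOWS\system32\MsSvc32",
    row("Adobe Gamma Loader.lnk", "Adobe Gamma Loader", "Adobe Systems, Inc.",
        r"c:\program files\common files\adobe\calibration\adobe gamma loader.exe"),
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    row("Example.lnk", "Example tray app", "Example Publisher",
        r"c:\program files\example\example.exe"),
])


def parse_export(text):
    """Group the export into [(location, [(entry, description, publisher, image), ...]), ...]."""
    groups = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("+ "):
            if not groups:
                raise ValueError("entry row before any location header")
            cols = line[2:].split("\t")
            cols += [""] * (4 - len(cols))      # tolerate rows with trailing empty columns
            groups[-1][1].append(tuple(cols[:4]))
        else:
            groups.append((line, []))
    return groups


def triage_autoruns(text):
    """Apply three checks a practitioner would run over a shortened Autoruns list."""
    findings = []
    for location, entries in parse_export(text):
        # A filesystem path used as a location is a Startup folder. Its path
        # comes from the shell-folder registry values, so one that is not under
        # Start Menu\Programs\Startup has been redirected: everything in that
        # directory runs at logon.
        if DRIVE_RE.match(location) and STARTUP_MARK not in location.lower():
            findings.append(Finding(location, "",
                                    "startup-folder location outside Start Menu\\Programs\\Startup; "
                                    "check the User Shell Folders registry values"))
        for entry, _description, publisher, image in entries:
            low = image.lower()
            if low.startswith("file not found"):
                findings.append(Finding(location, entry,
                                        "dangling autostart: target missing, remove the entry"))
            elif ntpath.dirname(low) in WINDOWS_DIRS and not publisher.strip():
                findings.append(Finding(location, entry,
                                        "no publisher string and lives in the Windows directory; "
                                        "verify the file before trusting it"))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_EXPORT):
        print(f"{f.location}\n  {f.entry or '(location)'}: {f.reason}")
```

The "no publisher" check is a prompt to verify, not a verdict: plenty of legitimate vendor tools ship without a version-resource company string. The location check is the one that explains respawning files: if a .lnk under a redirected Startup folder re-drops them, deleting the files alone never sticks.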
 
LVL 2

Expert Comment

by:pyroman1
ID: 16865048
Did you disable system restore as d_may suggested?  Also run CleanUp to remove any unnecessary files and make your scans run faster.

You mentioned using Unlocker, did you also try deleting the files from Recovery Console?  That way no Windows processes will be running when you delete the files.
 

Author Comment

by:DuarteR
ID: 16865340
OK, I have just tried r-k's method again in safe mode with System Restore off: permissions all denied on the 4 files that I believe are causing the problems. Then deleted them (still in safe mode), removed registry entries with regedit and HijackThis, and double-checked all traces have been removed with jv16 PowerTools. Also made sure the about:blank IE start page was gone. The processes running during this seemed safe.

Then I restarted again in safe mode and checked if they had returned; the files were not present, so I thought I'd done it.

Restarted in normal mode: the files are back again.

I think there must be another file in there somewhere that I'm missing, but I haven't a clue what it could be.

I still have to try the Recovery Console thing, but this is my 3rd night in a row trying to solve this thing; I'm getting tired.
 
LVL 2

Expert Comment

by:pyroman1
ID: 16865520
Try using NirSoft's CurrProcess to find out what modules are loading with the processes you have running. Maybe that will help you find any other files that shouldn't be loading at startup so you can delete them.

http://www.nirsoft.net/utils/cprocess.html
 
LVL 32

Expert Comment

by:r-k
ID: 16865557
" think there must be another file in there somewhere..."

Yes, I would say that. The Autoruns log is about as complete as you can get. Try that when you have the time.
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 1500 total points)
ID: 16865828
Did you run roguescanfix, or smitrem or smitfraudfix?
a.exe and runsrv.exe are both part of the smitfraud infection.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16865849
Can we please see the SmitfraudFix log? There might be a bad entry in SharedTaskScheduler.
If you used SmitfraudFix, run option 2.
 
LVL 3

Expert Comment

by:Tony Gimenez
ID: 16866642
Save yourself some time and just do System Restore...
Sorry.. I had spent around ten minutes typing a fix to your problem
and the page refreshed by mistake..
good luck.
 

Author Comment

by:DuarteR
ID: 16873375
Cannot do a System Restore as I had turned it off.

Used the SmitfraudFix and it seemed to do the trick:

SmitFraudFix v2.56

Scan done at 20:38:32.29, 09/06/2006
Run from C:\Documents and Settings\Dooey\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\bg.gif Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\dailytoolbar.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\wstart.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

but users32.exe comes back and starts the popups.

By the way, like an idiot I was in jv16 in the file tools; I clicked show system DLL files and, thinking it was 'unused' DLL files, I selected all and clicked remove. I cancelled when I realised my mistake, but I fear I may have removed vital DLL files, although I haven't noticed any system malfunctions as of yet.
 
LVL 3

Expert Comment

by:Tony Gimenez
ID: 16873537
For all those idiots telling people to turn off System Restore: they have no idea what they are talking about.
The first reason people tell others to disable System Restore is because viruses and other malware may be hiding in certain restore points and/or you will not be able to detect them with anti-virus/anti-spyware applications. In a sense this is true; the folder that they never tell you about is C:\System Volume Information. This is where all those restore points are kept, and this folder is by default hidden. If you choose to display hidden and system files and then try to access it, you will be given an access denied error. But there is a way to bypass this restriction with a simple command in the command line:

CACLS "C:\System Volume Information" /E /C /G (Username):F
*Use the above without parentheses*
Other variations:
http://www.theeldergeek.com/system_volume_information_folder1.htm

After you have granted yourself permission to access the folder, you may now proceed to use anti-spyware and anti-virus programs that will now be able to scan for files in that folder.

And as always, though viruses/malware may be in certain restore points, restoring to earlier ones will almost always guarantee a virus/malware-free environment, after which you can delete the System Restore points and be proud that you may have saved yourself a lot of time.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16873838
where exactly is that users32.exe located?
can you give us the exact location, have you tried Killboxing it using "delete on reboot" option?


Try these too:
1. download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.


2. CWSShredder.
http://www.majorgeeks.com/download4086.html
 

Author Comment

by:DuarteR
ID: 16874232
users32.exe and all the other files I have mentioned are in windows/system32.

At this moment in time I'm not having any symptoms: a.exe, runsrv32.exe, runsrv32.dll and qirkvy.exe (the popup spawned by users32.exe) have gone thanks to SmitfraudFix, although users32.exe is still present. Because users32.exe still exists (and I have already got to this stage before and deleted users32.exe, but it returned with the other files until I used SmitfraudFix again), I'm not sure if it will last. At the moment the IE browser is not hijacked when I open a new occurrence.

I am quite worried about the removed .dll files that happened with jv16 PowerTools; is this going to cause major problems?
 
LVL 2

Expert Comment

by:pyroman1
ID: 16874253
It's hard to say for certain about the DLL files because we don't know which ones got deleted.  Does jv16 have a recovery option?
 
LVL 32

Expert Comment

by:r-k
ID: 16874294
If you think you may have deleted important system files then do the following:

 > sfc /scannow

from a command prompt.

This will restore any critical system file, but you may need the XP CD on hand.

Re. user32.exe coming back, try Autoruns as suggested above, and post the (shortened) log here.
 

Author Comment

by:DuarteR
ID: 16874923
Just realised jv16 has a backup option and had all the DLLs there for me to restore. Thanks pyroman1.

Here is the shortened Autoruns log:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ avast!      avast! service GUI component            c:\program files\alwil software\avast4\ashdisp.exe

+ CloneDVDElbyDelay      ElbyCheck      Elaborate Bytes AG      c:\program files\elaborate bytes\clonedvd\elbycheck.exe

+ Cmaudio      CmiCnfg DLL      C-Media Corporation      c:\windows\system\cmicnfg.cpl

+ ISUSPM Startup      InstallShield Update Service Update Manager      InstallShield Software Corporation      c:\program files\common files\installshield\updateservice\isuspm.exe

+ ISUSScheduler      InstallShield Update Service Scheduler      InstallShield Software Corporation      c:\program files\common files\installshield\updateservice\issch.exe

+ Logitech Utility      Logitech Launcher Application      Logitech Inc.      c:\windows\logi_mwx.exe

+ LogitechVideoRepair      Logitech QuickCam Startup Application      Logitech Inc.      c:\program files\logitech\video\isstart.exe

+ LogitechVideoTray      ImageStudio Tray Application      Logitech Inc.      c:\program files\logitech\video\logitray.exe

+ NvCplDaemon      NVIDIA Display Properties Extension      NVIDIA Corporation      c:\windows\system32\nvcpl.dll

+ nwiz                  File not found: nwiz.exe

+ PCDRealtime            Dell      c:\windows\realtime.exe

+ PCTVOICE      pctvoice MFC Application            c:\windows\system32\pctspk.exe

+ PinnacleDriverCheck                  c:\windows\system32\psdrvcheck.exe

+ QuickTime Task            Apple Computer, Inc.      c:\program files\quicktime\qttask.exe

+ SSOTRAY      SSO Plus System Tray App      PassGo Technologies      c:\program files\passgo technologies\sso plus\ssotray.exe

+ SunJavaUpdateSched      Java(TM) 2 Platform Standard Edition binary      Sun Microsystems, Inc.      c:\program files\java\jre1.5.0_06\bin\jusched.exe

+ TkBellExe      RealNetworks Scheduler      RealNetworks, Inc.      c:\program files\common files\real\update_ob\realsched.exe

C:\WINDOWS\system32\MsSvc32                  

+ Adobe Gamma Loader.lnk      Adobe Gamma Loader      Adobe Systems, Inc.      c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Adobe Reader Speed Launch.lnk      Adobe Acrobat SpeedLauncher      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

+ Logitech Desktop Messenger.lnk      LDM Configuration Application      Logitech      c:\program files\logitech\desktop messenger\8876480\program\ldmconf.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks                  

+ ewido shell guard                  c:\program files\ewido anti-malware\shellhook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ avast      avast! Shell Extension      ALWIL Software      c:\program files\alwil software\avast4\ashshell.dll

+ dBpowerAMP Music Converter      dMCShell Module            c:\program files\illustrate\dbpoweramp\dmcshell.dll

+ dBpowerAMP Music Converter 1      dBShell Module            c:\program files\illustrate\dbpoweramp\dbshell.dll

+ Display Panning CPL Extension                  File not found: deskpan.dll

+ Haali Column Provider                  c:\program files\avi2dvd\programs\filters\haali media splitter\mmfinfo.dll

+ HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll

+ My Logitech Pictures      Logitech Namespace2      Logitech Inc.      c:\program files\logitech\video\namespc2.dll

+ Shell Extensions for RealOne Player      RealPlayer Shell Extensions      RealNetworks, Inc.      c:\program files\real\realplayer\rpshell.dll

+ SmartFTP Shell Extension DLL      SmartFTP Shell Extension      SmartFTP      c:\program files\smartftp\smarthook.dll

+ UnlockerShellExtension                  c:\program files\unlocker\unlockercom.dll

+ WinRAR shell extension                  c:\program files\winrar\rarext.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing, Inc.      c:\program files\winzip\wzshlstb.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing, Inc.      c:\program files\winzip\wzshlstb.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing, Inc.      c:\program files\winzip\wzshlstb.dll

+ WinZip      WinZip Shell Extension DLL      WinZip Computing, Inc.      c:\program files\winzip\wzshlstb.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ StuffIt Archive Menu      StuffIt Archive Shell Extension      Allume Systems, Inc.      c:\program files\allume systems\stuffit\archivemenu.dll

+ StuffIt Compress Menu      StuffIt Compress Shell Extension      Allume Systems, Inc.      c:\program files\allume systems\stuffit\compressmenu.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers                  

+ dBpShell Class      dBShell Module            c:\program files\illustrate\dbpoweramp\dbshell.dll

+ Haali Column Provider                  c:\program files\avi2dvd\programs\filters\haali media splitter\mmfinfo.dll

+ PDF Shell Extension      PDF Shell Extension      Adobe Systems, Inc.      c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                  

+ Adobe PDF Reader Link Helper      Adobe Acrobat IE Helper Version 7.0 for ActiveX      Adobe Systems Incorporated      c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

+ adobepnl.ADOBE_PANEL            Laguna Media      c:\windows\system32\adobepnl.dll

+ Google Toolbar Helper      Google IE Client Toolbar      Google Inc.      c:\program files\google\googletoolbar1.dll

+ Kwyshell MidpX      Kwyshell J2ME Midp Emulator IE Toolbar      Kwyshell G.Corp      c:\program files\kwyshell\midpx\jadinvoker\midpinvoker.dll

+ PCTools Browser Monitor      iesdpb.dll      PC Tools      c:\program files\spyware doctor\tools\iesdpb.dll

+ PCTools Site Guard      Site Guard      PC Tools      c:\program files\spyware doctor\tools\iesdsg.dll

+ ReadPage Class      SSO Plus Password Management for Internet Explorer      PassGo Technologies      c:\program files\passgo technologies\sso plus\pgiexpl.dll

+ SSVHelper Class      Java(TM) 2 Platform Standard Edition binary      Sun Microsystems, Inc.      c:\program files\java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar                  

+ googletoolbar1.dll      Google IE Client Toolbar      Google Inc.      c:\program files\google\googletoolbar1.dll

+ Kwyshell MidpX      Kwyshell J2ME Midp Emulator IE Toolbar      Kwyshell G.Corp      c:\program files\kwyshell\midpx\jadinvoker\midpinvoker.dll

+ yt.dll      Yahoo! Toolbar      Yahoo! Inc.      c:\program files\yahoo!\companion\installs\cpn0\yt.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions                  

+ AIM      AOL Instant Messenger      America Online, Inc.      c:\program files\aim95\aim.exe

Task Scheduler                  

+ RegCure.job      RegCure Application            c:\program files\regcure\regcure.exe

HKLM\System\CurrentControlSet\Services                  

+ aswUpdSv      Provides automatic updating for the avast! antivirus.            c:\program files\alwil software\avast4\aswupdsv.exe

+ avast! Antivirus      Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.            c:\program files\alwil software\avast4\ashserv.exe

+ ewido security suite control      ewido control      ewido networks      c:\program files\ewido anti-malware\ewidoctrl.exe

+ NVSvc      Provides system and desktop level support to the NVIDIA display driver      NVIDIA Corporation      c:\windows\system32\nvsvc32.exe

+ pgpwdmon      Captures, stores and plays back passwords to provide automated logon      PassGo Technologies      c:\program files\passgo technologies\sso plus\pgpwdmon.exe

+ SDhelper            PC Tools Research Pty Ltd      c:\program files\spyware doctor\sdhelp.exe

HKLM\System\CurrentControlSet\Services                  

+ alcan5wn      WAN Driver      THOMSON multimedia      c:\windows\system32\drivers\alcan5wn.sys

+ alcaudsl      WDM Driver      THOMSON multimedia      c:\windows\system32\drivers\alcaudsl.sys

+ ASPI32      ASPI for WIN32 Kernel Driver      Adaptec      c:\windows\system32\drivers\aspi32.sys

+ aswRdr      avast! TDI RDR Driver      ALWIL Software      c:\windows\system32\drivers\aswrdr.sys

+ BtAudio                  File not found: System32\DRIVERS\btaudio.sys

+ BTDriver                  File not found: System32\DRIVERS\btport.sys

+ BTWDNDIS                  File not found: System32\DRIVERS\btwdndis.sys

+ BTWUSB                  File not found: System32\Drivers\btwusb.sys

+ cmuda      C-Media Audio WDM Driver      C-Media Inc      c:\windows\system32\drivers\cmuda.sys

+ DFUBTUSB                  File not found: System32\Drivers\frmupgr.sys

+ ElbyCDIO      ElbyCD Windows NT/2000/XP I/O driver      Elaborate Bytes AG      c:\windows\system32\drivers\elbycdio.sys

+ ElbyDelay      Elby Delay Lower Filter Driver      Elaborate Bytes      c:\windows\system32\drivers\elbydelay.sys

+ fasttx2k      Promise Driver for Windows XP      Promise Technology, Inc.      c:\windows\system32\drivers\fasttx2k.sys

+ ikhlayer            PCTools Research Pty Ltd.      c:\windows\system32\drivers\ikhlayer.sys

+ k750bus      Sony Ericsson 750 Driver      MCCI      c:\windows\system32\drivers\k750bus.sys

+ k750mdfl      Sony Ericsson 750 USB WMC Modem Filter      MCCI      c:\windows\system32\drivers\k750mdfl.sys

+ k750mdm      Sony Ericsson 750 USB WMC Modem Drivers      MCCI      c:\windows\system32\drivers\k750mdm.sys

+ k750mgmt      Sony Ericsson 750 USB WMC Device Management Drivers      MCCI      c:\windows\system32\drivers\k750mgmt.sys

+ k750obex      Sony Ericsson 750 USB WMC OBEX Interface Drivers      MCCI      c:\windows\system32\drivers\k750obex.sys

+ L8042pr2      Logitech PS/2 Mouse Filter Driver.      Logitech, Inc.      c:\windows\system32\drivers\l8042pr2.sys

+ LMouFlt2      Logitech Filter Driver for Mouse Class.      Logitech, Inc.      c:\windows\system32\drivers\lmouflt2.sys

+ MMRTKRNL      MMRTKRNL.SYS      ALCATech GmbH      c:\windows\system32\drivers\mmrtkrnl.sys

+ nv      NVIDIA Compatible Windows 2000 Miniport Driver, Version 53.03       NVIDIA Corporation      c:\windows\system32\drivers\nv4_mini.sys

+ Pcouffin      Patin-Couffin low level access layer for CD devices      VSO Software      c:\windows\system32\drivers\pcouffin.sys

+ pfc      Padus(R) ASPI Shell      Padus, Inc.      c:\windows\system32\drivers\pfc.sys

+ PhilCam8116      Universal Serial Bus Camera Driver      Logitech Inc.      c:\windows\system32\drivers\camdrl21.sys

+ prodrv06      StarForce Protection Environment Driver      Protection Technology      c:\windows\system32\drivers\prodrv06.sys

+ prohlp02      StarForce Protection Helper Driver      Protection Technology      c:\windows\system32\drivers\prohlp02.sys

+ prosync1      StarForce Protection Synchronization Driver      Protection Technology      c:\windows\system32\drivers\prosync1.sys

+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys

+ Ptserial      HSP Modem Serial Device Driver for NT 5.0      PCTEL, INC.      c:\windows\system32\drivers\ptserial.sys

+ PxHelp20      Px Engine Device Driver for Windows 2000/XP      Sonic Solutions      c:\windows\system32\drivers\pxhelp20.sys

+ Secdrv      SafeDisc driver      Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.      c:\windows\system32\drivers\secdrv.sys

+ sfdrv01      StarForce Protection Environment Driver      Protection Technology      c:\windows\system32\drivers\sfdrv01.sys

+ sfhlp01      StarForce Protection Helper Driver      Protection Technology      c:\windows\system32\drivers\sfhlp01.sys

+ sfhlp02      StarForce Protection Helper Driver      Protection Technology      c:\windows\system32\drivers\sfhlp02.sys

+ sfsync02      StarForce Protection Synchronization Driver      Protection Technology      c:\windows\system32\drivers\sfsync02.sys

+ SISAGP      SiS AGPv3.5 Filter      Silicon Integrated Systems Corporation      c:\windows\system32\drivers\sisagpx.sys

+ SiSide      SiS PCI Mini IDE Driver      Silicon Integrated Systems Corp.      c:\windows\system32\drivers\siside.sys

+ SISNIC      SiS PCI Fast Ethernet Adapter Driver      SiS Corporation      c:\windows\system32\drivers\sisnic.sys

+ snapman      Acronis Snapshot API      Acronis      c:\windows\system32\drivers\snapman.sys

+ SONYPVU1      Sony USB Lower Filter driver      Sony Corporation      c:\windows\system32\drivers\sonypvu1.sys

+ sptd                  c:\windows\system32\drivers\sptd.sys

+ timounter      TrueImage Backup Archive Explorer      Acronis      c:\windows\system32\drivers\timntr.sys

+ Vmodem      HSP Modem Modem Device Driver      PCTEL, INC.      c:\windows\system32\drivers\vmodem.sys

+ Vpctcom      HSP Modem Virtual Control Device      PCtel, Inc.      c:\windows\system32\drivers\vpctcom.sys

+ Vvoice      HSP Modem device driver      PCtel, Inc.      c:\windows\system32\drivers\vvoice.sys

+ WinDriver                  File not found: System32\Drivers\windrvr.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls                  

+ ssohook      SSO Plus System Hook DLL      PassGo Technologies      c:\windows\system32\ssohook.dll

-----------------------------------------------------------------------------------------------------------------------------------

After another reboot the symptoms have not returned; so far so good.
LVL 32

Expert Comment

by:r-k
ID: 16874983
Can you take a closer look at the following entries from the Autoruns log:

C:\WINDOWS\system32\MsSvc32           (is this perhaps truncated from MsSvc32.exe - a known virus)
+ adobepnl.ADOBE_PANEL          Laguna Media     c:\windows\system32\adobepnl.dll    (very suspicious)
+ RegCure.job     RegCure Application          c:\program files\regcure\regcure.exe          (very suspicious)

Try to locate these files, right-click -> Properties -> Version and see who created them.

I would also try disabling them in Autoruns, reboot and see if they're still disabled.

The Scheduled Task (regcure) can probably be disabled in the Task Scheduler (unless you scheduled it yourself).


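The triage described in the comment above (find the file behind each autostart entry, look at who claims to have built it, then disable the entry and see whether it stays disabled) can be scripted. The PowerShell below is an added example written for this thread; it is not a tool either poster used and not part of Autoruns or HijackThis. It assumes an elevated Windows PowerShell 3.0 or later prompt on the machine under review, and walks the locations named in the Autoruns output: the HKLM and HKCU Run keys, the Browser Helper Objects list (resolved through HKCR\CLSID\{guid}\InprocServer32), and AppInit_DLLs. The function names (Resolve-CommandPath, Get-AutostartEntries, Test-AutostartEntry) are my own. The publisher check reads the file's version resource and Authenticode signature, both of which malware can omit or forge, so the output is a shortlist for manual review rather than a verdict.

```powershell
# Added example: enumerate the autostart locations discussed in this thread and
# report, for each referenced file, whether it exists, who claims to have built it,
# and whether it carries a valid Authenticode signature.
# Assumption: run from an elevated Windows PowerShell 3.0+ prompt.

function Resolve-CommandPath {
    # Reduce a Run-key value such as '"C:\Program Files\x\y.exe" -flag' or a bare
    # 'SOUNDMAN.EXE' to a file path, searching the Windows directories for bare names.
    param([string]$Command)
    $raw = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $raw = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $raw) { return (Resolve-Path -LiteralPath $raw).Path }
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
        $candidate = Join-Path $dir $raw
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $raw   # unresolved; reported as missing below
}

function Get-AutostartEntries {
    $entries = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every registry object.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Path = (Resolve-CommandPath $p.Value) }
        }
    }

    # BHOs are listed by CLSID; the DLL is registered under HKCR\CLSID\{guid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $clsid = $sub.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dllPath = ''
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) { $dllPath = Resolve-CommandPath $dll }
            }
            $entries += [pscustomobject]@{ Location = 'BHO'; Name = $clsid; Path = $dllPath }
        }
    }

    # AppInit_DLLs is loaded into every process that loads user32.dll, so it deserves a look.
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
            $entries += [pscustomobject]@{ Location = 'AppInit_DLLs'; Name = $dll; Path = (Resolve-CommandPath $dll) }
        }
    }
    return $entries
}

function Test-AutostartEntry {
    param([pscustomobject]$Entry)
    $flags = @()
    $company = ''
    $sig = 'n/a'
    if (-not $Entry.Path -or -not (Test-Path -LiteralPath $Entry.Path)) {
        $flags += 'missing-file'      # orphaned entry, like the "(no file)" BHOs in a HijackThis log
    } else {
        $item = Get-Item -LiteralPath $Entry.Path
        $company = $item.VersionInfo.CompanyName
        $sig = (Get-AuthenticodeSignature -FilePath $Entry.Path).Status
        if (-not $company) { $flags += 'no-company-name' }
        if ($sig -ne 'Valid') { $flags += "signature:$sig" }
        # Unsigned code dropped straight into system32 is the pattern seen with runsrv32.exe / users32.exe.
        if ($Entry.Path -like "$env:SystemRoot\System32\*" -and $sig -ne 'Valid') { $flags += 'unsigned-in-system32' }
    }
    [pscustomobject]@{
        Location = $Entry.Location; Name = $Entry.Name; Path = $Entry.Path
        Company = $company; Signature = $sig; Flags = ($flags -join ',')
    }
}

# Flagged entries sort to the top; review those by hand before disabling anything.
Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } |
    Sort-Object { $_.Flags -eq '' }, Location |
    Format-Table -AutoSize Location, Name, Path, Company, Signature, Flags
```

A blank Company column and a NotSigned status on a file in system32 is exactly what an entry like adobepnl.dll or runsrv32.exe should show, whereas the vendor drivers and shell extensions in the Autoruns dump above will normally carry a company name. Treat a valid signature as necessary rather than sufficient: the script only tells you which entries to look at first.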

Expert Comment

by:smhp
ID: 16875906

Author Comment

by:DuarteR
ID: 16876098
Although users32.exe is still present, I'm closing this down (the thread's getting a bit long), but I'm not having any more symptoms so that's OK with me.

I think smitfraudfix has removed the parent which would load users32.exe.

Thanks Rpggamergirl
LVL 47

Expert Comment

by:rpggamergirl
ID: 16876739
Yeah,  "adobepnl.dll" also can go.

Now that smitfraud is gone, did you try deleting the users32.exe and see if it goes?

Or Killbox?
Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\users32.exe
c:\windows\system32\adobepnl.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.

If Killbox won't delete it, I'm sure Avenger would.


You might also need to delete this registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E8FA924-DEF0-4E71-8A82-A11CA0C1413B}]
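What a "Delete on Reboot" option does, as far as I know (an assumption about Killbox; the thread does not say how the tool works), is what the Win32 API offers directly: MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag and no destination queues the path in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Session Manager (smss.exe) deletes it early in the next boot, before any user-mode program can hold it open. The PowerShell below is an added example for this thread, not code from the posters or from Killbox. It assumes an elevated Windows PowerShell 2.0 or later prompt, queues the two files named in the comment above for deletion, and removes the BHO registration for the CLSID given there; the file names and CLSID are used only as illustrative targets and nothing in the script verifies they are malicious. The function names (Register-DeleteOnReboot, Unregister-Bho, Show-PendingRenames) are my own.

```powershell
# Added example: schedule locked files for deletion at next boot and unregister
# the Browser Helper Object that loaded one of them.
# Assumptions: elevated PowerShell 2.0+; the paths and CLSID below are taken from
# this thread and serve only as illustrative targets.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    # A NULL destination plus MOVEFILE_DELAY_UNTIL_REBOOT means "delete at boot".
    # The request is stored in PendingFileRenameOperations and carried out by
    # smss.exe before winlogon or explorer start, so a file that is "in use" now
    # cannot be in use then.
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not present; nothing to queue"
        return $false
    }
    $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "MoveFileEx failed for $Path (Win32 error $err)"
    }
    return $ok
}

function Unregister-Bho {
    # Removing the entry under ...\Browser Helper Objects stops IE loading it;
    # removing the COM registration under HKCR\CLSID keeps the DLL from being
    # instantiated by CLSID from anywhere else.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            Remove-Item -Path $k -Recurse -Force
            Write-Host "removed $k"
        }
    }
}

function Show-PendingRenames {
    # Verification: the queued operations stay visible in the registry until reboot.
    # The value is a REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

# Illustrative targets, as named in the comment above.
$targets = @(
    "$env:SystemRoot\system32\users32.exe",
    "$env:SystemRoot\system32\adobepnl.dll"
)
Unregister-Bho -Clsid '{5E8FA924-DEF0-4E71-8A82-A11CA0C1413B}'
foreach ($t in $targets) { Register-DeleteOnReboot -Path $t | Out-Null }
Show-PendingRenames
```

Two caveats matter here. First, the queue is an ordinary registry value, so a still-running dropper can remove it or re-create the files at shutdown; the earlier observation that a deleted runsrv32.exe kept coming back is the symptom of exactly that, and the parent has to be gone (as the author found after running SmitFraudFix) before delete-on-reboot is reliable. Second, deleting the BHO keys stops the DLL from loading but leaves any copies elsewhere on disk, so check Show-PendingRenames after the reboot and re-run whatever autostart scan you used to be sure the entry did not return.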

Author Comment

by:DuarteR
ID: 16880296
I found this page that really solved the problem for me:

http://www.lavasoftsupport.com/index.php?showtopic=878&st=20

Expert Comment

by:Rex_Browne
ID: 16889474
This was the result of my log file analysis which I have pasted from this link: http://www.hijackthis.de/logfiles/97da6547b5953a4407d86f644583c056.html

I would be very grateful if you could help me eliminate these ** unpleasant adware/malware scripts from my XP

rex browne
 
 Entry    Kind (Safe, Nasty, Unknown)    Description    Tip
  Logfile of HijackThis v1.99.1    
Safe.   Shows the version of HijackThis. The newest version is v1.99.1!
   This should be the newest version. (v1.99.1)
  Platform: Windows XP SP2 (WinNT 5.01.2600)      
   
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)    
Safe.   Shows the version of your Internet Explorer. Newest Version is: 6.00.2900.2180!
   This should be the newest version. (6.00.2900.2180)
  C:\WINDOWS\System32\smss.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\winlogon.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\services.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\lsass.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\Ati2evxx.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\System32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\system32\spoolsv.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\Bluetooth Software\bin\btwdins.exe    
Safe.   running process. (btwdins.exe)
Part of the DLink Bluetooth Software
   
 
  C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe    
Safe.   running process. (PcCtlCom.exe)
Trend Micro PC-cillin Internet Security
   
 
  C:\WINDOWS\system32\slserv.exe    
Safe.   running process. (slserv.exe)
User-Level Modem Service
   
 
  C:\WINDOWS\system32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe    
Safe.   running process. (Tmntsrv.exe)
Trend Micro Internet Security
   
 
  C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe    
Safe.   running process. (tmproxy.exe)
Trend Micro Internet Security
   
 
  C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe    
Safe.   running process. (ULCDRSvr.exe)
Ulead VideoStudio 8
   
Possibly nasty! According to our database this process runs normally in c:\programme\common files\ulead systems\dvd\! Check if you know this process and arrange a viruscheck where required.
  C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe    
Safe.   running process. (TmPfw.exe)
Trend Micro Personal Firewall
   
 
  C:\WINDOWS\system32\Ati2evxx.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\WINDOWS\Explorer.EXE    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe    
Safe.   running process. (atiptaxx.exe)
ATI Desktop Control Panel from ATI Technologies
   
 
  C:\WINDOWS\SOUNDMAN.EXE    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe    
Safe.   running process. (pccguide.exe)

   
 
  C:\WINDOWS\system32\rundll32.exe    
Safe.   running process. (rundll32.exe)
RUNDLL32 is the Microsoft Windows program that loads DLLs into memory so that they can be used by specific programs or by Windows.
   
 
  C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe    
Safe.   running process. (jusched.exe)
Java Runtime
   
 
  C:\Program Files\iTunes\iTunesHelper.exe    
Safe.   running process. (iTunesHelper.exe)
Apple iTunes
   Not dangerous, but unnecessary.
 
  C:\WINDOWS\system32\ctfmon.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\Microsoft ActiveSync\wcescomm.exe    
Safe.   running process. (wcescomm.exe)

   
 
  C:\Program Files\Novosoft\Handy Backup\hbagent.exe    
Unknown   running process. (hbagent.exe)
Handy Backup - automatic backup of your critical data to virtually any type of storage media including CD-RW devices and remote FTP servers
   This is an unknown process.
 
  C:\Program Files\Bluetooth Software\BTTray.exe    
Safe.   running process. (BTTray.exe)

   
Possibly nasty! According to our database this process runs normally in c:\programme\belkin\bluetooth software\! Check if you know this process and arrange a viruscheck where required.
  C:\PROGRA~1\MICROS~3\rapimgr.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\Program Files\iPod\bin\iPodService.exe    
Safe.   running process. (iPodService.exe)

   
 
  C:\WINDOWS\System32\svchost.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE    
Safe.   running process. (BTSTAC~1.EXE)

   
Possibly nasty! According to our database this process runs normally in c:\programme\widcomm\blueto~1\! Check if you know this process and arrange a viruscheck where required.
  C:\Program Files\Internet Explorer\IEXPLORE.EXE    
Safe.   running process. (IEXPLORE.EXE)
Internet Explorer - We recommend using a more secure alternative browser (e.g. Firefox).
   
 
  C:\WINDOWS\system32\users32.exe    
Unknown   running process. (users32.exe)

   This is an unknown process.
 
  C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe    
Safe.   running process. (HijackThis.exe)
The tool you used to create this log file. The program should be installed like this: C:\Programme\HijackThis\HijackThis.exe
   Remember that HijackThis must be run from its own folder. It creates backups only when run from its own folder!
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD6jnrmkc3gR1l2 Nm5fznNfQAEFtUigG26BIPt+u2+IOszlsWgZPRhJcxRjpXqSmjYaxbcN4EXI34oLd6xxy0g+tjRRkyhF cO96cgBARN5+WIcnpN6Ia7Br2DTp1I2OX/UOHYwWsIjrNUut/V8hbK9yKNiSJuE6MDfWDLG/XFQExg=    
Nasty   This entry should be fixed by HijackThis!
   This entry should be fixed by HijackThis!
  R3 - Default URLSearchHook is missing    
Nasty   This entry was classified from our visitors as bad.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([00000000-59D4-4008-9058-080011001200] - Result: 00000000-59D4-4008-9058-080011001200) has been checked. Hit rate: 100,00%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([00000000-C1EC-0345-6EC2-4D0300000000] - Result: 00000000-C1EC-0345-6EC2-4D0300000000) has been checked. Hit rate: 100,00%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([00000000-F09C-02B4-6EC2-AD0300000000] - Result: 00000000-F09C-02B4-6EC2-AD0300000000) has been checked. Hit rate: 100,00%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll    
Safe.   Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 100,00%
   
  O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll    
Unknown   Entries found in this registry zone are potentially nasty. This application ([2513A321-CB50-4C5F-91C5-80342AFACFB1] - Result: ) has been checked. Hit rate: 0,00%
   Unknown application.
  O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([3ceff6cd-6f08-4e4d-bccd-ff7415288c3b] - Result: 3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B) has been checked. Hit rate: 52,78%
   Unknown application.
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([77701e16-9bfe-4b63-a5b4-7bd156758a37] - Result: 77701e16-9bfe-4b63-a5b4-7bd156758a37) has been checked. Hit rate: 100,00%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([7b55bb05-0b4d-44fd-81a6-b136188f5deb] - Result: 7B55BB05-0B4D-44fd-81A6-B136188F5DEB) has been checked. Hit rate: 69,44%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([8333c319-0669-4893-a418-f56d9249fca6] - Result: 8333C319-0669-4893-A418-F56D9249FCA6) has been checked. Hit rate: 80,56%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([9c691a33-7dda-4c2f-be4c-c176083f35cf] - Result: 9C691A33-7DDA-4C2F-BE4C-C176083F35CF) has been checked. Hit rate: 61,11%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([e52dedbb-d168-4bdb-b229-c48160800e81] - Result: E52DEDBB-D168-4BDB-B229-C48160800E81) has been checked. Hit rate: 63,89%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)    
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([ffd2825e-0785-40c5-9a41-518f53a8261f] - Result: FFD2825E-0785-40C5-9A41-518F53A8261F) has been checked. Hit rate: 75,00%
   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe    
Safe.   Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start -> Settings -> Control Panel -> Display. Some users may need it if they have optimised their settings
Hit rate: 79,17 % (result)
   
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"    
Safe.   PC-Cillin 2002 antivirus software
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe    
Safe.   Java from Sun
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"    
Safe.   OmniPage SE2
Hit rate: 100,00 % (result)
   
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime    
Safe.   QuickTime
Hit rate: 100,00 % (result)
   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"    
Safe.  
Hit rate: 100,00 % (result)
   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe    
Nasty   This entry was classified from our visitors as bad.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe    
Unknown  
Hit rate: 0,00 % (result)
   Unknown application.
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe    
Safe.   CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services
Hit rate: 55,00 % (result)
   
  O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"    
Safe.   Active sync for use with Windows CE based palm PC
Hit rate: 54,17 % (result)
   
  O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon    
Safe.   Handy Backup - automatic backup of your critical data to virtually any type of storage media including CD-RW devices and remote FTP servers
Hit rate: 93,75 % (result)
   
  O4 - Global Startup: BTTray.lnk = ?    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE    
Safe.  
Hit rate: 68,75 % (result)
   
  O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm    
Safe.   The entry Send To &Bluetooth has been identified as safe.
   If the entry 'Send To &Bluetooth ' is not needed anymore, it should be fixed.
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll    
Safe.   The entry has been identified as safe.
   If the entry '' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll    
Safe.   The entry Sun Java Console has been identified as safe.
   If the entry 'Sun Java Console ' is not needed anymore, it should be fixed.
  O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll    
Safe.   The entry Create Mobile Favorite has been identified as safe.
   If the entry 'Create Mobile Favorite ' is not needed anymore, it should be fixed.
  O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll    
Safe.   The entry has been identified as safe.
   If the entry '' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll    
Safe.   The entry Create Mobile Favorite... has been identified as safe.
   If the entry 'Create Mobile Favorite... ' is not needed anymore, it should be fixed.
  O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm    
Safe.   The entry @btrez.dll, has been identified as safe.
   If the entry '@btrez.dll,' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm    
Safe.   The entry @btrez.dll, has been identified as safe.
   If the entry '@btrez.dll,' is not needed anymore, it should be fixed.
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe    
Safe.   The entry Messenger has been identified as safe.
   If the entry 'Messenger ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe    
Safe.   The entry Windows Messenger has been identified as safe.
   If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
  O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab   
Safe.   This entry has been identified as safe.
   
  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204   
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab   
Safe.   This entry has been identified as safe.
   
  O17 - HKLM\System\CCS\Services\Tcpip\..\{42246CE4-06C7-4492-8335-617B3AF63396}: NameServer = 192.168.1.1    
Safe.   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.
   The entered IP or Domain '192.168.1.1' has been identified as safe.
  O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)    
Safe.   Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.
   This entry has been identified as safe.
  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe    
Safe.   These entries show all services which are not from Microsoft. Malware often starts as a system service and is not easy to detect.
   This service (Ati2evxx.exe) was identified as a good one.
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe    
Safe.   These entries show all services which are not from Microsoft. Malware often starts as a system service and is not easy to detect.
   This service (btwdins.exe) was identified as a good one.
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe    
Safe.   This entry was classified from our visitors as good.
   Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
  O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (PcCtlCom.exe) was identified as a good one.
  O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (slserv.exe) was identified as a good one.
  O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (Tmntsrv.exe) was identified as a good one.
  O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (TmPfw.exe) was identified as a good one.
  O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (tmproxy.exe) was identified as a good one.
  O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe    
Safe.   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (ULCDRSvr.exe) was identified as a good one.


This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
0
 
LVL 6

Expert Comment

by:Dale May
ID: 16890755
Dear Rex,
Could you please start a new question? Buy some points and post a new question, and we will be glad to help all we can. Thanks, D_may
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16891189
DuarteR,

They're new smitfraud files, pretty much still there!

Is that the latest Hijackthis scan log?
If not, can you give us the latest one and please post it to this link? The site where you posted it is a little confusing for me (since I don't rely on their analysis).

Can you paste it to this link instead?
Paste the hijackthis log to this site --> http://www.rafb.net/paste/

then at the bottom left corner click "paste"
Copy the address/url and post it here:

0
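As an added example (not code from any participant in this thread): a small Python triage helper that parses the O17/O18/O20/O23 lines of a HijackThis log like the one quoted above and flags what a human analyst checks first. The heuristics (nameserver outside RFC1918 space, handler pointing at a missing file, notify DLL outside the Windows directory, service with no owner string) and the sample log are my own assumptions; the last sample line is constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of the HijackThis log quoted above. The final O17
# line (a documentation-range address under an all-zero GUID) is invented so the
# "nameserver not on the LAN" branch has something to fire on.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{42246CE4-06C7-4492-8335-617B3AF63396}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_line(line):
    """Return the analyst flags for one HijackThis line; an empty list means nothing to check."""
    flags, line = [], line.strip()
    if m := O17_RE.match(line):
        # A home/office nameserver is normally the LAN router; anything else needs confirming.
        for server in re.split(r"[ ,]+", m.group("servers")):
            try:
                on_lan = any(ipaddress.ip_address(server) in net for net in RFC1918)
            except ValueError:
                on_lan = False  # a hostname rather than an address, treat as unconfirmed
            if not on_lan:
                flags.append(f"O17 nameserver is not a LAN address, confirm it with the ISP: {server}")
    elif m := O18_RE.match(line):
        if "(file missing)" in m.group("path"):
            flags.append(f"O18 handler {m.group('name')} points at a missing file, dead entry")
    elif m := O20_RE.match(line):
        # Notify DLLs load inside winlogon.exe; one outside the Windows directory is unusual.
        if not m.group("path").lower().startswith("c:\\windows\\"):
            flags.append(f"O20 notify DLL {m.group('name')} lives outside Windows: {m.group('path')}")
    elif m := O23_RE.match(line):
        if m.group("owner").lower() == "unknown owner":
            flags.append(f"O23 service {m.group('name')} has no publisher string, check its signature: {m.group('path')}")
    return flags

def triage_log(text):
    """Map each log line that raised a flag to its flags, in file order."""
    return {ln.strip(): f for ln in text.splitlines() if ln.strip() and (f := triage_line(ln))}
```

The legitimate ATI service being flagged for "Unknown owner" shows what the output is: an order in which to look, not a verdict, and a path under system32 is no clearance either.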
 

Expert Comment

by:vainternet
ID: 16932175
Well, you won't be able to remove this virus with any virus checker unless you boot your computer in Safe-mode.

If you don't then the registry loads the virus on start up, so the checker won't delete it as it is in use.

To boot in safe mode, restart, then hammer the F8 key.

Choose safe mode, then load the virus checker of your choice.

Personally we like

kaspersky anti virus http://www.kaspersky.com/ $$
Spybot SD http://www.download.com/3000-2144-10122137.html FREE

Enjoy! Hope this gets rid of your virus.

Michael

http://www.vainternet.co.uk
0
 

Expert Comment

by:Rex_Browne
ID: 16940886
Thank you very much for your help. The www.hijackthis.de log paste and analysis, followed by deletion of the high-risk .exe files, seems to have fixed it all.

best wishes
0
