I've been having problems with my homepage being hijacked, "security" icons appearing on my desktop, a ! icon appearing on my taskbar (system alert: spyware detected), ActiveX errors (probably for popups I can't see) and IE closing on me. HijackThis logfile available, please someone take a look at it. P.S. Spybot and Ad-Aware both find and remove a bunch of stuff every time they are run but the problem persists.

download stinger and run it. See if that rectifies your problem. Before you run it, probably d/l crap cleaner as well as ATF-cleaner and run them. They will get rid of all the excess junk so your scans don't take so long. Post back
Hopefully my advice will help you... Please post back with your results.... thanks

After running the smitrem and roguescanfix, along with cleaning up using HijackThis, Spybot, and Ad-Aware, the results are posted below. I've done all this before and the problem came back a day later (the first time I did all this in safe mode with networking and the malware had loaded, probably because I opened IE to come here). Am I missing anything?
Logfile of HijackThis v1.99.1
Scan saved at 7:48:31 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Security\hijackthis\HijackThis.exe

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll

Thanks

Are you sure? Because I've never come across any instances of SpyFalcon and none of the associated program files or registry entries seem to be in my system.

Actually never mind, since all the other files were probably just deleted. The winzdn32 is probably what keeps reinfecting. Is there a reason why I can't just use HijackThis to remove it?

Although you have done some of this, follow this procedure then post a new HT log. You only have one O4 running; do you have any item disabled in msconfig?
Download FixSF.reg from this link http://www.bleepingcomputer.com/files/reg/FixSF.reg to your desktop.
Next please download smitRem.zip and save it to your desktop from this link http://noahdfear.geekstogo.com/smitRem.exe
Open the file and it will extract itself to a new folder called SmitRem on your desktop.
Next go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.
Now please reboot your computer into Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Select the first option, to run Windows in Safe Mode.
When you are at the logon prompt, log in as an Administrator.
Go to start>control panel>add/remove programs and uninstall SpyFalcon or SpyQuake if found.
Next while still in safe mode close all windows. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller.
Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.
Wait for the tool to complete and Disk Cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
While still in safe mode run HT again and remove:
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
Reboot into normal mode.

Yes, I usually have all my msconfig startup items disabled. I followed your instructions, removed O20, ran HT again to verify and it was not found, but the winzdn32.dll remained in the system32 folder (unable to delete). When I rebooted and ran HT again it found O20 again. Any other ideas?

Download Killbox from this link http://www.atribune.org/content/view/19/2/ by Atribune.
From safe mode run HT again and remove the O20 item.
Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
C:\WINDOWS\SYSTEM32\winzdn32.dll
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Run ATF-Cleaner from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Killbox was unable to delete the file. Might I try deleting on reboot or one of the other options?

Absolutely, this will probably work.
In safe mode navigate to C:\WINDOWS\SYSTEM32\winzdn32.dll
Right click on the file>click rename>rename the file to winold.dll>click a blank spot on the screen and see if the file name changed.
If it did run HT again and remove this:
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll (file missing)
Next navigate back to the C:\WINDOWS\System32\winold.dll and delete it.

Already did that, renamed it to something obscene but still can't delete. HT did not find it but I haven't rebooted yet. What I did was cut and paste it into a folder on my desktop for now. I'll reboot, run HT again and try to delete.

Victory! After a reboot the file could not load because it had been renamed/moved and therefore was not in use and could be deleted. I should have just done this to begin with. Much thanks for your help jabuck.
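An added example, not posted by anyone in this thread: a small Python parser for the HijackThis log format shown above that pulls out the O-entries and triages the O20 Winlogon Notify lines, distinguishing a DLL that is still present (and therefore held open by winlogon.exe, which is why Killbox and a plain delete failed here) from one HijackThis already marks "(file missing)". The sample log is constructed in the same layout as the one in the thread; the second O20 line is made up to show the "(file missing)" form.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the HijackThis 1.99.1 log posted in the thread;
# the second O20 line is made up to show the "(file missing)" form.
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\system32\\winlogon.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKCU\\..\\Run: [AIM] C:\\Program Files\\AIM\\aim.exe -cnetwait.odl
O20 - Winlogon Notify: winzdn32 - C:\\WINDOWS\\SYSTEM32\\winzdn32.dll
O20 - Winlogon Notify: oldnotify - C:\\WINDOWS\\SYSTEM32\\oldnotify.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")  # e.g. "O20 - Winlogon Notify: <rest>"

@dataclass
class Entry:
    code: str      # section, e.g. "O20"
    kind: str      # "Winlogon Notify", "Toolbar", "HKCU\\..\\Run", ...
    name: str      # registry subkey, [Run] item name or toolbar title
    target: str    # file path the entry points at
    missing: bool  # HijackThis appended "(file missing)"

def parse_hjt(text: str) -> list[Entry]:
    """Parse the O-entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, kind, rest = m.groups()
        missing = rest.endswith("(file missing)")
        rest = rest[:-len("(file missing)")].strip() if missing else rest
        if code == "O4":                 # "[name] target args"
            name, _, target = rest.lstrip("[").partition("] ")
        else:                            # "name - target"; the last " - " separates them
            name, _, target = rest.rpartition(" - ")
        entries.append(Entry(code, kind, name, target, missing))
    return entries

def triage_winlogon_notify(entries: list[Entry]) -> list[str]:
    """O20 DLLs load inside winlogon.exe at every logon, Safe Mode included, so a
    present one stays locked until it is renamed or moved and the machine rebooted."""
    out = []
    for e in entries:
        if e.code == "O20" and e.missing:
            out.append(f"{e.name}: DLL already gone, remove the stale O20 entry")
        elif e.code == "O20":
            out.append(f"{e.name}: {e.target} is loaded by winlogon.exe; rename or move it, "
                       "remove the O20 entry, then delete the file after reboot")
    return out
```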
