561 Posts

August 9th, 2006 16:00

Hi

I'm Bod and here to help you with your Hijack This log.

Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

I've had a look through your log and I now have some instructions for you to follow.

Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.

You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.

Please follow and carry out all the steps in the instructions in the order I've listed them.

Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.

Step 1
You need to temporarily disable Spybot S&D TeaTimer. Run Spybot-S&D and go to the Mode menu, and make sure Advanced Mode is selected
On the left hand side, choose Tools > Resident
Uncheck Resident TeaTimer and OK any prompts.
Reboot as normal.

Step 2
Press Ctrl-Alt-Del and choose "Task Manager". Click on the "Processes" tab and click on the "Show processes from all users" check box to put a tick in the box. Click on the column heading "Image Name", then look for each of the following processes in the list.
smartdrv.exe
officescan.exe
system32fab.exe

For each one present, click to highlight then click on "End Process". If a process is listed more than once, you need to end all copies of the process.
Close Task Manager.

Step 3
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

Click on "Fix checked".

Step 4
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the "Display the contents of system folders" and "Show hidden files and folders" check boxes. Uncheck the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Click "OK".
Navigate to the following files and delete each of them. Some may not be present.
C:\WINDOWS\system32\smartdrv.exe
C:\WINDOWS\system32\officescan.exe
C:\WINDOWS\system32fab.exe
C:\WINDOWS\system32\office_pnl.dll
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe

Reboot as normal.

Step 5
Download ATF Cleaner from http://www.atribune.org/ccount/click.php?id=1

Run ATF Cleaner. Click on the check box to select the following options:
Windows Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Recycle Bin

Click "Empty Selected". Exit when finished.

Step 6
Download Ewido from www.ewido.net/en/download, and install. At the end of the installation process, leave the tick in the "Run Ewido Anti-Spyware 4.0" checkbox. Click "Finish".

When the opening screen appears, click "change state" for "Resident Shield" to change the state to "inactive". This is done to prevent the resident shield interfering with our attempts to fix the problems present on the pc.

Ewido will automatically update, and a toolbar message balloon will confirm that update is complete. If this doesn't happen, click Update > Start Update.

Close Ewido.

Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.

Run Ewido again, click Scanner > Complete System Scan.

At the end of the scan, a list of found objects will be generated. Check through the list for false positives, and change the "Action" entry if necessary.

Click "Apply all actions".

When the actions have been completed, click Save Report > Save report as, and save report as a text file on your desktop. I will need a copy of the report contents as part of your next post.

Reboot as normal.

Step 7 - Java Update - This is essential, earlier versions of Java can be exploited
Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7.
Click the link "Download JRE 5.0 Update 7". You will then need to select "Accept License Agreement" and click "Continue". Then click the link "Windows Offline Installation, Multi-language", and save it to your Desktop.
Then go back to your Desktop and double click "jre-1_5_0_07-windows-i586-p.exe" to start the install.

Once you have it installed, Click Start > Control Panel > Add/Remove Programs.
Allow the list to populate, then click on "Remove" for "J2SE Runtime Environment 4.2 Update 3" and any other Java entries other than the latest version you've just added.

Step 8
Run Hijack This, "Scan" and post the log, together with the Ewido log, as a reply to this thread. I'll check it through, and get back to you.

Thanks,

Bod
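An added PowerShell example, not part of Bod's post or of HijackThis itself, that audits the same two categories the log above reports (O2 Browser Helper Objects and O4 HKLM Run entries) and flags BHOs whose DLL is missing, i.e. the "(no file)" lines, plus the CLSIDs and Run names quoted in Step 3. Function names are my own; it only reads the registry and reports, it changes nothing.

```powershell
# Added example: read-only audit of BHO (O2) and HKLM Run (O4) entries.
# The CLSIDs and Run value names below are the ones quoted in the post above.
$SuspectClsids = @(
    '{B53455DB-5527-4041-AC41-F86E6947AA47}',   # office_pnl.dll in the log
    '{00000000-59D4-4008-9058-080011001200}'    # one of the "(no file)" entries
)
$SuspectRunNames = @('Adware.Srv32', 'Transponder')

function Get-BhoEntries {
    # Enumerate registered BHOs and resolve each CLSID to its InprocServer32 DLL.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return @() }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = $null
        if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)' }
        $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        [pscustomobject]@{
            Clsid   = $clsid
            Dll     = $dll
            Present = [bool]($expanded -and (Test-Path -LiteralPath $expanded))  # $false = "(no file)"
            Suspect = $SuspectClsids -contains $clsid                              # -contains ignores case
        }
    }
}

function Get-RunEntries {
    # HKLM Run values (HijackThis O4 lines) with the target executable checked on disk.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $meta   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    (Get-ItemProperty $runKey).PSObject.Properties |
        Where-Object { $_.Name -notin $meta } |
        ForEach-Object {
            $cmd = [string]$_.Value
            # Quoted path -> take the quoted part; otherwise the first token is the exe.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Name    = $_.Name
                Command = $cmd
                Present = [bool]($exe -and (Test-Path -LiteralPath $exe))
                Suspect = $SuspectRunNames -contains $_.Name
            }
        }
}

# Report only what would merit a line in the "fix" list: orphaned or named entries.
Get-BhoEntries | Where-Object { -not $_.Present -or $_.Suspect } | Format-Table -AutoSize
Get-RunEntries | Where-Object { -not $_.Present -or $_.Suspect } | Format-Table -AutoSize
```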


August 19th, 2006 10:00

Hi,

It's now been at least 7 days since your last post. I am presuming now that your problem has been solved and this topic is now inactive.

I will keep tabs on this post for another 7 days from this date, after which if you need help you should start a new topic.

If you should wish to reply before the 7 days have passed, then please simply post a fresh HJT log before proceeding further.

Thanks,

Bod
