Thank you very much Ron. After running smitfraudfix I got the browser settings back and the virus alert in the task bar is also gone. I think the problem is solved. To make sure about the same I have listed the contents of the Hijackthis log file and rapport.txt contents below.
Contents of HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:50:39 PM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Contents of rapport.txt after running smitfraudfix :
SmitFraudFix v2.41
Scan done at 22:38:51.01, Mon 05/08/2006
Run from C:\Documents and Settings\Janaki Venkatesh\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
You can delete any programs we had you install but leave Hijackthis for now. You can also run Hijackthis, View the List of Backups and Delete All. If we used killbox its backup files can be removed now too. Run Killbox and select File, Cleanup, Delete All Backups. If you have an antivirus, check its quarantined files and delete any it had found.
You should also definitely toggle System Restore Off and then back On.
Following site has very clear instructions for turning it off. To turn it back on you just repeat the instructions but uncheck the box where it says to Turn Off System Restore on all Drives.
The reason we do this is to remove any archived copies of the infection from System Restore so that if you have to use SYstem Restore to fix a problem you won't accidentally reinfect your system. The next link explains how to use System Restore to go back in time if you hit a bad site or get infected.
One way to make an infection more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new. You do this by None of the Above Just start the program, Config (Main) and then check the box in front of Run Hiajckthis at startup and show it when items are found. OK. Then if Hijackthis opens after a boot it will show you any new programs that have been added. You can then decide if you want to keep them or not. If in doubt you can google for the .exe or .dll file at the end of the entry and see if what other people think of it.
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions which have exploitable flaws.
If you have an older PC get rid of Microsoft Java Virtual Machine.
Following site explains how to tell if you have it:
If you feel that Internet Explorer is running a bit slower after the latest Java update you can try checking this line and then Fix Checked.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
It was added by the latest version of Java. We don't know why. Earlier versions did not have it. It has been proven to slow down connections on some systems and removing it doesn't seem to hurt anything.
Other items you may wish to get rid of if you own a Dell are:
THese are from the MyWay Adware program installed on most Dells. The uninstaller was broken on many of them. To remove just close Internet Explorer, run HijackThis (scan only) and check them then Fix Checked.
If you are not running the latest version of Adobe you should consider updating. There are reports of a loophole for hackers in pre 7.03 versions. As an alternative you can dump adobe completely and use fox-it instead: http://www.foxitsoftware.com/pdf/rd_intro.php
If you do not have an antivirus program or the one you have was a trial that has expired then try the free antivirus for home users from Avast! http://www.avast.com/eng/download-avast-home.html (Uninstall any other antivirus program first.)
If you run Macromedia Flash make sure you have the latest version. We just got a warning the following versions are vulnerable: * Flash Player 8.0.22.0 and earlier * Flash Professional 8 * Flash Basic * Flash MX 2004 * Flash Debug Player 7.0.14.0 and earlier * Flex 1.5 * Breeze Meeting Add-In 5.1 and earlier * Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
RKinner
2 Intern
•
5.9K Posts
0
May 8th, 2006 23:00
Start with this:
http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=34432
then post a new HJT log as a reply and tell me if you still have problems.
Ron
janakivenkatesh
4 Posts
0
May 9th, 2006 02:00
Scan saved at 10:50:39 PM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\oracle\ora92\jdk\bin\java.exe
c:\oracle\ora92\bin\isqlplus
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Janaki Venkatesh\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/0.9.0944.26/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142300621238
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLE - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
Run from C:\Documents and Settings\Janaki Venkatesh\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
RKinner
2 Intern
•
5.9K Posts
0
May 9th, 2006 13:00
Log looks good.
Ron
A Few Recommendations.
You can delete any programs we had you install but leave Hijackthis for now. You can also run Hijackthis, View the List of Backups and Delete All. If we used killbox its backup files can be removed now too. Run Killbox and select File, Cleanup, Delete All Backups. If you have an antivirus, check its quarantined files and delete any it had found.
You should also definitely toggle System Restore Off and then back On.
Following site has very clear instructions for turning it off. To turn it back on you just repeat the instructions but uncheck the box where it says to Turn Off System Restore on all Drives.
http://www.f-secure.com/v-descs/sfc_dis1.shtml
The reason we do this is to remove any archived copies of the infection from System Restore so that if you have to use SYstem Restore to fix a problem you won't accidentally reinfect your system. The next link explains how to use System Restore to go back in time if you hit a bad site or get infected.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
One way to make an infection more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new. You do this by None of the Above Just start the program, Config (Main) and then check the box in front of Run Hiajckthis at startup and show it when items are found. OK. Then if Hijackthis opens after a boot it will show you any new programs that have been added. You can then decide if you want to keep them or not. If in doubt you can google for the .exe or .dll file at the end of the entry and see if what other people think of it.
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:.
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
Always run a firewall. The one in XP SP2 is pretty good tho I think the free one from Zone Alarm is better.
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
Turn on Autoupdates so you always get the latest patches from Windows.
Never hurts to do one of the free on line scans from Panda or Trend. They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
I like to run Spybot S&D.
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while.
http://www.lavasoftusa.com/software/adaware/
Get the latest version of
Java:
http://www.java.com/en/download/windows_automatic.jsp
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions which have exploitable flaws.
If you have an older PC get rid of Microsoft Java Virtual Machine.
Following site explains how to tell if you have it:
http://www.java.com/en/download/help/uninstall_msvm.xml
The automated removal tool is no longer available on Microsoft's site but can be obtained here:
Download the MSJVM Removal Tool from:
http://www.majorgeeks.com/download4158.html
and run it.
If you feel that Internet Explorer is running a bit slower after the latest Java update you can try checking this line and then Fix Checked.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
It was added by the latest version of Java. We don't know why. Earlier versions did not have it. It has been proven to slow down connections on some systems and removing it doesn't seem to hurt anything.
Other items you may wish to get rid of if you own a Dell are:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
THese are from the MyWay Adware program installed on most Dells. The uninstaller was broken on many of them.
To remove just close Internet Explorer, run HijackThis (scan only) and check them then Fix Checked.
If you are not running the latest version of Adobe you should consider updating. There are reports of a loophole for hackers in pre 7.03 versions.
As an alternative you can dump adobe completely and use fox-it instead:
http://www.foxitsoftware.com/pdf/rd_intro.php
If you do not have an antivirus program or the one you have was a trial that has expired then try the free antivirus for home users from Avast!
http://www.avast.com/eng/download-avast-home.html (Uninstall any other antivirus program first.)
If you run Macromedia Flash make sure you have the latest version. We just got a warning the following versions are vulnerable:
* Flash Player 8.0.22.0 and earlier
* Flash Professional 8
* Flash Basic
* Flash MX 2004
* Flash Debug Player 7.0.14.0 and earlier
* Flex 1.5
* Breeze Meeting Add-In 5.1 and earlier
* Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
Also advise you to dump weatherbug if you have it. Start, Control Panel, Add/Remove Programs.
If you need weather then get The Weather Channel's program at:
http://www.weather.com/services/desktop.html?from=wxtoolspage&refer=wxtoolspage
janakivenkatesh
4 Posts
0
May 10th, 2006 12:00