First we have to take care of the Smitfraud trojan.
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Please right-click:
HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.
Locate "
smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click
YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
I need you to copy all of the Killbox file paths below and paste them into Notepad.
* Please download the
Killbox by Option^Explicit.
*In the event you already have Killbox, this is a new version that I need you to download.
* Unzip to your desktop.
* Please double-click
Killbox.exe to run it.
* Select "
Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click
FIX CHECKED
items to fix
Close HiJackThis.
Reboot into normal mode.
1.) Download
The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.
2.) Right-Click
HERE and Save As to download DelDomains.inf to your desktop.
To use:
RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
I have some additional information. I ran Microsoft AntiSpyware program again and it found 13 registry files infected with iSearch.DesktopSearch. It cleaned them and when I ran it again, it did not find anything.
I was unable to find Security IGuard, Virtual Maid and Search Maid on my system.
My internet explorer still cannot access the internet, even though my email works. All my network connections are still missing.
I have followed your instructions and have been successful at removing the Security warning that displayed in the middle of my screen. I have not however been successful in eliminating the error messages for QCWKICON.exe, WPC55AG.exe, jusched.exe, QCTray.exe msmsgs2.exe.
The only issues I had with your instructions were when attempting to paste the list of files from Noteoad into KillBox, it would not accept the list. I had to to place the files on one line and separate them by a space. It seems to have worked.
When I attempted to run cleanup, I got the following messageCleanup.exe failes to initialize properly 0xC0000005. Click OK to terminate.
Here is the output from the HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:03:49 PM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
When I reboot my PC, if I have my network connected to it, it sees all the network and connects to it. I am able to download my e-mail using outlook express. If I doubleclick my network connections icon, it is empty. It should have in there a LAN definition, a wireless definition, a definition for my work connection, and definitions for other server I connect to. It is telling me that my Network Connections System Folder is empty.
I have some of these network connections as icons on my desktop. When I right-click to look at their properties, it is very slow to respondand then it gives me target type = {BA126AD7-2166-11D1-B1D0-00805FC1270E} and target is set to the same.
I do not get any specific error messages except those on startup (listed earlier). Id I start IE and specifiy an address, nothing happens.
Let's see if cleaning up the log somemore will help you out.
It should...
Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.
Go to
Add/Remove programs and remove(uninstall) the following, if present:
Desktop Search Web Related
The above could appear anywhere within the entry. Be careful not to remove any
personal or
system software.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Post back a new log, and let me know how everything goes.
Steve
Please follow that - and then post back here with a new hijackthis log please.
Having a problem figuring this out?
Here is a private online chat program established to help you in real time with this problem. Follow the instructions below and log on. I am on and off all day long.
Online Assistance.
Just click on the link (left click) and save it to your desktop, or
right-click and select "Save Link As..." or "Save Target As...".
Double-click the downloaded program, it to start it up (you'll need
.NET installed for it to run properly), then just enter your Dell forum
name (mine is "zbestwun2001").
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
I am still getting this error on CleanUp also.
Desktop Search - did not exist Web Related - did not exist
irbjf3ype4jr.dll - did not exist
I did get an error while running fix checked, but it seems to have removed teh files.
Here is the latest output from HiJackThis:
Logfile of HijackThis v1.99.1 Scan saved at 11:51:12 AM, on 6/8/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Thanks, but I will not be to able to chat. If you have the time, can you tell me what I need to do in the future to prevent such a disaster from occurring? I was just surfing looking for furniture when everything went haywire.
My data appears to be OK. Do you think it is safe to copy it to another computer via CD before reinstalling?
I will log on to the assister if you want to chat now, if you want to chat.
Steve
Online Assistance.
Just click on the link (left click) and save it to your desktop, or
right-click and select "Save Link As..." or "Save Target As...".
Double-click the downloaded program, it to start it up (you'll need
.NET installed for it to run properly), then just enter your Dell forum
name (mine is "zbestwun2001").
I have run that program as instructed. It removed 75 additional infected files. I rebooted, still get the same errors on reboot. When Irun Kav I get file wininet.dll isinfected, but it cannot correct it.
When save data I think of documents, songs, pictures, favorite places etc.ve
What I would do is back all that up. The programs that you have installation disks for you will install after you are up and running.
I would make a list of programs that you donwnloaded and installed and also put them all on a disk. Some will have to be installed anyway on the new OS but make of list of the progmans that you have.
Other than that, before you even plug your Ethernet cord in make sure you have a firewall up and running. This is very important. I use 2 just to be safe.
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 7th, 2005 18:00
Let's see if we can get this straightened out.
First we have to take care of the Smitfraud trojan.
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.
Locate " smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES
I need you to copy all of the Killbox file paths below and paste them into Notepad.
* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Unzip to your desktop.
* Please double-click Killbox.exe to run it.
* Select " Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
* Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
* Click the red-and-white " Delete File" button. Click " Yes" at the Delete on Reboot prompt. Click " No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Make sure you can view hidden files.
Using Windows Explorer, delete the following, if found, ( please do NOT try to find them by "search" because they will not show up that way)
FOLDERS to delete (in bold) if found:
C:\Program Files\ Search Maid
C:\Program Files\ Virtual Maid
C:\Windows\System32\ Log Files
C:\Program Files\ Security IGuard
While still in Safe Mode, do the following:
Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED
items to fix
Close HiJackThis.
Reboot into normal mode.
1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.
2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
3.) Download, install, and run CleanUp!
4.) Run this online virus scan: ActiveScan - Save the results from the scan!
Post a new HiJackThis log along with the results from ActiveScan.
Steve
astroj
8 Posts
0
June 8th, 2005 01:00
Hi Steve,
I have some additional information. I ran Microsoft AntiSpyware program again and it found 13 registry files infected with iSearch.DesktopSearch. It cleaned them and when I ran it again, it did not find anything.
I was unable to find Security IGuard, Virtual Maid and Search Maid on my system.
My internet explorer still cannot access the internet, even though my email works. All my network connections are still missing.
Thanks again for any help you can offer.
astroj
8 Posts
0
June 8th, 2005 01:00
Scan saved at 10:03:49 PM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IPSec Client\trayicon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {319A68DB-06D0-46DA-9F93-A810D5A70836} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NPDTray] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WPC55AG.exe] C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: IPSecClient Icon.lnk = C:\Program Files\IPSec Client\trayicon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud1.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.05.04&http://www.toyota.com/vehicles/2004/highlander/ext360.html
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.factset.com/iNotes.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100494940146
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://gsg.pharma.com/msrdp.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://192.168.100.8:8888/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://192.168.100.8:8888/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://192.168.100.8:7779/forms90/jinitiator/jinit.exe
O20 - AppInit_DLLs: irbjf3ype4jr.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: tcpGDC - C:\WINDOWS\SYSTEM32\tcpGDC.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 8th, 2005 02:00
What happens when you try to get to the net?
What error message do you get when trying to get ot a site?
Steve
astroj
8 Posts
0
June 8th, 2005 13:00
When I reboot my PC, if I have my network connected to it, it sees all the network and connects to it. I am able to download my e-mail using outlook express. If I doubleclick my network connections icon, it is empty. It should have in there a LAN definition, a wireless definition, a definition for my work connection, and definitions for other server I connect to. It is telling me that my Network Connections System Folder is empty.
I have some of these network connections as icons on my desktop. When I right-click to look at their properties, it is very slow to respondand then it gives me target type = {BA126AD7-2166-11D1-B1D0-00805FC1270E} and target is set to the same.
I do not get any specific error messages except those on startup (listed earlier). Id I start IE and specifiy an address, nothing happens.
Do you recommend that I rebuild my PC?
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 8th, 2005 13:00
Give me some time to research this and I will get back to you.
Steve
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 8th, 2005 14:00
It should...
Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.
Go to Add/Remove programs and remove(uninstall) the following, if present:
Desktop Search
Web Related
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O3 - Toolbar: (no name) - {319A68DB-06D0-46DA-9F93-A810D5A70836} - (no file)
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.05.04&http://www.toyota.com/vehicles/2004/highlander/ext360.html
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://192.168.100.8:8888/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://192.168.100.8:8888/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://192.168.100.8:7779/forms90/jinitiator/jinit.exe
O20 - AppInit_DLLs: irbjf3ype4jr.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: tcpGDC - C:\WINDOWS\SYSTEM32\tcpGDC.dll
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
folders...
C:\WINDOWS\isrvs
files...
C:\WINDOWS\msmsgr2.exe
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\SYSTEM32\tcpGDC.dll
Search for...
irbjf3ype4jr.dll
...using " Start | Search...".
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".
Post back a new log, and let me know how everything goes.
Steve
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 8th, 2005 15:00
You have a infection that needs a 'process' to remove.
It is described here in a Post by CalamityJane
Please follow that - and then post back here with a new hijackthis log please.
Having a problem figuring this out?
Here is a private online chat program established to help you in real time with this problem. Follow the instructions below and log on. I am on and off all day long.
Online Assistance.
Just click on the link (left click) and save it to your desktop, or
right-click and select "Save Link As..." or "Save Target As...".
Double-click the downloaded program, it to start it up (you'll need
.NET installed for it to run properly), then just enter your Dell forum
name (mine is "zbestwun2001").
Steve
astroj
8 Posts
0
June 8th, 2005 15:00
Thank you for your help.
I will try and follow the new instructions tonight. Will update then.
astroj
8 Posts
0
June 8th, 2005 15:00
I did what you suggested. I am still getting the following errors when I reboot.
QCWLICON.exe, WPC55AG.exe, QCTray.exe, jusched.exe
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
I am still getting this error on CleanUp also.
Web Related - did not exist
I did get an error while running fix checked, but it seems to have removed teh files.
Here is the latest output from HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:51:12 AM, on 6/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\IPSec Client\trayicon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NPDTray] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WPC55AG.exe] C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\WPC55AG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: IPSecClient Icon.lnk = C:\Program Files\IPSec Client\trayicon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud1.sports.sc5.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.factset.com/iNotes.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100494940146
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://gsg.pharma.com/msrdp.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CAFECAFE-0013-0001-0008-ABCDEFABCDEF} (JInitiator 1.3.1.8) - http://192.168.100.8:8888/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://192.168.100.8:8888/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://192.168.100.8:7779/forms90/jinitiator/jinit.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
astroj
8 Posts
0
June 10th, 2005 20:00
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 10th, 2005 20:00
Steve
Online Assistance.
Just click on the link (left click) and save it to your desktop, or
right-click and select "Save Link As..." or "Save Target As...".
Double-click the downloaded program, it to start it up (you'll need
.NET installed for it to run properly), then just enter your Dell forum
name (mine is "zbestwun2001").
astroj
8 Posts
0
June 10th, 2005 20:00
I have run that program as instructed. It removed 75 additional infected files. I rebooted, still get the same errors on reboot. When Irun Kav I get file wininet.dll isinfected, but it cannot correct it.
At this point, I am ready to reinstall my OS.
Thanks for your help
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 10th, 2005 21:00
What I would do is back all that up. The programs that you have installation disks for you will install after you are up and running.
I would make a list of programs that you donwnloaded and installed and also put them all on a disk. Some will have to be installed anyway on the new OS but make of list of the progmans that you have.
Other than that, before you even plug your Ethernet cord in make sure you have a firewall up and running. This is very important. I use 2 just to be safe.
Steve