Options
desktop
Hi guys. I've tried to follow the instructions I have seen yet I still can't seem to get rid of this thing. It's the problem with the dwwin.exe error. I've deleted intel32.exe with hijack this and also tried it manually but it keeps coming back. Here is my hjt log and also the panda log. Any help would be greatly appreciated.
Logfile of HijackThis v1.99.0
Scan saved at 10:37:01 PM, on 7/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Aladdin Systems\StuffIt Standard\stuffit.exe
C:\Program Files\Aladdin Systems\StuffIt Standard\stuffit.exe
C:\Documents and Settings\Raju\Application Data\Aladdin Systems\StuffIt\Temp\KillBox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Print Spooler - Unknown - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Incident Status Location
Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\RAJU\FAVORITES\ONLINE GAMBLING\Online Gambling.url
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\SYSTEM32\winupdak.dll
Adware:adware/popuper No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Online Dating.url
Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\PSGuard spyware remover.lnk
Adware:adware/cws.yexe No disinfected C:\messanger.ini
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Admilli Service
Spyware:spyware/iesearchtoolbarNo disinfected C:\PROGRAM FILES\IESearchToolbar
Adware:adware/downloadware No disinfected C:\PROGRAM FILES\Recommended Hotfix - 421701D
Adware:adware/startpage.aco No disinfected C:\DOCUMENTS AND SETTINGS\RAJU\FAVORITES\ADULT STORE
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/topconvert No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN
Adware:adware/instdollars No disinfected HKEY_CLASSES_ROOT\CLSID\{861FDA2A-2B57-4BDA-8B8B-305C9D5D8604}
Adware:adware/ncase No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK
Virus:Trj/Lowzones.T Disinfected C:\Documents and Settings\Raju\Desktop\backup-20041214-185251-284.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinAdServX.dll.tcf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Virus:Trj/Lowzones.T Disinfected C:\WINDOWS\inet10054\1.02.05.dll
Virus:Trj/Dao.A Disinfected C:\WINDOWS\sys2416.exe
Virus:Trj/Gritz.D Disinfected C:\WINDOWS\system\user32.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20041203-183447.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20041203-184511.backup
Virus:Trj/Adfavo.A Disinfected C:\WINDOWS\system32\myin.hta
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\system32\tmp.exe
Virus:W32/Mitglieder.AT.worm Disinfected C:\WINDOWS\system32\windllsys32.exe.tcf
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
Virus:Trj/Runet.A Disinfected C:\WINDOWS\_h.html
Adware:Adware/Startpage.LI No disinfected C:\WINDOWS\_s.html
Logfile of HijackThis v1.99.0
Scan saved at 10:37:01 PM, on 7/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Aladdin Systems\StuffIt Standard\stuffit.exe
C:\Program Files\Aladdin Systems\StuffIt Standard\stuffit.exe
C:\Documents and Settings\Raju\Application Data\Aladdin Systems\StuffIt\Temp\KillBox.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Print Spooler - Unknown - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Incident Status Location
Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\RAJU\FAVORITES\ONLINE GAMBLING\Online Gambling.url
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\SYSTEM32\winupdak.dll
Adware:adware/popuper No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Online Dating.url
Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\PSGuard spyware remover.lnk
Adware:adware/cws.yexe No disinfected C:\messanger.ini
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Admilli Service
Spyware:spyware/iesearchtoolbarNo disinfected C:\PROGRAM FILES\IESearchToolbar
Adware:adware/downloadware No disinfected C:\PROGRAM FILES\Recommended Hotfix - 421701D
Adware:adware/startpage.aco No disinfected C:\DOCUMENTS AND SETTINGS\RAJU\FAVORITES\ADULT STORE
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/topconvert No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN
Adware:adware/instdollars No disinfected HKEY_CLASSES_ROOT\CLSID\{861FDA2A-2B57-4BDA-8B8B-305C9D5D8604}
Adware:adware/ncase No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK
Virus:Trj/Lowzones.T Disinfected C:\Documents and Settings\Raju\Desktop\backup-20041214-185251-284.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinAdServX.dll.tcf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Virus:Trj/Lowzones.T Disinfected C:\WINDOWS\inet10054\1.02.05.dll
Virus:Trj/Dao.A Disinfected C:\WINDOWS\sys2416.exe
Virus:Trj/Gritz.D Disinfected C:\WINDOWS\system\user32.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20041203-183447.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20041203-184511.backup
Virus:Trj/Adfavo.A Disinfected C:\WINDOWS\system32\myin.hta
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\system32\tmp.exe
Virus:W32/Mitglieder.AT.worm Disinfected C:\WINDOWS\system32\windllsys32.exe.tcf
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
Virus:Trj/Runet.A Disinfected C:\WINDOWS\_h.html
Adware:Adware/Startpage.LI No disinfected C:\WINDOWS\_s.html
0
Comments
Most malware is designed to attack unpatched XP systems - exploiting the available 'holes' - and can bypass third-party protection on an unpatched system. The most that can be done with an unpatched system is put a temporary bandage on it. Your system can potentially be reinfected within minutes of cleaning it.
----
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:===================================================
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
===================================================
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Run Ewido:
- Click on scanner
- Click Complete System Scan and the scan will begin.
- During the scan it will prompt you to clean files, click OK
- When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close EwidoNext go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.