• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
halbo

Hijacked By smart search

5 posts in this topic

i v been hijacked by smartsearch cws shredder as u all know removes but it comes back i want to know the dll file and the registry entry to remove

and i cant find on the log ahh and one more thing i had to change the name of hijackthis cause everytime i open it it gets closed so i thought the cws is closing it

cause it knows the file name of hijack this so i changed to anything {wfd.exe} and it worked

 

 

 

here is the hijackthis log:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:12:10 AM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\scrgrd.exe

C:\WINDOWS\System32\wnetlogin.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\lsac.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\WINDOWS\System32\svxhost.exe

C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\WINDOWS\explorer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Wafaa El Dars\Desktop\New Folder\wfd.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [uC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [updateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe

O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [Microsoft System Checkup] wnetlogin.exe

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xkevbf.exe

O4 - HKLM\..\Run: [Microsoft Update] lsac.exe

O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe

O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe

O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [Microsoft Update] lsac.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?

O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra 'Tools' menuitem: IBM Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O11 - Options group: [JAVA_IBM] Java (IBM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8174.5380671296

O17 - HKLM\System\CCS\Services\Tcpip\..\{393F04B8-C6CC-48CF-A7BC-53A3E88CB16A}: NameServer = 163.121.128.134,212.103.160.18

O17 - HKLM\System\CS1\Services\Tcpip\..\{393F04B8-C6CC-48CF-A7BC-53A3E88CB16A}: NameServer = 163.121.128.134,212.103.160.18

Share this post


Link to post
Share on other sites

Hi,

Worms and Trojans ... oh my!

 

svxhost.exe = WORM_SDBOT.JB :alarm:

Caused by failure to patch your machine!

 

scrgrd.exe = WORM_SPYBOT.BR :alarm:

You must follow thru manually with additional Registry edits.

Print this article out, you'll need it.

 

wnetlogin.exe = WORM_DONK.C :alarm:

Caused by failure to patch your machine!

You will also need to edit your HOSTS file. Print this article out, you'll need it.

 

lsac.exe = Gaobot.XW :alarm:

Caused by failure to patch your machine!

 

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files: [required step]

Open the Windows Explorer | Tools | Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open windows, rescan with HijackThis

Place a check in each of the following then click "Fix checked".

 

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [Microsoft System Checkup] wnetlogin.exe

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\xkevbf.exe

O4 - HKLM\..\Run: [Microsoft Update] lsac.exe

O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe

O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe

O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKCU\..\Run: [Microsoft Update] lsac.exe

 

Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer locate and delete the following:

 

C:\WINDOWS\System32\svxhost.exe <--this file

C:\WINDOWS\System32\scrgrd.exe <--this file

C:\WINDOWS\System32\wnetlogin.exe <--this file

C:\WINDOWS\System32\lsac.exe <--this file

C:\WINDOWS\System32\xkevbf.exe <--this file

 

While still in Safe Mode, make the needed Registry changes.

Then edit your HOSTS file as mentioned above ...

 

Restart normally and then ...

 

Visit icon11.gifWindows Update and install all the "Critical Updates"

 

After the above, reboot, rescan with HijackThis and post a fresh log ...

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0