Archived

This topic is now archived and is closed to further replies.

istrum

spylocker

Spylocker is still in my tray after running RogueRemoverpro... Can someone please help me get rid of this nasty thing!

Thanks, Mike

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 6:36:49 PM, on 6/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe

C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

c:\program files\panda software\panda antivirus 2007\WebProxy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Mike\Desktop\HiJackThis_v2.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: Shell=explorer.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-21-1801674531-515967899-2147161785-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1801674531-515967899-2147161785-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - C:\WINDOWS\system32\eeuydc.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe

 

--

End of file - 5232 bytes

First, make sure HijackThis is run from its own folder. This ensures that backups are made and kept securely. Backups allow fixed entries to be restored when necessary.

 

On the Desktop, right-click an empty area, select New > Folder, and name the folder Hijack This. Place the HijackThis.exe file in it, and then run the program from its own folder from now on.

 

~~~~

Next, please download SmitfraudFix (by S!Ri) to the Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract the files to the Desktop

A folder named SmitfraudFix is created.

We will use this program later.

 

~~~~

Run HijackThis, Scan

Check box for:

 

O22 - SharedTaskScheduler: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - C:\WINDOWS\system32\eeuydc.dll

 

Select: Fix checked

 

~~~~

Start the computer in Safe Mode :

-When the machine first starts again, tap the F8 key before Windows starts

-You are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

~~~~

Open SmitfraudFix

Double-click smitfraudfix.cmd

Select Option 2 - Clean by typing 2 and pressing Enter (deletes infected files).

You are prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean the registry keys associated with the infection.

 

The tool also checks if a relevant file, wininet.dll, is infected.

You may be prompted to replace the infected file (if found).

Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

 

~~~~

Restart the computer to complete the removal process.

 

~~~~

Run HijackThis once again to obtain a new log.

 

~~~~

Please post the SmitFraudFix report located at C:\rapport.txt , and a new HijackThis log.
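As an added example (not part of this thread or of HijackThis itself), a small Python script that pulls the O22 SharedTaskScheduler lines out of a HijackThis log and flags any CLSID not on an allowlist. The allowlist holds only the Browseui preloader entry that ships with Windows XP, so the eeuydc.dll entry quoted above stands out the way it does in the log; the sample lines are constructed from entries in this thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines, modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [igfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\\WINDOWS\\system32\\browseui.dll
O22 - SharedTaskScheduler: auditioned - {44e670f2-d57b-4815-a576-955d17dbbf2d} - C:\\WINDOWS\\system32\\eeuydc.dll
O23 - Service: Panda Software Controller - Panda Software International - C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\PsCtrls.exe
"""

# The SharedTaskScheduler entry that ships with Windows XP (seen in this thread's log).
# Any other entry loads a DLL into Explorer at logon and is worth an analyst's look.
# Extend this set with entries you have verified on a known-clean machine.
KNOWN_GOOD_O22 = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"}

# O22 line layout: "O22 - SharedTaskScheduler: <name> - {CLSID} - <dll path>"
O22_RE = re.compile(
    r"^O22 - SharedTaskScheduler: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


@dataclass
class O22Entry:
    name: str   # display name shown by HijackThis
    clsid: str  # CLSID, normalised to upper case
    path: str   # DLL that the scheduler loads


def parse_o22(log_text: str) -> List[O22Entry]:
    """Return every O22 SharedTaskScheduler entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O22_RE.match(line.strip())
        if m:
            entries.append(O22Entry(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def suspicious_o22(log_text: str) -> List[O22Entry]:
    """Entries whose CLSID is not allowlisted: flagged for review, never auto-removed."""
    return [e for e in parse_o22(log_text) if e.clsid not in KNOWN_GOOD_O22]


def dll_name(entry: O22Entry) -> str:
    """Bare file name of the loaded DLL, for comparison against a log or hash lookup."""
    return entry.path.rsplit("\\", 1)[-1].lower()


if __name__ == "__main__":
    for e in suspicious_o22(SAMPLE_LOG):
        print(f"REVIEW: {e.name!r} {e.clsid} -> {e.path}")
```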

I am not able to download SmitfraudFix. I get this error message: cannot copy smitfraudfix[2], access is denied!

I eliminated SpyLocker with HijackThis by deleting the O22 value, but now I am unable to restart in Safe Mode! I tried to restart the computer and then press the 8 key, but it will not start in Safe Mode...?

Are you getting a notice from your AntiVirus program, or is it blocking SmitFraudFix?

 

Process.exe is detected by some AntiVirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. AntiVirus programs cannot distinguish between "good" and "malicious" use of such programs, and may alert the user.

 

You may need to temporarily disable your AV program and see if you can download SmitFraudFix.
