Program crahses: caused by infections? Please help

•

What is DaniWeb IT Discussion Community?

You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 456,515 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 2,817 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.

Join our community!

Please support our Viruses, Spyware and other Nasties advertiser: 64-bit Windows Community

Thread Tools Display Modes

Views: 1175 | Replies: 8

•

Join Date: Sep 2007

Posts: 6

Reputation: Kagaman is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

Kagaman

Offline

Newbie Poster

Program crahses: caused by infections? Please help

Oct 2nd, 2007

I would appreciate it if someone could please have a look at this logfile. I am experiencing sudden and unexplained program crashes, and have just recovered from a trojan attack and a missing ntldr problem. I have done everything I can think of, short of reformatting the hard drive and reinstalling the OS and everything else. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:14 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Sunbelt Software\iHateSpam\siClientUI.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMain.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...date?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf5.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf5.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf5.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf5.dll
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_se...zTCPConfig.CAB
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - http://prod1.centra.com/SiteRoots/ma...aUpdaterAx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\HENRYV~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10800 bytes

•

Join Date: Jun 2007

Posts: 15

Reputation: strix is an unknown quantity at this point

Rep Power: 2

Solved Threads: 1

strix

Offline

Newbie Poster

Re: Program crahses: caused by infections? Please help

Oct 2nd, 2007

The only thing I see is:

•

O10 - Unknown file in Winsock LSP: c:\windows\system32\laf5.dll

Check your hard disc drive with Spybot S&D from Kolla.de or LSPFix from Cexx.org. This entry should not be fixed! Your best bet to repair it is to try the LSPFix from Cexx.org.

Download LSPfix and use it. Hope this will help.

•

Join Date: Feb 2004

Location: Oztralya

Posts: 8,016

Reputation: crunchie is a jewel in the rough

Rep Power: 23

Solved Threads: 455

crunchie

Offline

Spyware Killer

Re: Program crahses: caused by infections? Please help

Oct 3rd, 2007

That LSP indicates a Smitfraud infection.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster

Please do not PM me for help. Instead, post in the public forum where others may benefit.

•

Join Date: Sep 2007

Posts: 6

Reputation: Kagaman is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

Kagaman

Offline

Newbie Poster

Re: Program crahses: caused by infections? Please help

Oct 3rd, 2007

Strix: thanks for your suggestions. Both Lspfix and Spybot S&D cam up clean.

Crunchie: I ran Smitfradufix and here's the logfile:
SmitFraudFix v2.236

Scan done at 17:53:12.47, Wed 10/03/2007
Run from C:\Downloads\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Sunbelt Software\iHateSpam\siClientUI.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32

C:\Windows\system32\laf1.dll FOUND !
C:\Windows\system32\laf1.ini FOUND !
C:\Windows\system32\laf2.dll FOUND !
C:\Windows\system32\laf2.ini FOUND !
C:\Windows\system32\laf3.dll FOUND !
C:\Windows\system32\laf3.ini FOUND !
C:\Windows\system32\laf4.dll FOUND !
C:\Windows\system32\laf4.ini FOUND !
C:\Windows\system32\laf5.dll FOUND !
C:\Windows\system32\laf5.ini FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Henry van Zyl

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Henry van Zyl\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HENRYV~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

Description: Dell Wireless 1450 Dual-band (802.11a/b/g) USB2.0 Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0235096C-ADD1-4C17-AEC6-39D24E38372C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45998A7F-E9D4-4A7B-AA70-4ED62A49E81D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0235096C-ADD1-4C17-AEC6-39D24E38372C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45998A7F-E9D4-4A7B-AA70-4ED62A49E81D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0235096C-ADD1-4C17-AEC6-39D24E38372C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45998A7F-E9D4-4A7B-AA70-4ED62A49E81D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

•

Join Date: Feb 2004

Location: Oztralya

Posts: 8,016

Reputation: crunchie is a jewel in the rough

Rep Power: 23

Solved Threads: 455

crunchie

Offline

Spyware Killer

Re: Program crahses: caused by infections? Please help

Oct 4th, 2007

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

•

Join Date: Sep 2007

Posts: 6

Reputation: Kagaman is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

Kagaman

Offline

Newbie Poster

Re: Program crahses: caused by infections? Please help

Oct 4th, 2007

Thanks, Crunchie. Below is the rapport.txt file:
SmitFraudFix v2.236

Scan done at 20:23:34.65, Thu 10/04/2007
Run from C:\Documents and Settings\Henry van Zyl\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.255.255.255 serial.alcohol-soft.com
127.255.255.255 www.alcohol-soft.com
127.255.255.255 images.alcohol-soft.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0235096C-ADD1-4C17-AEC6-39D24E38372C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45998A7F-E9D4-4A7B-AA70-4ED62A49E81D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0235096C-ADD1-4C17-AEC6-39D24E38372C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45998A7F-E9D4-4A7B-AA70-4ED62A49E81D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0235096C-ADD1-4C17-AEC6-39D24E38372C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45998A7F-E9D4-4A7B-AA70-4ED62A49E81D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

•

Join Date: Feb 2004

Location: Oztralya

Posts: 8,016

Reputation: crunchie is a jewel in the rough

Rep Power: 23

Solved Threads: 455

crunchie

Offline

Spyware Killer

Re: Program crahses: caused by infections? Please help

Oct 5th, 2007

•

Originally Posted by crunchie

please copy/paste the content of that report into your next reply along with a new HijackThis log.

You helped me get an extra post

. Hijackthis log please.

•

Join Date: Sep 2007

Posts: 6

Reputation: Kagaman is an unknown quantity at this point

Rep Power: 0

Solved Threads: 0

Kagaman

Offline

Newbie Poster

Re: Program crahses: caused by infections? Please help

Oct 6th, 2007

•

Originally Posted by crunchie

You helped me get an extra post . Hijackthis log please.

It sounds as if want to see to logs. The smitfraud log has already been posted. Below is the latest hijackthis log. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:09:33 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Alcohol Soft\Alcohol

120\StarWind\StarWindService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Common

Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common

Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Windows\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://r.office.microsoft.com/r/rlid...date?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO -

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -

C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF -

{47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt

Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [MSConfig]

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d

locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver -

res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -

res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program

Files\Siber Systems\AI

RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber

Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program

Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber

Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program

files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf7.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf7.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf7.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf7.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: vzTCPConfig -

http://www2.verizon.net/help/fios_se...zTCPConfig.CAB
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} -

http://prod1.centra.com/SiteRoots/ma...traUpdaterAx.c

ab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro

ActiveX Scan Agent 6.6) -

http://housecall65.trendmicro.com/ho...ative/x86/win3

2/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation

Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9}

(AxLoaderPassword Class) -

http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime

Environment 1.4.2) -

http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create &

Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System

Requirements Lab) -

http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools

WebPlayer Class) -

http://a532.g.akamai.net/f/532/6712/...m/downloads/pl

ayer/Install3.5/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave

Flash Object) -

http://fpdownload2.macromedia.com/ge...ash/swflash.ca

b
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent

ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 -

{9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -

C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com -

{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml -

{807563E5-5146-11D5-A672-00B0D022E945} -

C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.D

LL
O20 - Winlogon Notify: NavLogon -

C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PRISMAPI.DLL -

C:\Windows\SYSTEM32\PRISMAPI.DLL
O20 - Winlogon Notify: WgaLogon -

C:\Windows\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier -

C:\Windows\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj -

{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems,

Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -

Symantec Corporation - C:\Program Files\Symantec

AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program

Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. -

C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program

Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP -

C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. -

C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: SessionLauncher - Unknown owner -

C:\DOCUME~1\HENRYV~1\LOCALS~1\Temp\DX9\SessionLaunch

er.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division

Software - C:\Program Files\Alcohol Soft\Alcohol

120\StarWind\StarWindService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common

Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program

Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine

(WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program

Files\Webroot\Spy Sweeper\SpySweeper.exe

•

Join Date: Feb 2004

Location: Oztralya

Posts: 8,016

Reputation: crunchie is a jewel in the rough

Rep Power: 23

Solved Threads: 455

crunchie

Offline

Spyware Killer

Re: Program crahses: caused by infections? Please help

Oct 6th, 2007

For some reason you are now posting a log from a previous version of hijackthis. Please post a log from version 2.0.2. You also need to check the formatting of the log in your post before you go. That last one looks like crap.

==

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "laf7.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.