I have a friend who is having some difficulties with trojans and the like. I helped him clear some of it out but some keeps coming back and was hoping for some input.
Sometimes he get popups including these:
clean-xp.com, fixregerror.com, e-regclean.com as well as
this - error:reg-3328
Here's his log file:
Logfile of HijackThis v1.99.1
Scan saved at 3:55:20 PM, on 8/10/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Please read through the instructions before you start (you may want to print this out or copy it into a word program).
Please download and install these programs - don't run them yet!!
Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful")
5. Exit Ewido. DO NOT scan yet. Tutorial if needed
Please download and unzip AboutBuster to a folder.
AboutBuster MUST be updated before you use it.
Check the AboutBuster Tutorial for instructions.
Don't run it yet.
Download and unzip HSfix to your desktop. use link below: DownloadItHere
The above Registry file was written specifically for this infection and is not to be used on any other infection as it could damage a person's PC
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
Important Step
2. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Remote Procedure Call (RPC) Helper
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - javakl32.exe, javakl32.dll, javakl32.dat)
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
6. Double click on the HSfix and when asked to merge say yes.
7. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
8. Run AboutBuster . This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
9. Run Ewido Security Suite
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Reboot into normal mode and open up Internet Explorer
I had him follow the instructions. The about blank is now gone but he is still having pop ups asking to visit sites to remove ad/spyware. Here are the Hijack and Ewido logs. He didn't know where the Aboutbuster log went but I told him to look for it in the Aboutbuster folder it would have created.
Logfile of HijackThis v1.99.1
Scan saved at 3:50:20 PM, on 8/12/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
When the program is open, select the option labeled Delete on reboot.
Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.
When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.
Had friend download and run killbox.
Here's what he emailed me:
"Still have pop ups on system messenger, have developed a new wall paper that tells me of errors in my computer and that I should buy Razespyware to fix it."
Here's his hijack log after running killbox:
Logfile of HijackThis v1.99.1
Scan saved at 9:01:20 PM, on 8/14/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
download this Right click here and go to Save As (in IE it's Save Target As) in order to download the smitfraud reg to your desktop.
Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.
After the merged successfully prompt, using Windows Explorer, navigate to the following folder:
C:\WINNT\Prefetch
If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)
Reboot your computer.
now you should be able to change your desktop to what ever you want
Post back a new log, and let me know how everything goes.
Here's the latest log file after following the instructions. He also emailed this info:
"The good news is the warnings have stopped - I suppose that's because the messenger might still be disabled. The leftover is the Razespyware crap as it is still in charge of the screen. Right click does not respond when activated on the screen while the razecrap is on. When I tried to find the Prefetch folder I could not find it in WINNT I searched the computer with no luck."
Logfile of HijackThis v1.99.1
Scan saved at 5:19:59 PM, on 8/17/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Now it's time to put SP4, the rollup package, and all critical updates on.
I'd be a bit suspicious of regsvc.exe - this is the remote registry service. It's only used on Win2K Server and workstations administered over a network. On a standalone machine it can be disabled.
Something to look at - set the folder options to show hidden and system files and unhide known extensions. Go into documents and settings - his username - desktop - and if there's a desktop.ini file in there delete it.
Friend followed the above suggestions. With his limited memory/space had trouble getting the SP4 but finally did. Also, had trouble with regsvc.exe and could not get rid of it.
Here is what he has now:
"I'm getting this "Run Time Error 5 at 004047C5" [0=zero] just before Razespyware takes over the wallpaper."
Hijack log critique
Linear Mode
