Please help me analyze this log!

Author

Topic: Please help me analyze this log! (Read 1179 times)

I see a couple of problems here.
1) You have an outdated version of Java which creates a slight security risk. You should uninstall the version you have, and reinstall the latest version.

2) Your system is infected with the Smitfraud application Spyfalcon.

3) You have an unknown trojan infection.

First, click start-->control panel-->add/remove programs
Scroll down and locate the Java application and click Remove. When the uninstallation completes, reboot the computer.

Reinstall the latest Java software from here.

When the installation completes, reboot the computer.

Print out these instructions as we will need to close every window that is open later in the fix.

Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

http://www.bleepingcomputer.com/files/reg/FixSF.reg

Confirm that the file FixSF.reg now resides on your desktop as we will need it later.

Please download ewido security suite trial version.

Install Ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch Ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update
Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
http://download.ewido.net/ewido-signatures-full-current.exe

Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Please download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.
1) Run Ad-Aware, and click Check for updates now.
2) Select Configurations (click the Gear wheel at the top) as follows:

General Button > Safety & Settings: Check (Green) all three.
Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Don't run it yet!
Exit Ad-aware.

Download smitRem.exe and save the file to your desktop.
Alternate links:
smitRem.exe
smitRem.exe

Double-click on the SmitRem.exe file. You will now see a screen.
Click on the Start button and the program will start extracting the files into a folder on your desktop called SmitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called SmitRem..

Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.

Next, please reboot your computer into Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

When your computer has started in safe mode and you see the desktop.
Click on the Start Menu
Click on the Control Panel option.
Double-click on the Add or Remove Programs icon.
Find the entry for SpyFalcon and double-click on it. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.
When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

Run HijackThis, and press "Scan". When the scan is complete place a check mark next to the following entries:

O1 - Hosts: 216.239.37.101 www.kazaagold.com
O1 - Hosts: 216.239.37.101 www.k-lite.com
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\system32\hp3BBA.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com

After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."
===================================================
Close Hijackthis.

Then search for and DELETE the following file(s)/folder(s) indicated in Bold text IF PRESENT:

C:\Windows\System32\dxmpp.dll
C:\Windows\System32\ginuerep.dll
C:\Windows\System32\twain32.dll
C:\Windows\System32\reglogs.dll
C:\Windows\System32\appmagr.dll
C:\Windows\ctfmon.exe <--please note this file is the bad one. The legit file is located in the System32 folder. This one in the Windows[/color] folder should be deleted.
C:\WINNT\system32\atmclk.exe
C:\WINNT\system32\dcomcfg.exe

C:\Program Files\SpyFalcon\ <--folder (Do not be concerned if this folder does not exist):

Close all open Windows.
Ã‚Â· Open the smitRem folder on your desktop

Double-click on the RunThis.bat file, to start the tool.
When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller.

Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and SmitRem will prompt you to continue. Now you should press any key to continue.

When no more uninstallers can be found, the tool will continue. Your desktop will disappear[/color] and you will start seeing text scroll across the screen. This is normal[/color] and nothing to be concerned about. When SmitRem has finished running it will automatically start the Disk Cleanup program.

This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.

When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Then select "Settings"
Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
Select "OK" and you will return to scanning options.
Click on Complete System Scan and the scan will begin.

This scan can take quite a while to run, so please be patient .
While the scan is in progress, you will be prompted to clean the first infected file it finds.
Choose Clean.
Then put a check next to 'Perform action on all infections' . Doing this, enables the scan to proceed automatically until its completion. Click OK
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. The best place to save it would probably be your Desktop.

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" or "Desktop Uninstall" if present.

Reboot your computer back to normal mode.

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.

Once you get to the Panda site, scroll down a bit and click on Scan your PC
A new window will appear; click on Check Now!
A new window will appear; fill in the boxes (Country, State, email addy)
Click on Scan Now! >
If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
From "Select a device to scan...", choose "My Computer"
Allow the scan to run. It'll take a while.
When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
Please post that report in your next reply. Simply open the text file, then copy/paste the content here. Also, please include a fresh HJT log, your Ewido report, and your Smitrem log. Thanks!

Good Luck!

Regards,
Disabled Vet

Spreading the knowledge:

It is very hard to fight Computer parasites alone in internet space. If you have a website we would be more than happy if you would help us to spread the knowledge about latest threats. You can help your visitors to manage their Computer system manually without aditional expences. Knowledge is the power, we just need to spread it.