also @ TechSpot: Leaked next generation iPhone casing photos validate multiple rumors

TechSpot

TechSpot News Products Downloads Forums

Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

Help please

Discussion in 'Virus and Malware Removal' started by ippymiss, Oct 11, 2008.

Thread Status:: Not open for further replies.

Page 1 of 2

ippymiss Newcomer, in training
Hi, I have a puter that is running very slow the last week.Screen freezes, I have porno ads on this screen as I am typing. Also, IE closes unxpectanly when I am useing it.

I just bought a dell 22 inch monitor and since then it has not been the same. (not sure or think that is the problem.

I am unable to run Malwarebytes when I do it gives me a blue screen and says
Driver IRQL not less or equal

I have ran CCCleaner and did what was recommended.

My AVG froze and unable to finish the scan.
Java upgraded

High jack file enclosed along with

Smithfraud files

Thanks for your help.
Attached Files:
- hijackthis.log
  
  File size:
  
  10.2 KB
  
  Views:
  
  8
- rapport.txt
  
  File size:
  
  1.9 KB
  
  Views:
  
  6
ippymiss, Oct 11, 2008

#1
CCT Newcomer, in training

Boot to Safe Mode and try AVG and malwarebytes again.

If that fails, pull the hd, slave it inanother comp and run the scans on it.

CCT, Oct 12, 2008

#2
ippymiss Newcomer, in training

I will try the boot, but I dont have another puter to try also. Thanks

ippymiss, Oct 12, 2008

#3
BillAllen55 Newcomer, in training

Please go to this website paste your hijackthis! logs to the area that is shown and follow the directions. - You definitely have things going on that can be easily resolved and possibly help with your issue.
http://hjt.networktechs.com/parse.php Good luck!

BillAllen55, Oct 12, 2008

#4
tw0rld TechSpot Enthusiast

The error above suggest that you have a hardware or device driver problem. You might have a faulty or incompatible hardware or software(driver). could be the driver for your monitor. try updating it from the device manager.
Instructions:
Start > run > devmgmt.msc > click on monitor

look to see if the hardware is in a error state(usually represented by a yellow exclamation).
Update the driver by right clicking the device then select "update driver".

tw0rld, Oct 12, 2008

#5
rf6647 Newcomer, in training

BA_55
Regarding automated parsing, please read this post
Give a response there and share your perspective. I think xxdanielxx is trying get us all on the same page, so to speak.

Ippymiss
These should be deleted (imho) . Use safe mode to delete the files.
O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)

Consult your smithfraud log for o22 entry's filename.

It would be great to get things working for Malwarebytes.

rf6647, Oct 12, 2008

#6
Bobbye Helper on the Fringe

Bill, I don't know you, but why would you want to send someone to another site to help with the HijackThis logs? Isn't that what we do here?

ippymiss, I've checked the current logs and will review them AFTER you run Malwarebytes and SuperAntispyware and post the logs. You will find the information in Parts 4 and Par 5 here:
http://www.techspot.com/vb/post645589-1.html
I do have two questions about things I saw in the log: there are numerous processes starting at boot for both 'iespell' and RoboForm. For instance, one iespell is for Wikipedia. Do you have to load the application separately for any site you may want to use it on the internet? I that is the case, you could get the Google Toolbar with the spell check for everything on the internet, with email not included!

As for RoboForm, can't you bring that up manually when you need the feature? I'll go over the entire log you run again AFTER Malwarebytes and Superantispyware.

In the meantime, please take this OUT of your trusted zone:
O15 - Trusted Zone: http://www.mycoupons.com

Bobbye, Oct 12, 2008

#7
ippymiss Newcomer, in training

Ive checked my monitor in my device manager., and everything is good.
I booted to safe mode and completed a malwarebytes scan, log included.
safe mode for superantispy and my puter froze 3 on one file took me 3 attempts and 6 hours.I gave up.......
the file is
C:/program files/common files/microsoft shared/smart tag/FStock.DLL.

I also included a hijackthis log.

I will do what you all have asked me to and post back with more logs......Thanks !!!!!

I taken that website off my trusted also In my startup msconfig files I cant find the iespell or the roboform, I do not need either of these all the time. actually I do not need any of these. I can take them off completly.
I am going to find the files Fr66 asked me to delete, Thanks

ippymiss, Oct 12, 2008

#8
ippymiss Newcomer, in training

In safe mode I deleted one file only, it would not let me delete the 018 file. Filter Hijack.

I did another malware scan and posted the results. What now. I also deleted the programs that I did not use . Thanks

ippymiss, Oct 12, 2008

#9
rf6647 Newcomer, in training

Bobbye is the man on this problem. He has the depth to lead you.

While waiting, see what you can do to perform a deep scan using malwarebytes.

The quick scan seems stalled as far as keeping some re-infection from occurring.

HJT and malwarebytes should be run in normal mode, not safe mode. Perhaps the freezes and errors were related to some of the malware that has been removed / weakened.

Re-post fresh logs (all 3) just as you would following the 8-step procedure.

rf6647, Oct 12, 2008

#10
ippymiss Newcomer, in training

I've tried running deep scans but it keeps freezing on one file...... the Fstock.dll
doesnt that file have to do with Office?? I dont even use office anymore...lol

I do NOT have any idea as to why?? it is doing that?

Should I maybe?
delete the dll file and download another one?

I'm at a loss!
Thanks
I will keep trying what you recommend

ippymiss, Oct 12, 2008

#11
rf6647 Newcomer, in training

one reference @ MS for Fstock dll
Buried on the page describing a work around.

It could be a disk error. CMD window > chkdsk /f > restart the computer

If not using Office, the Rename > Move trick should work. That is rename the file. Use Explorer to move the file to the desktop or some temporary folder. This may delay the need to repair the installation of MS OFFICE.

Delete file is an option, but the recycle bin will lose this file if emptied.

[edit]
File delete uses Windows Explorer. HJT delete means check the box.
o18 corrective action was meant to say "file delete"
I believe you understood this. This is added as a precaution.
It appears this is a type of Smithfraud. Maybe a re-run of this remedy is needed. Normal mode / safe mode - whatever seems to work.
[/edit]

rf6647, Oct 12, 2008

#12
Bobbye Helper on the Fringe

1. mbam-log-2008-10-12 (09-23-06).txt10/12/2008 9:23:06 AM shows removal of Zlob, Hotbar and other adware and Trojans.
2. mbam-log-2008-10-12 (14-50-54).txt 10/12/2008 2:50:54 PM shows the same removal of Hotbar, adware and other Trojabs, but no section for Zlob.
It appears you may have posted the same log twice, leaving the 'Zlob' section off the second log.
3. You ran the first HijackThis in Safe mode Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:14, on 10/12/2008.
4. You posted the same HijackThis log again Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:14, on 10/12/2008

When we tell you to check specific items in a HijackThis log, following though with a reboot after all has been done and tell you to scan with HijackThis again and post the log, that does NOT mean copy the previous log. The only way we can see if the removals have worked is by viewing the subsequent log.

Please see Part 5 here: http://www.techspot.com/vb/post645589-1.html For SuperAntispyware. Attach the log.

Make these changes if still on the log, run SuperAntispware, THEN HijackThis again and post both logs. No need to do Mbam again:

Please reopen HijackThis and scan. Put a check next to the following processes:

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - (no file)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)

NOTE: The entry for 'monln.dll is for the Comodo AntiVirus. You are running AVG v8 which has AV+AntiSpyware. You should only run one AV program. The last entry for 'dikage' is from Zlob Trojan that infects you with the VirusHeat rogue anti-spyware program.

I am breaking the following entries out separately. All of these processes for the two programs shouldn't run from startup. If you don't want either program, check ALL the entries in each group:
For RoboForms:

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

NOTE: If you decide to keep RoboForm and start it Manually when you need it, remove all the entries above. When you boot into Safe Mode below, open the Roboform program and disable any of it's startups.

For iespell:

O8 -
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

When through close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Go to Start> Run> tyoe in 'msocnfig' without quotes> enter> Selective Startup> Startuo tab> UNCHECK everything except the AVG processes> Apply> OK
Control Panel> Add/Remove Programs> Uninstall iespell and RoboForm if you don't use them. Uninstall Comodo Security suite. Look for any other programs that are unused and uninstall them.
Start> Run> type in 'services.msc' without quotes> enter> look for Comodo Anti-Virus and Anti-Spyware Service> right click> Properties> change Startup type to Disabled> Apply> OK

Remove ALL from Trusted Zone- leave the in the internet zone- it's safer:

O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: http://www.mycoupons.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net

Reboot into Normal Mode> You will get a nag message that you can ofnore after checking 'don't show this message again'. Stay in Selective Startup.

Scan with HijackThis again and post a NEW log. Include the log from SuperAntispyware.

If you neeed a spell checker for the internet, I suggest the Google Toolbar. You don't have to enable all the available options, but it has a good spell checker and pop-up blocker:
http://www.download.com/Google-Toolbar-for-IE/3000-12777_4-10056938.html

Use this version as v5 is a beta version- still testing. We can add jut the Comodo firewall to our system if wanted.

Bobbye, Oct 13, 2008

#13
ippymiss Newcomer, in training

I did attach a hijack this file. My AVG, found nothing but a few cookies that needed cleaned, and I could not even save a log file.

I am still running a bit slow and still do freeze, but not as much as I did. Anything else?? Thanks

ippymiss, Oct 14, 2008

#14
rf6647 Newcomer, in training

Note to Bobbye

This is some kind of booger

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} – C:\WINDOWS\system32\msiebbar.dll

Research @ whatthetech viewing topic
MBAM detects & deletes "msiebbar.dll"
DelDomains.inf is invoked before running MBAM (Link to download file)

There is no explanation. It's beyond me.

This is related to comodo. Is this broken and/or redundant AV-Firewall?
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Unknown owner - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe (file missing)

rf6647, Oct 15, 2008

#15
ippymiss Newcomer, in training

I have not ran comodo for ages. I uninstalled it totally awhile ago.
HiJack will not take off this file.........

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} – C:\WINDOWS\system32\msiebbar.dll

Do I still download the deldomains file you want , without taking off the other bad file? Thanks

ippymiss, Oct 15, 2008

#16
rf6647 Newcomer, in training

Note to ippymiss

bobbye is driving this. My earlier post found evidence that MBAM removed msiebbar.dll . I am asking that bobbye use this information to direct us. That extra step/file had no explanation & may not help. I do not know.

Be specific. What other bad file?

rf6647, Oct 15, 2008

#17
Bobbye Helper on the Fringe

rf6647, thank you for catching this- I did overlook it:

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

I checked the mban log and it does not show removing this CLSID. Please scan with Malwarebytes again and see if it picks up the msiebbar.dll. I can't ID the CLSID- only info is 'Generic Downloader' so it makes specific removal impossible.

AFTER rerunning Malwrebytes:
Scan with HijackThis again. Check the following:

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

Now close all windows other than HiJackThis, then click Fix Checked.Close HiJackThis and reboot into Safe mode:
Right click on Start> Explore> Windows> go to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> OK>>> then click onSystem32 on the left> look on the right screen for msiebbar.dll. If you see the file there, do a right click> Delete.

If you don't see it> click on dll cache> look on the right- same thing, right click> delete if found.
Go back into Folder Options and UNCHECK 'show hidden files and folders> Apply> OK.

The Comodo entries have been removed. Make sure any Comodo program showing in Add/Remove Programs is also uninstalled- it can be done while in Safe Mode. You still have extra entries for iespell. decide if you need them- if not, have HijackThis fix.

Boot into Normal Mode> scan with HijackThis once more to see if the 018 entry has been handled. Attach the log.

Bobbye, Oct 15, 2008

#18
ippymiss Newcomer, in training

Thanks!
I ran Hijack and found the 018

file. O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

But it wont delete it. saved the log
Went to safe mode did a search for the file in my System32 and my dll cache. NOPE not there!
I went back to my AVG antivirus, that file is in my Resident shield Protection file, but then says it ihas been moved to my virus vault....... its not there!. and I cant get the files out of the resident shield . and moved to anywhere else in AVG

Comondo is not on the puter anymore I did a search and found nothing. I think I took off all the iespell. AVG still found nothing.

I dont know what to do about this problem? HELP!!. And Thanks !

ippymiss, Oct 15, 2008

#19
Bobbye Helper on the Fringe

Your system should be running better without all the RoboForm and iespell entries. But this needs to be checked. On original log, AVG program shows. On latest log, it's missing:

On HJ1: Scan saved at 17:58:29, on 10/11/2008Scan

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

On last: saved at 17:51:17, on 10/15/2008

Does not show AVG program
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

The auto-loading 04 entry is still there as well as the two 023 Services, but the program is missing from the programs list. Please check the status of that.

As for the 018 entry:

O18 - Filter hijack: text/html - {25969f07-5cf6-4598-92a8-6c5d947de1a9} - C:\WINDOWS\system32\msiebbar.dll

I have to assume it's malware. The CLSID is not identifiable and this is strange either way- bad or good. Since you've used Malwarebytes, the remaining suggestion is:

Download the following free removal program: SmitFraudFix: Please scroll ldown to this:
Removal Instructions:
1. Print out these instructions as we will need to close every window that is open later in the fix.
2. Download SmitfraudFix.exe from here and save it to your desktop:
follow download and screen shots here:
http://www.bleepingcomputer.com/forums/topic17258.html

Follow the instructions exactly. Screen shots will help you through.

When you have finished, rerun HijackThis and post both logs. I would still encourage running SuperAntispyware and including that log also.

Bobbye, Oct 16, 2008

#20

(You must log in or sign up to reply here.)

Page 1 of 2

Thread Status:: Not open for further replies.

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved