Zlob-Related: Can Disable but not Delete ActiveX Add-ons
I tried to d/l a fake video codec earlier and stupidly clicked OK to some ActiveX scripts. Now, in IE 7 only, there is [was] something going on, sort of like my homepage has been hijacked even though it still opens with Yahoo Mail, which I want. I get a "Spyware Found" type of window and when I try to close it I am redirected to here [DANGER - MALWARE]
Aside from IE everything seems to be working fine and Firefox is unaffected. Here is a screenshot of one of the "SpywareFound" windows (which opened with Firefox even though it originated with IE):
I remembered allowing a few (possibly 3) ActiveX script installs and Spybot-S&D asked me if I wanted to allow them (I did each time). I posted an HJT log at the Spyware Warrior forum but there is no reply at this time.
I found this article on How To Delete Internet Explorer 7 ActiveX Controls and decided to investigate. I must have mis-read the article b/c I chose "Add-ons currently loaded in IE" instead of "Downloaded ActiveX Controls" from the Show: drop-down box. I noticed 3 odd-sounding controls:
Diagnose Connection Problems - Browser Extension (one of the phony IE windows)
Research - Browser Extension
"Soplygui" - Browser Helper Object (rgf.dll)
I am able to Disable these items but for some (suspicious) reason the "Delete" button in the "Delete ActiveX" box is greyed out:
IE seems to be working fine now but I would feel better if those ActiveX controls were completely off of my XP SP3 system.
“If Ernest Hemingway was going to go big-game hunting in Africa, Hunter S. Thompson wanted to use a submachine gun to hunt wild boar in Big Sur, Calif. He was dangerous, like handling nitroglycerin, and he liked to keep it that way.”
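Added example, not from the thread: a PowerShell inventory of the Browser Helper Objects registered on a machine (the function name Get-BrowserHelperObjects is my own). Manage Add-ons only shows the BHO's display name, but the registration under HKLM holds just a CLSID; resolving that CLSID through HKCR gives the DLL path, so an entry like the "Soplygui" BHO can be tied to a file on disk and its Authenticode status checked before anything is deleted.

```powershell
# Added example (not from the thread): list registered IE Browser Helper Objects
# and resolve each CLSID to the DLL that implements it.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows registers BHOs here instead
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObjects {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # The BHO key only names the CLSID; the DLL path is the default value of
            # HKCR\CLSID\{clsid}\InprocServer32 and the display name the default of HKCR\CLSID\{clsid}.
            $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null
            $dll  = $null
            if (Test-Path $classKey) {
                $name = (Get-ItemProperty $classKey).'(default)'
            }
            if (Test-Path "$classKey\InprocServer32") {
                $dll = (Get-ItemProperty "$classKey\InprocServer32").'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
            $onDisk = [bool]($dll -and (Test-Path $dll))
            # Unsigned or missing DLLs in system32 are what to look at first; a disabled
            # add-on still keeps all of these keys, which is why "Disable" is not "Delete".
            $sig = 'n/a'
            if ($onDisk) { $sig = (Get-AuthenticodeSignature $dll).Status }
            New-Object PSObject -Property @{
                CLSID     = $clsid
                Name      = $name
                DllPath   = $dll
                OnDisk    = $onDisk
                Signature = $sig
            } | Select-Object CLSID, Name, DllPath, OnDisk, Signature
        }
    }
}

Get-BrowserHelperObjects | Sort-Object Signature | Format-Table -AutoSize
```

Run from an elevated PowerShell; entries whose DllPath is missing or whose Signature is not Valid are the ones to hash and submit to a multi-engine scanner, as the thread does with rgf.dll.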
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\k.txt (Trojan.FakeAlert) -> No action taken.
Run a full scan again with MBAM and this time remove the object.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
==
Download HijackThis Executable from here. Save it to your desktop.
Currently running:
AMD Hexacore 1090T BE @ 4050Mhz 1.375vcore
Gigabyte GA-890FXA-UD5
GSkill 2x2 Flares @ 1800Mhz 6-8-6-22-1T
XFX 5850 XXX EKFC block
Asus 9800GT
GSkill Phoenix Pro 120Gb SSD
DFI LP DK 790FXB M2RSH, Phenom II 940BE @ 3.75Ghz 1.425vcore Watercooled, 4Gb (2x2) GSkill PC8500 Pi @1100MHz 5-5-5-16 2T, HIS HD4870 Watercooled, 1Tb WD Black, XP Pro & W 7 Pro Dual boot.
I did another full scan with MBAM and removed the object.
I have run the SmitFraudFix and here is the log:
SmitFraudFix v2.356
Scan done at 9:24:27.60, Fri 10/03/2008
Run from C:\Documents and Settings\John\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!
Description: MSI/Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 208.71.161.249
DNS Server Search Order: 204.174.16.4
DNS Server Search Order: 204.174.18.2
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:42 AM, on 10/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.
C:\WINDOWS\system32\rgf.dll
I will do that. I found in Spybot the "Allowed registry changes" (there were 4) that gave me the BHOs. Have not deleted them yet. Also, a Spybot-S&D scan turned up SpyHunter which I also plan to delete.
Scanner results
Scan taken on 03 Oct 2008 21:21:53 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Malware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Adware.Bho.73
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found not-a-virus:FraudTool.Win32.TotalSecure2009.s
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Last file scanned at least one scanner reported something about: serwer.exe (MD5: 1934bf3f2c2f3d3cbbc90dac11f70bea, size: 17456 bytes), detected by:
Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender BehavesLike:Win32.Malware
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Trojan.Win32.Agent.afly
G DATA BehavesLike:Win32.Malware
Ikarus Virus.Trojan.Win32.Agent.afly
Kaspersky Anti-Virus Trojan.Win32.Agent.afly
NOD32 X
Norman Virus Control W32/Agent.IRJD
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X
You will have to disable Spybot's Teatimer before we begin, as it will interfere with the fix. To do this, start Spybot, go to the Mode button and select Advanced. Go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit".
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Do not forget to re-enable teatimer when we are done.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
===============
Scan with HijackThis and then place a check next to all the following, if present:
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option to run Windows in Safe Mode and hit enter.
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
I have now done everything in your last post (well, actually I deleted C:\WINDOWS\system32\rgf.dll with KillBox last night before reading your last post). Spybot's TeaTimer is re-enabled (nice to find out about ResetTeaTimer.bat).
Here's my latest Trend Micro HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:26 PM, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Many thanks for all of your kind help! Btw, there were no hidden or "in use" C:\WINDOWS\system32\rgf.dll files and I didn't need to use Safe Mode.
Under Main choose: Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
====
Use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera, which in my opinion, is better still.
====
Use a firewall. It is an essential part of your computer's security. There is a link to a good, free firewall in my signature.
====
Install, and keep updated, Spybot S&D.
Run it on a regular basis, following the maker's recommendations.
====
Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.
====
Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
=====
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start | Run and type msconfig and press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
===============
If you have any more problems, post back.
-
Happy surfing,
crunchie.
Thanks for all of the tips. I have been using CCleaner almost daily for over a year now. Why do you suggest unchecking "Cookies" under "Internet Explorer"? I always go to CCleaner's Options > Cookies and manually choose which to keep. As for alternative browsers, I use Firefox occasionally but prefer IE. I would switch to Opera immediately (I have used v7 & v8 off and on in the past) if only they would support RoboForm.
For a firewall & AV I use ESET's Smart Security (NOD32 antivirus). I typically run Spybot-S&D once a month or so. I also have SpywareBlaster. I do a manual check for Windows Updates the 2nd Tuesday of every month.
I will "flush" the XP system Restore Points today.
Virus and malware writers prefer IE too. Leaving the cookies is up to the individual. I choose that option so that the cookies that allow you to log in automatically do not get deleted.