Malware - Hijack?



iasus
2006-04-01, 10:57
Hi, technophobe - so please be gentle!!

HP/Pav8760, using Windows XP Home, broadband ISP (UK), IE6 browser, Zone Alarm, CA AVG [was using Grisoft AVG (free) but it blocked/conflicted with my mail], replaced with Computer Associates.

Spyware hijack a few days ago as start page? My ISP/homepage changed to spyware - changed it to MSN. (Can I get my ISP homepage back please - how?) Now for all Favourites IE6 is not responding, even from the MSN address bar browser - send error report to Micro$oft. Done their checklist: security updates for IE6, Windows software updates, Anti-Spyware (Spybot) + Adaware Pro SE6 progs and ran them both. Ran Spybot in default mode: WinFixer2005 and others - removed - same problem, IE6 not responding. Tried advanced mode (Spybot), unchecked IE tweaks (but I'm the only user), reboot - no luck. Selected re-check IE Tweaks. Put WinFixer back in restore - still no luck - removed it. Re-ran Spybot twice; 25 mins the 1st time and about the same for the 2nd time 2 mins later - should it be this slow? "Congrats. No immediate threats found!"

Should I swap to the Firefox browser and, if I import my favourites to it, WILL they be infected too - or will I have to cut+paste all URLs into the new browser?

shelf life
2006-04-03, 00:03
hi iasus,

Post an HJT log to make sure everything looks good.
See this link about downloading/using HJT:

http://forums.spybot.info/showthread.php?t=288

iasus
2006-04-03, 17:12
shelf life,
Thanx for the reply. Have created a folder for HJT, but where is it (HijackThis.exe) located for me to download? Told you I was a technophobe!! :-) I tried the link under downloads http://merijn.org/files/HijackThis.exe and got a page of updates.
The nearest/newest download I could find was down the page, dated Dec 15/04? Didn't download it! I am also unfamiliar with zip files!
Thanx for your patience though!

shelf life
2006-04-04, 02:26
hi iasus,

I clicked that link and was prompted to save a file. Try again:

http://www.merijn.org/files/HijackThis.exe

Click the Save button and save it to your desktop; it's the .exe version, no "unzipping" needed.
Once you find it on your desktop, right-click somewhere on the desktop, select New, then Folder. A "New Folder" should appear. Hit the backspace key and rename the folder HJT. Hold the cursor over the HJT icon, click the right mouse button and drag the HJT icon (holding the right mouse button down) to the new folder, release the mouse button and select Move Here. HJT should now be in the HJT folder.
See if that works.

shelf life

iasus
2006-04-05, 16:03
Shelf life,
As requested, HJT log/report - many thanx for the simple instructions!

Logfile of HijackThis v1.99.1
Scan saved at 15:02:16, on 05/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\PROGRA~1\HomeBase\homebase.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Russell\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R3 - URLSearchHook: (no name) - {AC752366-B042-30E2-A7B8-0354BF830A06} - ATLIEHELPER.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - Startup: HomeBase.lnk = C:\Program Files\HomeBase\UNWISE.EXE
O4 - Startup: Update HomeBase.lnk = C:\Program Files\HomeBase\WiseUpdt.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140538194700
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143703560032
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC2C81-3CF8-410D-AC06-6A4CD7160D79}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

shelf life
2006-04-05, 22:44
hi iasus,

OK, good. Your log doesn't look bad. OK, we will use HJT to clean it up:

Scan with HJT, put a checkmark beside the items below, close all windows and click Fix checked.

R3 - URLSearchHook: (no name) - {AC752366-B042-30E2-A7B8-0354BF830A06} - ATLIEHELPER.dll (file missing)

O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\system32\winbrume.dll
------------------------------------
Also do this:

Start > Settings > Control Panel > click the Internet Options icon.

Next:

Click on Delete Cookies.

Click on Delete Files, make sure Delete all offline content is checked and then click on OK.


Then click on Settings, then click on View Files. If there is anything in there, delete what you can
(Edit > Select All, then File > Delete).

Then at the top in the address bar, at the end where it says:

\Temporary Internet Files

change it to \Temp, then hit Enter and delete what you can in there.
-------------------------
Reboot the computer once, scan and save the HJT log file like you did before, then copy/paste the new log in your next reply......... shelf life

PS: do you know what this file is: HomeBase? Did you install that?

iasus
2006-04-06, 10:22
shelf life,

Thanx for the instructions. Followed them up until the View Files part, when an EMPTY TIF window appeared. Closed all previous windows from that operation until back to the MSN homepage (that's the only URL in the address bar on the page). Do I still need to change the TIF's page to \Temp and delete, or have these all been removed anyway? Need I do anything more - my apologies if I've missed anything simple or done something wrong - I really am a technophobe!!

I am a bookseller and HomeBase is a book inventory management software tool/program to upload files/book info via FTP, which I downloaded myself from abebooks.com.

Here's the scan anyway, below.

Logfile of HijackThis v1.99.1
Scan saved at 09:05:53, on 06/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\HomeBase\homebase.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Russell\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - Startup: HomeBase.lnk = C:\Program Files\HomeBase\UNWISE.EXE
O4 - Startup: Update HomeBase.lnk = C:\Program Files\HomeBase\WiseUpdt.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140538194700
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143703560032
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC2C81-3CF8-410D-AC06-6A4CD7160D79}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

PS, my AVG (CA EZ Antivirus) is trying to prompt me to update, but the operation keeps failing - is this temporary until we fix this problem? As far as I know I only have Zone Alarm and maybe the Windows firewall activated.
Thanx for your clarity.

shelf life
2006-04-07, 00:01
hi iasus,

Log looks OK, don't worry about the TIF.


My AVG (CA EZ Antivirus) is trying to prompt me to update

You have two antivirus? AVG and CA EZ? It's OK as long as only one is resident; really one is sufficient. I only see the EZ in the log. Which one is failing to update? Did you try manually updating it, or is it set to automatically check for updates? I don't think it's related to anything in your log.

Since you run Zone Alarm it would be a good idea to make sure the XP built-in firewall is off. Start > Settings > Control Panel > look for the Security icon? I think.

shelf life
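
The two logs above, worked through as an added example (not part of the original posts, and not HijackThis code): the R3 and O2 winbrume.dll entries that were checked for Fix checked are gone from the second log, but the four O17 NameServer entries are unchanged. An O17 line means the adapter's DNS servers are set statically in the registry, so every name the machine resolves is answered by those servers rather than the ISP's. Both addresses here (85.255.116.83 and 85.255.112.176) sit in 85.255.112.0/20, a block the FBI later published as one of the DNSChanger (Rove Digital) rogue resolver ranges during the 2011 takedown; a practitioner would clear those static values so the adapter returns to DHCP-supplied resolvers and confirm with `ipconfig /all` afterwards. The script parses the R/O entry lines of a log, diffs a before/after pair, and flags O17 resolvers that fall inside the published ranges. The range list is the assumption; the embedded log excerpts are trimmed copies of the two logs posted in this thread.

```python
"""Triage helper for HijackThis logs (added example, not part of this thread
or of HijackThis): diff a "before" and "after" log to see what a Fix-checked
pass removed, and flag O17 NameServer entries inside published rogue ranges."""
import ipaddress
import re

# Assumption: the rogue resolver ranges published by the FBI for the 2011
# DNSChanger / Rove Digital takedown. 85.255.112.0/20 contains both resolver
# addresses in the thread's O17 lines; the rest make the check general.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Only R*/O* entry lines are triaged; the header and process list are skipped.
ENTRY_RE = re.compile(r"^(R[0-4]|O\d{1,2}) - ")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")

# Excerpts of the two logs posted in this thread (05/04/2006 and 06/04/2006),
# trimmed to the entries this example is about.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {AC752366-B042-30E2-A7B8-0354BF830A06} - ATLIEHELPER.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C8F21DFE-B35C-4274-82EC-1E072D09025E} - C:\WINDOWS\system32\winbrume.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC2C81-3CF8-410D-AC06-6A4CD7160D79}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
"""

AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC2C81-3CF8-410D-AC06-6A4CD7160D79}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
O17 - HKLM\System\CS3\Services\Tcpip\..\{0E70E380-F486-4015-819A-1492873B33A6}: NameServer = 85.255.116.83,85.255.112.176
"""


def parse_entries(log_text):
    """Return the R*/O* entry lines of an HJT log, stripped, in log order."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line):
            entries.append(line)
    return entries


def nameservers(entry):
    """Resolver IPs listed in an O17 entry; [] for any other entry."""
    if not entry.startswith("O17 - "):
        return []
    m = NAMESERVER_RE.search(entry)
    if not m:
        return []
    return [ip.strip() for ip in m.group(1).split(",") if ip.strip()]


def classify_nameserver(ip):
    """Return the rogue range (as a string) that contains ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in ROGUE_DNS_RANGES:
        if addr in net:
            return str(net)
    return None


def rogue_dns(entries):
    """Sorted, de-duplicated rogue resolver IPs across all O17 entries."""
    hits = set()
    for entry in entries:
        for ip in nameservers(entry):
            if classify_nameserver(ip):
                hits.add(ip)
    return sorted(hits)


def triage(before_text, after_text):
    """Diff two logs and report what was removed and what still needs fixing."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    after_set = set(after)
    return {
        "removed": [e for e in before if e not in after_set],
        "persisting_o17": [e for e in after if e.startswith("O17 - ")],
        "rogue_dns": rogue_dns(after),
    }


if __name__ == "__main__":
    report = triage(BEFORE_LOG, AFTER_LOG)
    for key, value in report.items():
        print(key)
        for item in value:
            print("  ", item)
```

Run as a script it lists the two removed entries, the four surviving O17 lines and the two flagged resolvers. The range check is the portable part: `classify_nameserver` works on any O17 line, and because it uses the `ipaddress` module rather than string prefixes it handles the whole /20 rather than just the two addresses seen here.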

iasus
2006-04-07, 11:04
Hi again, shelf life,
Whilst AVG (Grisoft) is the brand name, I was using AvG as a generic term - my fault! I was using Grisoft(freeware) but it caused conflict with my email.I switched to CA EZ to resolve that, then I had the spyware/malaware drop on me!It's the EZ avg that is failing to update.I have it set to automatic update,but I still get the update icon in task bar and when clicking on that it runs but fails to upload.From that I'm advised to check proxy server settings[I'm 4MB broadband],check firewall,config EZ firewall (or is that not needed?) making sure following is enabled/allows permanent internet access:VetMsg.exe, ISafe.exe, ISafeInst.exe, caavTray.exe,Autodown.exe and CAFIX.exe.[I don't think EZ Firewall is installed - it's not part of the free trial?]Check and view other sites/favourites (those unavailable - before this stage of the fix,IE stopped responding when accessing a secure,sign on page, no response from cursor when trying to sign on,(sent error report to M$) - now I can sign on,next page says I'm signed on, then seconds later,page goes back to sign on page with message saying I need to be signed on to view!! Advised to check own Internet settings, and if unsure contact my ISP.
If I try the EZ update window within the program -update fails and error message "Fatal error 3 during download.Please see log file C:\ProgramFiles\CA\eTrustInternetSecuritySuite\eTrustEZAntivirus\autodown.log for more info" occurs.Latest update failure was about 30 mins ago,0918,07/04/06.
Have tried to disable Windows Firewall, but after following your instructions,I get error message "Due to an unidentified problem, Windows cannot display Windows Firewall settings".
Any help/advice greatly appreciated and thank you for your patience and understanding.

shelf life
2006-04-08, 01:09
hi iasus,

OK, so you only have one antivirus, it's Computer Associates (CA) EZ.
I don't know if the trial version of CA-EZ comes with the firewall or not, but from the looks of your log I only see the Zone Alarm firewall.
Does the trial version include CA support? Can you search their site with the "Fatal error 3" message?

For the Windows Firewall message, see if this link helps:
http://windowsxp.mvps.org/sharedaccess.htm
------------------------
Since you are still on a trial basis with CA, I can provide links to 2 other free-for-home-users antivirus if you want to try them.
--------------------------
But before all that, LonnyRJones suggests that you download and run the trial version of F-Secure BlackLight.

Click the I Accept button then download:

http://www.f-secure.com/blacklight/try.shtml

Helpful to read this first:
http://www.f-secure.com/blacklight/help/#whatis
----------------------------------------------------
----------------------------------------------------

tashi
2006-04-13, 17:30
How is it going, iasus?

iasus
2006-04-14, 10:28
shelf life,
Thanx for your reply, my apologies for my absence and my late reply.
Read the Windows links, understand that - but I really am a technophobe - and felt timorous about the Run Command Prompt bit (cmd.exe?) Means? How to? Unsure about Launch applet from Control Panel (this is the Windows Firewall icon - right?) to config WF settings. (What are the parameters/guidelines - is this a default/advanced thing or am I prompted in choices? I get a message also that my current settings prohibit ActiveX controls - do I enable this?

As I have ZA Firewall, I checked that and noticed that the Windows Firewall box was ticked, disabling WF. Is this why I get the original Windows error message? Do I need to enable Windows FW here? I haven't downloaded the Windows sharedaccess link thing yet. I looked at the BlackLight thing and feel confident in running that, but haven't done that yet either, until the Windows FW is sorted. You can send the other two links you mentioned.

I looked at the CA EZ Antivirus support pages - some answers but not all - I'll try again. (BTW, the flashing CA automatic download updates icon with ? indicating download error/failed has, today, disappeared!) No doubt it'll be back at the next failed update!

Thanx again for your patience and understanding.
Cheers, iasus.

iasus
2006-04-14, 10:32
tashi,
Thanx for your enquiry. Have just replied to shelf life, explaining how far I haven't got!!! My fault - not theirs!!!
Have a great Easter break.
iasus. [technophobe!]

shelf life
2006-04-14, 22:10
hi iasus,

OK, the two other links for antivirus (free for home users).
If you try one, uninstall CA EZ via the Add/Remove Programs panel first and reboot once after the uninstall process. Then install the new antivirus.

http://www.avast.com/eng/free_virus_protectio.html
http://www.free-av.com/
-----------------------
Hold off on the link about the Windows Firewall fix for now.

You have Zone Alarm, so yes, you should disable Windows Firewall:
Go to Start > Settings > Control Panel or Start > Control Panel.
Click the Security Center icon.
Down near the bottom it says you can manage security settings for the firewall.
Click on the Windows Firewall icon, make sure it's off.


Then to the right under Resources, there is a link: "Change the way Security Center alerts me". Click that and make sure Firewall isn't checked.
That should stop the "popups" about Windows Firewall.
--------------------------------------
shelf life

tashi
2006-04-22, 01:50
This topic will be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.