Please Help!

gegwilson
2006-04-07, 12:34
I've recently received my computer back from a 'friend' who I lent it to for a while while I was away. It's now full of viruses and other nasties. I've run loads of virus scanners and Spybot, but everything just keeps coming back and the internet grinds to a halt every time I use it. I need help!

My HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 08:30:08, on 07/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad6.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsotl.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122132570671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143409678203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NtDIC(ntdic) (NtDIC) - Unknown owner - C:\WINDOWS\system32\icntrl.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

pskelley
2006-04-07, 14:24
Hi Greg and welcome to the forum. You do indeed have a nasty infection and we will be about the business of cleaning it up soon. First we have another major issue.

You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206 I would like this done first, but because of the severity of the infection, you may not be able to do so. It would be best if you can do this first if possible.

Thanks to Metallica and any others who helped with this fix.

Instructions for the removal process start here; it is important that you follow the directions.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

There will be more to do.

Thanks...pskelley
Safer Networking Forums

gegwilson
2006-04-11, 10:39
Thanks for your help so far - I really appreciate it.

I've followed your instructions - I'm down to one anti-virus program and have installed all the programs and run them like you said.

The Ewido text report is as follows:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:24:03, 10/04/2006
+ Report-Checksum: 3B0FBC49

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LABK9Q3\zo[2].exe/mmxxxxmas2.exe -> Downloader.VB.jl : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LABK9Q3\zo[2].exe/themasterz.exe -> Hijacker.Small.hh : Cleaned with backup
C:\WINDOWS\system32\mtrui.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\system32\EZSMDB32.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ukrrtosa.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m2nq0c55ef.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\muhtml.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hp2023fmg.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\awsmsext.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv2ql9f51.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\repairs302972988.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\GWILSON\Local Settings\Temp\mit8.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\GWILSON\Local Settings\Temp\mit8.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\GWILSON\Local Settings\Temp\ICD1.tmp\WinATS.dll -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@bulldog.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@bluestreak[3].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@banners.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@as-us.falkag[3].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@sel.as-us.falkag[3].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\GWILSON\Cookies\gwilson@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP178\A0041729.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP178\A0041730.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP178\A0041731.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0050268.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0050269.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0050270.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051248.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051253.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051258.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051262.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051380.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051382.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051390.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051391.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052443.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052444.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052445.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052458.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052463.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052470.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052475.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052478.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0052483.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054639.exe -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054641.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054642.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054643.exe -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054648.dll -> Adware.CommAd : Cleaned with backup
C:\zoo.exe/mmxxxxmas2.exe -> Downloader.VB.jl : Cleaned with backup
C:\zoo.exe/themasterz.exe -> Hijacker.Small.hh : Cleaned with backup


::Report End

and the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:30:05, on 10/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad6.exe
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsotl.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122132570671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143409678203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NtDIC(ntdic) (NtDIC) - Unknown owner - C:\WINDOWS\system32\icntrl.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

I look forward to your reply. Thanks again.

Gareth
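Added example (not from this thread, and not ewido's own code): a small Python summariser for a scan report in the "path -> family : action" shape Gareth posted above. It groups detections by family prefix and by where each file lived, so that restore-point copies and files nested inside a dropper or archive are separated from live files on disk. The excerpt it runs on is constructed from a few lines of the report; the grouping rules are the editor's own.

```python
"""Summarise an ewido-style scan report by threat family and by file location.

Added example, not part of the forum thread or of ewido. The report excerpt is
constructed to match the format posted in the thread; grouping rules are the editor's.
"""
import re
from collections import Counter

# Constructed excerpt: a handful of lines in the report's "path -> family : action" shape.
SAMPLE_REPORT = """\
+ Scan result:

C:\\WINDOWS\\system32\\mtrui.dll -> Adware.Look2Me : Cleaned with backup
C:\\WINDOWS\\system32\\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\\Documents and Settings\\GWILSON\\Local Settings\\Temp\\mit8.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\\Documents and Settings\\GWILSON\\Cookies\\gwilson@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\\System Volume Information\\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\\RP181\\A0051248.dll -> Adware.Look2Me : Cleaned with backup
C:\\zoo.exe/mmxxxxmas2.exe -> Downloader.VB.jl : Cleaned with backup

::Report End
"""

# One detection per line: <path> -> <Family.Variant> : <action taken>
LINE_RE = re.compile(r"^(.*?) -> (\S+) : (.*)$")


def parse_report(text):
    """Yield (path, family, action) for each detection line; headers and blanks are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def location_of(path):
    """Classify where a detection lived: System Restore copy, inside a container, or live file."""
    if "\\System Volume Information\\_restore" in path:
        # Restore-point copies come back if the point is restored; they need cleaning too,
        # but they were not running on the box.
        return "restore point"
    if "/" in path:
        # The report writes container/member for a find inside an archive or dropper.
        return "inside container"
    return "live file"


def summarise(text):
    """Return counts by family prefix and by location, plus the live non-cookie paths."""
    families = Counter()
    locations = Counter()
    live_non_cookie = []
    for path, family, _action in parse_report(text):
        families[family.split(".")[0]] += 1      # Adware.Look2Me -> Adware
        loc = location_of(path)
        locations[loc] += 1
        if loc == "live file" and not family.startswith("TrackingCookie"):
            # Cookies are noise; live executables and DLLs are what was actually active.
            live_non_cookie.append(path)
    return {
        "families": dict(families),
        "locations": dict(locations),
        "live_non_cookie": live_non_cookie,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    print("by family:  ", summary["families"])
    print("by location:", summary["locations"])
    print("live, non-cookie:")
    for p in summary["live_non_cookie"]:
        print("   ", p)
```

On the full report above, the same split shows most entries are tracking cookies or restore-point copies, and only a handful of live DLLs in system32 were doing the actual damage.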

pskelley
2006-04-11, 14:43
Good morning Gareth and thanks for returning the information. Let me first point out that your Java program is outdated and that is a security issue and might be the reason you got the infection: Please use the information in this link to close that security breach: http://forums.spybot.info/showthread.php?t=2559

ewido anti-malware - Scan report Created on: 22:24:03, 10/04/2006
Looks like ewido was able to clean all it found, no surprises. I see bad stuff in your System Restores files and we will clean them before we finish.

A check of valid services here: http://castlecops.com/O23.html returns nothing on this item:
O23 - Service: NtDIC(ntdic) (NtDIC) - Unknown owner - C:\WINDOWS\system32\icntrl.exe (file missing) but a search for icntrl.exe returns this:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-26,GGLD:en&q=icntrl%2Eexe You have a nasty trojan here: http://www.sophos.com/virusinfo/analyses/w32tileboteg.html You need to review the information under all tabs in that link. Your security has been severely compromised, and you will need to take some action.
Allows others to access the computer
Downloads code from the internet
Reduces system security
Installs itself in the Registry
Exploits system or software vulnerabilities

Let's get rid of that item first:
1) Disable the offending Service
Click Start > Run and type services.msc
Scroll down to NtDIC and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.


2) Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type NtDIC and press OK.
OK any prompts, close HijackThis, and restart your computer.


3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard6.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad6.exe
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsotl.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsotl.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
(next two, if you do not use the Alexa toolbar, then check and remove these resource wasters)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O23 - Service: NtDIC(ntdic) (NtDIC) - Unknown owner - C:\WINDOWS\system32\icntrl.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

search for and delete these files if still present

msconfig32.exe

mscdconf.exe

microsotl.exe

c:\windows\keyboard6.exe

c:\windows\mousepad6.exe

C:\WINDOWS\system32\icntrl.exe

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post a new HJT log, let me know how you are running.

Thanks...Phil
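Added example (not from this thread, and not part of HijackThis): a Python triage pass over HijackThis-style log lines that applies the same reasoning Phil used by hand above. It flags O4 Run entries whose value is a bare file name with no path, RunServices entries on an NT-family Windows (the header says WinNT 5.01; that key is only processed by Windows 9x/ME, so on XP it is almost always a worm writing to every Run-type key it knows), O23 services with no vendor whose binary is missing, and the SearchAssistant reset to about:blank. The sample log is constructed from a few lines of the log in the thread; the rules are the editor's own heuristics.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example, not part of the forum thread or the HijackThis project. The sample
log is constructed from lines of the kind seen in the thread; the rules are the editor's.
"""
import re

# Constructed sample: a few O4 / O23 / R0 lines modelled on the log in the thread.
SAMPLE_LOG = """\
Platform: Windows XP SP1 (WinNT 5.01.2600)
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKLM\\..\\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O23 - Service: NtDIC(ntdic) (NtDIC) - Unknown owner - C:\\WINDOWS\\system32\\icntrl.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\\WINDOWS\\SYSTEM32\\slserv.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
R_RE = re.compile(r"^R[01] - (.*?) = (.*)$")


def executable_of(command):
    """Return the program part of an O4 command line, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def is_nt_platform(lines):
    """True when the log header names an NT-family Windows (NT4/2000/XP/2003)."""
    return any(line.startswith("Platform:") and "WinNT" in line for line in lines)


def triage(log_text):
    """Return a list of (line, reason) pairs that deserve a human's attention."""
    lines = log_text.splitlines()
    nt = is_nt_platform(lines)
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            hive, key, _name, command = m.groups()
            exe = executable_of(command)
            if "\\" not in exe and ":" not in exe:
                # A bare file name is resolved through the search path at logon, so the
                # entry gives no hint where the binary lives. Some legitimate vendors do
                # it too (SOUNDMAN.EXE sits in C:\WINDOWS), so this is a prompt to go and
                # locate the file, not a verdict.
                findings.append((line, f"bare file name '{exe}' under {hive}\\{key}"))
            if nt and key.startswith("RunServices"):
                # NT-family Windows never reads RunServices; entries here are almost
                # always left by malware that writes to every Run-type key it knows.
                findings.append((line, "RunServices key is Win9x-only; unused on this platform"))
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, path = m.groups()
            if "(file missing)" in path and owner in ("Unknown owner", ""):
                # A service with no vendor string whose binary has already been removed
                # by a scanner is the classic leftover of a dropped trojan service.
                findings.append((line, f"service '{svc}' has no vendor and its binary is gone"))
            continue
        m = R_RE.match(line)
        if m and m.group(1).endswith("Search,SearchAssistant") and m.group(2) == "about:blank":
            findings.append((line, "SearchAssistant reset to about:blank (hijacker residue)"))
    return findings


if __name__ == "__main__":
    for flagged_line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {flagged_line}")
```

Run against the log posted above, this reproduces Phil's list: the msconfig32.exe, mscdconf.exe and microsotl.exe entries, the RunServices copies, and the NtDIC service. It does not catch lookalike names such as "Microsft Computer Data Conf"; that kind of typo still needs a human eye, which is why SOUNDMAN.EXE is deliberately left in the sample as a bare-name entry that turns out to be legitimate.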

gegwilson
2006-04-12, 12:19
Morning Phil

I've done as you said. Last night the computer was running very badly. As soon as I'd connect to the internet the start bar would freeze and I wouldn't be able to open Internet Explorer or Windows Explorer. When I shut down I got 'not responding' messages for Messenger and the connections tray. It then got stuck on the 'Windows is logging off' screen so I had to force a shutdown. That said, this morning it was running great, but I only had it on for a couple of minutes. I'll try it for longer tonight and let you know how it goes.

My new HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 07:31:51, on 12/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122132570671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143409678203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

pskelley
2006-04-12, 15:22
Hi Gareth. First, let me say the HJT log looks clean, to start on an up note. Now, this was a nasty infection, and I was hoping the script from Metallica would fix it, because that does a better job. Since we had to remove all of the junk manually, it may be that we could not get it all, and I would like you to run that script again. Please note, you will not see anything happening; it is over quickly. I just want to see if it will clean anything we missed. I will post it again for you, and I hope you have not removed the tool yet:

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal Windows.


"As soon as I'd connect to the internet the start bar would freeze and I wouldn't be able to open internet explorer or windows explorer."
This could be something else? Keep a record of the "word for word" error messages and post them for me. Since we have a clean HJT log, keep me posted after you run the BFU. Give me as much information as possible.

Here are some suggestions, since all issues are not malware related, you want to make sure your maintenance is up to date, especially after removing all of that junk. Defrag and scandisk, etc. Might be best to run them in safe mode.
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html

I also think it would be good to look at a diagnostic. You can run one free here: http://www.pcpitstop.com/ and if you do not understand anything, post here for help with that: http://pcpitstop.invisionzone.com/index.php?showforum=6 I would appreciate it if you would link me to those results so I can see them.

Keep me posted

Thanks...Phil

gegwilson
2006-04-13, 19:25
Hi Phil

I'm afraid things aren't going well with my PC. I tried to install Service Pack 2 to get my machine up to date. It downloaded OK, but I then got the message 'Updates were unable to be installed'. I then ran the online scan from Panda to see if that would tell me anything and got the following results:


Incident Status Location

Adware:Adware/WinTools Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DAR0PIF\zo[1].exe[mmxxxxmas2.exe]
Virus:Trj/LowZones.RK Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DAR0PIF\zo[1].exe[themasterz.exe]
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\microsot1.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\system32\bk.exe
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Adware:Adware/CommAd Not disinfected C:\WINDOWS\R2FyZXRoIFdpbHNvbg\lZIVtrlCKIxDvJhSv0.vbs
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\GWILSON\Cookies\gwilson@adtech[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\GWILSON\Cookies\gwilson@tribalfusion[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\GWILSON\Cookies\gwilson@maxserving[1].txt
Adware:Adware/WinTools Not disinfected C:\blue.exe[mmxxxxmas2.exe]
Virus:Trj/LowZones.RK Not disinfected C:\blue.exe[themasterz.exe]

Some of this looks worryingly familiar, as do some of the entries in the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:13:53, on 13/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsot1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122132570671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143409678203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

I also happened to look at my internet security settings. They were set to custom, with everything turned off, presumably the work of one of the infections. I've reset all these to default now.

What to do next???

Gareth

pskelley
2006-04-13, 20:12
Hello Gareth. You should not have tried to install Service Pack 2 while this clean up is still in progress. http://news.com.com/XP+owners+shunning+security+update/2110-1002_3-5776622.html
See the instructions from Microsoft:
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
What you should know
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx

Instructions start here:

Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsot1.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Use these instructions to start the computer in safe mode:

http://www.bleepingcomputer.com/tutorials/tutorial61.html

Search for these files or folders and delete them:

C:\blue.exe[mmxxxxmas2.exe]

C:\blue.exe[themasterz.exe]

C:\WINDOWS\ubber60.ini

C:\WINDOWS\R2FyZXRoIFdpbHNvbg\lZIVtrlCKIxDvJhSv0.vbs <<< folder

C:\WINDOWS\system32\bk.exe

C:\WINDOWS\system32\microsot1.exe

(I have never seen this before: a Temporary Internet Files folder in the c:\Windows\System32\ folder?? If they are there, which Panda says they are, delete the content of the TIF folder.)

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DAR0PIF\zo[1].exe[mmxxxxmas2.exe]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DAR0PIF\zo[1].exe[themasterz.exe]

C:\Documents and Settings\GWILSON\Cookies\gwilson@adtech[2].txt
C:\Documents and Settings\GWILSON\Cookies\gwilson@tribalfusion[1].txt
C:\Documents and Settings\GWILSON\Cookies\gwilson@maxserving[1].txt
(Delete all cookies in the Cookies folder, not the folder itself.)


Empty the Recycle Bin and restart the computer.

Please do an online scan with Kaspersky Online Scanner

http://www.kaspersky.com/virusscanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

The program will launch and then start to download the latest definition files.

Once the scanner is installed and the definitions downloaded, click Next.

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives

Scan Mail Bases

Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post along with a new HJT log.

Thanks
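
The check done by hand in the replies above, comparing the O4 lines of one HJT log with the next and noticing that microsot1.exe is listed with no path at all, can be automated. The following is an added example, not code from this thread or from HijackThis: a small Python parser for HijackThis 1.99 O4 lines that diffs two logs and flags the entries a helper would look at first. The sample logs are constructed from the O4 lines quoted in this thread, and the flag rules are the example's own.

```python
"""Parse HijackThis 1.99 O4 (autostart) lines, diff two logs, flag entries.

Added example; not part of the thread or of HijackThis. The sample logs are
constructed from the O4 lines quoted in the thread (12/04 before, 13/04
after the worm re-appeared). The flag rules are this example's own.
"""
import re

OLD_LOG = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

NEW_LOG = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsot1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - HKLM\..\Run: [name] command"  (registry autostart)
_REG_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): \[(.*?)\] (.*)$")
# "O4 - Global Startup: name.lnk = path"  (startup folder shortcut)
_STARTUP_RE = re.compile(r"^O4 - (\w+ Startup|Startup): (.*?) = (.*)$")
# First executable in a command line, quoted or not, arguments dropped.
_IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))"?(?=\s|$)', re.I)


def command_image(command):
    """Return the program a Run value launches, without quotes or arguments."""
    m = _IMAGE_RE.match(command.strip())
    if m:
        return m.group(1)
    return command.strip().split()[0].strip('"')  # fallback: first token


def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, name, command, image."""
    entries = []
    for line in log_text.splitlines():
        m = _REG_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
        else:
            m = _STARTUP_RE.match(line.strip())
            if not m:
                continue
            key, name, command = m.groups()
            hive = None
        entries.append({"hive": hive, "key": key, "name": name,
                        "command": command, "image": command_image(command)})
    return entries


def flag_entry(entry):
    """Reasons a helper would look twice at an autostart entry (prompts, not verdicts)."""
    flags = []
    bare = "\\" not in entry["image"]
    if bare:
        flags.append("bare filename: resolved by PATH search, so its location is unknown")
    if entry["key"].startswith("RunServices"):
        flags.append("RunServices key: Windows 9x-only, no normal use on XP")
    if bare and entry["name"].lower().startswith("microsoft"):
        flags.append("Microsoft-sounding name but no Microsoft path")
    return flags


def _entry_key(e):
    return (e["hive"], e["key"], e["name"].lower(), e["command"].lower())


def new_entries(old_log, new_log):
    """O4 entries present in new_log that were absent from old_log."""
    seen = {_entry_key(e) for e in parse_o4(old_log)}
    return [e for e in parse_o4(new_log) if _entry_key(e) not in seen]


if __name__ == "__main__":
    for e in new_entries(OLD_LOG, NEW_LOG):
        print("NEW:", e["hive"], e["key"], e["name"], "->", e["image"])
    for e in parse_o4(NEW_LOG):
        for reason in flag_entry(e):
            print("FLAG:", e["name"], "-", reason)
```

A "bare filename" flag is a prompt to look, not a verdict: SOUNDMAN.EXE is a legitimate sound-driver entry that trips the same rule, while the two microsot1.exe lines collect every flag.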

gegwilson
2006-04-15, 18:30
Hi Phil

I've done as you said. Here are the logs:

KASPERSKY ON-LINE SCANNER REPORT
Friday, April 14, 2006 12:29:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/04/2006
Kaspersky Anti-Virus database records: 188111


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 59905
Number of viruses found 18
Number of infected objects 57
Number of suspicious objects 0
Duration of the scan process 00:39:06

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

C:\WINDOWS\DHU.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped

C:\WINDOWS\DHU.exe NSIS: infected - 1 skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052467.exe.bac_a00720/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052467.exe.bac_a00720/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052467.exe.bac_a00720/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052467.exe.bac_a00720 ZIP: infected - 3 skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052467.exe.bac_a00720 WiseSFX Dropper: infected - 3 skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052467.exe.bac_a00720 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052465.exe.bac_a00720 Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\Installer.exe.bac_a00720 Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052459.dll.bac_a00720 Infected: not-a-virus:AdWare.Win32.Mirar.a skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0051234.DLL.bac_a00720 Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\iWssdo.dll.bac_a00720 Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\irlogmsg.dll.bac_a00720 Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\A0052441.exe.bac_a00720 Infected: not-a-virus:AdWare.Win32.MediaMotor.k skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\command.exe.bac_a00720 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\SS1001.exe.bac_a00720/data0010 Infected: Trojan-Dropper.Win32.Small.qn skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\SS1001.exe.bac_a00720 NSIS: infected - 1 skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\SS1001.exe.bac_a00720 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\GWILSON\.housecall\Quarantine\asappsrv.dll.bac_a00720 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051316.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0051316.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054646.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054646.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054647.exe/data0010 Infected: Trojan-Dropper.Win32.Small.qn skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP181\A0054647.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056794.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056795.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056796.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056797.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056798.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056799.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056800.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056801.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056802.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056803.exe/mmxxxxmas2.exe Infected: Trojan-Downloader.Win32.VB.jl skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056803.exe/themasterz.exe Infected: Trojan-Clicker.Win32.Small.hh skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056803.exe/vipz.exe Infected: Trojan-Downloader.Win32.Adload.ab skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP182\A0056803.exe CAB: infected - 3 skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP184\A0059944.exe Infected: Backdoor.Win32.Rbot.gen skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059978.exe/data.rar/mmxxxxmas2.exe Infected: Trojan-Downloader.Win32.VB.jl skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059978.exe/data.rar/themasterz.exe Infected: Trojan-Clicker.Win32.Small.hh skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059978.exe/data.rar/vipza.exe Infected: Trojan-Downloader.Win32.Adload.aj skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059978.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.aj skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059978.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059980.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059980.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059980.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059980.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059980.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059980.exe CAB: infected - 5 skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059989.exe/data.rar/mmxxxxmas2.exe Infected: Trojan-Downloader.Win32.VB.jl skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059989.exe/data.rar/themasterz.exe Infected: Trojan-Clicker.Win32.Small.hh skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059989.exe/data.rar/vipza.exe Infected: Trojan-Downloader.Win32.Adload.aj skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059989.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.aj skipped

C:\System Volume Information\_restore{651C2CFC-F752-4A3A-B20F-9A2CD1752606}\RP185\A0059989.exe RarSFX: infected - 4 skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 18:13:53, on 13/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsot1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122132570671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143409678203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Gareth

pskelley
2006-04-15, 19:32
Hi Gareth. Understand that I keep giving you instructions and you never tell me you were not able to complete the instruction, so I believe they are done. You must tell me when you cannot complete an instruction. This repair has been very difficult because of this lack of communication. :(

First follow these instructions:
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

You must have all files and folders enabled or you cannot see this junk:
Then, with all files and folders enabled: double-click My Computer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

You may have to boot into safe mode to remove a few of these, I will save those until last.

C:\Documents and Settings\GWILSON\.housecall\Quarantine\ <<< open that quarantine folder and delete all of the contents.

C:\System Volume Information\_restore <<< These are your System Restore files and I was going to do this last, but let's do it now.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

This is the part that may require safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html

C:\WINDOWS\system32\i <<< delete this file

C:\WINDOWS\DHU.exe/data0001 <<< delete this file

C:\WINDOWS\system32\microsot1.exe <<< file W32/Gaobot.gen.worm, must be deleted. Understand that this is the worm that has caused all of your problems and you must be sure it is gone from the computer.

Gareth, These two lines are still in your HJT log:
O4 - HKLM\..\Run: [Microsoft Configuration 35] microsot1.exe G
O4 - HKLM\..\RunServices: [Microsoft Configuration 35] microsot1.exe

Were you successful in deleting this: microsot1.exe?

see this information: http://www.superadblocker.com/definition/microsotl/
and this: http://virusinfo.prevx.com/pxparall.asp?PXC=3dc515011728

Did you remove the lines from HJT once you deleted the file?

Panda shows the file as being here: C:\WINDOWS\system32\microsot1.exe

If you look at the information in the prevx link above, they are saying:

MICROSOTL.EXE may use 35 or more path and file names, these are the most common

As soon as you are sure this is gone, that you have deleted it: C:\WINDOWS\system32\microsot1.exe
then do this:
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.


Use Search Companion to make sure it is gone from the computer.

Use HJT to remove the two lines, then run another Kaspersky scan and post the scan results and a clean HJT log.

Thanks
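The checks pskelley asks for above (show hidden files, confirm the listed files are deleted, search the drive for other copies, and confirm the two O4 autorun entries are gone) can be done from a script instead of clicking through Explorer and HijackThis. The following is an added example, not part of the original thread and not a tool the helper recommended. It assumes a current Windows PowerShell (Get-FileHash needs version 4 or later, so it is not what the XP machine in this thread would have had), an elevated prompt, and the file paths and registry value name quoted in the post; it reads the scanner's `DHU.exe/data0001` as content inside `C:\WINDOWS\DHU.exe` and therefore checks that file, which is my interpretation, not something the post states.

```powershell
# Added example (not from the original thread): verify the cleanup steps the helper listed.
# Assumes an elevated Windows PowerShell 4+ prompt. Paths and the "Microsoft Configuration 35"
# value name are taken from the post above; everything else is constructed for illustration.

# 1. Folder Options > View, done via the registry values that dialog writes
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # "Show hidden files and folders"
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # uncheck "Hide protected operating system files"
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord   # uncheck "Hide extensions for known file types"

# 2. Files the helper asked to have deleted (DHU.exe is assumed to be the container for "DHU.exe/data0001")
$files = @(
    "$env:SystemRoot\system32\microsot1.exe",
    "$env:SystemRoot\system32\i",
    "$env:SystemRoot\DHU.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force     # -Force so hidden/system files are not skipped
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output ("STILL PRESENT: {0}  {1} bytes  attrs={2}  sha256={3}" -f $f, $item.Length, $item.Attributes, $hash)
    } else {
        Write-Output "gone: $f"
    }
}

# 3. The "Search Companion" step: look for other copies anywhere on the system drive, hidden ones included
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'microsot1.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("copy found: {0}" -f $_.FullName) }

# 4. The two O4 entries from the HJT log: HKLM Run and RunServices, value "Microsoft Configuration 35"
$valueName = 'Microsoft Configuration 35'
foreach ($key in 'Run', 'RunServices') {
    $path  = "HKLM:\Software\Microsoft\Windows\CurrentVersion\$key"
    $entry = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $entry) {
        Write-Output ("AUTORUN STILL SET: {0}\{1} = {2}" -f $path, $valueName, $entry)
        # Only after the file itself is confirmed deleted, remove the entry with:
        # Remove-ItemProperty -Path $path -Name $valueName
    } else {
        Write-Output "autorun entry absent: $path\$valueName"
    }
}
```

The order matters: delete the file first and the registry value second, otherwise a still-present worm can simply rewrite its own Run entry on the next boot, which is why the helper keeps asking whether the file is actually gone before the HJT lines are fixed. Step 4 only reports; the commented-out Remove-ItemProperty line is the removal.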

tashi
2006-04-22, 01:51
This topic will be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.