Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!. .

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Please download FixWareout from one of these sites:

• http://forums.subratam.org/index.php?act=Attach&type=post&id=43811
• http://swandog46.geekstogo.com/Fixwareout.exe

And save it to your desktop.

Unplug your computer from the Internet when you have finished downloading

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate FixWareout.exe and run it.

• Click Next, then Instal
• Make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

When your system reboots, follow the prompts.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

O17 - HKLM\System\CCS\Services\Tcpip\..\{08D8DA42-BC92-4410-B7DD-2E7D25F87049}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E72861C-4A8F-443C-AFFD-CD1DCBE6AA7F}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C31373F-AB3E-4EF0-AEC6-E31EC2C4AA38}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC7A9B18-AA1D-413B-AFA1-BF8C32625D11}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2F96C86-E927-49F4-AEED-37C58A29F783}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D8DA42-BC92-4410-B7DD-2E7D25F87049}: NameServer = 85.255.116.101,85.255.112.184

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT YOUR COMPUTER

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

 

Thank You Soooooo Very Much.
I did as directed, and just rebooted. The PC is running at normal speed - though I haven't tried anything yet. Here are the log files:
Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\qvmmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSHQL.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool


Logfile of HijackThis v1.99.1
Scan saved at 9:55:01 PM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Documents and Settings\DaddyFish\Desktop\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c....microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096696646936
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe



P.S. What was this???

 

whoops! double posted.

 

The infections name is known as WareOut

Please delete this files:

C:\WINDOWS\System32\CSHQL.EXE

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

 

O.K, Here's the report from Kaspersky:


KASPERSKY ON-LINE SCANNER REPORT
Friday, March 10, 2006 08:05:31
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/03/2006
Kaspersky Anti-Virus database records: 170184
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 141289
Number of viruses found: 10
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 3850 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\118175F1.tmp Infected: Trojan-Downloader.Java.OpenConnection.ac
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\118175F1.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\118175F1.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\118175F1.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\118175F1.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11841FED.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11841FED.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\119147DF.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\119147DF.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25D6596B.tmp Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25D6596B.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25D6596B.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25D6596B.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25D6596B.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\478376E3.tmp Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\478376E3.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\478376E3.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\478376E3.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\478376E3.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B1B495A.tmp Infected: Trojan.Java.ClassLoader.z
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B1B495A.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B1B495A.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B1B495A.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B1B495A.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\DaddyFish\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv505.jar-2a14d203-5cd6e98d.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\DaddyFish\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv505.jar-2a14d203-5cd6e98d.zip Infected: Trojan-Downloader.Java.OpenStream.c
C:\RECYCLER\S-1-5-21-1004336348-1965331169-682003330-1003\Dc15.exe Infected: Trojan-Clicker.Win32.Small.kg
C:\RECYCLER\S-1-5-21-1004336348-1965331169-682003330-1003\Dc17.exe Infected: Trojan.Win32.Small.hl

Scan process completed.

 

Follow the instructions outlined here to clear Sun Java's cache.

You should remove the infected files from Symantec's quarantine folder. Please use Symantec's guide to remove them.

Please download CleanUp! and install it. Do not run it yet!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

• Click "Options..."
• Set the slider to "Standard CleanUp!"
• Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
• Click OK

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations; Move Them Now!!!

Report back with a new Panda Scan and HJT log and a description on how your system is now.