06-27-2005, 05:07 AM   #1
StuKing (Registered User)
Join Date: Jun 2005
Posts: 3
OS: Win XP

Computer Infected! :-(

Can some kind person help me sort out this nasty bit of spyware/virus/worm.
All the virus seems to do is hijack my homepage, which can be easily fixed, but it keeps happening, which is now getting on my nerves. A flashing yellow alert triangle sometimes appears in the system tray warning me of a spyware threat, then the homepage gets hijacked. Another side effect is a few programs "appear": SHNLOG, INTMON and MSOLE. These can be deleted but re-appear once the homepage gets hijacked again.

Any help will be greatly appreciated.

Here's a copy of my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:35, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Admin Tools\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\intmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SmcService] C:\ADMINT~1\smc.exe -startgui
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Admin Tools\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
06-27-2005, 06:10 AM   #2
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,459
OS: N/A

Hi and Welcome to TSF!

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription.

In the meantime, I suggest that you stop using Internet Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.


Enable the viewing of Hidden files

Windows XP/2000
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Show hidden files and folders option.
  • Deselect the Hide file extensions for known types option.
  • Deselect the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

=============

Download CleanUp! - Install but do not run it yet.

Download Hoster - Save to desktop.

Download KillBox v2.0.0.175 - Save to desktop.

Download DelO15Domains.inf - Right click & choose "Save As...". Save it to Desktop as DelO15Domains.inf.

Download Ewido Security Suite - Install & Update it’s database but do not run it yet.

Download Smitfraud.reg - Right click & choose "Save As...". Save it to Desktop as Smitfraud.reg.

Disconnect from the internet & close all browsers.


=============

Some anti-spyware programmes are known to interfere with HJT fixes. If you have these programmes, please disable them by doing so ...

Spybot Search & Destroy's TeaTimer
  • Go to Tools>Resident - Deselect TeaTimer.

Microsoft AntiSpyware
  • Click on Options>Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
  • Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
  • After you've done these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Webroot SpySweeper
  • Go to the Options>Program Options.
  • Deselect Load at Windows Startup.
  • Click Shields and Deselect all items there.
  • Deselect Home page shield.
  • Deselect Automatically restore default without notification.

Ad-aware's Ad-Watch
  • Right-click on the Ad-Watch icon in the system tray. At the bottom of the screen you will see 2 options: Active and Automatic.
  • Deselect Active.
  • Deselect Automatic.
  • Go to "Tools & Preferences">Options.
  • Deselect "Load Ad-Watch at Windows startup".

=============

Uninstall the following programs, if present, using Control Panel>Add/Remove Programs:
  • Security IGuard
  • Virtual Maid
  • Search Maid
  • AntivirusGold

=============

Go into HiJackThis>Config>Misc.Tools>Open process manager. Select the following and click "Kill process" one at a time. Some entries may no longer exist.
  • C:\WINDOWS\system32\shnlog.exe
  • C:\WINDOWS\system32\msole32.exe
  • C:\WINDOWS\system32\intmon.exe

=============

Double click on Smitfraud.reg and answer "Yes" when prompted to merge into the registry.

Right click on your Desktop and go to Properties. Next go to Desktop tab>Customize Desktop button>Web tab. Uncheck everything listed there. Then delete all the entries listed except for "My Current Home Page".

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen).

Run Hoster.exe. Choose the 'Restore Original Hosts' button and press OK.

Run CleanUp!...Click 'Yes' when asked to logoff.


=============

Using KillBox

Copy to clipboard all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

    C:\WINDOWS\System32\hp596C.tmp
    C:\WINDOWS\System32\hp5F27.tmp
    C:\WINDOWS\System32\hpC776.tmp
    C:\WINDOWS\System32\hookdump.exe
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\sites.ini
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\hhk.dll
    C:\WINDOWS\System32\helper.exe
    C:\WINDOWS\System32\intmonp.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\ole32vbs.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\intmon.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\LogFiles\A5281300.so
    C:\WINDOWS\System32\winnook.exe
    C:\WINDOWS\desktop.html
    C:\WINDOWS\screen.html
    C:\WINDOWS\zloader3.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\system32\oleadm32.dll

Start KillBox.
  1. Go to the File menu, and choose "Paste from Clipboard".
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


=============

Reboot Your Computer

Close all other windows.
Run a HiJackThis Scan
& Select(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click "Fix checked" for HJT to fix them


=============

Do an online scan at one of the following sites. Take note of the names and locations of any files it detects but fails to clean.


* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot again & run a new HiJackThis scan. Save the log file and run KRC HiJackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

In your next post, please include:
  • Copy of KRC HiJackThis Analyzer log
  • List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.
__________________

Question - what have you done for the community today?
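The triage sUBs performs above (flagging the Default_Search_URL hijack, the extra program chained onto the system.ini Shell= line, the misleadingly named [RegSvr32] Run entry, the O6 policy restrictions and the shnlog/msole32/intmon processes) can be written down as a small checker for HijackThis 1.99.1 log lines. This is an added example, not code from the thread or from HijackThis; the KNOWN_GOOD_HOSTS allowlist is an assumption and SAMPLE_LOG is a constructed fragment modelled on the log posted here.

```python
import re
from urllib.parse import urlparse

# File names this thread identifies as components of the infection (the kill list and KillBox list)
SUSPICIOUS_FILES = {"shnlog.exe", "msole32.exe", "intmon.exe", "intmonp.exe",
                    "msmsgs.exe", "popuper.exe", "hookdump.exe", "ole32vbs.exe"}
# Assumption: hosts the analyst has already vetted for R0/R1 start-page and search entries
KNOWN_GOOD_HOSTS = {"www.google.co.uk", "www.google.com", "www.msn.com"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def exe_name(cmd):
    """Executable file name from an O4 command line, lower-cased, arguments dropped."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.split("\\")[-1].lower()

def triage_line(line):
    """Return a reason string if an HJT log line warrants attention, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        # Lines in the 'Running processes' block are bare paths
        name = line.split("\\")[-1].lower()
        if re.match(r"^[A-Za-z]:\\", line) and name in SUSPICIOUS_FILES:
            return "running process is a known component of this infection"
        return None
    section, rest = m.groups()
    if section in ("R0", "R1"):
        # Start page / search URL entries: flag any host not already vetted
        host = urlparse(rest.split(" = ", 1)[-1]).hostname
        if host and host.lower() not in KNOWN_GOOD_HOSTS:
            return f"browser start/search URL points at unvetted host {host}"
    elif section == "F2" and "Shell=" in rest:
        # system.ini Shell= should name only explorer.exe; anything else also runs at logon
        shells = [s.strip().lower() for s in rest.split("Shell=", 1)[1].split(",")]
        extra = [s for s in shells if s != "explorer.exe"]
        if extra:
            return "extra program(s) chained onto Shell=: " + ", ".join(extra)
    elif section == "O4":
        o4 = O4_RE.match(rest)
        if o4 and exe_name(o4.group(2)) in SUSPICIOUS_FILES:
            return f"Run entry [{o4.group(1)}] launches {exe_name(o4.group(2))}"
    elif section == "O6":
        # IE policy lockdowns (Restrictions / Control Panel) are not normal on a home PC
        return "Internet Explorer policy restriction present"
    return None

def triage_log(log_text):
    """Return [(reason, line)] for every line of the log that gets flagged."""
    flagged = ((triage_line(l), l.strip()) for l in log_text.splitlines())
    return [(reason, line) for reason, line in flagged if reason]

# Constructed sample in HijackThis v1.99.1 log format, modelled on the log in this thread
SAMPLE_LOG = r"""C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\shnlog.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
```

Calling `triage_log(SAMPLE_LOG)` returns five flagged entries, one for each rule; the Explorer.EXE process, the google.co.uk start page and the [SoundMan] entry pass.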
06-27-2005, 08:37 AM   #3
StuKing (Registered User)
Join Date: Jun 2005
Posts: 3
OS: Win XP

Results

First of all, thanks for replying so quickly, it's much appreciated!!
I've carried out all your instructions. Please find attached analyzed HJT log. The online scan at McAfee found no infected files (which has got to be a good thing!)




=================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 15:33:33, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is.../tools/mcfscan/2,0,0,4519/mcfscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

End of KRC HijackThis Analyzer Log.
=================================================================
06-27-2005, 09:15 AM   #4
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,459
OS: N/A

Your log is clean. Well done.

However, there still remain a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start > Settings > Control Panel > System > Automatic Updates
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use; and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
Do you have any more problems with your computer? If not, you should be set to go.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
06-27-2005, 12:55 PM   #5
StuKing (Registered User)
Join Date: Jun 2005
Posts: 3
OS: Win XP

Thanks!!!

I've finished with the second set of instructions and everything seems to be fine. I've downloaded the recommended programs as well.

Thanks again for your help.