Yet Another Hijacking by Gold Antivirus

[JTyler]

Please help folks;

I have just been Hijacked by Gold Antivirus. After reading some similar posts, I have decided to start from scratch with you. I haven't done anything yet. (That is.. except scream bloody outrage)

I await your wise counsel.

J.

[MicroBell]

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:[list=1][*]Restart your computer[*]After hearing your computer beep once during startup, but before the Windows icon appears, press F8.[*]Instead of Windows loading as normal, a menu should appear[*]Select the first option, to run Windows in Safe Mode.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click [Scanner]
• Click [Complete System Scan] to begin scanning.
• Click [OK] when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
• Once finished, click the [Save report] button
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.

Let us know if any problems persist.

[JTyler]

Friends;

I did it all . Panda seemed to find some problems still. But I see no problems so far. Here are the logs: Please tell me if more is needed. Thanks so much for the work thus far.

J.




Pre-run Files Present


~~~ Program Files ~~~

AntiVirusGold


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

hookdump.exe


~~~ Windows directory ~~~

screen.html


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:04:03 PM, 7/5/2003
+ Report-Checksum: AC2CA55E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{13898BD6-0873-1991-8C89-C965424CDB1C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1801674531-492894223-854245398-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
C:\Documents and Settings\Tyler1\Cookies\tyler1@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\ET07UPU1\fgxxx[1].jpg -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Program Files\180searchassistant\sais.exe -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\180searchassistant\saishook.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\appsp32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\gds5.dll -> TrojanDownloader.Small.azf : Cleaned with backup
C:\WINNT\ieno32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\o456apcv.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32:uoaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINNT\system32\appuz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\ce5mko3e.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32\ojr85db0.dll -> Adware.SAHA : Cleaned with backup
C:\WINNT\system32\p4k1gd8m.exe -> Adware.SAHA : Cleaned with backup
C:\WINNT\_default.pif:cjvmek -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:ihmcm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:kidhkz -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:qhcxkz -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:xgjsp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_default.pif:xgjspw -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:55:26 PM, on 7/5/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINNT\System32\khooker.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Tyler1\My Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fnllm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fnllm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {7596F99E-D0E0-D10F-1786-8EB23DCDF3BD} - C:\WINNT\ieno32.dll (file missing)
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds5.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ce5mko3e] C:\WINNT\System32\ce5mko3e.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [appsp32.exe] C:\WINNT\appsp32.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwe...s/vzWebIns.CAB
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appuz.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe



Incident Status Location

Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SHOP\Auctions.lnk
Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180searchassistant
Adware:adware/sahagent No disinfected C:\WINNT\SYSTEM32\SahImages
Adware:adware/powerscan No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\POWER SCAN
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Spyware:spyware/istbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ISTSVC
Adware:adware/sidefind No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{10E42047-DEB9-4535-A118-B3F6EC39B807}
Adware:adware/cws.aboutblank No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
Adware:adware/searchaid No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\IRMR2LMJ\avg[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\IRMR2LMJ\webservice[1].htm
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\SXC7GF87\dd[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tyler1\Local Settings\Temporary Internet Files\Content.IE5\WXUNC52R\webservice[1].htm
Virus:Trj/Downloader.CVB Disinfected C:\ms32.tmp
Possible Virus. No disinfected C:\Program Files\SurfAccuracy\SAccU.exe
Adware:Adware/MediaTickets No disinfected C:\RECYCLER\S-1-5-21-1801674531-492894223-854245398-1000\Dc4\America Online 9.0c\download\3.dat
Adware:Adware/Startpage.JM No disinfected C:\RECYCLER\S-1-5-21-1801674531-492894223-854245398-1000\Dc4\America Online 9.0c\download\4.dat

[MicroBell]

Please post another recent hijackthis log. The log you posted is over a week and half old. So is the Ewido log. Problem with your date time or old logs?

Logfile of HijackThis v1.99.1
Scan saved at 10:55:26 PM, on 7/5/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

[JTyler]

Friends:

This was a problem with my date. I guess that got jammed up too! The logs are current. Let me know if I still need to rerun any and forward you the new logs.

Thanks
J.

[sUBs]

Hi and Welcome to TSF!

In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!.


= = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install the program.

KillBox v2.0.0.175

About Buster - Unzip to a new folder on Desktop.
Update About Buster & exit the program once that is completed.

cwsserviceremove.zip - Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.

CWShredder - Save it to Desktop.

• Open CWShredder and click [I AGREE]
• Click [Check For Update]
• Close CWShredder after updating

I have attached a file - regdel.txt - to this post. Downalod it & rename to "regdel.reg"
Double-click to run it & answer Yes when prompted to merge into the Registry.

Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = =

Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present

• Surf Accuracy

= = = = = = = = = = =

Click Start>Run - type services.msc.
Locate the Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in 11Fßä #·ºÄÖ`I & click the OK button.


= = = = = = = = = = =

Run a HiJackThis scan. Select the following entries & click Fix checked :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fnllm.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fnllm.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7596F99E-D0E0-D10F-1786-8EB23DCDF3BD} - C:\WINNT\ieno32.dll (file missing)
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINNT\gds5.dll (file missing)
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ce5mko3e] C:\WINNT\System32\ce5mko3e.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [appsp32.exe] C:\WINNT\appsp32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\appuz.exe (file missing)


= = = = = = = = = = =

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

• C:\ms32.tmp
  C:\Program Files\SurfAccuracy\SAcc.exe
  C:\WINNT\fnllm.dll
  C:\WINNT\ieno32.dll
  C:\WINNT\gds5.dll
  C:\WINNT\System32\ce5mko3e.exe
  C:\WINNT\appsp32.exe
  C:\WINNT\system32\appuz.exe

Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


= = = = = = = = = = =

Reboot to SafeMode

Run CWShredder:

• Double-click on CWShredder.exe.
• Click "Fix ->" and click "OK" at the prompt.
• CWShredder will scan and clean your system of CWS files.
• Click "Next->" and then "Exit".

Remove the offending service:

• Double-click on cwsserviceremove.reg you downloaded earlier.
• When it asks you to merge the information to the registry click "Yes".

= = = = = = = = = = =

Enable the viewing of Hidden files
1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. enable the option for `Show hidden files and folder´
3. disable the option for `Hide file extensions for known types´
4. disable the option for `Hide protected operating system files´
5. click "Yes" to confirm & then click "OK"

= = =

Locate and delete the following folder(s), if present:

• C:\Program Files\SurfAccuracy\
  C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SHOP\
  C:\DOCUMENTS AND SETTINGS\TYLER1\FAVORITES\SITES ABOUT\
  C:\PROGRAM FILES\180searchassistant\
  C:\WINNT\SYSTEM32\SahImages

= = = = = = = = = = =

Run Cleanup! & configure the program up as follows:

1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
   • Empty Recycle Bins
   • Delete Cookies
   • Delete Prefetch files
   • [X]Scan local drives for temporary files (Please uncheck this option)
   • Cleanup! All Users
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = =

Run About Buster and click [Begin Removal]. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = =

Reboot to Normal-Mode.

Do an online scan at Kaspersky

Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = =

In your next post, please include fresh copies of:

1. HiJackThis log
2. List of files that online scans failed to disinfect
3. About Buster's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[JTyler]

Friend:
Could not get referenced file regdel.txt.
I got a vbulletin about attached a file - Please advise

[sUBs]

I attached that file 2 days ago. I thought you've collected & I had it removed.
Here's another one - regdel.txt

[JTyler]

I may be doing something wrong but after I download regdel and rename it and doubleclick, it opens and I can read in notepad the 5 Hkey lines. No prompts come up to merge it into the Registry.

I still have the file on my desktop.

[sUBs]

Sorry...my fault..

You're supposed to rename it to "regdel.reg" before double-clicking.

[JTyler]

I did rename it then double clicked and only get the notepad with Hkey lines.

Am I missing something?

[sUBs]

Try this then... Right click on regdel.reg & select Merge

[JTyler]

Right click does not offer any type of merge option.

[MicroBell]

Try this one. Download this attachment deletereg.txt. Right click it..and rename it to deletereg.reg. Then double click it to merge. IF that doesn't work you can delete the keys manually.

**Note** Since your using Windows 2000...you need to use the regedt32 command...otherwise you will be denied access to to make any changes.

[sUBs]

Enable the viewing of Hidden files

1. From Windows Explorer, go to Tools>Folder Options>View tab.
2. Enable the option for `Show hidden files and folder´
3. Disable the option for `Hide file extensions for known types´
4. Disable the option for `Hide protected operating system files´
5. Click Yes to confirm & then click OK

Make sure the file is not named regdel.reg.txt (double extension)

[JTyler]

The last suggestion worked and I am now stuck at Killbox. The paste from Clipboard function (nor a direct paste into the box) does not paste all pathnames.

[sUBs]

If some files are missing, just proceed. Let me know which are missing later

[JTyler]

Ok I am through the process : I was unable to have Killbox scan multiple lines: it only took the C:\ms32.tmp. Final scans (Buster and Kaspersky came out clean.

Computer seems to be working fine still.

If all is well from your perspective, please suggest software (freeware?) that I can use to protect against future evil. I Thank you bigtime for the work thus far. You guys are awesome.

J.
-----------------------------------
Here is the Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 8:12:12 PM, on 7/20/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\khooker.exe
C:\Program Files\FaxTalk Communicator\FTCtrl32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\FaxTalk Communicator\FAPIEXE.EXE
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Tyler1\Desktop\new driver\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Documents and Settings\Tyler1\Desktop\kaspersky\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwe...s/vzWebIns.CAB
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Documents and Settings\Tyler1\Desktop\kaspersky\Kaspersky Anti-Virus Personal\kavsvc.exe

[sUBs]

Congratulations! Your system is CLEAN

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
   
   
2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
3. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   Understanding and Using Firewalls
   
   
5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
6. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
   
   
7. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
   
   
8. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
9. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety

• IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
  
• MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software
  

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[JTyler]

Bravo.

I am clean and armed with knowledge and tools to stay that way. Thank you for the time, patience, and wisdom.

You may marry my sister, borrow my Benz, and eat the last slice of my pizza.


Good triumphs over Evil!!!!

J. Tyler