#1
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
Trouble with Haxdoor-H / SpySherrif - HJT Log included
Have been having serious trouble with my system since this morning.

Seems I'm having trouble with Haxdoor-H trojan and/or Spy Sheriff (don't know if these are related or it's just a coincidence). Have tried running a full scan with AdAware but the system keeps crashing during the scan. System is running XP Pro but Service Pack 2 is not applied. Have realised since reading on forums this might have helped me. Have seen another few threads regarding removal of this but am not sure if it's safe to follow the procedures in one of these.

Thanks in anticipation.
Barry

Details of the HijackThis log are below. HJT was run whilst in safe mode with no browsers, etc. open as requested:

Logfile of HijackThis v1.99.1
Scan saved at 16:20:20, on 12/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKLM\..\Run: [win-x388] C:\WINDOWS\winz_dzen.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/23...CX/FlashAX.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
#2
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Hi and Welcome to TSF!

Unfortunately you are heavily infected. I have added removal instructions for SpySheriff, Haxdoor and Vundo.B. Please follow the instructions below very carefully.

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. It is also important you don't miss a step and perform everything in the right order!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

* Place a shortcut to Panda ActiveScan on your desktop.
* Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on the 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
* Download smitRem.zip and save the file to your desktop. Right click on the file and extract it to its own folder on the desktop.
* Download KillBox v2.0.0.175 - Save to desktop.
* Download & Install CleanUp!
* Download Ewido Security Suite - Install & Update its database but do not run it yet.
* If you have not already installed Ad-Aware SE 1.06, download and update Ad-Aware SE Setup. Don't run it yet!
* Download and save to your C: drive HSFIX.zip. Unzip the contents of HSFix.zip and an HSFix directory will be created. We'll need this later.
* Please download VundoFix.zip to your desktop.
  * Double-click VundoFix.zip and extract it to your C:\ directory.
  * Copy the instructions below and paste them into Notepad for reference.

Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Copy to clipboard all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

~~~~~~~~~~~~~~
Reboot to Safe Mode
~~~~~~~~~~~~~~
Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKLM\..\Run: [win-x388] C:\WINDOWS\winz_dzen.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
~~~~~~~~~~~~~~
Enable the viewing of Hidden files

Locate and delete the following file(s), if present:
C:\WINDOWS\repair\imgvga.dll
~~~~~~~~~~~~~~
Run Cleanup! & configure the program as follows:
~~~~~~~~~~~~~~
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Navigate to the HSFix directory and double-click on HSFix.bat. It will produce a log file, located here: C:\hslog.txt. Please post that log in your next post.
~~~~~~~~~~~~~~
Open Ad-aware and close ALL other windows.
~~~~~~~~~~~~~~
Run Ewido:
~~~~~~~~~~~~~~
Next go to Control Panel, click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis log, smitfiles.txt, hslog.txt, the Ewido log and the vundofix.txt which can be found in this folder: C:\VundoFix

Let us know if any problems persist.
Last edited by POADB; 08-12-2005 at 02:36 PM.
#3
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
Hi - firstly, many thanks indeed for taking the time to help.

OK, I've followed the instructions and everything has gone fine until locating and deleting the following files:
* C:\WINDOWS\repair\imgvga.dll (can't be deleted as it's being used by another person or program)
* C:\WINDOWS\System32\paytime.exe (tried deleting twice, which caused a "blue screen of death" crash each time)
* C:\WINDOWS\iccontrol.exe (tried to delete and also caused a BSOD)

At this point I thought it best to check how I should proceed. The last thing I did was to run a HJT scan, the details of which are below in case it helps:

Logfile of HijackThis v1.99.1
Scan saved at 14:51:33, on 13/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\csrss.exe
C:\winstall.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\tibs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/23...CX/FlashAX.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
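The moderator's triage of these logs follows a pattern a defender can automate: IE start pages redirected to a bare IP, O4 autoruns that borrow a core process name (csrss.exe) but live outside System32 or sit in the Windows root, and BHO/Winlogon Notify DLLs loaded from odd directories such as C:\WINDOWS\repair. The Python below is an added example, not code from this thread or from HijackThis: it parses HJT entry lines, applies those heuristics (my own assumptions, not HJT's rules), and diffs two scans so the entries that vanished or appeared between post #1 and post #3 stand out. The two sample logs are constructed excerpts of the logs posted above.

```python
"""Triage HijackThis (HJT v1.99) logs: parse entries, flag risky ones, diff two scans."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the logs the poster pasted in #1 (before) and #3 (after).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# One HJT entry per line: "<section> - <body>"; header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*\S)\s*$")
# A drive-letter path ending in a binary extension (quotes around it are ignored).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)
# A URL whose host is a bare IPv4 literal rather than a hostname.
IPV4_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")
# Core NT process names; on XP the genuine binaries live only in System32.
CORE_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
              "services.exe", "svchost.exe", "spoolsv.exe"}


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every HJT entry line in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section: str, body: str) -> List[str]:
    """Heuristic reasons to review one entry (assumptions of this example, not HJT rules)."""
    reasons = []
    if section in ("R0", "R1"):
        m = IPV4_URL_RE.search(body)
        if m:
            reasons.append(f"IE page setting points at a bare IP address ({m.group(1)})")
    for path in (p.lower() for p in PATH_RE.findall(body)):
        folder, _, name = path.rpartition("\\")
        if section == "O4":
            if name in CORE_NAMES and not folder.endswith("\\system32"):
                reasons.append(f"{name} autorun from {folder}, not System32 (name masquerade)")
            elif folder in ("c:", "c:\\windows"):
                reasons.append(f"autorun executable placed directly in {folder}\\")
        elif section in ("O2", "O20", "O21"):
            if "\\system32" not in folder and "\\program files" not in folder:
                reasons.append(f"{section} DLL loaded from unusual directory {folder}\\")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Every entry that trips at least one heuristic, paired with its reasons."""
    hits = []
    for section, body in parse_hjt(log):
        reasons = flag_entry(section, body)
        if reasons:
            hits.append((f"{section} - {body}", reasons))
    return hits


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries that vanished or appeared between two scans (bodies compared case-insensitively)."""
    old = {(s, b.lower()): f"{s} - {b}" for s, b in parse_hjt(before)}
    new = {(s, b.lower()): f"{s} - {b}" for s, b in parse_hjt(after)}
    return {
        "removed": [text for key, text in old.items() if key not in new],
        "added": [text for key, text in new.items() if key not in old],
    }


if __name__ == "__main__":
    for entry, reasons in triage(LOG_BEFORE):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
    changes = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nGone since first scan:", *changes["removed"], sep="\n  ")
    print("\nNew since first scan:", *changes["added"], sep="\n  ")
```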
#4
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Are you sure you followed my instructions correctly?

Go into HijackThis -> Config -> Misc. Tools -> Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\csrss.exe
C:\winstall.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\tibs.exe

Open KillBox, using the options as before, copy and paste each of the following, one at a time, pressing the X button after each one. Choose NO when asked to Reboot.
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\csrss.exe
C:\winstall.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\tibs.exe

Go into Add/Remove in the Control Panel and uninstall: SpySheriff

Run HJT and fix these only:
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

Now reboot your computer. Rerun HJT and paste the log in your next post. We'll tackle Vundo and Haxdoor on the next pass.
Last edited by POADB; 08-13-2005 at 08:46 AM.
#5
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
OK - so far so good. Below is the latest HJT log.

A couple of points that might or might not be important though....
* There was no longer any sign of "O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe" to delete when I ran the HJT scan.
* I noticed another reference to paytime.exe (O4 - HKLM\..\Run: [paytime] C:\WINDOWS\system32\paytime.exe) but did nothing with this as it wasn't mentioned in your previous post. As you'll see, this is still in the HJT log below.

On the bright side though - there seem to be no Spy Sheriff pop ups occurring now.

Logfile of HijackThis v1.99.1
Scan saved at 15:56:19, on 13/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/23...CX/FlashAX.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
#6
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Save the next instructions in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. It is also important you don't miss a step and perform everything in the right order!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

* Download Process Explorer.
* Download vundo.txt - Right click the file you downloaded and rename it to "vundo.reg".
* Download and save to your C: drive HSFIX.zip. Unzip the contents of HSFix.zip and an HSFix directory will be created. We'll need this later, so do not run it yet!

Unplug your computer from the Internet when you have finished downloading.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO SAFE MODE
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Navigate to the HSFix directory and double-click on HSFix.bat. It will produce a log file, located here: C:\hslog.txt. Please post that log.

Double click on vundo.reg & answer Yes when prompted to merge.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Enable the viewing of Hidden files
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Unzip Process Explorer and double click on procexp.exe
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:
O2 - BHO: MSEvents Object - {C3A64E2B-748B-4CA4-B20C-8C2817E12A6F} - C:\WINDOWS\repair\imgvga.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ms2] C:\WINDOWS\ms2.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: imgvga - C:\WINDOWS\repair\imgvga.dll
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Locate and delete the following file(s), if present:

Make Sure That These Files Are Deleted!!! - If you come into any resistance - use KILLBOX!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO NORMAL MODE

Do an online scan at one of the following sites:

Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In your next post, please include fresh logs from:
#7
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
OK - everything done as instructed. System seems to be behaving much better now - although the virus scan report still doesn't look too good!

HSFix, HJT and Panda ActiveScan logs below.

Horseserver Removal Tool v1.05 by Atri
-
- 1. Registry Fix Started
- Registry fix complete
- 2. Deleted Services
-
- 3. Finding files Located on system
- ps.a3d
tmp*.exe
tmp*.tmp
w32tm.exe
- 4. Deleting files that were found.
-
- 5. Checking for and Removing Winupdate
-
-

Logfile of HijackThis v1.99.1
Scan saved at 18:23:55, on 13/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/23...CX/FlashAX.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

Panda ActiveScan log

| Incident | Status | Location |
|---|---|---|
| Virus:Bck/Haxdoor.CF | Disinfected | C:\WINDOWS\system32\mszx23.exe |
| Dialer:dialer.bb | No disinfected | C:\WINDOWS\system32\dktibs.exe |
| Adware:adware/cws.searchmeup | No disinfected | C:\WINDOWS\system32\systime.exe |
| Virus:Bck/Haxdoor.AW | Disinfected | C:\WINDOWS\system32\cz.dll |
| Virus:Bck/Haxdoor.CM | Disinfected | C:\WINDOWS\system32\vdmt16.sys |
| Virus:Bck/Haxdoor.BG | Disinfected | C:\WINDOWS\system32\winlow.sys |
| Virus:Trj/Mitglieder.EE | Disinfected | C:\WINDOWS\system32\msnethlp32.exe |
| Virus:Trj/Mitglieder.EE | Disinfected | C:\WINDOWS\system32\msnethlp32.dll |
| Possible Virus. | No disinfected | C:\WINDOWS\repair\imgvga.dll |
| Adware:Adware/IPInsight | No disinfected | C:\WINDOWS\inf\alchem.inf |
| Adware:adware/savenow | No disinfected | C:\WINDOWS\Downloaded Program Files\WUInst.inf |
| Spyware:Spyware/BetterInet | No disinfected | C:\WINDOWS\Downloaded Program Files\valent.inf |
| Virus:Trj/Qhost.Q | Disinfected | C:\WINDOWS\hosts |
| Virus:Bck/Haxdoor.CF | Disinfected | C:\WINDOWS\kl.exe |
| Virus:Trj/Downloader.DTS | Disinfected | C:\WINDOWS\tool1.exe |
| Virus:Trj/Mitglieder.EE | Disinfected | C:\WINDOWS\tool3.exe |
| Possible Virus. | No disinfected | C:\WINDOWS\ms3.exe |
| Possible Virus. | No disinfected | C:\WINDOWS\winz_dzen.exe |
| Adware:adware/ipinsight | No disinfected | C:\WINDOWS\alchem.ini |
| Adware:adware/twain-tech | No disinfected | C:\WINDOWS\support.cn |
| Spyware:Spyware/Virtumonde | No disinfected | C:\Documents and Settings\Barry\Local Settings\Temp\st.exe |
| Virus:Trj/Goldun.AV | Disinfected | C:\Documents and Settings\Barry\Local Settings\Temp\3.exe |
| Virus:Trj/Downloader.DKQ | Disinfected | C:\Documents and Settings\Barry\Local Settings\Temp\dima.exe |
| Dialer:Dialer.BEW | No disinfected | C:\Documents and Settings\Barry\Local Settings\Temporary Internet Files\Content.IE5\7UJYQQHZ\access[1].cgi |
| Hacktool:Hacktool/Processor | No disinfected | C:\Documents and Settings\Barry\Desktop\VundoFix.zip[process.exe] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50a67b1c-5cd1fd81.zip[GetAccess.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50a67b1c-5cd1fd81.zip[InsecureClassLoader.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50a67b1c-5cd1fd81.zip[Dummy.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50a67b1c-5cd1fd81.zip[Installer.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-72536c33.zip[a.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-72536c33.zip[Dummy.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-22be6520-72536c33.zip[VerifierBug.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv408.jar-648b9c65-32a4bb29.zip[Matrix.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv408.jar-648b9c65-32a4bb29.zip[Counter.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv408.jar-648b9c65-32a4bb29.zip[Dummy.class] |
| Virus:Exploit/ByteVerify | Disinfected | C:\Documents and Settings\Barry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv408.jar-648b9c65-32a4bb29.zip[Parser.class] |
| Possible Virus. | No disinfected | C:\Program Files\HTML Guardian\htmlg.exe |
| Adware:Adware/SpySheriff | No disinfected | C:\Program Files\SpySheriff\Uninstall.exe |
| Spyware:Spyware/Virtumonde | No disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP410\A0272125.DLL |
| Virus:Bck/Haxdoor.CF | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0274309.exe |
| Virus:Bck/Haxdoor.CF | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0275310.exe |
| Virus:Bck/Haxdoor.CF | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0276309.exe |
| Virus:Trj/Mitglieder.EE | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0276314.dll |
| Virus:Bck/Haxdoor.CF | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0277310.exe |
| Virus:Trj/Mitglieder.EE | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0277314.dll |
| Virus:Bck/Haxdoor.CF | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0278309.exe |
| Virus:Trj/Mitglieder.EE | Disinfected | C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0278313.dll |
Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0279309.exe Virus:Bck/Haxdoor.CM Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0279311.sys Virus:Trj/Mitglieder.EE Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0279312.dll Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0280309.exe Virus:Bck/Haxdoor.CM Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0280311.sys Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0280317.exe Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0280320.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0281315.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0282315.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283315.exe Virus:Trj/Downloader.KG Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283321.exe Virus:Trj/Downloader.KG Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283322.exe Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283323.exe Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283324.dll Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283325.dll Dialer:Dialer.BZG No disinfected C:\System 
Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283329.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0284315.exe Virus:Bck/Haxdoor.CM Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0284318.sys Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0285315.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0286315.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0286321.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0286331.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0287331.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0287337.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0287344.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0288343.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0289343.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290343.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290354.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290355.exe Adware:Adware/SpywareNo No disinfected C:\System Volume 
Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290359.dll Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290360.dll Adware:Adware/Startpage.ADP No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290364.exe Virus:Bck/Agent.AGW Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290365.exe Virus:Trj/Small.HB Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290366.exe Virus:Trj/Downloader.LP Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290369.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290370.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290373.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290379.exe Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290394.exe Virus:Bck/Haxdoor.AW Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290395.dll Virus:Bck/Haxdoor.CM Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290396.sys Virus:Bck/Haxdoor.CM Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290397.SYS Virus:Bck/Haxdoor.BG Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290398.sys Virus:Bck/Haxdoor.BG Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290399.SYS Virus:Trj/Mitglieder.EE Disinfected C:\System Volume 
Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290400.exe Virus:Trj/Mitglieder.EE Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290401.dll Virus:Bck/Haxdoor.CF Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290402.exe Virus:Trj/Downloader.DTS Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290403.exe Virus:Trj/Mitglieder.EE Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290404.exe Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP370\A0259296.inf Adware:Adware/Twain-Tech No disinfected C:\Recycled\Dc603.inf Adware:Adware/IPInsight No disinfected C:\Recycled\Dc908.inf Adware:Adware/IPInsight No disinfected C:\Recycled\Dc909.ini Adware:Adware/Zango No disinfected C:\Recycled\Dc1281.tmp Virus:Bck/Haxdoor.AW Disinfected C:\Recycled\Dc1421.dll Virus:Trj/ConHook.A Disinfected C:\1.exe Virus:Trj/Qhost.Q Disinfected C:\FOUND.034\FILE0016.CHK Dialer:Dialer.CFJ No disinfected C:\loader.exe Virus:Trj/Goldun.AV Disinfected C:\sys93778594.exe Virus:Trj/Small.HB Disinfected C:\sys12221432.exe Possible Virus. No disinfected C:\hjt\backups\backup-20050813-140837-455.dll Possible Virus. No disinfected C:\hjt\backups\backup-20050813-170928-412.dll Hacktool:Hacktool/Processor No disinfected C:\HSFix.zip[Process.exe] Hacktool:Hacktool/Processor No disinfected C:\HSFix\HSFix\Process.exe Hacktool:Hacktool/Processor No disinfected C:\VundoFix\process.exe Possible Virus. No disinfected C:\VundoFix\backups\backup-20050813-133714-844.dll Possible Virus. No disinfected C:\installation_files\html_guardian\HTMLGuardian.exe[htmlg.CAB][htmlg.exe] Possible Virus. No disinfected C:\installation_files\htmlg_pro.zip[pro.exe][htmlg.exe] Adware:Adware/Zango No disinfected C:\installation_files\ZangoInstaller.exe |
#8
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Please download CleanUp! (Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Do not run it yet!

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\ms3.exe
C:\WINDOWS\winz_dzen.exe
C:\WINDOWS\alchem.ini
C:\WINDOWS\support.cn
C:\WINDOWS\repair\imgvga.dll
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\Downloaded Program Files\valent.inf
C:\Documents and Settings\Barry\Local Settings\Temp\st.exe
C:\Documents and Settings\Barry\Local Settings\Temp\3.exe
C:\Documents and Settings\Barry\Local Settings\Temp\dima.exe
C:\Recycled\Dc1421.dll
C:\loader.exe
C:\installation_files\ZangoInstaller.exe

Delete this folder!!
C:\Program Files\SpySheriff

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

Re-run Panda and post the results along with a new HJT log.
#9
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
Only a few things to note... there was no sign of any of the following files to be deleted by KillBox:
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\Downloaded Program Files\valent.inf
C:\Documents and Settings\Barry\Local Settings\Temp\3.exe
C:\Documents and Settings\Barry\Local Settings\Temp\dima.exe
C:\Recycled\Dc1421.dll

Other than that, everything went as expected. Below are the TrendMicro, Panda and HJT logs as requested.

Thanks again
Barry

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\ResultsFilter'
Found '' in 'Software\Kazaa\Transfer'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Advanced'
Found '' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\LocalContent'
Found '' in 'Software\Kazaa\Skins'
Found '' in 'Software\Kazaa\UserDetails'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\InprocServer32'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\MiscStatus'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\MiscStatus\1'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\ProgID'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\ToolboxBitmap32'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\TypeLib'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\Version'
Found '' in 'software\classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\VersionIndependentProgID'
Found '' in 'software\classes\FlashAX.FlashXControl'
Found '' in 'software\classes\FlashAX.FlashXControl.1'
Found '' in 'software\classes\FlashAX.FlashXControl.1\CLSID'
Found '' in 'software\classes\FlashAX.FlashXControl\CLSID'
Found '' in 'software\classes\FlashAX.FlashXControl\CurVer'
Found '' in 'software\classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}'
Found '' in 'software\classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}\ProxyStubClsid'
Found '' in 'software\classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}\ProxyStubClsid32'
Found '' in 'software\classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}\TypeLib'
Found '' in 'software\classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0'
Found '' in 'software\classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0\0\win32'
Found '' in 'software\classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0\FLAGS'
Found '' in 'software\classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\MiscStatus'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\MiscStatus\1'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\ToolboxBitmap32'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\FlashAX.FlashXControl'
Found '' in 'SOFTWARE\Classes\FlashAX.FlashXControl.1'
Found '' in 'SOFTWARE\Classes\FlashAX.FlashXControl.1\CLSID'
Found '' in 'SOFTWARE\Classes\FlashAX.FlashXControl\CLSID'
Found '' in 'SOFTWARE\Classes\FlashAX.FlashXControl\CurVer'
Found '' in 'SOFTWARE\Classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}'
Found '' in 'SOFTWARE\Classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{BF8F3D4F-2A19-4645-B3EB-7B0F4953130F}\TypeLib'
Found '' in 'SOFTWARE\Classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{A0126017-3B4D-451B-AE12-DF7FE7B43330}\1.0\HELPDIR'
Found 'LastSearchHash' in 'Software\Kazaa'
Found 'ScanFolder' in 'Software\Kazaa\Advanced'
Found 'IgnoreAll' in 'Software\Kazaa\InstantMessaging'
Found 'adult_filter_level' in 'Software\Kazaa\ResultsFilter'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'CacheDiscoveryTime' in 'Software\Kazaa\Transfer'
Found 'CacheHost' in 'Software\Kazaa\Transfer'
Found 'CachePort' in 'Software\Kazaa\Transfer'
Found 'CountryCode' in 'Software\Kazaa\UserDetails'
Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'DlDir0' in 'Software\Kazaa\Transfer'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'AutoConnected' in 'Software\Kazaa\UserDetails'
Found 'firewall_filter' in 'Software\Kazaa\ResultsFilter'
Found 'SkinsDir' in 'Software\Kazaa\Skins'
Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
Found 'UserName' in 'Software\Kazaa\UserDetails'
Found 'FirewallStatus' in 'SOFTWARE\Kazaa'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'my_ip_address' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'UDP_receive_status' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Found 'TFRBF.dat' in 'C:\Documents and Settings\Shannen\Application Data\Microsoft\MSN Messenger\2940108762\CustomEmoticons'
Found 'Mss32.dll' in 'C:\Program Files\ladbrokesMPP'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Shannen\Application Data\Microsoft\MSN Messenger\2940108762\CustomEmoticons\TFRBF.dat' in shortcut areas.
Checking for 'C:\Documents and Settings\Shannen\Application Data\Microsoft\MSN Messenger\2940108762\CustomEmoticons\TFRBF.dat' in startup areas.
Cleaning 'C:\Documents and Settings\Shannen\Application Data\Microsoft\MSN Messenger\2940108762\CustomEmoticons\TFRBF.dat'
Checking for 'C:\Program Files\ladbrokesMPP\Mss32.dll' in shortcut areas.
Checking for 'C:\Program Files\ladbrokesMPP\Mss32.dll' in startup areas.
Cleaning 'C:\Program Files\ladbrokesMPP\Mss32.dll'
Finished Cleaning

Incident Status Location
Dialer:dialer.bb No disinfected C:\WINDOWS\system32\dktibs.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\system32\systime.exe
Adware:adware/savenow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\valent.inf
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Barry\Desktop\VundoFix.zip[process.exe]
Possible Virus. No disinfected C:\Program Files\HTML Guardian\htmlg.exe
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP410\A0272125.DLL
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0280320.exe
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283323.exe
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283324.dll
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283325.dll
Dialer:Dialer.BZG No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283329.exe
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290359.dll
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290360.dll
Adware:Adware/Startpage.ADP No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290364.exe
Virus:Bck/Haxdoor.AW Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290405.dll
Virus:Trj/ConHook.A Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290406.exe
Virus:Trj/Goldun.AV Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290407.exe
Virus:Trj/Small.HB Disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290408.exe
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290609.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290614.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290615.ini
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290648.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292950.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292951.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292953.dll
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292954.inf
Dialer:Dialer.CFJ No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292955.exe
Adware:Adware/Zango No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292956.exe
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP370\A0259296.inf
Possible Virus. No disinfected C:\hjt\backups\backup-20050813-140837-455.dll
Possible Virus. No disinfected C:\hjt\backups\backup-20050813-170928-412.dll
Hacktool:Hacktool/Processor No disinfected C:\HSFix.zip[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\HSFix\HSFix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\VundoFix\process.exe
Possible Virus. No disinfected C:\VundoFix\backups\backup-20050813-133714-844.dll
Possible Virus. No disinfected C:\installation_files\html_guardian\HTMLGuardian.exe[htmlg.CAB][htmlg.exe]
Possible Virus. No disinfected C:\installation_files\htmlg_pro.zip[pro.exe][htmlg.exe]

Logfile of HijackThis v1.99.1
Scan saved at 01:37:06, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
#10
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,002
OS: WinXP and Vista
Hello bdt279,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on the 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot into Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:
C:\WINDOWS\system32\dktibs.exe
C:\WINDOWS\system32\systime.exe
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\Downloaded Program Files\valent.inf

Start KillBox. Go to the File menu, and choose Paste from Clipboard. Verify that you've done this properly by clicking the dropdown arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there. Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
-Empty Recycle Bins
-Delete Cookies
-Delete Prefetch files
-[X] Scan local drives for temporary files (Please uncheck this option)
-Cleanup! All Users
Click OK

Press the CleanUp! button to start the program. Reboot/logoff when asked back into Normal Mode.

Run another scan with HijackThis and Panda, post both logs here again.
#11
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
Hi Ried - many thanks for your help
That stage seemed to go fine. Below are the logs from Panda and HJT as requested.

Thanks
Barry

Incident Status Location
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\toolbar.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Barry\Desktop\VundoFix.zip[process.exe]
Possible Virus. No disinfected C:\Program Files\HTML Guardian\htmlg.exe
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP410\A0272125.DLL
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0280320.exe
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283323.exe
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283324.dll
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283325.dll
Dialer:Dialer.BZG No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP415\A0283329.exe
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290359.dll
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290360.dll
Adware:Adware/Startpage.ADP No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP416\A0290364.exe
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290609.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290614.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290615.ini
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0290648.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292950.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292951.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292953.dll
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292954.inf
Dialer:Dialer.CFJ No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292955.exe
Adware:Adware/Zango No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP417\A0292956.exe
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{EE4D7178-3E4B-44D3-9019-DAD8E28A3D08}\RP370\A0259296.inf
Possible Virus. No disinfected C:\hjt\backups\backup-20050813-140837-455.dll
Possible Virus. No disinfected C:\hjt\backups\backup-20050813-170928-412.dll
Hacktool:Hacktool/Processor No disinfected C:\HSFix.zip[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\HSFix\HSFix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\VundoFix\process.exe
Possible Virus. No disinfected C:\VundoFix\backups\backup-20050813-133714-844.dll
Possible Virus. No disinfected C:\installation_files\html_guardian\HTMLGuardian.exe[htmlg.CAB][htmlg.exe]
Possible Virus. No disinfected C:\installation_files\htmlg_pro.zip[pro.exe][htmlg.exe]

Logfile of HijackThis v1.99.1
Scan saved at 12:40:13, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.blueyonder.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
#12
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A
Your system is clean
Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:
Here are some additional utilities that will further enhance your safety
After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Question - what have you done for the community today?

Last edited by sUBs; 08-14-2005 at 06:34 AM.
#13
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A
Sorry.. I missed an entry from your log.
There's a file that needs to be deleted. Please locate & delete this file... C:\WINDOWS\toolbar.exe
__________________
Question - what have you done for the community today?
#14
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
Hi sUBs - many thanks for your help.
Only one, very minor, thing I've noticed is that my desktop is still set to the "YOUR SYSTEM IS INFECTED" image that appeared shortly after all of this trouble kicked off. When I go into Desktop settings, the list of selectable backgrounds is greyed out, making it impossible to change the desktop. Is this anything to worry about, or is there just something else I have to do to get control of the Desktop properties again?

Regards
Barry

ps - thanks also for all of the tips on keeping the system clean in future as I was going to ask this anyway.
#15
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
Did you do this from the first set of instructions?
Quote:
#17
I helped the forums.
Join Date: Aug 2005
Posts: 24
OS: Win XP
Many thanks to sUBs, POADB & Ried
Desktop is back and system is running better even than before. Have taken on board all of the recommendations for future so hopefully won't run into similar problems again (or for a while anyway).

Cheers
Barry