Tech Support banner

Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
18 Posts
Discussion Starter #1
I had a really stubborn case of spyware that my computer contracted 1 week ago. My internet browser was re-directed to an ad site and I noticed an IE toolbar had been placed on my computer and in my programs folder.

I downloaded and used loads of different spyware tools with no real results until I was finally able to get my internet home page back to normal thanks to hjt. (I deleted the files that I easily recognized because they were the same as the web address that my webpage was redirected to) But I really dont know what other files to remove. I want to make sure I kill everything because for whatever reason the threats that have been removed previously keep popping back up when I re-start my comp.


Logfile of HijackThis v1.99.1
Scan saved at 5:33:24 AM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.lycos.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.lycos.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Info] C:\WINDOWS\system32\bootok.exe
O4 - HKCU\..\Run: [Info] C:\WINDOWS\system32\bootok.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF3A24-3829-49D0-BE34-57DC11A711E4}: NameServer = 204.117.214.10,204.97.212.10
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



this file I added to my ignore list- not sure if it should be deleted or not?

04-HKCU\..\Run: [RunOnce] mshta file:///C:/WINDOWS/system32/kiil.hta
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Hi and Welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

Please be patient with me during this time.

We recommend that you subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please scroll up to the 1st post of this thread. Click Thread Tools and then Subscribe to this thread; on the next page, make sure "Instant notification by email" is selected, then click Add subscription.


Thanks.
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Hello again.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer > Tools > Folder Options > View tab & ensure that the following are enabled;

  • Show hidden files and folders.
  • Display the contents of system folders
  • Uncheck the Hide protected operating system files option.
Close all other windows & open HijackThis and click on Scan. Check & then click Fix checked the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
04-HKCU\..\Run: [RunOnce] mshta file:///C:/WINDOWS/system32/kiil.hta
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedollar.com/sdImage/XUpload.ocx


Delete the following file

C:/WINDOWS/system32/kiil.hta

Download ,install & run CleanUp!.
Go to options..
Select 'custom cleanup'
Put a check to
* Recycle Bin
* Cookies
* Prefetch
* Temp
* All users​
Click on the cleanup! button to start cleaning. Click 'yes' when it asks you if you want to logoff.


If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Select the “autoclean” option when using Trend Micro. Note the names and locations of any file it detects but fails to clean.

* Note: You should turn off the real time scanner of any existing antivirus program while you're doing the online scan

Run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.
 

·
Registered
Joined
·
18 Posts
Discussion Starter #4
I deleted the hjt files that you prompted, ran clean up and ran the online virus scan which found no viruses. Heres the follow up hjt logfile.

Thank you for all your help!!!

______________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 1:39:34 AM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.lycos.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.lycos.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Info] C:\WINDOWS\system32\bootok.exe
O4 - HKCU\..\Run: [Info] C:\WINDOWS\system32\bootok.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF3A24-3829-49D0-BE34-57DC11A711E4}: NameServer = 204.117.214.10,204.97.212.10
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Your log is clean. Now, just a few bits of housekeeping to help keep it that way:

System Restore's cache may contain some malware. We need to clear the infection out of the restore folder and give you a clean restore point -

  1. Click Start > Run > type sysdm.cpl & press Enter
  2. Click System Restore Tab
  3. Tick Turn off System Restore on all drives & Click Apply
  4. Then untick Turn off System Restore on all drives & Click OK
This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster , and a real time spyware program such as Spyware Guard , to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are usually of no use & often have malware bundled in them.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial.
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top