
Status: Not open for further replies. (1 - 9 of 9 Posts)

Post #1 - tunidawn (Discussion Starter)
Spysheriff attacked my computer. I used the following programs:

Clean up
Ad-aware SE
CWShredder
Spybot S&D
Ewido Security Suite
Windows Update

I did everything while in safe mode (including the downloading) because I couldn't really get anything done otherwise. I don't know if that really matters. Anyways, after all is done, most stuff seems to be ok and I'm back in my normal windows but I still can't access the task manager. The popup says it has been disabled by the administrator as it did when I was really infected. Also I can't change my desktop background which I heard is a common side effect of the spysheriff. Also, when I first load into windows I get 2 popups that read:
1. "Error loading D:\WINDOWS\cpu.dll
The specified module could not be found."
2. "Windows cannot find "C:\WINDOWS\System32\divxenc.exe." Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click Search."

I reran all of the scans (in normal Windows) and took a fresh HJT log which is posted below.

I also noticed OIN in my add/remove programs and would like to get rid of that as well.

Thanks in advance for any help.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:14 AM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\load.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/default...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/default.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [AVShell] C:\WINDOWS\System32\load.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [Service Process] C:\WINDOWS\system32\config\service.exe
O4 - HKLM\..\Run: [Instance 001] c:\sys1367017508.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Lcuhpkki] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [divx] "C:\WINDOWS\System32\divxenc.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125372499765
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: AOL Instant Messenger - {F430CAD2-C18F-5523-690A-AB76EA020655} - c:\program files\aim95\wincujbd32.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\ijddnldl.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Mqhage32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Post #2 - RavenMind (Bearded Tech Monkey)
Hi tunidawn and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

Thanks,

RavenMind

(P.S., Sorry it's taken so long for someone to reply. I actually replied last night, but due to some apparent database problems, it erased all of my posts. :nonono:)

Post #3 - RavenMind (Bearded Tech Monkey)
Hi tunidawn, thanks for being patient while I worked on your fix.

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you lose your internet connection. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes. It is important to close all browsers (Internet Explorer, My Computer, etc.) or windows when you are following the procedures below.

Before we proceed you need to relocate your copy of Hijack This. You are running it from the general Program Files directory. The program creates backup files that we may need to use later, and if it's in a general directory such as Program Files, then you may lose track of the logs & the backups. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJT , or another name of your choice.


Enable the viewing of hidden files/folders.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.


Download Cleaning Tools

You have Kazaa installed on your computer. Kazaa is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. It needs to be removed. Download KazaaBegone, a Kazaa uninstaller which scans and removes all elements of all Kazaa versions, as well as all of the bundled software that comes with it. Warning, This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix just in case you need it (if it breaks your internet connection). Do not run Kazaabegone yet, we have other things to do first.

I see you have already used CWShredder & AdAware SE, but it doesn't look like they got everything they were supposed to, or you were reinfected. So go to this site and make sure you have the latest version of CWShredder, and here for AdAware. Do not run them yet.

Also please be sure you have Ewido still installed before you proceed.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (alternate link if the main link does not work: http://www.greyknight17.com/spy/Cleanup.exe) and install it. Do not run the program yet, as we have more work to do first.

Download DelO15Domains by right clicking on this link and choose Save As. Save it to your desktop. Do not Run DelO15Domains yet.

Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract its files into its own folder on the desktop. Don't run it yet!


Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one, (If they still exist). You must kill them one at a time.

C:\WINDOWS\System32\load.exe


Add/Remove Programs

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs, (if they exist):
SpywareNO
P2P Networking
Kazaa
SpySheriff



Stop & delete an NT service.

Click Start > Run, then type in “services.msc” and hit OK.
Look for the following service: Loading Outpost Connections (KDE)

Once you’ve found it, double click to open its properties.
Click the Stop button, and then choose Disabled under the Startup Type drop-down menu.

Now it needs to be deleted.
Go to the command prompt by doing the following:
Click Start > Run, type “cmd”, & hit Enter.
Now type “sc delete KDE” (KDE is the service's short name, shown in parentheses in the HJT O23 line) & hit Enter.
Close the Command Prompt window
______________________________________________________________

Now run KazaaBegone

Run CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.
______________________________________________________________


HiJack This Fixes:

Open Hijack This and click on Scan then check the following entries, (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Service] C:\WINDOWS\System32\service.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [winsock32] msupdate32.exe
O4 - HKLM\..\Run: [Service Process] C:\WINDOWS\system32\config\service.exe
O4 - HKLM\..\Run: [Instance 001] c:\sys1367017508.exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Lcuhpkki] C:\WINDOWS\System32\?ti2evxx.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [divx] "C:\WINDOWS\System32\divxenc.exe"
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\ijddnldl.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Mqhage32.dll (file missing)
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)

Remember to close all other windows, including browsers, then click Fix checked.


File Deletions

Delete the following files, and the folders marked (folder), if they still exist.

C:\WINDOWS\System32\P2P Networking (folder)
C:\WINDOWS\System32\service.exe
C:\WINDOWS\tool3.exe
msupdate32.exe
C:\WINDOWS\system32\config\service.exe
c:\sys1367017508.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERVICE\ (folder)
C:\WINDOWS\System32\symcsvc.exe
C:\winstall.exe
C:\WINDOWS\tool2.exe
C:\Program Files\apsi\ (folder)
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
C:\WINDOWS\System32\divxenc.exe
C:\WINDOWS\SYSTEM32\tcpG4T.dll
C:\WINDOWS\System32\ijddnldl.dll
C:\WINDOWS\System32\Mqhage32.dll
C:\WINDOWS\System32\cmdtel.exe
_________________________________________________________


Right click on "DelO15Domains," which we saved to your Desktop and choose Install. It will run immediately. (You won't be able to see anything happen.) You may delete DelO15Domains after it is finished running.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run a scan with AdAware.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Run Cleanup! & configure the program as follows:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup!

Reboot your system in Normal Mode.


Now we need to identify this file so we can delete it: C:\WINDOWS\System32\?ti2evxx.exe
Launch Notepad, and copy/paste the two lines below into a new text file. Save it as FindFile.bat on your Desktop.

dir C:\WINDOWS\System32\?ti2evxx.exe /a > files.txt
notepad files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

You have quite a few trojans in your log. I'm surprised that Ewido didn't take care of them when you scanned with that. So go perform an online scan with Kaspersky Web Scanner. Please post the names & locations of any files it detects but doesn't clean.

Please post a fresh Hijack This log, and logs from Ewido & SmitRem. Also remember to post the text from the "FindFile" you did, and anything that Kaspersky may not have been able to fix.

Thanks,

RM
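The hand triage RavenMind did on the log above, as an added example that is not part of the thread: a small Python script that applies a few of the same reviewer rules (IE start page on a raw IP, autoruns launched from odd folders, Trusted Zone additions, shell hooks and services whose binary is missing) to lines copied from the first HijackThis log. The rules, the `Finding` type and the sample selection are my own assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass

# Constructed sample: ten lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Service Process] C:\WINDOWS\system32\config\service.exe
O4 - HKLM\..\Run: [Instance 001] c:\sys1367017508.exe
O4 - HKCU\..\Run: [Lcuhpkki] C:\WINDOWS\System32\?ti2evxx.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\ijddnldl.dll (file missing)
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> the command part after the bracketed value name
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\]\s*(?P<cmd>.*)$")
RAW_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)", re.I)


@dataclass
class Finding:          # assumed type, one per suspicious log line
    code: str
    reason: str
    line: str


def image_path(cmd: str) -> str:
    """Pull the launched image out of an O4 command line.

    Handles quoted paths, unquoted paths containing spaces, and rundll32.exe,
    where the real payload is the DLL named in the first argument.
    """
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        path, _, rest = cmd[1:].partition('"')
    else:
        m = re.match(r"(.*?\.(?:exe|dll|com|bat|scr|pif))(?=[\s,]|$)", cmd, re.I)
        path = m.group(1) if m else cmd.split()[0]
        rest = cmd[len(path):]
    if path.lower().endswith("rundll32.exe") and rest.strip():
        return image_path(rest.strip().split(",", 1)[0])
    return path


def check_o4(cmd: str):
    """Reviewer heuristics for autorun entries; returns a reason or None."""
    path = image_path(cmd)
    low = path.lower()
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        return "autorun launched from the root of a drive"
    if "\\config\\" in low or "\\temp\\" in low:
        return "autorun launched from a folder that normally holds no programs"
    if "?" in path:
        return "image name contains a non-printable character (shown as ?)"
    return None


def triage_line(line: str):
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reason = None
    if code in ("R0", "R1"):
        _, _, value = body.partition(" = ")
        if RAW_IP_URL_RE.match(value.strip()):
            reason = "IE start/search page points at a raw IP address"
    elif code == "O4":
        run = O4_RUN_RE.match(body)
        if run:
            reason = check_o4(run.group("cmd"))
    elif code == "O15":
        reason = "site added to the IE Trusted Zone (lowers security for that site)"
    elif code in ("O20", "O21", "O23") and body.endswith("(file missing)"):
        reason = "shell/logon hook or service whose binary is missing"
    return Finding(code, reason, line.strip()) if reason else None


def triage_log(text: str):
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Entries that pass these checks are not thereby clean; the script only reproduces the obvious first pass, and a legitimate vendor path with a "(file missing)" tail still deserves a look.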

Post #4 - tunidawn (Discussion Starter)
I appreciate all of your help but my computer seems to have gotten worse since I last posted. I can't even log into safe mode anymore without it freezing after a minute. (I'm using another comp to post this) I can't run any scans or anything so I'm just going to wipe everything off my comp and reformat. I'm sorry you went through all of the trouble but thanks anyways for your help. You guys do good work here!

Post #5 - RavenMind (Bearded Tech Monkey)
tunidawn,

Glad to help. Let me know if you have any problems with the format & reinstallation. If you get this before you've wiped your HDD, remember that using XP you have the option of doing a repair install. That may help to keep you on the system long enough to get it cleaned out without erasing all your files.
Remember to get all your system updates before doing anything else on the internet. If you would like me to look over your HJT log after your reinstall then let me know, otherwise please respond to this post so I can mark it as resolved.

Thanks!

RavenMind



P.S., Here's some other recommendations to protect your system:

Preventative Measures:

  1. Use an Alternative Browser. Most of the spyware/viruses/trojans out today target known flaws in I.E. Using an alternative browser closes most of those loopholes & you will find yourself getting far fewer (if any) infections. I'm a fan of FireFox for its functionality, security, & low demand on system resources. Here are a few of the more popular alternative browsers:
  2. Secure Internet Explorer. If you choose to stay with Internet Explorer, your likelihood of reinfection is much higher. Therefore you should follow these steps to help make I.E. more secure.
    • Don't add sites to the "Trusted Zone". Ever.
    • Download IESpyAd. This will add over 4000 known bad websites to the Restricted Zones list & help prevent you from being redirected to them.
    • Download & install Javacool's SpywareBlaster. This program will help block the download of malicious Active-X controls, block tracking cookies, and add known bad websites to the Restricted Zones list.
  3. Obtain & use a good firewall. Firewalls are important in preventing direct attacks on your system as well as notifying you when you have malware trying to dial out. A few good free firewalls are:
  4. Obtain & use a good AntiVirus program. The best solution to keeping your system clean is to prevent it from becoming infected. Therefore everyone nowadays should have a real-time antivirus program. Unless you go with Ewido, I would suggest against purchasing an AV (especially Norton, which is a resource hog & is nearly impossible to get out of your system once "infected"). There are several good AVs available for download:
  5. Anti-Spyware Programs. You should consider downloading & using the following programs if you haven’t already. I have found for best results, a moderate internet user should use these at least once every two weeks. Important: Please visit this site to learn how to configure & use the preceding programs. And remember to check for updates often!
  6. Keep Windows Updated! Microsoft comes out with patches & security updates all the time. Please remember to visit this site often for updates, or better yet, configure your automatic update feature to do it for you.

Post #6 - tunidawn (Discussion Starter)
Hjt

Here's my new log...should be clean

Logfile of HijackThis v1.99.1
Scan saved at 9:43:18 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126060196804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126227978078
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

Post #7 - RavenMind (Bearded Tech Monkey)
Hello again tunidawn. Your HJT log is clean! Did you wind up formatting & reinstalling windows? I'm glad to see you using Firefox instead of IE, is it working out for you? I would just read through my Preventative Measures suggestions again and try to incorporate some of those things into your system, including a firewall, and regular scans with AdAware & Spybot.

The only other issue I have is that I see you are using Microsoft AntiSpyware.
Because of recent changes in the way this program now defines and detects spyware/adware it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted!! I recommend you remove it.
For further reading please see here.

Other than that, everything looks good! Are you experiencing any other problems, or have any other questions?

Post #8 - tunidawn (Discussion Starter)
I ended up doing the repair install. I got the zone alarm firewall and I've also got avast. I'll still use spybot and adaware; I just got my comp back to running yesterday so I hadn't gotten that far yet. Firefox is working great. Thanks again for all of your help!

Post #9 - RavenMind (Bearded Tech Monkey)
My pleasure! Unless you have any other issues, I'll go ahead & mark this thread as resolved.

Thanks for visiting TSF!

RavenMind