[fleamailman]

Sorry, this machine is by now formatted by my friend who couldn't believe nor wait but for next time I still would like to kown what this bug that turned off his testman and your hijackthis program in normal mode was. below is the hijackthis log can someone just name the bug and its teltail signs.

Logfile of HijackThis v1.99.1
Scan saved at 18:58:56, on 20.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Virginie\Mes documents\Anti Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [svshost32] svshost32.exe
O4 - HKLM\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [svshost32] svshost32.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Messenger XP] MSMSN32.exe
O4 - HKCU\..\Run: [svshost32] svshost32.exe
O4 - HKCU\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\RunServices: [svshost32] svshost32.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

[Advertisements]

hi there! You say you did a complete reformat?? There are a few things on here that need to be taken care of. You may want to print these steps or save them to a Notepad file on your desktop to make it easier for you to follow them in order.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [svshost32] svshost32.exe
O4 - HKLM\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [svshost32] svshost32.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\Run: [Microsoft Messenger XP] MSMSN32.exe
O4 - HKCU\..\Run: [svshost32] svshost32.exe
O4 - HKCU\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\RunServices: [svshost32] svshost32.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Microsoft AOL Instant Messenger
Microsoft Messenger XP
Please note any other programs that you dont recognize in that list in your next response

After you have done this, please reboot your computer, and post a reply here with another HijackThis log.

[Kat]

hi there! You say you did a complete reformat?? There are a few things on here that need to be taken care of. You may want to print these steps or save them to a Notepad file on your desktop to make it easier for you to follow them in order.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [svshost32] svshost32.exe
O4 - HKLM\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [svshost32] svshost32.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\Run: [Microsoft Messenger XP] MSMSN32.exe
O4 - HKCU\..\Run: [svshost32] svshost32.exe
O4 - HKCU\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\RunServices: [svshost32] svshost32.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Microsoft AOL Instant Messenger
Microsoft Messenger XP
Please note any other programs that you dont recognize in that list in your next response

After you have done this, please reboot your computer, and post a reply here with another HijackThis log.

[fleamailman]

Real sad and sorry, my friend did the reformat then reinstall of XP before I have had the chance to let you help him so now his machine is new but thank you for showing me what was wrong with his hjt scan before he did it; and since I am quite sure he will just go back onto that site where he got infected, that although this case is closed and I am grateful, I still have one question left: does this infection have a name as I am sure it won't be the last time it turns up on this board.

Oh, and perhaps one other question: if one ticks all the fix boxes on a newly installed machine under xp, does windows automaticly recreate the missing files given that all the drivers are plug and play?

Many thanks for this.
Sin.,
Fleamailman

[Kat]

I did not read your original post right, and assumed that the log you posted was from AFTER the reformat. Had I known it was from before, I would not have taken so much time to research the log, and work up a response. I could have been working on a LIVE log for someone who needed help.

In the future, when you want to learn more about Malware, please consider joining GeekU and complete the training that the rest of us do.

Since you state that your friend may become infected again, I will post to you my standard closing speech. Then, I am closing this topic and marking it resolved. IF you have any concerns or problems in the future and need help, please feel free to start a new topic.

Congratulations! Your log is clean!

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  
  
• Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein