Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Browser hijacked unable to set homepage[RESOLVED]


  • This topic is locked This topic is locked

#1
baloo

baloo

    New Member

  • Member
  • Pip
  • 6 posts
Hello, my son's computer is infected with downloader agents which control the choice of homepages and direct it to unwanted sites. We have used Ad Aware Se, Spy Bot S&D, MS Antispyware. Cwshredder and AVG , they all find problems and clear them but on re boot they appear again. I am posting from my machine . I would be grateful if you could please help me.

Logfile of HijackThis v1.99.1
Scan saved at 19:44:28, on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\netar32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\syskk.exe
C:\hjt\HijackThis.exe new.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\epzsk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {12564B4A-41D2-B01D-CDF5-CBD849C16E3B} - C:\WINDOWS\system32\sysxe.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netar32.exe] C:\WINDOWS\system32\netar32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [sdkdy32.exe] C:\WINDOWS\system32\sdkdy32.exe
O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\system32\msxl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109253153456
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\mfczp32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Baloo and welcome to Geeks to Go.

Please post a fresh HijackThis log from the infected PC. The one you have posted appears to have a corruption on it.

I will respond very quickly afterwards.

Edited by Crustyoldbloke, 13 May 2005 - 11:42 AM.

  • 0

#3
baloo

baloo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Crusty, Thanks for the swift reply.This is the second HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:50:39, on 14/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\netar32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe new.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {12564B4A-41D2-B01D-CDF5-CBD849C16E3B} - C:\WINDOWS\system32\sysxe.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netar32.exe] C:\WINDOWS\system32\netar32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\system32\msxl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109253153456
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\mfczp32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Baloo

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

I note that you are in the UK as I am so we wont have a time difference to concern us. There is a lot to do, you have the Extra Service CWS variant. Ill make it as simple as possible.

The reason I asked for another log is that HijackThis has two different file extensions on both logs. This is extremely weird unless you have edited the programme name. perhaps you could let me know with your reply. Now if you are ready, lets get fixing!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CWShredder
About:Buster
CCleaner

Install About:Buster by RubbeRDuckyUnzip the contents of AboutBuster.zip and an AboutBuster directory will be created. Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click OK at the prompt with instructions.
Click Update and then Check For Update to begin the update process.
If any updates exist please download them by clicking Download Update then click the X to close that window.
Now close About:Buster
Boot into Safe Mode (Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode).

Please run About:Busterby RubbeRDuckYClick Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\czsgn.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {12564B4A-41D2-B01D-CDF5-CBD849C16E3B} - C:\WINDOWS\system32\sysxe.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netar32.exe] C:\WINDOWS\system32\netar32.exe
O4 - HKLM\..\RunOnce: [msxl.exe] C:\WINDOWS\system32\msxl.exe
O23 - Service: Workstation NetLogon Service ( 11F #`I) - Unknown owner - C:\WINDOWS\mfczp32.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

C:\WINDOWS\system32\netar32.exe
C:\WINDOWS\system32\czsgn.dll
C:\WINDOWS\system32\sysxe.dll
C:\WINDOWS\system32\msxl.exe
C:\WINDOWS\mfczp32.exe

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and I will take another look.
  • 0

#5
baloo

baloo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Crusty. Have what
you said, some of the stuff I couldn't find but on finishing czsn.dlls have come back as uvzgc.dlls . The reason for the corruption at first, I transferred the log to my machine and must have caused it then.

Logfile of HijackThis v1.99.1
Scan saved at 16:03:42, on 14/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\crfx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe new.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL

= res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} -

C:\WINDOWS\msrj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [netar32.exe] C:\WINDOWS\system32\netar32.exe
O4 - HKLM\..\Run: [crfx.exe] C:\WINDOWS\crfx.exe
O4 - HKLM\..\RunOnce: [msns.exe] C:\WINDOWS\system32\msns.exe
O4 - HKLM\..\RunOnce: [javaga32.exe] C:\WINDOWS\javaga32.exe
O4 - HKLM\..\RunOnce: [ippx32.exe] C:\WINDOWS\system32\ippx32.exe
O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
O4 - HKLM\..\RunOnce: [winpo32.exe] C:\WINDOWS\winpo32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program

Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet

Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://v5.windowsupd...ols/en/x86/clie

nt/wuweb_site.cab?1109253153456
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...trendmicro.com/

housecall/xscan53.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown

owner - C:\WINDOWS\mfczp32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate

Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


3dfx Tools
3dhq 1.09 Beta 10 Drivers
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe Home Edition 3.1
AVG Free Edition
Belarc Advisor 6.0
blueyonder Instant Support Tool
CCleaner (remove only)
Digital Camera Driver
EM-56HAMi Modem Drivers and Utilities
HijackThis 1.99.1
Home Search Assistent
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Search Extender
Shopping Wizard
Spybot - Search & Destroy 1.3
SpywareBlaster v3.3
Sygate Personal Firewall
Tiscali Anna K Screensaver 2 Screen Saver
USB MEMORY BAR Tool
VX2 Cleaner plug-in for Ad-Aware SE
Windows XP Service Pack 2
Windows XP Uninstall
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Baloo

Your HijackThis log is full of extra lines and spaces and therefore quite difficult to read. Could you please post a fresh HJT log so that I can have a sporting chance of reading it.

Before you do that, please boot into safe mode (do this by tapping F8 key whilst your PC is booting - a menu will appear - choose safe mode) and then go to START>SETTINGS>CONTROL PANEL>ADD/REMOVE PROGRAMS and uninstall the following:

Home Search Assistent
Search Extender
Shopping Wizard

That should get rid of a fair bit.

The point I was trying to make in my previous post was about the HijackThis entry. Have a look at it:

C:\hjt\HijackThis.exe new.exe

Normally it looks like this C:\hjt\HijackThis.exe How did it get the extra file extension?

If this hasn't been done by a human, then perhaps it needs to be uninstalled and a fresh copy installed. It is very odd since viruses normally have two extensions to disguise themselves.
  • 0

#7
baloo

baloo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
hello Crusty,
Sorry for the extra problems.I had downloaded an old copy Hijack This, then I updated it from Major Geeks and and transferred it to this machine and probably edited it. I have removed it and download the latest from your site. I have tried to remove Home Search,Search Extender and Shopping Wizard in both Safe mode and normal boot. All that happens is a 'No display page 'comes up and action cancelled. Here is the next HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:22, on 15/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\addfn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\msrj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [netar32.exe] C:\WINDOWS\system32\netar32.exe
O4 - HKLM\..\Run: [crfx.exe] C:\WINDOWS\crfx.exe
O4 - HKLM\..\Run: [addfn.exe] C:\WINDOWS\system32\addfn.exe
O4 - HKLM\..\RunOnce: [msns.exe] C:\WINDOWS\system32\msns.exe
O4 - HKLM\..\RunOnce: [ippx32.exe] C:\WINDOWS\system32\ippx32.exe
O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
O4 - HKLM\..\RunOnce: [winpo32.exe] C:\WINDOWS\winpo32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109253153456
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\mfczp32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Baloo

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and choose shutdown Microsoft Antispyware. Lets try and disable the service first and then delete the files; this should work.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
Ewido Security Suite
Hoster

Go to Start>Run and type Services.msc then hit Ok
Scroll down and find this service:

Workstation NetLogon Service or ( 11F #`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

Workstation NetLogon Service

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Next stage:

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uvzgc.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7FFCC75E-5674-7B6F-24F8-13B92DA42ADF} - C:\WINDOWS\msrj.dll
O4 - HKLM\..\Run: [netar32.exe] C:\WINDOWS\system32\netar32.exe
O4 - HKLM\..\Run: [crfx.exe] C:\WINDOWS\crfx.exe
O4 - HKLM\..\Run: [addfn.exe] C:\WINDOWS\system32\addfn.exe
O4 - HKLM\..\RunOnce: [msns.exe] C:\WINDOWS\system32\msns.exe
O4 - HKLM\..\RunOnce: [ippx32.exe] C:\WINDOWS\system32\ippx32.exe
O4 - HKLM\..\RunOnce: [mskj32.exe] C:\WINDOWS\mskj32.exe
O4 - HKLM\..\RunOnce: [winpo32.exe] C:\WINDOWS\winpo32.exe
O23 - Service: Workstation NetLogon Service ( 11F #`I) - Unknown owner - C:\WINDOWS\mfczp32.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Home Search Assistent
Search Extender
Shopping Wizard

Please set your system to show all files; please see here if you're unsure how to do this.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*In the field labelled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINDOWS\system32\addfn.exe
C:\WINDOWS\system32\uvzgc.dll
C:\WINDOWS\msrj.dll
C:\WINDOWS\system32\netar32.exe
C:\WINDOWS\crfx.exe
C:\WINDOWS\system32\msns.exe
C:\WINDOWS\system32\ippx32.exe
C:\WINDOWS\mskj32.exe
C:\WINDOWS\winpo32.exe
C:\WINDOWS\mfczp32.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Post back a fresh HijackThis log and I will take another look.
  • 0

#9
baloo

baloo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Crusty,
Well done that is a vast improvement. :tazz:
I don't know if it is all clear yet but we can now set the Homepage and browse without trouble. Now when I try to uninstall Shopping wizard, Search extender and Home search assistant they offer an uninstall form for cancellation. These are the latest logs you requested:-

Logfile of HijackThis v1.99.1
Scan saved at 15:09:13, on 16/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109253153456
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:43:43, 16/05/2005
+ Report-Checksum: 4240E9B8

+ Date of database: 16/05/2005
+ Version of scan engine: v3.0

+ Duration: 25 min
+ Scanned Files: 44214
+ Speed: 29.28 Files/Second
+ Infected files: 144
+ Removed files: 144
+ Files put in quarantine: 144
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\naeyyl.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\kev & pauline@S150942[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winyu.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkqc.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ippx32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apiba32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msxl.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atlto32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iehu.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apprp32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atlwy.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ck.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addgu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msns.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crmo.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipfz32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winqn32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msmq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winqx.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3gj32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkpw.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atlmc32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crfs.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipmw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javadd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3qi.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3kb32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ntpw.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addfn.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3kp32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ms0b920b.dll -> Spyware.Visiter -> Cleaned with backup
C:\WINDOWS\SYSTEM32\uhaa.dll -> TrojanDownloader.Small -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkpr32.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\zptzoh.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\xfyoel.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\msrj.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\vcnsre.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\gdqvwv.txt -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\zejjqf.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\hocajc.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\ealdjy.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\xyvvwa.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\tnyiqm.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\ahbwkn.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\pfxgsu.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\xjxfvr.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\zrxbpb.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\akkvae.dat -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mwnleq.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\twvxxk.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\uparhn.dat -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\oxrlne.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\ccmiqy.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\msww.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\kcpsrt.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\mfzgez.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\sysgs.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\mfcaq32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\bigswc.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\dlypjj.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\umgptx.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\wjihan.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\nadyhx.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\javanm.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ipgs32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\fnejcv.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\gyxfpb.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\aapxpl.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\xmaemt.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\tnmlga.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\plvvcd.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\syskk.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\wqpevk.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\xtibpq.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\cvesww.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\mfcja32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\jzjayl.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ldcxlr.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\sdkei32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\hueiwf.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ifwfrl.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\netmn32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\byspkv.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\vbkmxb.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\ntyg.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\enlbhj.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\yzwxcq.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\kuhffe.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\lfabak.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\msek32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\kwekcr.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\lzpgpy.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\iees.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\wxkplv.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\grplpf.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\on-line.exe -> TrojanDropper.Crutop.a -> Cleaned with backup
C:\WINDOWS\eyxojc.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\mdciqi.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\jmitlw.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\msuz.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\nhnedo.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\claucs.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\cdzutp.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\egsqgw.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\ipns32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ijqxzq.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\huiakl.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\appvd32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\jdvdyx.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\kofzle.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\sdkgi.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\fvkuia.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ggdrvg.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\javaga32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\gktvdi.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\znerxp.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\addxh.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\sjddxo.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\lnvakv.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\sysgh32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\xqghwj.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ytreiq.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\rdqita.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\sgbegh.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\mswe32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mskj32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winpo32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\eqcqnx.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ftnmae.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\crfx.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\nettz32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP36\A0007109.exe -> TrojanDropper.Small.ja -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP40\A0010797.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP42\A0010828.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP43\A0010833.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP44\A0010870.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP44\A0011867.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP44\A0011885.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP44\A0011899.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP44\A0011918.dll -> Trojan.Feat -> Cleaned with backup
C:\System Volume Information\_restore{D7EF6DE3-119E-4422-A20F-925C00F0B878}\RP44\A0011928.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\msx.exe -> TrojanDropper.Small.ja -> Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small -> Cleaned with backup
C:\hjt\backups\backup-20050514-144308-940.dll -> Trojan.Feat -> Cleaned with backup


::Report End
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

+ Infected files: 144
+ Removed files: 144
+ Files put in quarantine: 144



I don't think I've ever seen a figure as high as that before .............and ...........

Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL A fine free malware detector and removal programme
SPYBOT S&D Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes, having two or more antivirus systems would be really bad as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)

Please note that Blueyonder is very slow today due to their problems announced on their website. Well done Kev.
  • 0

#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Nearly forgot to mention; ensure you enable Microsoft Antispyware again by going through its set up procedure. Make sure you can see the icon in the taskbar.
  • 0

#12
baloo

baloo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello Crusty,
I have done what you said and I thought it sound advice.
It is very good of you to give up your time to help others and to pull them out of the mire. I am very grateful, excellent service excellent work.
Thanks again.
Baloo
  • 0

#13
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP