
HijackThis Log + $ tip for help :) [RESOLVED]


  • This topic is locked

#1 AnthonyGill (New Member, 4 posts)

Hello!

I bought a new old computer from a friend and I didn't realize until it was too late that he didn't have many security upgrades. ;)

After fighting with the Malware, I got Service Pack 2 installed. I also have the following programs:

Microsoft Antivirus
Ad-Aware
Spybot S&D
HijackThis
Ewido

I've tried them all from safe mode, but things still revert. I also manually removed one of the trojans (Haxdoor), but it somehow came back. (An excellent thread on removing Haxdoor is here:
http://forums.maddok...opic=2659&st=0)

If you can walk me through reclaiming my system, I'd tip $20 your way for your much appreciated time.

Spyware Symptoms:
- My normal desktop is overlaid with another program, all blue, reading "Windows Error" Blah blah blah, use the anti-spyware program that has been conveniently installed by force.
- A program called SpywareNo keeps surfacing.
- I often see the following files, either through spyware removal tools or through Spybot's tea time: ffisearch, paytime.exe, winstall.exe, fast.exe, haxdoor, klogini.dll, drct16.dll, and others.

My HijackThis log is below:

=============================================
Logfile of HijackThis v1.99.1
Scan saved at 2:05:34 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareNo\SpywareNo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike Zeitzmann\Desktop\AntiSpyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [dzeaoss] c:\windows\system32\fafzuh.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{70E68D8C-0651-453A-9DF7-0EA17A214270}\SVCHOST.EXE
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Rosa] C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117242723234
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe



=============================================

Any help would be much appreciated. I'm a programmer by trade, so feel free to get technical if you need to.

Thanks,
- Anthony :tazz:


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Hi Anthony and welcome to GTG.

Please try not to mention any tip/payment for our help. If you want to donate, feel free to do so, but don't post saying you will pay $$ for help. We are glad to help and provide this as a free service. :tazz:

OK, you have a handful of problems here. I mentioned this in the fix below but have to stress it again. There is a file that I want you to delete called svchost.exe. Make SURE you delete them in the specified folders only. There is a svchost.exe in the SYSTEM32 folder, so DON'T delete that valid one.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link http://www.greyknigh...lO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpywareNo
Desktop Search
BullsEye Network
CashBack
NaviSearch
Internet Optimizer


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [dzeaoss] c:\windows\system32\fafzuh.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{70E68D8C-0651-453A-9DF7-0EA17A214270}\SVCHOST.EXE
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Rosa] C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe


Do you know what the following program(s) are for? If not, uninstall it and fix it in HijackThis:

O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
C:\Program Files\SpywareNo\
C:\WINDOWS\isrvs\
c:\windows\system32\fafzuh.exe
C:\WINDOWS\nmmst.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\Services\{70E68D8C-0651-453A-9DF7-0EA17A214270}\
C:\WINDOWS\System32\win32.exe
C:\winstall.exe
C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\svchost.exe - make SURE you are deleting it from the WINDOWS folder ONLY
C:\WINDOWS\System\svchost.exe - make SURE you are deleting it from this SYSTEM folder only


Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and run a new HijackThis scan. Save the log file and post it here.

Download this file and rename that .txt extension to .reg instead. Double click and say yes to add/merge it. See if you can change the background now.
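As an added example (not from this thread, and not part of HijackThis), here is a small Python script that applies the checks greyknight makes by hand to the O4 autorun lines of a log like the one above: a svchost.exe anywhere other than \WINDOWS\system32, and autoruns launched from the drive root, a user profile folder, or a GUID-named folder. The sample lines are copied from the first log in this thread; the regexes and reason strings are this script's own.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: O4 lines copied from the first HijackThis log in this thread
# (two legitimate entries are included so the checks have something to pass).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{70E68D8C-0651-453A-9DF7-0EA17A214270}\SVCHOST.EXE
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Rosa] C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
"""

# Shape of an O4 line: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First ".exe" token of the command line, with surrounding quotes stripped.
EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)
# A folder named like a GUID, e.g. \{70E68D8C-0651-453A-9DF7-0EA17A214270}\
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\")

WINDOWS_SYSTEM32 = r"c:\windows\system32"


class Autorun(NamedTuple):
    hive: str  # HKLM or HKCU
    key: str   # Run or RunOnce
    name: str  # value name shown in [brackets]
    exe: str   # executable path, quotes and arguments removed


def parse_o4(line: str) -> Optional[Autorun]:
    """Return an Autorun for an O4 log line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    e = EXE_RE.match(command)
    exe = e.group(1) if e else command.strip('"')
    return Autorun(hive, key, name, exe)


def suspicious_reasons(exe: str) -> List[str]:
    """The checks greyknight applies by hand, run against one autorun path."""
    low = exe.lower()
    directory, base = ntpath.dirname(low), ntpath.basename(low)
    reasons = []
    if base == "svchost.exe":
        if directory == WINDOWS_SYSTEM32:
            # Even the real binary has no business in a Run key: the service
            # controller starts it, so a Run value pointing at it is worth a question.
            reasons.append("svchost.exe launched from a Run key")
        else:
            reasons.append("svchost.exe outside \\WINDOWS\\system32 (masquerading copy)")
    if ntpath.splitdrive(directory)[1] in ("", "\\"):
        reasons.append("executable in the drive root")
    if "\\documents and settings\\" in low or "\\application data\\" in low:
        reasons.append("executable started from a user profile folder")
    if GUID_DIR_RE.search(low):
        reasons.append("executable under a GUID-named folder")
    return reasons


def scan_log(text: str) -> List[Tuple[Autorun, List[str]]]:
    """Return every O4 entry that trips at least one check, with its reasons."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry.exe)
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in scan_log(SAMPLE_LOG):
        print(f"{entry.hive}\\..\\{entry.key}: [{entry.name}] {entry.exe}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the five entries greyknight told Anthony to fix are flagged and the RealTray, gcasServ and MSMSGS entries pass; paste any other HijackThis log into SAMPLE_LOG to triage its O4 lines the same way.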

#3 AnthonyGill (Topic Starter, New Member, 4 posts)

Hi Greyknight,

Thanks for the quick reply. I gave it a shot and I think we wounded the troll, but it regenerated.

Let me recap what I did:

- Enabled 'Show hidden files and folders' and 'Display the contents of system folders'

- Installed "Del015Domains.inf". (Note: I didn't use IE to download it, I used Windows Explorer. They are basically the same beast, though. Not sure if that was an issue)

- Checked Control Panel > Add/Remove Programs. The only thing of interest in there was SpywareNo. Removed it.

- Tried to install Panda's scanner, but it held for 10+ minutes without progress after the ActiveX applet was approved. Eventually I killed it.

- Tried to run the TrendMicro scanner, and it found two trojans. But when it came to removing them, it required some kind of ticket. I tried to register, but upon submitting the program didn't respond. Had to move on.

- Ran SpyBot. It found Kazaa.Irc.DarkIrc11.LiteStalky. According to TeaTime, when SpyBot removed it, it killed the C:\WINDOWS\svchost.exe and a registry key.

- Ran Ad-Aware. It came up with nothing.

- Ran Microsoft AntiSpyware. It found the PayTime trojan and a "Possible Browser Hijack" start page of http://www.clicksearchclick.com

- Ran CWShredder. It found nothing.

- Ran Ewido. It found:
c:\windows\system32\vxh8jkdq7.exe (TrojanDownloader.Small.awa)

- Downloaded Cleanup.exe. Didn't run it.

- Rebooted system into Safe Mode with Networking.

- Checked Add/Remove Programs. Found nothing of interest.

- Ran HijackThis. Removed:
ffisearch.exe
fafzuh.exe
taskswitch.exe (It is described as CoolSwitch, and keeps regenerating)
nmmst.exe
win32.exe
winstall.exe
oopr.exe

(Note: The SecureClean files are commercial. They are safe.)

- Searched for OOPR.exe. Only found "c:\windows\prefetch\OOPR.EXE-1E563B2B.pf". Inside are many .pf files. I'm not sure what program created this \prefetch directory, but many of the files are based on legitimate files. (FIREFOX.EXE, DEFRAG.EXE, REALPLAY.EXE, etc. Maybe some program is marking executables) For now I've left it alone.

- Did the rest of the searching by hand using Windows Explorer. Could not find any of the files/folders. (Hidden files and system files are visible)

- Ran the .reg file. Was informed the additions were successful.

- Re-ran HijackThis. The log is below:

====================================
Logfile of HijackThis v1.99.1
Scan saved at 6:58:34 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mike Zeitzmann\Desktop\AntiSpyware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117242723234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe

====================================

- Rebooted. Was greeted by the blue desktop over the real desktop and several TeaTimer warnings about malware trying to get installed. :tazz: Specifically:
c:\windows\system32\win32.exe
c:\winstall.exe
oopr.exe
C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
c:\windows\svchost.exe
c:\windows\isrvs\ffisearch.exe
c:\windows\system32\fafzuh.exe
c:\windows\system32\taskswitch.exe
c:\windows\nmmst.exe
c:\windows\system32\paytime.exe
Attempts to delete: c:\windows\system\svchost.exe /s
Attempts to delete: grpconv -o


So I'm almost back to where I started, but so far SpywareNo hasn't returned. I think that's more because I'm denying the above files from being installed. Microsoft AntiSpyware also stops winstall.exe from being run.

I get the feeling fast.exe is involved, because I have seen two of them - Fast.exe and fast.exe. But overall I'm a bit stumped. Any ideas?

Thanks for your help thus far,
- Anthony

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

fast.exe should be a legitimate process. If you are unsure, do a search for it and see how many instances of it you can find. Then upload that file/files to this site and submit it. Post the analysis back here. taskswitch.exe is also ok to keep. It's an XP PowerToy.

Do you remember what the two infected files were that were detected by TrendMicro?

OK since you are describing some symptoms that sound like another infection we know about, I want you to do the below. Fix whatever applies, if it doesn't, just continue on:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start->Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
c:\windows\system32\win32.exe
c:\winstall.exe
oopr.exe
C:\Documents and Settings\Mike Zeitzmann\Application Data\oopr.exe
c:\windows\svchost.exe
c:\windows\isrvs\ffisearch.exe
c:\windows\system32\fafzuh.exe
c:\windows\nmmst.exe
c:\windows\system32\paytime.exe


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
c:\windows\isrvs\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\


Restart your computer.

1. Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

4. Run an online scan at http://www.pandasoft...com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.

#5 AnthonyGill (Topic Starter, New Member, 4 posts)

Hi Greyknight,

This seems to have worked! Everything is showing up clear now, and has been for several reboots.

Thanks for the help! You guys rock!

Take care,
- Anthony

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Hi Anthony, I'm glad everything is working better now, but can you please post all those logs I requested? I need to take one more look to make sure that nothing else bad is in there.

#7 AnthonyGill (Topic Starter, New Member, 4 posts)

Sure thing, Greyknight! Here are the logs. About 11 items did pop up in Pandascan, and it only fixed a few of them.

HijackThis:
====================================
Logfile of HijackThis v1.99.1
Scan saved at 6:58:34 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mike Zeitzmann\Desktop\AntiSpyware\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117242723234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
====================================


Pandascan:
====================================

Incident Status Location

Virus:Bck/Haxdoor.A Disinfected Operating system
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mike Zeitzmann\Favorites\Forced Sex.url
Adware:Adware/ISearch No disinfected C:\WINDOWS\tool2.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxgame?.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\ms2.exe
Virus:Trj/Downloader.BWL Disinfected Operating system
Adware:Adware/Nowfind No disinfected C:\WINDOWS\system32\hst32.dll
Virus:Trj/Small.LV Disinfected Operating system
Adware:Adware/G-search No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mike Zeitzmann\Favorites\Forbidden Conversations.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mike Zeitzmann\Favorites\Forced Sex.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mike Zeitzmann\Favorites\Young Preteen Models.url
Adware:Adware/MediaTickets No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4784B189-812B-4536-BD2D-40AD73\12CC42A5-AECC-46DE-B4C2-B5D184
Virus:Trj/Agent.EY Disinfected C:\WINDOWS\ms1.exe
Adware:Adware/SpywareNo No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\pvrakgx.exe
Adware:Adware/Nowfind No disinfected C:\WINDOWS\system32\hst32.dll
Virus:Trj/Downloader.UV Disinfected C:\WINDOWS\system32\newdial.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vx.tll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxgame4.exe
Adware:Adware/Nowfind No disinfected C:\WINDOWS\system32\wcnl32.dll
Adware:Adware/Beginto No disinfected C:\WINDOWS\tool2.exe
====================================


If I need to do anything, just let me know!

Thanks,
- Anthony

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Almost done. Just need to get rid of those adware files :tazz:

Delete these files:

C:\WINDOWS\tool2.exe
C:\WINDOWS\system32\vxgame?.exe
C:\WINDOWS\ms2.exe
C:\WINDOWS\system32\hst32.dll
C:\Documents and Settings\Mike Zeitzmann\Favorites\Forbidden Conversations.url
C:\Documents and Settings\Mike Zeitzmann\Favorites\Forced Sex.url
C:\Documents and Settings\Mike Zeitzmann\Favorites\Young Preteen Models.url
C:\WINDOWS\ms2.exe
C:\WINDOWS\pvrakgx.exe
C:\WINDOWS\system32\hst32.dll
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\vxgame4.exe
C:\WINDOWS\system32\wcnl32.dll
C:\WINDOWS\tool2.exe


Empty out all the contents in this folder:
C:\Program Files\Microsoft AntiSpyware\Quarantine\

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.