mz.oucihax.info popup comes at start up [Resolved]

#1
Bosco55 (Member, 10 posts)
Hello there. Thank you for anyone reading this post!

I'm having a lot of trouble with my computer, at the center of which there seems to be this annoying popup that unfailingly starts every time I boot up the computer. On the whole net I could only find one other user with the same problem (perhaps due to my lack of searching skills), and he's one of your members. He has the same popup demanding info from mz.oucihax.info, either as he starts the computer or tries to connect to the net. A copy of his string can be found at

http://www.geekstogo...nfo-t30190.html

Anyway, in my case, the popup comes at start up. All the different programs I have can't get rid of it. The problem started after I tried to install Windows XP Service Pack 2 on my computer. The installation only went as far as 30-40% or so, before my computer froze. I had no choice but to shut it down manually, which I know was detrimental. After which I was prompted by windows to uninstall the (incomplete/corrupted) Windows XP 2, saying that my system was unstable. After doing so, a number of problems occurred with the computer. Problems such as:

1) Most prominently, the appearance of this mz.oucihax.info popup
2) slower computer
3) more instances of programs not responding, needing to be shut down manually
4) Freeze of programs like MS Word, when I try saving things
5) Commonly getting the message "rundll32.exe" doesn't respond, as I try to save or shut down programs; also at system shut down
6) Inability to open certain programs at all, such as Hijack This! (Hijack this will not run in ordinary mode, only in safe mode), and system information

I know there's a virus on here. AVG detects it as "Trojan horse-Collected.5.L". It is attached to the file: "msdirectx.sys". Most every time, when I start up the computer, the AVG automatic Shield says that it detects this virus--but this notice of detection comes back the next time I boot up the computer. A recent Virus scan in Safe mode detected 4 of these viruses, one of which at msdirectx.sys , as well as another Trojan horse : "IRC/backdoor.sdbot.89.F" . (I should say though that the popup for mz.oucihax.info does not start up during Safe Mode).

It also has another anomalous symptom: My PS/2 mouse only works 2/3 times I start up the computer. If I reboot it though, then I get control of the mouse. However, this problem existed before the Service Pack fiasco, so this might be the sign that something's toasty with my Windows--or perhaps it's some virus thing. I suspect though that my inability to install XP SP2 might be because of the virus causing the mz.oucihax.info popup.

I'm quite certain that this system is on the slow wind-down to its death. My gradual loss of control over the programs is culminating to the inevitable moment where I have to blow everything away in a fit of resignation and loss. I've been here before, but I was hoping that one of you God-sent individuals could help me along in this debacle, so it doesn't get to this point. My only wish is to clean up this computer sufficiently enough so that I can take another go at installing Windows XP Service Pack 2.

System info: Windows XP / Intel Celeron 600 MHz processor/ 64 MB SDRAM

( I know it's too slow and small for Windows XP, but it worked fine before; it came installed with Windows 98; I'm sorry I can't give you more specifics but my System Info icon is frozen)

Hijack this log: I was able to procure a log while running in Safe Mode. I could only run Hijack once in normal mode, but the computer won't let me access the log I saved from then--from the moment I saved it the computer choked down in a fit and I was never able to open up Hijack this! in normal mode again. ANYWAY, this is the log I got in Safe mode, an hour or so ago. Is this reliable at all?)

Hijack this Log (safe mode):

Logfile of HijackThis v1.99.1
Scan saved at 12:33:52 AM, on 08/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\dload\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115694567259
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe



That's about all for now. If anyone actually responds, I'll be surprised, delighted, a million times thankful. Really, you people are god-sends, helping out poor schmucks like myself, who really don't understand the technology that they so depend upon.

I don't know if this helps, but the other guy who had a similar problem with the mz.oucihax.info popup reported similarly a Virus that wouldn't go away, though was detected daily (in his case, a "Padabot", not a "Trojan horse--collected.5.L" like mine). I'll put his thread down again: that's

http://www.geekstogo...nfo-t30190.html


Okay, thank you so much! :tazz: ;)

Edited by ilago, 28 June 2005 - 05:53 AM.

  • 0


#2
Bosco55 (Topic Starter, Member, 10 posts)
UPDATED HIJACK THIS LOG

By a stroke of luck I was able to save and access a "hijack this" log in normal mode. It looks suspicious because I have processes from ICQ running here when I don't have ICQ installed on my computer--though perhaps this is an old remnant of when I did.


Logfile of HijackThis v1.99.1
Scan saved at 9:55:03 PM, on 08/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msconfig32.exe
C:\WINDOWS\System32\rasautou.exe
C:\dload\hj4\HijackThis4.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115694567259
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe



Someone please have a look, I think the virus is getting worse. At last scan the number of them doubled from 5 to 10-- Trojan horse Collected.5.L is somehow spreading itself throughout my files. It's now putting up a DOS window upon my connecting to the net under the name of /system32/cmd.exe; followed by an Internet Explorer window with C:Temp/ in the address bar.

Also my AVG Anti Virus collapsed after getting its definitions update. I uninstalled and reinstalled it, was able to get the definitions and do a scan, but it's definitely wonky. It's telling me that the definitions are not up to date and it's hard to tell if it will survive the next startup.

And lemme tell ya, I had an awesome choke'n'burn system crash when trying to download something--just like the kind of crashes that I used to get, back in the day with ol' WIN 98. It kind of takes me back actually.

It's easy for you to see that this ship is going DOWN. I'm in absolute mid-roast mode, and the seas ain't getting any calmer.

What I need is a man... some kind of hero-man...

A... BAT? ... man ?? :tazz:


SOS from the Bos , out
  • 0

#3
ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi Bosco55

You certainly have some problems there. We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#4
Bosco55 (Topic Starter, Member, 10 posts)
Wow, I'm so happy that someone responded! :tazz: Thank you so much for taking the time.

I followed your advice and installed SP 1. I know you said SP 1 a, and I'm not sure if this is exactly the same thing. In any case, my computer needed it, so I guess it can only be a step up-- if there is an SP 1 a specifically, you can advise me on that. So, I went through the installation process, and rebooted-- it should be on here, though I should note that it doesn't say "SP 1" on the list of installed programs. I'm not sure if this means anything--should it?

Alright, so here's my log. Because I didn't think anyone responded, I tinkered around on my own (perhaps detrimental, though desperate I was), and some things have changed.

Just to get on a clean page: I don't have any popups anymore, what I have now is my AVG always detecting a virus in the C:Windows/system32 folder, or just the C: folder. It deletes it but it keeps coming back. In these folders, it first was attached to the file msdirectx.sys , but recently the file comes up as rdriv.sys. As well it propagates itself in the C:\System Volume Information file. AVG mainly detected the virus Trojan Horse Collected.5.L , but now has been picking up IRC/ BackDoor.Sdbot.ANP , and IRC / BackDoor. SdBot.BRJ. An online Trojan Scan detected a Rootkit on my system.

Anyway, this is only my first time navigating the computer after the SP1 install, so there might be a lot more symptoms coming up, which I need to observe and list. But, before installing it, those were my main problems: pesky viruses that don't go away. Perhaps the best thing I should do is put my HJ log on here, and please let me know if anything seems suspicious at the outset.


Logfile of HijackThis v1.99.1
Scan saved at 5:12:54 PM, on 15/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\dload\framxpro\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\dload\hj4\HijackThis4.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\dload\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115694567259
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)




Alright, so I hope to talk soon! Take care and again, thank you so much.

Bos
  • 0

#5
ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi Bosco55

You do have a couple of problems still but this log looks better than your first log. SP1 is OK and your log shows it's loaded. That will give you some additional protection.

Please follow all instructions as specified. You may like to print these instructions out so you have a copy of them to follow and ensure all the steps are carried out correctly.

Please download the following programs, but do not run them yet:

1.) rdrivRem.zip
*Unzip it to your desktop.
2.) Ewido Security Suite
*Install ewido security suite
*Launch ewido, there should be a big E icon on your desktop, double-click it.
*The program will prompt you to update click the OK button
*The program will now go to the main screen
*You will need to update ewido to the latest definition files.
*On the left hand side of the main screen click update
*Click on Start
*The update will start and a progress bar will show the updates being installed
3.) CleanUp!
*Install it.
4.) Killbox by Option^Explicit
*Save it to your desktop.
*Go to Step 5 below and copy those instructions. Paste them into notepad and save it for use while in Safe Mode.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key as soon as your computer beeps until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen.

2.) Double-click the Ewido Security Suite icon to run the program. Set the program up as follows:
*Click on scanner
*Make sure the following boxes are checked before scanning:
*Binder
*Crypter
*Archives

*Click on Start Scan
*Let the program scan the machine
While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) and click OK. Save the report from ewido.

3.) Run Cleanup! by double-clicking the Cleanup! icon on your desktop.

4.) Run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe


Close HiJackThis.

[START OF INSTRUCTIONS TO COPY FOR USE IN SAFE MODE]

5.) Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\wkssvc.exe
c:\windows\msdirectx.sys
c:\windows\msconfig32.exe
c:\windows\system32\msconfig32.exe
C:\Windows\System32\rdriv.bak
C:\windows\system32\rdriv.sys
C:\Windows\ItunesMusic.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

[END OF INSTRUCTIONS TO COPY FOR USE IN SAFE MODE]

Reboot your computer into normal mode

After computer has restarted continue with the rest of the instructions:

Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.

Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

Then, run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.
  • 0
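As an added illustration that is not part of this thread or of HijackThis itself, the checks ilago applies by eye to the O4 and O23 lines (autorun entries that launch a bare file name, entries under the legacy RunServices key, services with "Unknown owner" or "(file missing)") can be written down as a small log triage script. The embedded sample log is constructed from the shape of the entries posted above, and the heuristics are my assumptions, not features of any tool named here.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of the HijackThis v1.99.1 logs posted in this thread.
# It mixes clearly legitimate entries with the ones the helper asked to have fixed.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = www.hotmail.com
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [ICQ Chat Service] icqjdhs.exe
O4 - HKLM\\..\\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\\..\\Run: [FreeRAM XP] "C:\\dload\\framxpro\\FreeRAM XP Pro 1.40.exe" -win
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\\WINDOWS\\wkssvc.exe (file missing)
"""

# Line shapes as HijackThis 1.99.1 prints them (assumed from the logs in this thread).
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def first_executable(cmd: str) -> str:
    """Return the program part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(m: "re.Match") -> List[str]:
    reasons = []
    exe = first_executable(m.group("cmd"))
    # A bare file name means Windows resolves it through the search path at logon;
    # legitimate installers almost always register a full path instead.
    if exe and "\\" not in exe and ":" not in exe:
        reasons.append(f"autorun launches bare file name {exe!r} (no directory)")
    # RunServices is a Windows 9x/Me autorun key; XP software has no reason to use it.
    if m.group("key").endswith("RunServices"):
        reasons.append("entry lives under the legacy RunServices key")
    return reasons


def check_o23(m: "re.Match") -> List[str]:
    reasons = []
    if m.group("owner").lower() == "unknown owner":
        reasons.append("service binary carries no vendor information (Unknown owner)")
    if m.group("path").rstrip().endswith("(file missing)"):
        reasons.append("service registration points at a file that no longer exists")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return every O4/O23 line with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        reasons = check_o4(m) if m else []
        if not m:
            m = O23_RE.match(line)
            reasons = check_o23(m) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

A flagged line is a prompt to look closer, not proof of infection; an orphaned service registration such as the wkssvc.exe entry still needs the service itself removed, which is exactly what the later instructions in this thread do.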

#6
Bosco55 (Topic Starter, Member, 10 posts)
Hello. I'm sorry it's been a while since I responded, I was out of town for a few days.

Anyway, I'm going to do everything you instructed, and I'll be sure to post the results of that in 1 or 2 days. I just wanted to let you know that I'm still continuing on with this, and I'll give a more detailed post shortly.

Thanks again!

Bos
  • 0

#7
Bosco55 (Topic Starter, Member, 10 posts)
Oh, one thing:

I tried to follow your rdrivRem.zip download link but I get transferred to a Geekstogo webpage that tells me:

"Sorry, some required files are missing, if you intended to view a topic, it's possible that it's been moved or deleted. Please go back and try again."

Is there any other way I can download the file?

Once I have access to the file, I can start with the fixes.

Thanks,

Bos
  • 0

#8
ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi Bosco55

Looks like we might have had a dud link there - try this one.

http://www.geekstogo...pe=post&id=1657
  • 0

#9
Bosco55 (Topic Starter, Member, 10 posts)
Hey Ilago, how are you?

Well, I followed your instructions the best that I could, so I'll post the logs, as you requested.

I just wanted you to know of a few things that happened along the way-- possibly these might have been a factor in the result.

1) I was able to get that rdrivRem program on that new link you gave me, but I can't tell if it ran properly. In safe mode, I started it up, and I got the intro screen, which says "press any key to continue". When I did, though, the little DOS window it was running in shut down. I don't know if that just means the program did its bit and everything's fine, or if something was intercepting it from performing more lengthy processes. I tried restarting it 2 more times and got the same result-- it just seemed like the program shut down, with no evidence of scanning for anything, or no interface with me, the user.

2) Concerning the Killbox application. You instructed me to store all of those files in a notepad, open them up in safe mode, and all at once, copy them to a clipboard (CTRL + C), and use Killbox's "copy from clipboard" command to enter them all in, in one shot. Well for whatever reason, I don't have that clipboard function on my computer, so I couldn't load them in all at once, which seemed kind of important. Rather I just copied them one at a time, and then pressed the "delete" red x after each one. After each one it asked me if I wanted to restart, I said no, because I had another one to cut and paste. At the end, I didn't restart off the program's command, but just closed the program and restarted the computer manually. As a result I didn't get that "Pending Rename OP" prompt that you said would come. As with #1, I don't know how important this was, but I wanted to let you know.

3) Ewido didn't allow me to search the "Archives", for whatever reason. This box was greyed out and wouldn't allow a check.

Even with the glitches, I went ahead and followed all your instructions. Here are the results of the logs:

EWIDO:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:01:05 AM, 21/06/2005
+ Report-Checksum: CED2DCCF

+ Date of database: 21/06/2005
+ Version of scan engine: v3.0

+ Duration: 52 min
+ Scanned Files: 28079
+ Speed: 8.90 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\gglib.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Shuntaro Honzawa\Cookies\shuntaro honzawa@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shuntaro Honzawa\Cookies\shuntaro honzawa@cz4.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shuntaro Honzawa\Cookies\shuntaro honzawa@cz3.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shuntaro Honzawa\Cookies\shuntaro honzawa@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Shuntaro Honzawa\Cookies\shuntaro honzawa@dcsg1lnm6g9xjy0rch86gos1s_1v9d[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{6CA7E891-C3DD-4F8B-87E3-B52BD7EF4043}\RP184\A0042940.sys -> Trojan.Rootkit.k -> Cleaned with backup


::Report End


**************

PANDA ACTIVESCAN


Incident Status Location

Adware:Adware/SuperSpider No disinfected C:\m.exe
Virus:Trj/LowZones.BB No disinfected C:\mioi.exe[kans.reg]
Virus:Trj/LowZones.BB No disinfected C:\mioi.exe[kansup.reg]
Spyware:Spyware/ISTbar No disinfected C:\mioi.exe[update.html]
Adware:Adware/SuperSpider No disinfected C:\m.exe
Adware:Adware/MediaTickets No disinfected C:\lc.exe[re11.REG]
Adware:Adware/WUpd No disinfected C:\lc.exe[update.html]
Adware:Adware/MediaTickets No disinfected C:\lhgfhg.exe[re11.REG]
Adware:Adware/WUpd No disinfected C:\lhgfhg.exe[update.html]
Virus:Trj/Multidropper.AMF Disinfected C:\configure32.exe
Virus:Trj/LowZones.BB No disinfected C:\upd1.exe[kans.reg]
Virus:Trj/LowZones.BB No disinfected C:\upd1.exe[kansup.reg]
Spyware:Spyware/ISTbar No disinfected C:\upd1.exe[update.html]
********************

HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 2:15:30 AM, on 21/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\dload\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\dload\hj4\HijackThis4.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\dload\framxpro\FreeRAM XP Pro 1.40.exe" -win
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115694567259
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C637518D-FBBB-4655-B990-DC2A13906DB0}: NameServer = 216.104.96.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)

********************

Alright, so I'll await further instruction from you. It seems that that last code in 23 is suspicious, since I "Fix Check"ed it but it came back for more.

Anyway, thanks again, and looking forward to hearing from you soon,

:tazz:

Bos
  • 0

#10
ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi bosco

For the moment let's check if wkssvc.exe is showing in Windows Explorer and check if it's listed as C:\WINDOWS\wkssvc.exe. It shouldn't still be there.

Now we are going to remove the service it was running from.

Click Start > Run type services.msc into the Run box and click OK

The service management utility will open. In the list of services find:
Workstation Service Library (Microsoft Locator Service)

Right-click that line and choose Properties.

On the General tab click "Stop" and set the "startup type" to disabled in the drop-down box.

Close the services utility.

Open HijackThis and click Config > Misc Tools > Delete an NT service

In the dialog box copy and paste (or type carefully): Microsoft Locator Service

Reboot into Safe Mode

Open Windows Explorer and delete these files if they are present.

C:\m.exe
C:\mioi.exe
C:\lc.exe
C:\lhgfhg.exe
C:\upd1.exe


Reboot into Normal Mode and do an online scan here:

http://housecall.trendmicro.com/ Put on 'Autoclean' and delete what it can't clean

Reboot when the scan is finished and post a new HijackThis log.
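To show what makes that O23 line stand out, here is an added example (not from the thread, and not part of HijackThis) that parses O23 service lines and applies the same checks ilago's instructions rest on: an "Unknown owner" vendor, a binary marked "(file missing)", a Microsoft-sounding name from a non-Microsoft vendor, and a service binary sitting directly in C:\WINDOWS rather than System32. The sample lines are the O23 entries from Bosco's log above; the heuristics and function names are my own.

```python
import re

# Shape of a HijackThis O23 line (the parenthesised service name is optional; it is
# the name that HijackThis "Delete an NT service" asks for):
#   O23 - Service: <display name> (<service name>) - <vendor> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# The O23 lines from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
"""

def parse_o23(line):
    """Return a dict for an O23 line, or None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"display": d["display"], "short": d["short"], "vendor": d["vendor"],
            "path": d["path"], "missing": d["missing"] is not None}

def assess_service(svc):
    """Reasons a parsed O23 service deserves a closer look; an empty list means nothing odd."""
    reasons = []
    if svc["vendor"].lower() == "unknown owner":
        reasons.append("no vendor information on the binary")
    if svc["missing"]:
        reasons.append("service still registered but its binary is gone")
    path = svc["path"].lower()
    # Windows' own service binaries live under System32; a file directly in C:\WINDOWS is unusual.
    if path.startswith("c:\\windows\\") and "\\system32\\" not in path:
        reasons.append("binary directly in the Windows directory, not System32")
    names = (svc["display"] + " " + (svc["short"] or "")).lower()
    if "microsoft" in names and "microsoft" not in svc["vendor"].lower():
        reasons.append("Microsoft-sounding name but the vendor is not Microsoft")
    return reasons

def triage_log(text):
    """Return [(service dict, reasons)] for every O23 line that raises at least one flag."""
    flagged = []
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc is not None and assess_service(svc):
            flagged.append((svc, assess_service(svc)))
    return flagged
```

Run `triage_log(SAMPLE_LOG)` and only the wkssvc.exe entry comes back, carrying all four reasons, while the AVG and ewido services pass clean.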

#11 Bosco55 (Topic Starter - Member, 10 posts)
Hello. I followed your instructions, so here's the result of the latest HijackThis scan. I was happy to see that Trend Micro didn't pick up any viruses. My AVG automatically picked up one virus in the System Volume Info (a Trojan horse), but that's been deleted.



Logfile of HijackThis v1.99.1
Scan saved at 6:41:03 PM, on 22/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\dload\framxpro\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\dload\hj4\HijackThis4.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\dload\framxpro\FreeRAM XP Pro 1.40.exe" -win
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115694567259
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


Please let me know what you see - the computer seems to be running well, on my end, so let's hope that's a good thing. I'd like to install SP2 when I can be sure there's no virus to disrupt it.

Thank you,

Bos

#12 ilago (Visiting Staff - Visiting Consultant, 363 posts)
Hi bosco

That log now looks pretty good. This would be a good time to set a new system restore point. This article on system restore is helpful http://www.bleepingc...t56.html#delete

Install Windows SP2 unless you have an application that you know doesn't work with it and hasn't provided an update. If you enable automatic updates, SP2 will slowly download when you are online - it's a big download in one hit. It's important to keep Windows up to date.

You already have ewido - Some of the features don't work after the evaluation period is over but the scanning function will still work.

Install a third party firewall. The Windows firewall only controls incoming traffic not outgoing traffic. These are free and well known:

Zone Alarm http://www.Zonelabs.com/
Kerio Personal Firewall http://www.kerio.com/kpf_download.html

Do regular scans with Spybot and Adaware and make sure you keep them up to date.

SpywareBlaster will block bad ActiveX and malevolent cookies. Keep it updated.
http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Keep it updated monthly or so. The download is a long way down the page - but the whole page is worth reading to find out more about the problem with malware.
https://netfiles.uiu...ww/resource.htm

Microsoft Antispyware is a good product. It can be downloaded free from the Microsoft site. It includes a realtime system monitor. Whether it stays completely free is not yet certain.

If you don't use Microsoft antispyware then install a realtime monitor that will notify you of attempts to change your system.

WinPatrol:
http://www.winpatrol.com/

The firewall and winpatrol (and/or MSAntispyware) will bring up a lot of alerts when you first install them but once you've allowed access for the programs that are important they won't bother you too much unless something changes.

Consider using an alternate browser that isn't so targeted by nasties as Internet Explorer.

Firefox: http://www.mozilla.org
Opera: http://www.opera.com

"Adult" and gambling sites are often sources of infection. Some IRC channels, filesharing and P2P software like Kazaa, Bittorrent etc. are also sources of malware infections.

Don't click on any link in spam email and don't click on any advertisements on websites unless you are certain that the links are safe.

If you have any more questions please let me know so I can close this topic.

#13 Bosco55 (Topic Starter - Member, 10 posts)
Hey Ilago, how are you? Everything's running very well here.

Thank you so much for taking the time to help me, and also for your good suggestions in that last post, which I will follow.

Feel free to close the post.

Thanks again! :tazz:

#14 ilago (Visiting Staff - Visiting Consultant, 363 posts)
Thanks for getting back to me Bosco. Glad we could help :tazz:

This topic is now closed. If you need it opened again for any reason please contact a moderator.