Need Help - log [RESOLVED]


#1
adichiara

Hello. One piece of spyware got into my computer and spread very quickly.

The things very evident are Sheriff Spy, desktop.exe (some search thing), 'Virus Hunter', Aurora, other shortcuts on my desktop like 'free psp' etc, a 'cool links' thing that has taken over all links on the internet. And other misc. crap. When I turn on my computer my backdrop is even changed to bright blue and it has an urgent message that says I have a serious spyware malfunction. I desperately need help, and quick (finals next week!).

I am usually decent with this stuff. I know Spybot, Adaware, McAfee/virus scanner, and CWShredder usually get the job done. They usually do. I ran all of them with no good outcome. It keeps coming back. Here is my log....

Logfile of HijackThis v1.99.1
Scan saved at 3:17:45 PM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\runservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\sys1733.exe
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\init32m.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\sys1533.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\Services\{33B938C9-77BB-48D2-B555-E6F59D82CBC8}\SVCHOST.EXE
C:\Documents and Settings\AndrewD\Desktop\hijackthis\HijackThis.exe
c:\windows\system32\gsxqwp.exe
C:\WINDOWS\System32\Services\{382DB955-C632-45A0-998B-586F7B33BB30}\SVCHOST.EXE
C:\WINDOWS\System32\Services\{382DB955-C632-45A0-998B-586F7B33BB30}\SVCHOST.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {67926445-7204-C3A3-F1BC-D24B4001F6A7} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsh18.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{33B938C9-77BB-48D2-B555-E6F59D82CBC8}\SVCHOST.EXE
O4 - HKLM\..\Run: [sys1733] C:\WINDOWS\sys1733.exe
O4 - HKLM\..\Run: [epkbkk] c:\windows\system32\sdgpagj.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [sys1733] C:\WINDOWS\sys1733.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\crt32_v2.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® VBScript® Console - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\remove_me.dll (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\crt32_v2.dll (HKCU)
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing) (HKCU)
O9 - Extra button: Microsoft® VBScript® Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O13 - DefaultPrefix: http://www.heretofin...how.php?id=1&q=
O13 - WWW Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Home Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Mosaic Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Gopher Prefix: http://www.heretofin...how.php?id=1&q=
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 195.95.218.170
O15 - Trusted IP range: 195.95.218.170 (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: System - {46F0A330-FBC7-4AD9-83D8-DC747C5F43DA} - vr_sys.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

I think there's something big in there. Even when I have a decent spyware problem those programs fix it. I am typing this from another computer even. Please help, thanks so much.

Edited by adichiara, 21 June 2005 - 01:06 PM.

#2
adichiara

<nevermind this last post>

Edited by adichiara, 21 June 2005 - 02:00 PM.


#3
Excal

Hi adichiara and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have numerous serious infections. This will be a multi-step process to remove them. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\wp.bmp
C:\Windows\System32\perfcii.ini
C:\Windows\System32\oleadm.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way):

FOLDERS to delete, if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {67926445-7204-C3A3-F1BC-D24B4001F6A7} - (no file)


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

Edited by Excal, 22 June 2005 - 01:20 PM.


#4
adichiara


Quote (from Excal's post above):

    I need you to copy all of the Killbox file paths below and paste them into Notepad.

    * Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

    * Save it to your desktop.

    * Please double-click Killbox.exe to run it.

    * Select "Delete on Reboot".


First off, thanks a lot. I truly appreciate this.

What 'Killbox file paths' are you talking about? I have no idea. You mean like Program Files/KillBox and everything underneath that?

-Andrew

Edited by adichiara, 22 June 2005 - 01:00 PM.


#5
Excal

Hi andrew,


These :tazz:



C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\wp.bmp
C:\Windows\System32\perfcii.ini
C:\Windows\System32\oleadm.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\msole32.exe
C:\Windows\System32\ole32vbs.exe


#6
adichiara

When I go onto IE to get to ActiveScan (it doesn't work with Mozilla), I type in the URL and that heretofind takes over the command and redirects it to their site. So until I get that fixed I can't think of a way to get to that site on IE. I tried linking it on AOL IM, but it turns on Mozilla. Some of these programs came back even after I followed the steps and used HijackThis.


Logfile of HijackThis v1.99.1
Scan saved at 10:00:39 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\windows\system32\tdobaik.exe
C:\WINDOWS\SYSTEM32\init32m.exe
C:\WINDOWS\System32\Services\{658C5632-459A-41F9-85DF-89EF2089060A}\SVCHOST.EXE
C:\WINDOWS\sys1733.exe
C:\WINDOWS\System32\win32.exe
C:\sys.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\AndrewD\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsh18.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{7CED5E45-B937-406D-8519-F666F2245AF8}\SVCHOST.EXE
O4 - HKLM\..\Run: [sys1733] C:\WINDOWS\sys1733.exe
O4 - HKLM\..\Run: [btpmwx] c:\windows\system32\tdobaik.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{5E19CEB8-144C-4DC1-9589-B929FABD884B}\SECURITY.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [sys1733] C:\WINDOWS\sys1733.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\crt32_v2.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® VBScript® Console - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\remove_me.dll (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\crt32_v2.dll (HKCU)
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing) (HKCU)
O9 - Extra button: Microsoft® VBScript® Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O13 - DefaultPrefix: http://www.heretofin...how.php?id=1&q=
O13 - WWW Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Home Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Mosaic Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Gopher Prefix: http://www.heretofin...how.php?id=1&q=
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: System - {0A15A8D1-024B-41E7-82D0-A3A812B60B01} - vr_sys.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#7
Excal

Hi adichiara,

Not to worry ;) It's going to be a multi-step process to clean your seriously infected computer, but we will get it fixed :tazz:

I noticed that your HijackThis.exe is located on your desktop; please save HijackThis in its own folder (i.e. C:\HJT). This is very important, so HijackThis can save backups!

How to make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Download and run iSearchFix.exe from http://www.atribune..../iSearchFix.exe and allow it to install to its default location. Do not run it yet.

Download and install CleanUp! Here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Do NOT run it yet. Save all of these files somewhere you will remember, like the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Please open the iSearchFix folder and run isearch.bat. Save the log and post it in your next reply.

5. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled. (if present)

6. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)

c:\windows\system32\tdobaik.exe
C:\WINDOWS\SYSTEM32\init32m.exe
C:\WINDOWS\System32\Services\{658C5632-459A-41F9-85DF-89EF2089060A}\SVCHOST.EXE
C:\WINDOWS\sys1733.exe
C:\WINDOWS\System32\win32.exe
C:\sys.exe


7. Close all browsers, windows and unneeded programs.

8. Open HijackThis and do a scan.

9. Put a check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsh18.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{7CED5E45-B937-406D-8519-F666F2245AF8}\SVCHOST.EXE
O4 - HKLM\..\Run: [sys1733] C:\WINDOWS\sys1733.exe
O4 - HKLM\..\Run: [btpmwx] c:\windows\system32\tdobaik.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{5E19CEB8-144C-4DC1-9589-B929FABD884B}\SECURITY.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [sys1733] C:\WINDOWS\sys1733.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\crt32_v2.dll
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\remove_me.dll (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\crt32_v2.dll (HKCU)
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing) (HKCU)
O13 - DefaultPrefix: http://www.heretofin...how.php?id=1&q=
O13 - WWW Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Home Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Mosaic Prefix: http://www.heretofin...how.php?id=1&q=
O13 - Gopher Prefix: http://www.heretofin...how.php?id=1&q=
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: System - {0A15A8D1-024B-41E7-82D0-A3A812B60B01} - vr_sys.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


10. Click the Fix Checked box.

11. Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\isrvs
C:\WINDOWS\System32\Services\{5E19CEB8-144C-4DC1-9589-B929FABD884B}
C:\WINDOWS\System32\Services\{7CED5E45-B937-406D-8519-F666F2245AF8}


12. Please remove just the files from the following paths using Windows Explorer (if present):

c:\windows\system32\tdobaik.exe
C:\WINDOWS\SYSTEM32\init32m.exe
C:\WINDOWS\sys1733.exe
C:\WINDOWS\System32\win32.exe
C:\sys.exe
C:\WINDOWS\System32\vbrundll.dll
C:\WINDOWS\System32\nsh18.dll
C:\winstall.exe
C:\WINDOWS\System32\crt32_v2.dll
C:\WINDOWS\remove_me.dll
C:\WINDOWS\svcproc.exe


13. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created. Please save this log and copy it in your next post.
14. Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about. Reboot your computer into normal Windows.

15. Run the program CleanUp!

16. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

17. Please post the ActiveScan log, isearchlog.txt, the About:Buster log and a fresh HijackThis log. Let me know how your computer is running.
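Added example (not from Excal, not from this thread's posters, and not part of HijackThis): a small Python script that reads a HijackThis 1.99 log the way Excal reads one in posts #3 and #7 and flags the entry types he picks out: processes and Run entries living in a {GUID} folder under System32\Services, the system.ini Shell= chain (init32m.exe here, Nail.exe later), IE start/search pages and O13 URL prefixes pointing away from the stock hosts, the text/html MIME filter, Trusted Zone additions, SSODL entries whose DLL is missing, and Run values whose name and executable are both random lowercase letters (the epkbkk/sdgpagj, btpmwx/tdobaik, sjkyhy/lgvdhq component that kept renaming itself). Every rule and the allowlist of default IE hosts are my assumptions, written from what got fixed in this thread; the sample log is excerpted from the first log posted above.

```python
"""Triage a HijackThis 1.99.x log: parse the section-coded entries and flag the kinds
Excal picks out in posts #3 and #7. Added example, not a tool HijackThis or Excal ships;
every rule is a heuristic (an assumption), so a hit means "look at this", not "infected"."""
import re
from urllib.parse import urlparse

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
GUID_DIR = re.compile(r"\\Services\\\{[0-9A-F-]{36}\}\\", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")         # epkbkk / tdobaik / sjkyhy style
IE_DEFAULT_HOSTS = ("msn.com", "microsoft.com")   # assumed stock XP start/search hosts

# Excerpted (shortened, not altered) from the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\Services\{33B938C9-77BB-48D2-B555-E6F59D82CBC8}\SVCHOST.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...w.php?id=1&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{33B938C9-77BB-48D2-B555-E6F59D82CBC8}\SVCHOST.EXE
O4 - HKLM\..\Run: [epkbkk] c:\windows\system32\sdgpagj.exe r
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: (no name) - {9DBB80E2-B681-4765-8A5F-AD3994C9B4F3} - C:\Documents and Settings\AndrewD\Local Settings\Temporary Internet Files\Content.IE5\UHYT6927\access[1].exe (file missing)
O13 - WWW Prefix: http://www.heretofin...how.php?id=1&q=
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: System - {46F0A330-FBC7-4AD9-83D8-DC747C5F43DA} - vr_sys.dll (file missing)
"""

def parse_hjt(text):
    """Return (code, body) pairs; running processes come back as ('PROC', path)."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False                      # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            entries.append(("PROC", line))
        elif ENTRY.match(line):
            entries.append(ENTRY.match(line).groups())
    return entries


def check_run_entry(body):
    """Rules for O4 entries of the form 'HKLM\\..\\Run: [value name] target args'."""
    name_part, _, target = body.partition("] ")
    name = name_part.split("[", 1)[-1]
    m = re.match(r"(.*?\.exe)", target, re.I)     # drop launch args such as the ' r'
    folder, _, exe = (m.group(1) if m else target).lower().rpartition("\\")
    if GUID_DIR.search(folder + "\\"):
        return "autorun from a {GUID} folder under System32\\Services"
    if folder in ("c:", "c:\\windows"):
        return "autorun executable dropped directly in C:\\ or C:\\WINDOWS"
    if folder.startswith("c:\\windows\\") and folder.split("\\")[2] not in ("system32", "system"):
        return "autorun from a non-standard folder under C:\\WINDOWS"
    if RANDOM_NAME.match(name) and RANDOM_NAME.match(exe.rsplit(".", 1)[0]):
        return "random-letter Run value and executable (self-renaming dropper pattern, heuristic)"
    return None


def triage(text):
    """Return (code, reason, body) for every entry a helper would want to look at."""
    findings = []
    for code, body in parse_hjt(text):
        low, reason = body.lower(), None
        if code == "PROC" and GUID_DIR.search(body):
            reason = "process running from a {GUID} folder under System32\\Services"
        elif code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if value.lower().startswith("mk:@msitstore:"):
                reason = "IE start page served out of a local .chm file"
            elif re.search(r"(start|search) page", key, re.I) and \
                    not urlparse(value).netloc.lower().endswith(IE_DEFAULT_HOSTS):
                reason = "IE start/search page points away from the assumed default hosts"
        elif code == "F2" and "shell=" in low and low.split("shell=", 1)[1].split() != ["explorer.exe"]:
            reason = "extra program chained onto the system.ini Shell= value"
        elif code == "O4":
            reason = check_run_entry(body)
        elif code == "O9" and ("temporary internet files" in low or "(file missing)" in low):
            reason = "IE toolbar button backed by a cache file or a missing file"
        elif code in ("O13", "O15"):
            reason = "IE URL prefix hijack" if code == "O13" else "site or IP range added to the Trusted Zone"
        elif code == "O18" and low.startswith("filter: text/html"):
            reason = "MIME filter on text/html (page content can be rewritten in transit)"
        elif code == "O21" and "(file missing)" in low:
            reason = "ShellServiceObjectDelayLoad entry pointing at a missing DLL"
        if reason:
            findings.append((code, reason, body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {body}")
```

Run it as a script to see the flagged lines from the sample, or call triage() on a pasted log. A hit is a prompt to look, not a deletion list: the rules deliberately say nothing about ordinary-looking entries such as the LicCtrl service, which Excal also left alone, and a renamed dropper like lgvdhq.exe only shows up through the random-name heuristic, which is why Excal kills the process and deletes the file on reboot rather than trusting a single log.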

#8
adichiara

It's working a lot better now. I still see a few problems I can't get rid of using my knowledge gained in this experience. But I am actually posting this from THE computer. The clicksearch didn't leave the first time I rebooted after your instructions, but it left for good after I did it another two times. The internet is even running full speed. I don't get any error messages when I turn on my computer or open Mozilla, and my desktop image has returned. It looks almost cleaned. But I will try not to use it too much until you give the okay, just to be safe. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 4:14:32 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\windows\system32\lgvdhq.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\AndrewD\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [sjkyhy] c:\windows\system32\lgvdhq.exe r
O4 - HKLM\..\Run: [sjkyhy] c:\windows\system32\lgvdhq.exe r
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® VBScript® Console - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra button: Microsoft® VBScript® Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


That Nail.exe and lgvdhq.exe are tough. I couldn't get rid of them. When I did, they reappeared two seconds later. The lgvdhq.exe one changes names when you delete it, to names such as 'almhoe.exe'. The svprohost.exe or whatever it's called seems gone for now. However, it pops up once in a while too; it won't stay down.

AboutBuster 5.0 reference file 30
Scan started on [6/24/2005] at [3:09:59 PM] ------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:10:14 PM


iSearch Removal Batch 1.00
 
        by Atri         
 
Looking for and terminating running processes
 
 
Fixing the registry
 
"Registry fix complete"
 
Removing the Delprot service
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

 
 
Unregistering and deleting isrvs dll's
 
 
Attempting to delete files and folders
 
 
Removing bad shortcuts from desktop
 
If there are "bad" shortcuts remaining on your desktop please report them with your logs!
 
Emptying the Trusted and Restricted zones
 
 
!!Please post this log as well as a new HijackThis log on the forum!!



...and the Aurora popups are still in there somewhere.

Edited by adichiara, 24 June 2005 - 02:38 PM.


#9
Excal

Ok, let's see if we can get that tricky one :tazz:.


Please download the trial version of Ewido Security Suite Here
Install it, and update the definitions to the newest files. Do NOT run a scan yet. (if you already have, please just update)

Please download Nailfix from Here
Unzip it to the desktop but please do NOT run it yet.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\Nail.exe
c:\windows\system32\lgvdhq.exe


4. Go into Hijack This->Config->Misc. Tools->delete file on reboot. Navigate to this file: c:\windows\system32\lgvdhq.exe
Double-click on that file. HJT asks you if you want to reboot now. Click "yes".

5. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

6. Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

7. Then please run Ewido, and run a full scan. Post the log from the scan here for me.

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [sjkyhy] c:\windows\system32\lgvdhq.exe r
O4 - HKLM\..\Run: [sjkyhy] c:\windows\system32\lgvdhq.exe r
O18 - Filter: text/html - (no CLSID) - (no file)


11. Please remove just the files from the following paths using Windows Explorer (if present):

c:\windows\system32\lgvdhq.exe

12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post an ActiveScan log, Ewido scan log and a fresh HijackThis log. Let me know how your computer is running.
  • 0
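As an added illustration of the triage Excal is doing by eye on those HijackThis entries (example code, not part of this thread or of HijackThis itself): a small checker that parses HJT 1.99 log lines and flags the three patterns fixed above, a Shell= value with anything appended after Explorer.exe, an O4 autorun of a file the thread names as the infection, and an orphaned O18 MIME filter. The sample lines and the known-bad list are constructed from this thread only.

```python
import re

# Constructed sample in HijackThis 1.99 log format, taken from the entries
# discussed in this thread (raw string so the backslashes stay literal).
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [sjkyhy] c:\windows\system32\lgvdhq.exe r
O4 - HKLM\..\Run: [sjkyhy] c:\windows\system32\lgvdhq.exe r
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe"""

# File names this thread identifies as the infection (assumption: a real
# checklist would be far longer and come from a maintained database).
KNOWN_BAD = {"nail.exe", "lgvdhq.exe"}


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: [name] path' into (section, body), or None."""
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_line(line):
    """Return the reasons this line deserves a closer look (empty list = none)."""
    parsed = parse_line(line)
    if not parsed:
        return []
    section, body = parsed
    reasons = []
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        # Shell= should be exactly Explorer.exe; anything appended is started
        # alongside the shell at every logon (the Nail.exe trick in this thread).
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reasons.append("Shell= hijack: " + shell)
    if section == "O4":
        exe = re.search(r"([\w~.-]+\.exe)", body, re.I)
        if exe and exe.group(1).lower() in KNOWN_BAD:
            reasons.append("autorun of known-bad file " + exe.group(1))
    if section == "O18" and "(no CLSID)" in body:
        reasons.append("MIME filter with no CLSID/no file (orphaned hijack)")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; duplicate O4 lines are reported once."""
    findings = {}
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings
```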

#10
adichiara

adichiara

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ActiveScan freezes while I use it because my computer goes to sleep and it [bleep]s up the scan. I ran the Ewido thing and it found over 100 things, which it corrected. But I don't know how to post its log; I didn't see one.

Logfile of HijackThis v1.99.1
Scan saved at 9:49:06 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\runservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Documents and Settings\AndrewD\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft® VBScript® Console - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra button: Microsoft® VBScript® Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {FF3A98D4-9D39-4922-9FD9-293BD4EC80AE} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


No more Aurora popups. I haven't encountered any since the last sequence.

Edited by adichiara, 24 June 2005 - 09:24 PM.

  • 0

#11
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Download Escan: http://www.mwti.net/...e_utilities.asp
Better to disable your own virus scanner while performing the next scan.

In scan options, check everything.
Also, scan all files.
When done, click scan.

When the scan is done, you'll get an option to make a log. You'll get a long log.
Open that log and copy and paste all the lines/files where it says 'infected' in your next reply.

Don't copy and paste the lines from infected files that are present in recovery or backup folders of an antispyware scanner (e.g. Ad-Aware, Spybot S&D) or your virus scanner. Those I don't need.
I don't need the infected files/lines that are present in your System Volume Information folder.
I just want all the other infected ones apart from those above.
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
