Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Seems I can't remove this malware [RESOLVED]


  • This topic is locked This topic is locked

#1
Gothos

Gothos

    Member

  • Member
  • PipPip
  • 34 posts
Ugh .... :tazz:

So far I have ran AdAware, Spybot S&D, CW Shredder, Trojan Hunter, and 2 online scanners. (Kapersky and Trend Housecall in safe mode, network connection). I have also ran Ewido. Still have a bizarre desktop splash screen that seems to be JAVA controlled.

Below is the Ewido log;

+ Created on: 2:15:20 PM, 6/25/2005
+ Report-Checksum: 5B72A6BD

+ Date of database: 6/25/2005
+ Version of scan engine: v3.0

+ Duration: 50 min
+ Scanned Files: 171807
+ Speed: 56.54 Files/Second
+ Infected files: 87
+ Removed files: 87
+ Files put in quarantine: 87
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\SYSTEM32\lwv.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ms.exe -> TrojanDownloader.Vb.Cw -> Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Erl6A.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Searchx.htm -> Spyware.TwainTech -> Cleaned with backup
C:\WINDOWS\SYSTEM32\YhaJ.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\KfmJ8U3.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Rydo84km.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Bnqw5T.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ATPartners.dll.tcf -> TrojanDownloader.Rameh.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\іеxplore.exe -> Spyware.PurityScan.am -> Cleaned with backup
C:\WINDOWS\SYSTEM32\hookdump.exe -> Trojan.Agent.ep -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Dlv273d8.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\FnpZ1lX.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Ifojyc.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Lppk3f.exe.tcf -> TrojanDownloader.VB.em -> Cleaned with backup
C:\WINDOWS\bundles\bs5-vwqouc.exe -> Spyware.BookedSpace.c -> Cleaned with backup
C:\WINDOWS\bundles\32wu54rd.exe.tcf -> TrojanDropper.Small.gt -> Cleaned with backup
C:\WINDOWS\nmvrnx.dat -> TrojanDownloader.Agent.an -> Cleaned with backup
C:\WINDOWS\oqgoid.dat -> TrojanDownloader.Agent.an -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx.tcf -> Spyware.MediaTickets.f -> Cleaned with backup
C:\WINDOWS\stoolbd.dll.tcf -> Spyware.FastLook -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Trojan.Searcher -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll.tcf -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Hijack\backup-20050116-013110-620-Microsoft Windows.RB0 -> TrojanDropper.Inor.cj -> Cleaned with backup
C:\Hijack\backup-20050625-130219-702-Microsoft Windows.RB0 -> TrojanDropper.Inor.cj -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.cy -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Local Settings\Temp\THI752.tmp\preInsMt.exe -> Spyware.BiSpy.q -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Local Settings\Temp\bnnf.exe -> Trojan.Agent.ep -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.x10[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@adcontent.gamespy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.monster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@mediamgr.ugo[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S140456[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S122915[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@bcentral[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@eqvault.ign[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@mediamgr.ugo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@bannerspace[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.specificclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ad4.lbn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@linkexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S119703[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@www.xzoomy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.x10[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.monstermoving[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@campaigns.f2.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.crosswinds[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@S140456[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads08.hyperbanner[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@eqvault.ign[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@list[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.monster[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.specificclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@gostats[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@dcs7sl75d21e5hek6e95sli2p_2u4f[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@fcstats.bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@bcentral[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@real[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@mediamgr.ugo[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@30848670[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@vip.clickzs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@11274796[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@eqvault.ign[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Mmilbert\Cookies\mmilbert@ads.monster[5].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\ntdetect.RB0 -> TrojanDropper.Inor.cj -> Cleaned with backup
D:\Ini system\SYSTEM\H@tKeysH@@k.DLL.tcf -> Not-A-Virus.Tool.Game.HotHook -> Cleaned with backup


::Report End

Below is the latest HJT log;

Logfile of HijackThis v1.99.1
Scan saved at 2:26:55 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\SpywareGuard\sgbhp.exe
C:\ewido\security suite\ewidoctrl.exe
C:\ewido\security suite\ewidoguard.exe
C:\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://lc2.law13.hot.../cgi-bin/login"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Mmilbert\Application Data\Mozilla\Profiles\default\tbrbt0id.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Mmilbert\Application Data\Mozilla\Profiles\default\tbrbt0id.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113054576218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido\security suite\ewidoguard.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

I have not updated the PC to SP2 yet till I get the system cleaned. Thanks for the assist

~G~
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Gothos, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

We must stop, disable and delete an added service (023)

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)


1. To stop a service and set to 'disabled'

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service.

Service: WebSeach Toolbar support NT service (TBPSSvc)

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.


2. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type TBPSSvc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Run HJT, Scan and place a checkmark beside the following items:

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)


Now, with all windows closed except HJT, click Fix checked and EXIT the program.

7. Using Windows Explorer, locate and DELETE the following file/folder (if it still is present):

C:\WINDOWS\System32\ms.exe <--File
C:\PROGRAM FILES\Toolbar<--Folder and content

8. REBOOT back into Normal Mode

9. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#3
Gothos

Gothos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Stopped and disabled the service, cleared the "check-offs" and didn't find the 2 files/folders to delete them. New HJT log below.

Logfile of HijackThis v1.99.1
Scan saved at 5:36:03 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\SpywareGuard\sgbhp.exe
C:\ewido\security suite\ewidoctrl.exe
C:\ewido\security suite\ewidoguard.exe
C:\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack\HijackThis.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://lc2.law13.hot.../cgi-bin/login"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Mmilbert\Application Data\Mozilla\Profiles\default\tbrbt0id.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Mmilbert\Application Data\Mozilla\Profiles\default\tbrbt0id.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [THGuard] "C:\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: SpywareGuard.lnk = C:\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113054576218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido\security suite\ewidoguard.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Got'Em All

Congratulations, your new log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1.Remove check mark from "Turn Off System Restore"
2.Click on "Apply"

2. Cleanup the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.


3. Finally, Re-hide your System Files and Folders to prevent any future accidents.


Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#5
Gothos

Gothos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Still unable to change back to the wall paper I had before ... (It's presently an HTML file of some sort)
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We will try this first,

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Regards,

Trevuren

  • 0

#7
Gothos

Gothos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
THAT GOT IT! WooT!

Ya'll are the best .... Thanks again...

:tazz:

~G~
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Make sure your Restore point now reflects the correct desktop configuration:

1. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1.Remove check mark from "Turn Off System Restore"
2.Click on "Apply"


Regards,

Trevuren

  • 0

#9
Gothos

Gothos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Done!

Points restored, sys files re-hidden, and presently downloading and installing the hot fixes and rolling up to SP2 for XP Pro.

Thanks again ... all is running great. (And quite a bit faster I may add)

*Happy dance*

:tazz:

~G~
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP