Virus? Worm? Something bad has got this PC [RESOLVED]
#16 Jennlee (Member, Topic Starter, 12 posts)

OMG - you guys are so brilliant! As far as I can tell that fixed the remaining browser problem and also enabled Microsoft Help and Support Assistant and the search functionality again!!!! ;) ;) :help:

I also had uninstalled Norton yesterday and installed Avast. When I ran it, it said it found some trojan stuff and one adware thing, and some of the files looked like the ones from that W32.Mytob.ED@mm worm that I thought we got rid of weeks ago - perhaps they were just remnants, though, and not active.

Here's the info from that - I deleted everything it said was infected.

7/16/2005 10:09:32 PM default 3164 Sign of "Win32:Trojano-1714 [Trj]" has been found in "C:\WINDOWS\dnnljdh.exe" file.
7/16/2005 10:21:53 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\WINDOWS\tlsxigjdv.exe" file.
7/16/2005 10:45:26 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS.eml#2803712\important-details.zip#619352719\important-details.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\You have successfully updated your password.eml#2720288\new-password.zip#110514495\new-password.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Important Notification.eml#2636864\account-details.zip#4015516192\account-details.doc .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Security measures.eml#2552912\account-info.zip#889252256\account-info.txt .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Your password has been successfully updated.eml#2468960\email-password.zip#2104105021\email-password.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\WARNING MESSAGE- YOUR SERVICES NEAR TO BE CLOSED..eml#2385536\account-report.zip#3843741432\account-report.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:31 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Your password has been updated.eml#3643760\updated-password.zip#1794715719\updated-password.doc .scr\[Yoda]\[UPX]" file.
7/16/2005 10:47:31 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Rwjv.eml#3560336\account-report.zip#71893056\account-report.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:42 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Inbox.dbx\-DETECTED- Online User Violation.eml#21117392\account-report.zip#409807067\account-report.htm .scr\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Security measures.eml#13269200\account-info.zip#889252256\account-info.txt .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Important Notification.eml#13354208\account-details.zip#4015516192\account-details.doc .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\You have successfully updated your password.eml#13440272\new-password.zip#110514495\new-password.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS.eml#13525280\important-details.zip#619352719\important-details.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:49 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Rwjv.eml#13613984\account-report.zip#71893056\account-report.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:51:46 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP453\A0031705.exe" file.
7/16/2005 10:54:52 PM default 3164 Sign of "Win32:Trojano-1714 [Trj]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP460\A0038149.exe" file.
7/16/2005 10:54:59 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP460\A0038150.exe" file.

And just in case, here is a new HijackThis log from after the Avast fixes:

Logfile of HijackThis v1.99.1
Scan saved at 6:58:47 AM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

So all is well now?

You guys rock! :tazz:
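The avast! log above mixes three different kinds of hit, and each calls for a different response: a file sitting in C:\WINDOWS, worm mails in Outlook Express .dbx mailboxes whose attachments carry a decoy extension in front of the real one ("important-details.htm .pif"), and copies inside System Volume Information\_restore that System Restore preserved. The following parser is an added example written for this thread, not avast! code or anything the poster ran; it reads lines in that log layout (the sample is constructed from the lines above, and the meaning of the numeric "3164" field is assumed to be a task id), tags each hit by where it lives, pulls out the disguised attachment names, and maps each location to the kind of clean-up the thread ends up doing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the avast! log quoted above: one hit of
# each kind (file on disk, two mailbox attachments, one System Restore copy).
SAMPLE_LOG = r"""
7/16/2005 10:09:32 PM default 3164 Sign of "Win32:Trojano-1714 [Trj]" has been found in "C:\WINDOWS\dnnljdh.exe" file.
7/16/2005 10:45:26 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS.eml#2803712\important-details.zip#619352719\important-details.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Security measures.eml#13269200\account-info.zip#889252256\account-info.txt .exe\[Yoda]\[UPX]" file.
7/16/2005 10:51:46 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP453\A0031705.exe" file.
"""

# One log line: date, time, user, a numeric task id (its exact meaning is an
# assumption here), the signature name and the path avast! flagged.
LINE_RE = re.compile(
    r'^(?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<task>\d+) '
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>.+)" file\.$'
)
# "name.htm .pif": a decoy document extension, padding spaces, then the real one.
DOUBLE_EXT_RE = re.compile(r"\.(?P<decoy>\w+)\s+\.(?P<real>\w+)$")
# Outlook Express stores each folder as a .dbx container; capture the folder name.
MAILBOX_RE = re.compile(r"\\([^\\]+)\.dbx\\", re.IGNORECASE)
RESTORE_MARKER = "\\system volume information\\_restore"

# What each location calls for, following the clean-up steps taken in the thread.
ACTION = {
    "disk": "remove the file and confirm no process or autostart entry still references it",
    "mailbox": "delete the message; the attachment only runs if someone opens it",
    "restore_point": "inert copy kept by System Restore; flush restore points (disable, reboot, re-enable)",
}


@dataclass
class Detection:
    signature: str
    path: str
    location: str                    # "disk", "mailbox" or "restore_point"
    mailbox_folder: Optional[str]    # e.g. "Sent Items" when inside a .dbx
    decoy_extension: Optional[str]   # "htm" in "important-details.htm .pif"
    real_extension: Optional[str]    # "pif" in the same name


def innermost_name(path: str) -> str:
    """Last path component, ignoring packer annotations such as [Yoda] and [UPX]."""
    parts = path.split("\\")
    while parts and re.fullmatch(r"\[.*\]", parts[-1]):
        parts.pop()
    return parts[-1]


def classify(path: str):
    """Decide where a flagged path lives; returns (location, mailbox folder or None)."""
    if RESTORE_MARKER in path.lower():
        return "restore_point", None
    m = MAILBOX_RE.search(path)
    if m:
        return "mailbox", m.group(1)
    return "disk", None


def parse_line(line: str) -> Optional[Detection]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line or a line in some other format
    path = m.group("path")
    location, folder = classify(path)
    decoy = real = None
    if location == "mailbox":
        d = DOUBLE_EXT_RE.search(innermost_name(path))
        if d:
            decoy, real = d.group("decoy").lower(), d.group("real").lower()
    return Detection(m.group("signature"), path, location, folder, decoy, real)


def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d]


def summarize(detections: List[Detection]) -> Dict:
    """Group hits by location, list the mail folders touched and the disguised names."""
    return {
        "by_location": Counter(d.location for d in detections),
        "mail_folders": sorted({d.mailbox_folder for d in detections if d.mailbox_folder}),
        "disguised_attachments": [
            (innermost_name(d.path), d.real_extension)
            for d in detections if d.real_extension
        ],
        "actions": {loc: ACTION[loc] for loc in {d.location for d in detections}},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Two things the summary makes visible that the raw log hides: the restore-point hits are not live infections but explain why the helper's next step is to flush System Restore, and hits inside Sent Items.dbx mean copies of those messages left this mailbox, which matters when deciding who to warn.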
#17 Rawe (Visiting Staff, 4,746 posts)

Yep, it's clean, you did great! ;)

Let's clear out your restore points now.

Disable System Restore:

1. Click Start > Programs > Accessories > Windows Explorer.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" check box.
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "OK".


Reboot

Enable System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".



System Restore will now be active again. ;) Be sure to set a new restore point, and if you need additional help with that, here's a link: http://filext.com/in...thread.php?t=27


Here are some tips for the future to prevent spyware:


Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or AntiVir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

- Rawe :tazz:

If you have any further problems/you notice same symptoms on your machine as earlier, please then let me know and post a fresh HJT log. If everything is running fine, you might want to uninstall HJT from your PC.
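Rawe's explanation of the MVPS Hosts file gives a useful rule for reading the O1 lines in a HijackThis log: a blocking hosts file only ever points names at the local machine (127.0.0.1), so any O1 entry that maps a name to some other address is a redirect the owner should recognise, not a block. The triage script below is an added example for this thread, not HijackThis code or anything the helper used; it takes a constructed excerpt in HijackThis v1.99.1 layout (the www.dcsresearch.com line is taken from the log earlier in the thread, which the helper judged clean; the ads.example-adserver.test name is made up), separates blocking hosts entries from redirects, lists the Run autostarts, and pulls out O23 services whose binary is gone, such as the leftover Norton navapsvc registration after the uninstall.

```python
import re
from typing import Dict, List

# Constructed excerpt in HijackThis v1.99.1 layout: the kinds of lines seen in
# the log earlier in the thread plus one MVPS-style blocking hosts entry
# (the ads.example-adserver.test name is made up).
SAMPLE_HJT = r"""
O1 - Hosts: 127.0.0.1 ads.example-adserver.test
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
"""

# A blocking hosts file (the MVPS one included) only points names at the local
# machine; any other address sends traffic for that name somewhere else.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"


def triage(text: str) -> Dict[str, List]:
    """Sort the lines of an HJT log into the groups a reviewer checks first."""
    out = {
        "hosts_blocks": [],        # names sent to loopback: normal for ad blocking
        "hosts_redirects": [],     # (name, address) pairs pointing elsewhere
        "run_entries": [],         # HKLM/HKCU Run autostarts to recognise one by one
        "missing_services": [],    # registered services whose binary is gone
        "owner_unknown": [],       # HJT could not read a company name from the file
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            if m.group("ip") in LOCAL_ADDRESSES:
                out["hosts_blocks"].append(m.group("host"))
            else:
                out["hosts_redirects"].append((m.group("host"), m.group("ip")))
            continue
        m = RUN_RE.match(line)
        if m:
            out["run_entries"].append(
                {"hive": m.group("hive"), "name": m.group("name"), "cmd": m.group("cmd")}
            )
            continue
        m = SVC_RE.match(line)
        if m:
            path = m.group("path")
            svc = {
                "name": m.group("name"),
                "owner": m.group("owner"),
                "path": path.replace(MISSING, "").strip(),
            }
            if path.endswith(MISSING):
                out["missing_services"].append(svc)
            # "Unknown owner" is not evidence by itself (avast!'s own services
            # show it in the log above); it just means the file carried no
            # company name HJT could read, so the path must be judged on its own.
            if m.group("owner") == "Unknown owner":
                out["owner_unknown"].append(svc["name"])
    return out


if __name__ == "__main__":
    for group, items in triage(SAMPLE_HJT).items():
        print(f"{group}:")
        for item in items:
            print(f"  {item}")
```

A hosts redirect to a public address is not proof of anything bad, but it is the one O1 shape a blocking hosts file never produces, so it belongs on the list of things the machine's owner should be able to account for. The missing-service entries are the reverse case: registrations pointing at binaries that no longer exist, typically left behind by an uninstall, which a helper will usually have removed just to keep the log tidy.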

#18 Rawe (Visiting Staff, 4,746 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.