
'bloodhound.w32.ep' virus [RESOLVED]


#1 stuck (Member, 25 posts)
Hi there,

Just yesterday my lapsed norton antivirus detected the bloodhound.w32.ep virus on my computer but cannot get rid of it. Apparently it is corrupting my wininet file (not sure what this file is). So currently, my computer is running really slow and it takes me forever to do even a scan.

I've done all the prechecks that you required me to do before posting my HijackThis log, but nothing seems to be working. The Norton messages are still popping up and my computer is still really slow. I would appreciate it if anyone could help me out here... thanks a million.

Here's my hijack this log.....

Logfile of HijackThis v1.99.1
Scan saved at 8:16:28 PM, on 8/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javars.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\soff.pif
C:\WINDOWS\system32\msmc.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ingig.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D8017933-B2A5-8733-0290-960149CE4D0D} - C:\WINDOWS\mfcop32.dll
O2 - BHO: Class - {FD28144A-BE74-ABB6-5C2B-E60BF82588B7} - C:\WINDOWS\addrb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [atleh32.exe] C:\WINDOWS\system32\atleh32.exe
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\JU-GUA~1\LOCALS~1\Temp\C.tmp" /m
O4 - HKLM\..\Run: [msmc.exe] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {76214031-5F02-4CCF-9F41-C1AA29F93440} (Main Class) - http://www.free-[ble..... ARCHIVES.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3449B4B-1D0C-4E00-874F-A167FDF2568B}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


Once again, thanks for your help..

Jon


#2 tampabelle (Retired Staff, 6,363 posts)
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.

#3 stuck (Topic Starter, 25 posts)
Hi,

Thanks for coming to my aid!! I really do appreciate that.

Right, I tried installing SP1 as you advised, but it doesn't allow me to. It says that the wininit.dll file is open or in use by another application. This happens every time. And then the Norton virus message pops up every time I click on Retry. Perhaps I could try installing it later after I've cleared all the viruses, or at least most of them?? Please do let me know. Thanks again!!

Jon

#4 tampabelle (Retired Staff, 6,363 posts)
Hi Jon,

Please read this post completely; it may make it easier for you if you copy and paste this post into a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

#5 stuck (Topic Starter, 25 posts)
Hi tampabelle,

Thanks for the reply. I've run the checks you recommended and followed the steps you'd listed.

The Norton antivirus message is still popping up. Also, now it seems that I can't access Internet Explorer by just clicking on its icon. Every time I click on the icon, the Norton message pops up. But I've managed to get to Internet Explorer by clicking on the *PS Guard icon in my icon tray (which, whenever I click on it, opens a browser window and takes me to the PS Guard website).

I've posted the logs as you required. Thanks for your help so far.


Kaspersky log:-
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, September 01, 2005 01:53:56
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/09/2005
Kaspersky Anti-Virus database records: 137739
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 37248
Number of viruses found: 11
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 5897 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\backups\backup-20050807-170912-308-winlogon.exe Infected: Trojan.Win32.StartPage.lo
C:\eied_s7.cab/eied_s7_c_2.exe Infected: Trojan-Downloader.Win32.Mediket.ay
C:\eied_s7.cab Infected: Trojan-Downloader.Win32.Mediket.ay
C:\surfya.exe Infected: Trojan.Win32.Dialer.kq
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029256.exe Infected: Trojan-Downloader.Win32.Keenval.d
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0031529.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033579.exe Infected: Trojan.Win32.StartPage.lo
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033590.dll Infected: Trojan-Downloader.Win32.Agent.ns
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033594.old Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034686.exe:dqxncb:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034687.ini:wazpux:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034689.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034705.exe:dqxncb:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034706.ini:wazpux:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034732.exe:dqxncb:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034733.exe:dqxncb:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\clock.avi:pgpfqx:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\control.ini:pzcvvv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\desktop.ini:wazpux:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\DirectTVIcon.ico:kqnwro:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ieeb32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ipto.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\LUINSTALL.LOG:eqtnrq:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\LUINSTALL.LOG:funran:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\Rhododendron.bmp:dagtpo:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\sysqr.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\intell32.exe Infected: Trojan.Win32.Small.ev
C:\WINDOWS\system32\javars.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev
C:\WINDOWS\system32\runs.pif Infected: Backdoor.Win32.Rbot.aap
C:\WINDOWS\system32\soff.pif Infected: Backdoor.Win32.Rbot.yw
C:\WINDOWS\updaterInstall_109.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\updaterInstall_109.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\updaterInstall_109.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\updaterInstall_109.exe Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\_tpiu000.exe:dqxncb:$DATA Infected: Trojan.Win32.Agent.bi

Scan process completed.

----------------------------------------------------------------------------------------------
SPSeHjFix Log:-


(8/31/05 11:28:11 PM) SPSeHjFix started v1.1.2
(8/31/05 11:28:11 PM) OS: WinXP (5.1.2600)
(8/31/05 11:28:11 PM) Language: english
(8/31/05 11:28:11 PM) Win-Path: C:\WINDOWS
(8/31/05 11:28:11 PM) System-Path: C:\WINDOWS\System32
(8/31/05 11:28:11 PM) Temp-Path: C:\DOCUME~1\JU-GUA~1\LOCALS~1\Temp\
(8/31/05 11:28:22 PM) Disinfection started
(8/31/05 11:28:22 PM) Bad-Dll(IEP): (not found)
(8/31/05 11:28:22 PM) Bad-Dll(IEP) in BHO: (not found)
(8/31/05 11:28:22 PM) UBF: 4 - UBB: 0 - UBR: 17
(8/31/05 11:28:22 PM) UBF: 4 - UBB: 0 - UBR: 17
(8/31/05 11:28:22 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(8/31/05 11:28:22 PM) Stealth-String not found
(8/31/05 11:28:22 PM) Not infected->END
---------------------------------------------------------------------------------------------

Hijackthis log:-

Logfile of HijackThis v1.99.1
Scan saved at 1:56:54 AM, on 9/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\soff.pif
C:\WINDOWS\System32\runs.pif
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\JU-GUA~1\LOCALS~1\Temp\C.tmp" /m
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {76214031-5F02-4CCF-9F41-C1AA29F93440} (Main Class) - http://www.free-[ble..... ARCHIVES.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3449B4B-1D0C-4E00-874F-A167FDF2568B}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

---------------------------------------------------------------------------------------------

Once again, thanks for your help.

Jon
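The Kaspersky report above names three different kinds of object: alternate data streams attached to ordinary files (`host:stream:$DATA`), members inside archives (`archive/member`), and copies held in System Restore points. The Python below is an added example, not code from the thread or from Kaspersky's tooling; it parses a constructed subset of those report lines into a remediation plan that records host file and stream separately, because the detection is on the named stream (the kind of object about:buster's ADS scan looks for), not on the host file as such. The classification rules and the `remediation_plan` layout are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A subset of the "Infected Object Name - Virus Name" lines from the Kaspersky
# report posted above; constructed test input, not the full report.
SAMPLE_REPORT = r"""
C:\eied_s7.cab/eied_s7_c_2.exe Infected: Trojan-Downloader.Win32.Mediket.ay
C:\eied_s7.cab Infected: Trojan-Downloader.Win32.Mediket.ay
C:\surfya.exe Infected: Trojan.Win32.Dialer.kq
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034686.exe:dqxncb:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\control.ini:pzcvvv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\LUINSTALL.LOG:eqtnrq:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\LUINSTALL.LOG:funran:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\runs.pif Infected: Backdoor.Win32.Rbot.aap
"""

LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")
# host:stream:$DATA -- the stream name can contain neither ':' nor a path separator
ADS_RE = re.compile(r"^(?P<host>.+?):(?P<stream>[^:\\/]+):\$DATA$")
RESTORE_MARK = "\\system volume information\\_restore"


@dataclass
class Detection:
    obj: str                    # object name exactly as the report prints it
    name: str                   # detection name
    kind: str                   # "ads", "restore_point", "archive" or "file"
    host: str                   # file on disk that actually holds the object
    stream: Optional[str] = None  # ADS name, when kind == "ads"
    member: Optional[str] = None  # archive member, when kind == "archive"


def classify(obj: str, name: str) -> Detection:
    """Decide what kind of on-disk object one report line refers to."""
    if RESTORE_MARK in obj.lower():
        # Restore-point copies are handled by purging System Restore, whatever
        # the object inside the copy looks like (plain file or ADS).
        return Detection(obj, name, "restore_point", obj)
    m = ADS_RE.match(obj)
    if m:
        return Detection(obj, name, "ads", m.group("host"), stream=m.group("stream"))
    if "/" in obj:
        # Kaspersky prints archive members as container/member.
        container, member = obj.split("/", 1)
        return Detection(obj, name, "archive", container, member=member)
    return Detection(obj, name, "file", obj)


def parse_report(text: str) -> list:
    dets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            dets.append(classify(m.group("obj"), m.group("name")))
    return dets


def remediation_plan(dets: list) -> dict:
    """Group detections by the action each kind needs."""
    ads, archives, files, restore = {}, set(), set(), set()
    for d in dets:
        if d.kind == "ads":
            ads.setdefault(d.host, []).append(d.stream)
        elif d.kind == "archive":
            archives.add(d.host)
        elif d.kind == "restore_point":
            restore.add(d.host)
        else:
            files.add(d.host)
    files -= archives  # a container flagged on its own is already covered
    return {
        "ads": {host: sorted(streams) for host, streams in ads.items()},
        "archives": sorted(archives),
        "files": sorted(files),
        "restore_points": sorted(restore),
    }


if __name__ == "__main__":
    plan = remediation_plan(parse_report(SAMPLE_REPORT))
    for host, streams in plan["ads"].items():
        print(f"strip stream(s) {streams} from host file {host}")
    for path in plan["archives"] + plan["files"]:
        print(f"delete {path}")
    print(f"{len(plan['restore_points'])} restore-point copies: purge System Restore after cleaning")
```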

#6 tampabelle (Retired Staff, 6,363 posts)
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp

Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download IEACCESS Remover. Save it in the folder you made earlier (c:\BFU).

2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\JU-GUA~1\LOCALS~1\Temp\C.tmp" /m
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O16 - DPF: {76214031-5F02-4CCF-9F41-C1AA29F93440} (Main Class) - http://www.free-[bleep]-here.co.uk/CLICK%20YE...%20ARCHIVES.cab


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

3. Delete Rogue files

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\ieaccess.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Open Internet Explorer.
Under Tools > Internet Options > on the General tab change your start page to the one you want.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

C:\eied_s7.cab
C:\surfya.exe
C:\WINDOWS\clock.avi
C:\WINDOWS\control.ini
C:\WINDOWS\desktop.ini
C:\WINDOWS\DirectTVIcon.ico
C:\WINDOWS\ieeb32.exe
C:\WINDOWS\ipto.exe
C:\WINDOWS\LUINSTALL.LOG
C:\WINDOWS\LUINSTALL.LOG
C:\WINDOWS\Rhododendron.bmp
C:\WINDOWS\sysqr.exe
C:\WINDOWS\updaterInstall_109.exe
C:\WINDOWS\_tpiu000.exe
C:\WINDOWS\system32\javars.exe
C:\WINDOWS\System32\soff.pif
C:\WINDOWS\System32\runs.pif


Run CleanUp and delete all temp files including temporary internet files


Reboot the PC in Normal Mode and post a fresh HJT log. If everything is fine, then we can target smitfraud infection.
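The fix list above singles out the `.pif` autoruns, the RunServices entries, the launcher sitting in a Temp directory and (earlier in the thread) the `res://...dll` search-page hijack. The Python below is an added example, not code from the thread or from HijackThis; it encodes those judgements as triage rules and runs them over a subset of lines from the first log posted in this thread. The extension list, the generic-BHO-name rule and the reason wording are my own assumptions, and the rules are a first-pass filter, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Lines taken from the first HijackThis v1.99.1 log in this thread (a subset,
# nothing invented); constructed test input for the triage rules below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ingig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D8017933-B2A5-8733-0290-960149CE4D0D} - C:\WINDOWS\mfcop32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\Run: [NAVNet] "C:\DOCUME~1\JU-GUA~1\LOCALS~1\Temp\C.tmp" /m
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
"""

# R0-R3: registry key,value = data
R_RE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+)= (?P<data>.*)$")
# O2: BHO name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4: HKLM\..\Run / RunServices / RunOnce: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption: executables that are not plain .exe rarely belong in a Run key.
SUSPICIOUS_EXTS = {".pif", ".scr", ".com", ".bat", ".cmd"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _executable(cmd: str) -> str:
    """First token of an autorun command line: a quoted path or a bare name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _ext(path: str) -> str:
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[1]).lower() if "." in base else ""


def triage_line(line: str) -> list:
    """Return the reasons (possibly none) a single HijackThis line is suspicious."""
    reasons = []
    m = R_RE.match(line)
    if m:
        data = m.group("data").strip().lower()
        if data.startswith("res://") and ".dll" in data:
            reasons.append("IE search/start page points into a local DLL resource (CoolWebSearch-style hijack)")
    m = O2_RE.match(line)
    if m and m.group("name").strip().lower() in ("class", "(no name)"):
        reasons.append("BHO registered under a generic name")
    m = O4_RE.match(line)
    if m:
        exe = _executable(m.group("cmd"))
        if _ext(exe) in SUSPICIOUS_EXTS:
            reasons.append(f"autorun launches a {_ext(exe)} file rather than a normal .exe")
        if m.group("key").lower() == "runservices":
            # RunServices is honoured by Windows 9x/Me only; on XP nothing legitimate
            # needs it, so an entry there was written by something that did not care.
            reasons.append("RunServices key populated on an NT-based system")
        if "\\temp\\" in exe.lower():
            reasons.append("autorun launches a file from a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```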

#7 stuck (Topic Starter, 25 posts)
Hi tampabelle,

Thanks for the swift reply. However, I will be going away from tomorrow until Sunday, so I can only do what you recommended on Sunday. Hope you don't close the thread, as I will be back on Sunday and will post the logs as soon as I get the scans and fixes done. Thanks.

Jon

#8 tampabelle (Retired Staff, 6,363 posts)
Don't worry Jon, I will not close the topic.

We do understand that people have lives outside their computers !!!!

Post back the logs requested after completing the fix.

#9 stuck (Topic Starter, 25 posts)
Hi there,

I'm back. The Internet Explorer browser is working normally again, thanks. However, the Norton antivirus message is still popping up and the PS Guard icon is still there in my icon tray. Also, you asked me to make a note of files that I did not see when I was deleting them. I deleted everything from my computer apart from C:\WINDOWS\System32\soff.pif and C:\WINDOWS\System32\runs.pif.

Here is the new HJT log. Thanks for help so far!

Logfile of HijackThis v1.99.1
Scan saved at 7:55:22 PM, on 9/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\System32\runs.pif
C:\WINDOWS\System32\soff.pif
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3449B4B-1D0C-4E00-874F-A167FDF2568B}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


Jon
  • 0

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items, then click FIX CHECKED:
===================================================
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif

===================================================

Close HiJackThis.

Delete the files -

C:\WINDOWS\System32\runs.pif
C:\WINDOWS\System32\soff.pif



Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
  • 0
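As an added example (not code from this thread, HijackThis or smitRem), here is a Python triage pass over O4 autostart lines copied from the log above. It flags the cues a log reader looks for in entries like the two .pif lines tampabelle asks to fix: a vendor name that is misspelled or has digits swapped in for letters, a .pif-style launcher, a bare filename instead of a full path, and the same target registered under both Run and RunServices. The heuristics and the sample log are constructed for illustration.

```python
"""Triage heuristics for HijackThis O4 (autostart) lines.

Added example; not part of HijackThis or smitRem. The cues are heuristics a
log reader applies by eye, written down so they can run over a pasted log.
"""
import re
from collections import defaultdict

# Matches:  O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunServices|RunOnce|Run): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# digit-for-letter substitutions seen in names such as "Contr0l"
LEET = str.maketrans({'0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's'})
RISKY_EXT = ('.pif', '.scr', '.bat', '.cmd', '.com')


def parse_o4(line):
    """Return the fields of one O4 registry line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_of(cmd):
    """First token of the command: the quoted path, else text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(' ', 1)[0]


def assess(entry):
    """Return the reasons a single O4 entry deserves a closer look (empty if none)."""
    reasons = []
    lowered = entry['name'].lower()
    # "Contr0l": digits standing in for letters inside a Microsoft-sounding name
    if lowered != lowered.translate(LEET) and 'microsof' in lowered:
        reasons.append('digits used in place of letters in a Microsoft-style name')
    # "Microsoftf": the vendor word runs straight into extra letters
    if re.search(r'microsof\w+', lowered) and not re.search(r'\bmicrosoft\b', lowered):
        reasons.append('misspelled vendor name')
    exe = executable_of(entry['cmd'])
    if exe.lower().endswith(RISKY_EXT):
        reasons.append(f'autostart launches a .{exe.rsplit(".", 1)[-1]} file')
    # A bare filename is normal for OEM tools (tp4serv.exe in the log above),
    # so it only counts once another cue is present.
    if '\\' not in exe and reasons:
        reasons.append('bare filename, resolved via System32/PATH')
    return reasons


def triage(log_text):
    """Map 'HIVE KEY [name]' to its reasons for every O4 entry worth reviewing."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    keys_by_target = defaultdict(set)
    for e in entries:
        keys_by_target[executable_of(e['cmd']).lower()].add(e['key'])
    findings = {}
    for e in entries:
        reasons = assess(e)
        # RunServices is a Windows 9x key that XP ignores; droppers often
        # write both so the same payload starts on every Windows version.
        if {'Run', 'RunServices'} <= keys_by_target[executable_of(e['cmd']).lower()]:
            reasons.append('same target registered under both Run and RunServices')
        if reasons:
            findings[f"{e['hive']} {e['key']} [{e['name']}]"] = reasons
    return findings


# Constructed sample: a subset of the O4 lines from the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
"""

if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print('   -', r)
```

Only the four .pif entries are reported for this sample; intell32.exe carries none of these cues and is caught by smitRem's own file list instead, which is a reminder that name heuristics complement, not replace, a known-bad list.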

#11
stuck

stuck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hiya,

Good news, the PS Guard icon in my icon tray and the Norton AntiVirus messages are gone! Thanks.

Well, have done what you asked of me and here are the logs.

HJT log:-

Logfile of HijackThis v1.99.1
Scan saved at 7:54:57 PM, on 9/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp3\Studio.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3449B4B-1D0C-4E00-874F-A167FDF2568B}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

--------------------------------------------------------------------------------------------

Panda ActiveScan:-


Incident Status Location

Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\JU-GUANG_2\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM32\SBUtils
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Spyware:spyware/new.net No disinfected Windows Registry
Dialer:Dialer.CMG No disinfected C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\backups\backup-20050904-192108-921.dll
--------------------------------------------------------------------------------------------

smitfiles.txt:-


smitRem log file
version 2.3

by noahdfear

The current date is: Tue 09/06/2005
The current time is: 10:24:40.95

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover
PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~

intell32.exe
oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :tazz: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~

--------------------------------------------------------------------------------------------

Ewido log:-

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:22:25 AM, 9/6/2005
+ Report-Checksum: F78E0C76

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{32FB9A97-C47A-795A-3B47-9A97C1448DFC} -> Spyware.CoolWebSearch : Cleaned with backup
[468] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[1484] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0031529.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033590.dll -> TrojanDownloader.Agent.ns : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP402\A0033710.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034686.exe:dqxncb -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034686.exe:spuvgo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034686.exe:zcgeh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034687.ini:wazpu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034687.ini:wazpux -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034689.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034705.exe:dqxncb -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034705.exe:spuvgo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034705.exe:zcgeh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034706.ini:wazpu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034706.ini:wazpux -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034732.exe:dqxncb -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034732.exe:spuvgo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP419\A0034732.exe:zcgeh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034733.exe:dqxncb -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034733.exe:spuvgo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034733.exe:zcgeh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034744.ini:pucqgp -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034747.prx:sjmlez -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034757.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034758.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP420\A0034759.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034809.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034810.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034812.exe:dqxncb -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034812.exe:spuvgo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034812.exe:zcgeh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034813.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034814.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034815.ini:pzcvvv -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034817.ini:wazpu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034817.ini:wazpux -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034818.ico:kqnwro -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP422\A0034819.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP423\A0034859.exe -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\COM+.log:dzpksv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3km.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3sn32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\earnmoney.ico:takdpv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FaxSetup.log:nsqhob -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\imsins.log:tmpcn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\iveln.dat:kvgghp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jautoexp.dat:limpov -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB887472.log:hhdff -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msgsocm.log:puyevx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msmqinst.log:xqdbts -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntda.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkqm.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32:qnaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\d3zo32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfcco.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\runs.pif -> Backdoor.Rbot.aap : Cleaned with backup
C:\WINDOWS\system32\soff.pif -> Backdoor.Rbot.yw : Cleaned with backup
C:\WINDOWS\syszk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winkj.dll -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End

--------------------------------------------------------------------------------------------

Thanks again. I know my computer is not exactly fixed yet but thanks so far for your help tampabelle! Love ya!!

Jon
  • 0

#12
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Let us clean up your PC a little bit.


Delete the following programs and the associated folders, which you downloaded during the cleaning up process -

smitrem.exe
smitrem folder

Also delete the following files and folders -

files
C:\WINDOWS\system32\OLEEXT.dll
C:\DOCUMENTS AND SETTINGS\JU-GUANG_2\FAVORITES\SITES ABOUT\Ab scissor.url

folders
C:\WINDOWS\SYSTEM32\SBUtils
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl



Uninstall Ewido as it is a trial product and the trial period will expire shortly. Conflicts can arise between multiple anti-virus programs and can severely hamper the performance of the PC.



Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


This will not delete the programs from your PC. This will only disable the programs from running at Start up and result in a faster PC. You can always run the programs manually by using the respective exe files or the shortcuts.

After this, please visit Windows security and critical updates and get all the updates and patches and install them on your PC.

Reboot the PC and post a fresh HJT log.
  • 0

#13
stuck

stuck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hello there,

Right, done what you've recommended and here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:33:37 PM, on 9/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Thanks so far tampabelle.


Jon
  • 0

#14
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Jon,

Did you have any issues with getting updates from Microsoft ???
  • 0

#15
stuck

stuck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi,

Nope... didn't have any problems downloading and installing them on my computer. Why? Does it somehow show on my log that I have not got it on my computer?

Jon
  • 0
