[tunaman]

New here, please bear with me. Got this one on a pron site. Reformatted C:, reinstalled windows, had it again within 24 hrs. Executes/installs then deletes the files so it can't be detected. It appends web addresses when you click certain links.


I followed the steps in the sticky post at top of forum. I use Avast Home for Virus scanning. VTTimer is my video driver.




Logfile of HijackThis v1.99.1
Scan saved at 3:48:35 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126329835453
O17 - HKLM\System\CCS\Services\Tcpip\..\{373D383D-B57D-4DC1-968E-1868E683F38A}: NameServer = 69.50.177.202,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{B20B1921-30FF-4AC2-B4FC-403C0CC5DFDA}: NameServer = 69.50.177.202,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{373D383D-B57D-4DC1-968E-1868E683F38A}: NameServer = 69.50.177.202,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{373D383D-B57D-4DC1-968E-1868E683F38A}: NameServer = 69.50.177.202,85.255.112.23
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

[Advertisements]

Hi Tunaman,

We are very sorry for the delay.
If you still have problems please post a fresh hijackthis logfile since it is to long ago.

I'm Thunderball and will working on your log.
I will give a reply as soon as staff members have review my posts.

Kindly regards,
Thunderball.

[Thunderball]

Hi Tunaman,

We are very sorry for the delay.
If you still have problems please post a fresh hijackthis logfile since it is to long ago.

I'm Thunderball and will working on your log.
I will give a reply as soon as staff members have review my posts.

Kindly regards,
Thunderball.

[Thunderball]

Hi Tunaman,

You have a CoolWebSearch infection and WIN32.DNSCHANGER.S TROJAN.

Step 1:

Download CWShredder here to its own folder.
Update CWShredder
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Please print this out or save it to your harddisk because we are going to work in safe mode


Step 2:

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode.


Now run CWShredder.
Click I Agree, then Fix and then Next, let it fix everything it asks about.


Start HijackThis, click on do a system scan only and checkmark the next items:

O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{373D383D-B57D-4DC1-968E-1868E683F38A}: NameServer = 69.50.177.202,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{B20B1921-30FF-4AC2-B4FC-403C0CC5DFDA}: NameServer = 69.50.177.202,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{373D383D-B57D-4DC1-968E-1868E683F38A}: NameServer = 69.50.177.202,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{373D383D-B57D-4DC1-968E-1868E683F38A}: NameServer = 69.50.177.202,85.255.112.23

Close all Windows and browsers and click on Fix Checked.


Step 3:

Still in safe mode

Please delete this file using Windows Explorer (if present):
C:\WINDOWS\system32\yaemu.exe


Please reboot your pc into normal mode and post a fresh Hijackthis logfile.

Kindly regards,
Thunderball

[tunaman]

Thanks for helping, but I managed to find it a few days after I posted. I ran HJT in safe mode and it found more problems. I fixed items that I wasn't familiar with and I seem to be running fine now. HJT rocks...i'd have never figured this out with anything else. Thanks again.


New HJT log from safe mode:


Logfile of HijackThis v1.99.1
Scan saved at 7:28:17 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126329835453
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

[Thunderball]

Hi Tunaman,

I'm glad to hear that your problems are solved.
Be very carefully with fixing items with Hijackthis because wrong use of this program can harm your computer.

In your logfile I can't see a firewall running, so if you do not use a firewall please install one because it is your first line defence against hackers.

Please post a fresh logfile of hijackthis in normal mode.


Kindly regards,
Thunderball.

[tunaman]

I have the Windows XP firewall running or so it says it is...and the router firewall, I think. I don't run any network between the PC's here besides internet sharing through the router. I don't like to use other firewalls because it causes major problems with a P2P file sharing program I use, DC++. In fact, I just figured out how to use DC++ with the XP firewall a little while ago...before that I had no firewalls at all and even had to disable the router firewall or I would only get very limited use in DC++. A normal mode HJT log is below...just ran it a few minutes ago.

I'm replacing this PC next week so I'm not too concerned about this. Don't want to start a debate, but can you recommend a 64-bit Windows OS? Either Windows XP Pro 64-bit or Windows Vista 64-bit Beta 1.




Logfile of HijackThis v1.99.1
Scan saved at 12:17:26 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\lxbscoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126329835453
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe

[Thunderball]

Hi Tunaman,

You're log looks clean to me

About a 64-bit Windows OS, theWindows Vista 64-bit Beta 1 is full of bugs so if you want to install a 64-bit Windows OS I recommend Windows XP Pro 64-bit.
However, it is only usefull if your chipset will support 64-bit and often you had to download special drivers for your graphic card.


Here are some prevention tips


Please visit Windows update and download all the critical updates for Windows, and the latest version of Internet Explorer.
Doing this can patch many of the security holes through which attackers can gain access to your computer.

Update Your Antivirus Software
It is very important that you update your Antivirus software at least once a week (Even more if you wish).
If you do not update your antivirus software then it will not able to catch any of the new variants that may come out.

Use a Firewall
I can not tell how important it is that you use a firewall on your system.
Without a firewall your computer is succeptible to being hacked and taken over.
Simply using a firewall in its default configuration can lower your risk greatly.
I recommend you one of these free firewalls:
Sygate Personal firewall
Kerio Personal Firewall 4
ZoneAlarm

To reduce re-infection potential for spyware or malware infections in the future, I recommend you to install these freeware products:
Spywareblaster
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

Spywareguard
SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

IESpyad
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.


To scan your system regulary for spyware and malware:
AdAware SE 1.06
You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot Search & Destroy
Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.
A tutorial on using Spybot to remove spyware from your computer may be found here.

Keep Internet Explorer and XP up to date with with the latest patches from Microsoft.
To do this just start Internet Explorer and select Tools > Windows Update.

You may also want to read Tony Klein his How I got Infected in the First Place, to learn how to better secure your computer.


Kindly regards,
Thunderball.

[therock247uk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.