About:Blank / WorldAntiSpy


#1 kiruji
New Member, 5 posts
Hi,

My boss's laptop has been infected with some nasty malware... I've tried all my normal scans and I'm not able to shift it yet.

It's a real PITA! It started out with lots of popups advertising anti-spyware software. It also kept resetting the homepage to about:blank. It also installed a program called World Anti Spy which seems to start at random, pretend to scan the system, proclaim the laptop is infested with spyware and asks for money to get rid of it. :)

Anyway, I've searched and searched and followed the advice given to several similar problems on here in the past, but none have worked. I seem to get rid of everything until a reboot when most or all of it comes back.

When I log onto the net, Sophos goes crazy, popping up a virus detection every couple of minutes - but when I scan with Sophos even though it detects and removes the files they reappear with a different filename after a reboot.

I hope you can help me appear like the uber-IT manager, as the boss is getting a bit annoyed that I've confiscated his laptop for a day and keeps appearing at regular intervals to see how I'm doing! :)

Excellent site, btw - it's been REALLY useful to me :tazz:

Here's the HJT log from the laptop :

Logfile of HijackThis v1.99.1
Scan saved at 11:21:01, on 15/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\David\Desktop\Spyware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.192:9090;gopher=192.168.0.192:9090;http=192.168.0.192:9090;https=192.168.0.192:9090
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2E366BB1-818C-CAF9-EC1B-9788483C2FA9} - C:\WINDOWS\system32\ntvg32.dll
O2 - BHO: Class - {3F83AEC3-983B-9E28-2594-47C2D6EF242D} - C:\WINDOWS\msls32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\SYSTEM32\hpstatus.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = ADFIELD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE

Look forward to solving this problem!

#2 kiruji
New Member, Topic Starter, 5 posts
I know you're all busy, but I need to be able to tell the boss I'm doing something to fix his laptop! :tazz:

#3 g2i2r4
retired HiJack Helper, Retired Staff, 5,080 posts
Welcome kiruji to Geeks to Go!

Let me help you help your boss. :tazz:

Please update the free version of Ewido trojan scanner:
  • Run Ewido. Click OK.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.
***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {2E366BB1-818C-CAF9-EC1B-9788483C2FA9} - C:\WINDOWS\system32\ntvg32.dll

O2 - BHO: Class - {3F83AEC3-983B-9E28-2594-47C2D6EF242D} - C:\WINDOWS\msls32.dll

O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
***

Use Windows Explorer to remove these folders:
C:\Program Files\WorldAntiSpy
Close Windows Explorer when you are done.

***

Reboot back to normal mode.

***

Download and install Cleanup from here (alternate site: if the above is not working, go Here).

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and the Ewido log and paste them here along with a new HijackThis log.

#4 kiruji
New Member, Topic Starter, 5 posts
Thanks for the reply :tazz:

I followed your instructions to the letter.

When I rebooted back to normal mode and went online to run Activescan, Sophos went crazy over some DLLs again. Also, I couldn't run Activescan - I'd start the scan and it would hang before crashing IE out. It did that 3 times.

Here's the Ewido log :

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on: 	16:54:40, 15/09/2005
 + Report-Checksum: F900529

 + Scan result:

	HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
	HKLM\SOFTWARE\Classes\CLSID\{9A711817-CADB-FD03-EBB1-4E2FC70601C2} -> Spyware.CoolWebSearch : Cleaned with backup
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
	C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP390\A0059559.dll -> Spyware.SearchPage : Cleaned with backup


::Report End

And here's the new HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 17:06:56, on 15/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\iezl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\hpstatus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ieva32.exe
C:\Program Files\WebEraser\weraser.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\SYSTEM32\HPBSPSVR.EXE
C:\WINDOWS\SYSTEM32\HPBJDSNT.EXE
C:\Documents and Settings\David\Desktop\Spyware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.192:9090;gopher=192.168.0.192:9090;http=192.168.0.192:9090;https=192.168.0.192:9090
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2824CF77-AF01-AB9B-0E03-B55D8EAF18D4} - C:\WINDOWS\d3hd32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\SYSTEM32\hpstatus.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ieva32.exe] C:\WINDOWS\system32\ieva32.exe
O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = ADFIELD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iezl.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE

I'm also getting an error on startup on this laptop - it says it can't find the right program to run ProxyService.jar - and an occasional error on shutdown - cannot end program Sample...

Could either of those be related?

Thanks for the help so far :)

Edited by kiruji, 15 September 2005 - 10:30 AM.


#5 g2i2r4
retired HiJack Helper, Retired Staff, 5,080 posts
Please read through the instructions before you start (you may want to print this out or copy it into a word program).

Please download and install these programs - don't run them yet!!

Update Ewido to the latest definitions.

***

Please download and unzip
About:Buster to a folder.
About:Buster MUST be updated before you use it.
Check the About:Buster Tutorial for instructions.
Don't run it yet.

***

Download and unzip HSfix to your desktop.

The above Registry file was written specifically for this infection and is not to be used on any other infection as it could damage a person's PC

***

Download CW-Shredder at the link below:
http://www.trendmicr.../cwshredder.exe

***

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops....ownload&id=3002
http://www.mytechsup...rviceremove.zip

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
C:\WINDOWS\system32\iezl.exe
C:\WINDOWS\system32\ieva32.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Network Security Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

***

Double click on the cwsserviceremove and when asked to merge say yes.

***

CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jqehw.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {2824CF77-AF01-AB9B-0E03-B55D8EAF18D4} - C:\WINDOWS\d3hd32.dll

O4 - HKLM\..\Run: [ieva32.exe] C:\WINDOWS\system32\ieva32.exe

O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe

O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\iezl.exe

Click on Fix Checked and exit HijackThis.

***

Double click on the HSfix and when asked to merge say yes.

***

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

***

Run About:Buster. This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

***

Run Ewido Security Suite
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

***

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

***

Reboot into normal mode and open up Internet Explorer
Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with the Ewido log, the About:Buster log and a fresh HijackThis log.

#6 kiruji
New Member, Topic Starter, 5 posts
Right, done all that... When I rebooted the computer, WorldAntiSpy had reinstalled itself :tazz:

Also, ActiveScan just will not run for some reason - it crashes IE every time amidst a flurry of Sophos virus warnings about various DLLs.

Here are the logs :

About:Buster
AboutBuster 5.0 reference file 28
Scan started on [16/09/2005] at [09:28:30]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 09:28:39


Ewido
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:  	10:04:34, 16/09/2005
 + Report-Checksum:  3467223F

 + Scan result:

	HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
	HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
	C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP390\A0059633.dll -> Spyware.SearchPage : Cleaned with backup


::Report End


HJT
Logfile of HijackThis v1.99.1
Scan saved at 10:16:38, on 16/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\hpstatus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebEraser\weraser.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\SYSTEM32\HPBSPSVR.EXE
C:\WINDOWS\SYSTEM32\HPBJDSNT.EXE
C:\WINDOWS\system32\mssg32.exe
C:\WINDOWS\d3qw32.exe
C:\Documents and Settings\David\Desktop\Spyware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.192:9090;gopher=192.168.0.192:9090;http=192.168.0.192:9090;https=192.168.0.192:9090
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3486A396-7595-B288-69FC-2B5649058C5B} - C:\WINDOWS\system32\javasi.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\SYSTEM32\hpstatus.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3qw32.exe] C:\WINDOWS\d3qw32.exe
O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = ADFIELD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mssg32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE

Thanks for all your help so far :)

#7 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
See if you can post me the log made by Sophos. I'd like to see what it finds where.

Let's do it again.

----

Download CleanUp!.
If that doesn't work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
C:\WINDOWS\system32\mssg32.exe
C:\WINDOWS\d3qw32.exe
C:\WINDOWS\system32\addck.dll
c:\documents and settings\All Users\start menu\programs\startup\WorldAntiSpy.lnk

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Reboot to safe mode.

***

Go to Start->Run and type "Services.msc" (without quotes), then hit Ok.
Scroll down and find the service called:
Network Security Service
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

***

Double-click on cwsserviceremove and, when asked to merge, say yes.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\addck.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {3486A396-7595-B288-69FC-2B5649058C5B} - C:\WINDOWS\system32\javasi.dll

O4 - HKLM\..\Run: [d3qw32.exe] C:\WINDOWS\d3qw32.exe

O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe

O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mssg32.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Use Windows Explorer to remove this folder:
C:\Program Files\WorldAntiSpy\

***

Reboot back to normal mode.

***

Post back with a fresh HijackThis log. Let's see how we did.
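One way to triage a HijackThis log for the kinds of entries fixed in this post (an added example, not code from the thread, from HijackThis or from Sophos; the heuristics are assumptions drawn from the entries above, and the sample log is constructed from lines posted in this thread):

```python
"""Triage a HijackThis 1.99 log for the persistence patterns fixed in this thread.
Added example for this page; not code from HijackThis, Sophos or the thread."""
import re

ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Assumed heuristics, derived from the entries the helper told the poster to fix.
WINROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe", re.I)   # EXE directly in C:\WINDOWS
ODD_NAME_CHARS = re.compile(r"[^A-Za-z0-9 ()._-]")            # junk in a service display name

def parse_entries(log: str):
    """Yield (code, body, raw) for each 'Rn - ...' or 'On - ...' entry line."""
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()

def triage(log: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, raw_line) findings; benign entries produce none."""
    findings = []
    for code, body, raw in parse_entries(log):
        low = body.lower()
        if code in ("R0", "R1") and "res://" in low:
            findings.append(("high", "IE start/search setting points at a res:// DLL resource", raw))
        elif code in ("R0", "R1") and low.endswith("about:blank"):
            findings.append(("review", "start page reset to about:blank, the reported symptom", raw))
        elif code == "R3" and "is missing" in low:
            findings.append(("review", "default URLSearchHook missing, common after a search hijack", raw))
        elif code == "O4" and WINROOT_EXE.search(body):
            findings.append(("high", "autorun launches an EXE dropped directly in C:\\WINDOWS", raw))
        elif code == "O23" and "unknown owner" in low:
            name = body.split(" - ")[0].removeprefix("Service: ")
            if ODD_NAME_CHARS.search(name):
                findings.append(("high", "unknown-owner service with junk characters in its name", raw))
            else:
                findings.append(("review", "service with no recognised owner; check the binary", raw))
    return findings

# Constructed sample: entries copied from the logs in this thread, hijack and benign mixed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\addck.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\SYSTEM32\hpstatus.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3qw32.exe] C:\WINDOWS\d3qw32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mssg32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
"""

if __name__ == "__main__":
    for severity, reason, raw in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {raw}")
```

"review" findings are leads, not verdicts: the ATI and HP services in this thread are also "Unknown owner" and were left alone, so the binary behind each still has to be checked by hand.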

#8 kiruji (New Member, Topic Starter, Member, 5 posts)
Thanks for the reply :)

I've followed all the steps and then ran a Sophos scan. Here's the log:

Sophos Anti-Virus
Version 3.97.0, Engine 2.30.13, Virus Data 3.97
Includes detection for 109224 viruses, trojans and worms
Copyright  1989-2005 Sophos Plc, www.sophos.com

Info:	InterCheck Client version : 2.22

Info:	'InterCheck Client' started at 9:41 on Monday, September 19, 2005

Error:	Could not find central installation setup program.
	The network location cannot be reached. For information about network troubleshooting, see Windows Help.


Info:	Immediate job started by david at 9:45 on Monday, September 19, 2005

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchHomeSearch.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchHomeSearch.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchHomeSearch1.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchHomeSearch1.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchHomeSearch2.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchHomeSearch2.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSearchKlick.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSearchKlick.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSearchKlick1.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSearchKlick1.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSearchKlick2.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSearchKlick2.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SComDialers.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SComDialers.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SComDialers1.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SComDialers1.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TrekBlueErrorNuker.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TrekBlueErrorNuker.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TrekBlueErrorNuker1.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TrekBlueErrorNuker1.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TrekBlueErrorNuker2.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TrekBlueErrorNuker2.zip\comment
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebDialer.zip\sbRecovery.ini
	The file is password protected.

Error:	Could not scan C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebDialer.zip\comment
	The file is password protected.

Error:	Could not scan C:\Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
	The file is password protected.

Virus fragment:	'W95/Whog-878b' detected in C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP390\A0059558.dll
	File deleted 

Virus:	'Troj/Ablank-V' detected in C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP392\A0059749.dll
	File deleted 

Virus:	'Troj/Ablank-V' detected in C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP392\A0059798.dll
	File deleted 

Error:	Could not open C:\hiberfil.sys

Info:	Immediate job completed at 10:38 on Monday, September 19, 2005
	35387 items scanned, 3 viruses detected, 26 errors

After the Sophos scan, I did another HJT scan. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:42, on 19/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\hpb2ksrv.exe
C:\WINDOWS\System32\hpbhksrv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\hpstatus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebEraser\weraser.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\SYSTEM32\HPBSPSVR.EXE
C:\WINDOWS\SYSTEM32\HPBJDSNT.EXE
C:\Program Files\Sophos SWEEP for NT\wsweepnt.exe
C:\Documents and Settings\David\Desktop\Spyware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.0.192:9090;gopher=192.168.0.192:9090;http=192.168.0.192:9090;https=192.168.0.192:9090
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Status] C:\WINDOWS\SYSTEM32\hpstatus.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = ADFIELD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADFIELD.LOCAL
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINDOWS\System32\hpbhksrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE

I've restarted the machine again and everything appears to be ok. Opening IE doesn't start Sophos going wild and it's not changing the start page to about:blank.

If the logs above look good to you, am I safe to assume that it's beaten?

I can't thank you enough for your help! :tazz:

EDIT: Just after I posted this message, I looked at the laptop and there are a couple of icons there I've not noticed before. One is 'Download Movies' and the other 'Download Music'. Both are web links; neither is something the boss would use.

Checking the properties shows that they link to

http://ptainfo.com/go/movies/

http://ptainfo.com/go/music/

I haven't looked at the links. Is this some more nastiness?

Edited by kiruji, 19 September 2005 - 04:00 AM.


#9 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
You can remove those links. The logs look clean. You say the computer is running ok now.

Shall I post you some tips for the future and close this topic?


EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 07 October 2005 - 05:32 PM.
