I'm helping with cleaning out a computer running XP Home, and have run into serious trouble. What seemed from the beginning to be just a dialer turned out to be multiple viruses and trojans.
What I have done so far (not necessarily in the order I write them now, and some of them have been done more than once):
First used AVG antivirus
Then avast! antivirus
Disabled system restore
CleanUp!
Ad-aware SE, including VX2 Cleaner V2.0 add-on
CWShredder
Spybot S&D (with the DSO Exploit Fix)
Stinger
drweb-cureit
avast! Virus Cleaner
The system seems fairly clean, but even though I find no evidence that pokapoka70.exe is being run anymore, it still comes back into the registry (though right now, after I ran HijackThis, it seems I could manually remove the entry and it stayed gone).
Other problems have occurred, however. Windows doesn't boot completely: for example, only a couple of icons in the Systray are loaded, some items are missing in the control panel, the Start menu->All programs can't be shown, I can't change the folder settings, etc.
And there's a problem with connecting to the Internet. The computer normally connects with a dialup modem, but even though the system says the modem is working and the diagnostic can talk with the modem, when trying to connect it doesn't seem to even try to get a line.
When connecting through Ethernet cable I get a connection, and ping, traceroute and similar tools work as normal, but IE doesn't work. This unfortunately also means that I haven't been able to run Windows Update, which I'm sure is needed on the computer.
(I have run the WinsockXPFix but haven't tried to connect again)
So I hope there's some help or tips for me.
Thanks in advance!
Here's my HijackThis log:
================
Logfile of HijackThis v1.99.1
Scan saved at 22:02:12, on 2005-09-28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Informationshanteraren - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program\Delade filer\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c32.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe