Hijack Logs & Ors. [RESOLVED]



#1
Berocca
Member, 71 posts
Dropper Inor, Trojan Horse Dialler 8AA

Background
I am endeavouring to help an elderly friend of limited means whose previously owned computer is riddled with numerous infections.

Thanks to the information contained on your wonderful site, and the volunteers' posts, I have managed to bring his computer back to working order after spending the past 4 days on the job.

I am now asking if someone can kindly check what I have done, and give advice/instructions to help me navigate the last few hurdles.

Any help offered would be appreciated.

Remaining Concerns

1. Hijack This Log
Help needed in identifying the hijacker lines and advice as to their removal. I notice a few are showing 81.222.131.49, which was previously one of the sites hijacking his internet connection. The internet home page is working again, but there are a number of addresses that refuse to be removed, though they no longer seem to be re-establishing themselves. I would be more comfortable to see them removed.

2. Spybot
Advice required on what action to take with this response received:

Warning: “There were problems in the include file C:\Program Files\Spybot_Search_Destroy\Includes\Hijackers.sbi - See Include error log for details.”

3. Ewido Security Suite

What needs to be done with the items in quarantine. Should I click on the key “Remove Finally” to remove the infected files shown in quarantine? My concern for immediate action is because of the 14 day trial only.

4. AVG Scan Result
There are still two infections shown which AVG indicates are not “healable” namely:

(a) C:\Documents and Settings\All Users\Start\Menu\Prog…
Virus found Dropper.Inor - Infected
(b) C:\FOUND.018\FILE0001.CHK
Virus Found Dropper Inor - Infected

Additionally, the Vault shows six Trojan Horses which are also apparently not “healable”. What action needs to be taken there?

Action Taken By Me So Far

I have followed all your instructions (in particular those of dittos) after registering.
This includes:

1. System Restore: Disabled it
2. Hidden Files – Enabled viewing of hidden files and file extensions
3. Temporary files - Cleaned by running the Disc cleaning utility
4. Ad-Aware SE - Downloaded it and the updates and run it twice
5. CWShredder – Downloaded it and updates and run it twice
6. Spybot S & D - Downloaded it and updates and run it twice
7. Ewido Security Suite – Downloaded it and updates and run twice
8. A Squared 2 – Downloaded it and updates and run twice
9. AVG – Downloaded it and updates and run twice
10. Trojan Hunter – Downloaded it and updates and run twice
11. Windows Updates – Downloaded SP2 and updates and rebooted 3 times
12. Hijack This – Downloaded it and updates and run twice.

Below are the relevant logs:

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 6:27:37 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EEBA788A-C268-492A-B7FE-42C2B6C553D4} - (no file)
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Windows Update.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


SPYBOT LOG

C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_DATA>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>
C:\Program Files\Spybot - Search & Destroy\Includes\Hijackers.sbi | CoolWWWSearch.Feat2DLL | <$FILE_LIBRARY>


EWIDO SECURITY SUITE LOG

Below are copies of the first log report. The second asked for the removal of the file C:\info6_s.cab/information.exe. It was removed but I cannot locate the log:

---------------------------------------------------------
ewido security suite - Scan report (first)
---------------------------------------------------------

+ Created on: 10:32:36 AM, 8/10/2005
+ Report-Checksum: 82A0B56F
+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\TypeLib\\ -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C}\TypeLib\\ -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273}\TypeLib\\ -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D6188A7D-376C-4970-91AD-675BFCF3762E}\TypeLib\\ -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/tl7000.dll\\.Owner -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/tl7000.dll\\{0191ABF4-9421-435E-9FFD-CD827A2A82D8} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tl7000.dll\\.Owner -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/tl7000.dll\\{0191ABF4-9421-435E-9FFD-CD827A2A82D8} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced -> Spyware.Downloadware : Cleaned with backup
HKU\S-1-5-21-343818398-1993962763-842925246-1003\Software\2nd -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-343818398-1993962763-842925246-1003\Software\2nd\Client -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-343818398-1993962763-842925246-1003\Software\SCom -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-343818398-1993962763-842925246-1003\Software\Support Software -> Spyware.NetworkEssentials : Cleaned with backup
[1488] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[1908] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[1976] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[1796] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[408] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[540] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[1176] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[1372] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[2060] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[2080] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[716] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
[2788] C:\WINDOWS\js128k.dll -> Trojan.Agent.fc : Error during cleaning
[4068] C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Error during cleaning
C:\WINDOWS\system32\SWRT01.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\tool.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\WINDOWS\tool1.exe -> Trojan.LowZones.y : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TV1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\AUTOS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADBN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMP1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EDU1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DEBT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DATE3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DENT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEAL2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CASH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FOPP1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\OPPR2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MORT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MOVS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\NEWS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SHOP1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WOMEN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EXPE1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\JOBS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DRUG3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\PENIS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HGH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HOMES2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\GIFT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INSUR3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DEEPS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\VENUE1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\JOBS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEAL3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EXPE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HOMES3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\UTONE1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FMND1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INSUR4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADBN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEAL5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TRVL5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HOGAR2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEBE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MORT3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\AUTOS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WOMEN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.k : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__js128k.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\sasetup.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__jaaste.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\frennk.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\assest.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\KB290333.dll -> Trojan.Agent.fc : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Tools\tools.exe -> Spyware.MediaBack : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Tools\tools.dll -> Spyware.MediaBack : Cleaned with backup
C:\Documents and Settings\PC300GL\Cookies\pc300gl@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\Messenger\ycomp.dll -> Spyware.Yahoo : Cleaned with backup
C:\Program Files\scbar\v9\scbar.exe -> Spyware.WindowEnhancer : Cleaned with backup
C:\Program Files\Support Software\SS2.DLL -> Spyware.MediaPops : Cleaned with backup
C:\info6_s.cab/Information.exe -> Dialer.Generic : Error during cleaning
C:\FOUND.015\FILE0000.CHK -> Spyware.ClearSearch : Cleaned with backup
C:\FOUND.015\FILE0004.CHK -> Spyware.ClearSearch : Cleaned with backup
C:\w.exe -> TrojanDownloader.Small.aod : Cleaned with backup
C:\slinstaller.exe -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\124492.exe -> Not-A-Virus.Pornware.Downloader.Tibsystems.a : Cleaned with backup
C:\temporary\install53.exe -> Trojan.SecondThought.g : Cleaned with backup


::Report End

#2
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

Try not to post all the logs you have there...we usually just want the HijackThis log at first...

Yes, set Ewido to remove all that it finds there.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido (only if you have Windows 2000 or XP). If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EEBA788A-C268-492A-B7FE-42C2B6C553D4} - (no file)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - Global Startup: Windows Update.hta
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

c:\installer\
Windows Update.hta


Restart and run a new HijackThis scan. Save the log file and post it here.

See if Spybot still has that problem. If so, uninstall it and restart your computer. Delete any folders that may still be left behind by Spybot, including the folder at c:\documents and settings\all users\application data\spybot\. Then reinstall Spybot and check for updates. Try running it now.

See if AVG still finds anything unhealable.
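The entries greyknight17 picks out above are the classic tells a HijackThis reader looks for: R0/R1 start and default pages pointing at a bare IP, a missing URLSearchHook, a BHO whose DLL is gone, a Run entry loading from an odd folder, an .hta dropped into Global Startup, and O15 trusted IP ranges. As an added example (not code from the thread or from the HijackThis project), here are those checks written out as a small Python triage script. The sample lines are taken from the first log posted in this thread; the SAFE_ROOTS allow-list and the heuristics themselves are assumptions made for this example, not HijackThis rules.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the thread).

Each check mirrors a reason a log reader flags an entry:
  R0/R1  start/default/local page set to a URL with a bare IP address
  R3     default URLSearchHook missing
  O2     BHO whose DLL no longer exists ("(no file)")
  O4     Run entry loading from outside Program Files / Windows,
         or an .hta placed in Global Startup
  O15    IP range added to the IE Trusted sites zone
SAFE_ROOTS is an assumed allow-list for this example, not a HijackThis rule.
"""
import re
from typing import List, Optional, Tuple

# Folders a Run entry is normally expected to load from (assumed allow-list).
SAFE_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# http(s)://d.d.d.d followed by a path, a port, or the end of the string.
IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.IGNORECASE)

# "<section> - <rest>", e.g. "R0 - HKLM\...\Main,Start Page = http://..."
ENTRY = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")


def _run_target(rest: str) -> Optional[str]:
    """Extract the executable path after the [name] token (quoted or bare)."""
    m = re.search(r"\]\s*(?:\"([^\"]+)\"|(\S+))", rest)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    # A bare file name (no directory) resolves via the search path; not judged here.
    return target if "\\" in target else None


def triage_line(line: str) -> Optional[str]:
    """Return why a line is suspicious, or None if no heuristic fires."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)

    if section in ("R0", "R1") and "=" in rest:
        value = rest.split("=", 1)[1].strip()
        if IP_URL.match(value):
            return "IE page setting points at a raw IP address URL"
    elif section == "R3" and "is missing" in rest:
        return "Default URLSearchHook missing (commonly cleared by a hijacker)"
    elif section == "O2" and rest.endswith("(no file)"):
        return "BHO registered but its DLL is gone (orphaned entry)"
    elif section == "O4":
        if "Global Startup:" in rest and rest.lower().endswith(".hta"):
            return "HTML Application placed in Global Startup"
        if "\\Run:" in rest:
            target = _run_target(rest)
            if target and not target.lower().startswith(SAFE_ROOTS):
                return "Run entry loads from an unusual location: " + target
    elif section == "O15" and "Trusted IP range" in rest:
        return "IP range added to the IE Trusted sites zone"
    return None


def triage(lines) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line a heuristic fires on, in log order."""
    findings = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


# Sample input: a subset of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EEBA788A-C268-492A-B7FE-42C2B6C553D4} - (no file)
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Windows Update.hta
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason}\n    {entry}")
```

Run against the sample, the script flags exactly the eleven lines greyknight17 asked to have fixed and stays quiet on the AVG, Adobe, ctfmon and TrojanHunter entries. The heuristics are deliberately narrow: a Run entry under Program Files is not proof of anything, and a bare file name such as essspk.exe is left for a human to resolve, which is why an expert still reads the whole log rather than trusting a script.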

#3
Berocca
Topic Starter, Member, 71 posts
Thank you Greyknight17 very much for your prompt reply.

These are my comments in response.

c:\installer\i
I have carried out all your instructions fully except for the deletion of the file or folder named c:\installer\i. This was because I was not sure if this referred to a file by this specific name or the folder. All I could find was the file id53.exe in the folder installer. I will await your further advice on this before deleting it.

Spybot
You were correct. I uninstalled Spybot and reinstalled it, and then ran the scan again. No problems were then detected. It seems that the problem might have been that I failed to install the updates or DSO Exploit Fix properly in the first instance.

Ewido
As instructed I deleted all infections that appeared following the scan.

AVG
The new scan showed one infection only. It was as follows:

C:\FOUND.018\FILE0001.CHK - Virus Dropper.Inor - Infection
It was shown as "healable" but on trying to carry out the "heal" action many times the result still comes back as "Action to Heal Failed". I have moved it to the Vault.

I now have 6 files in the vault shown as; 5 Trojan Horses and 1 Dropper.

The "Files by Virus Name" summary shows them as:

(a) MS-DOS viruses;
(b) Trojan Horses; and
(c) Backdoor and Trojan Horses

This seems to have created 32 folders on the C drive named FOUND.000, FOUND.001 and so on to FOUND.031. The contents of these folders show files named FILE0000.CHK, FILE0001.CHK, FILE0002.CHK and so on, with the description "Recovered File Fragments". I have not deleted them. Is any further action required?

Trojan Hunter
I have since carried out a scan by Trojan Hunter and the only infection detected was as follows.

C:\rundl32.exe (yes, that is with one l only; it is not rundll32.exe)

The description indicates:

"Possible trojan file - possible trojan downloader"

No action has been taken to delete the file as yet. I will await your advice.


Hijack This Log
The new log obtained after running AdAware SE, Spybot, Ewido, Trojan Hunter and AVG is now shown below.

Logfile of HijackThis v1.99.1
Scan saved at 7:28:53 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


Regards
Berocca
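As an added example (my own code, not HijackThis code and not from anyone in this thread): a small Python parser for the HijackThis 1.99 log format shown above, with a few review checks of the kind a log helper applies by hand: O4 Run values whose command has no absolute path, Global Startup shortcuts HijackThis could not resolve (`= ?`), the host each O16 ActiveX control was downloaded from, O23 services listed as "Unknown owner", and executables sitting directly in the Windows root rather than System32. The embedded sample log is constructed; it copies the line format of the posted log, and the names beginning "Example", the all-zero CLSIDs and the `example.invalid` URL are placeholders. None of the flags means an entry is malicious; each is a prompt to verify the file or control it names.

```python
"""Parse a HijackThis 1.99.x log into structured entries and run review
checks over them.  Added example; not HijackThis code.  SAMPLE_LOG is
constructed: 'Example' names, zero CLSIDs and example.invalid are placeholders."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\essspk.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Example BHO - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\bho.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: SmartUI.lnk = ?
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://activex.example.invalid/control.cab
O23 - Service: Example Login (exampleSvc) - Unknown owner - C:\Program Files\Example\exampleSvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass
class Entry:
    kind: str   # HijackThis section code: O2, O4, O16, O23, ...
    body: str   # text after "Oxx - "


@dataclass
class HJTLog:
    processes: list   # lines of the "Running processes:" section
    entries: list     # all Oxx entries, in file order


@dataclass
class Finding:
    kind: str      # "process" or the Oxx code
    subject: str   # what the finding is about
    reason: str    # why a reviewer should look at it


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 - HKLM\..\Run: [Name] command line
O4_RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Global Startup: Foo.lnk = target   (target is "?" when HJT cannot resolve it)
O4_LNK_RE = re.compile(r"^Global Startup: (?P<lnk>.+?\.lnk) = (?P<target>.*)$")
# O16 - DPF: {CLSID} (Name) - http://host/file.cab
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# O23 - Service: Display (Name) - Vendor - path
O23_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")
# an .exe directly in the Windows root instead of System32
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into its running-process list and Oxx entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if in_procs and line and not m:
            processes.append(line)
            continue
        in_procs = False          # blank line or first Oxx entry ends the section
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return HJTLog(processes, entries)


def executable_of(cmd):
    """Executable part of an O4 command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_absolute_win_path(path):
    return re.match(r"^[A-Za-z]:\\", path) is not None


def check_log(log):
    """Return review findings; each is a prompt to verify, not a verdict."""
    findings = []
    for proc in log.processes:
        if WINDIR_ROOT_EXE_RE.match(proc):
            findings.append(Finding("process", proc,
                "executable directly in the Windows root rather than System32; confirm its publisher"))
    for e in log.entries:
        if e.kind == "O4":
            m = O4_LNK_RE.match(e.body)
            if m:
                if m.group("target") == "?":
                    findings.append(Finding("O4", m.group("lnk"),
                        "startup shortcut whose target HijackThis could not resolve"))
                continue
            m = O4_RUN_RE.match(e.body)
            if m:
                exe = executable_of(m.group("cmd"))
                if not is_absolute_win_path(exe):
                    findings.append(Finding("O4", m.group("name"),
                        f"Run value '{exe}' has no absolute path and is resolved via the search path"))
        elif e.kind == "O16":
            m = O16_RE.match(e.body)
            if m:
                host = urlparse(m.group("url")).hostname or "?"
                findings.append(Finding("O16", m.group("name"),
                    f"ActiveX control installed from {host}; remove it if it was not asked for"))
        elif e.kind == "O23":
            m = O23_RE.match(e.body)
            if m and m.group("vendor").lower() == "unknown owner":
                findings.append(Finding("O23", m.group("name"),
                    f"service binary {m.group('path')} carries no vendor information"))
    return findings


def main():
    log = parse_log(SAMPLE_LOG)
    print(f"{len(log.processes)} processes, {len(log.entries)} entries")
    for f in check_log(log):
        print(f"[{f.kind}] {f.subject}: {f.reason}")


if __name__ == "__main__":
    main()
```

To use it on a real log, read the saved hijackthis.log into `SAMPLE_LOG`'s place (for example `parse_log(open("hijackthis.log").read())`) and work through the findings one at a time; an O4 entry with a bare file name, like the EssSpkPhone line in the posted log, is not wrong in itself, it just means the file has to be located and checked by hand.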

#4 greyknight17 (Malware Expert, Visiting Consultant)
Hi Berocca, I made a mistake there. Please re-read my previous reply on what files and folders to delete (there is one folder and one file that I edited/added).

OK, for TrojanHunter, yes delete that rundl32.exe file.

I was thinking the same thing about C:\FOUND.018\FILE0001.CHK. I'm pretty sure these are related to ScanDisk files, I think. Ask the guys/gals in the Windows Forum and see what they have to say about all those FOUND.001 files and others. Tell them if it's ok to delete this one:

C:\FOUND.018\FILE0001.CHK

If it's ok, then post back saying so. I will give instructions to delete it if you can't delete it.

As far as your log goes:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#5 Berocca (Topic Starter)
Many many thanks Greyknight17.

You guys are just so invaluable in what you do to help us out.

Ok I will go ahead and ask the guys in the Windows forum and then post the comments back here.

Regards
Berocca

#6 greyknight17 (Malware Expert, Visiting Consultant)
No problem Berocca, glad we could help.

OK, post back what happened...hopefully this won't take too long.

#7 Berocca (Topic Starter)
Greyknight17,

Re your earlier instructions:

"I was thinking the same thing about C:\FOUND.018\FILE0001.CHK I'm pretty sure these are related to scandisk files I think. Ask the guys/gals in the Windows Forum and see what they have to say about all those FOUND.001 files and others. Tell them if it's ok to delete this one:

C:\FOUND.018\FILE0001.CHK

If it's ok, then post back saying so. I will give instructions to delete it if you can't delete it."



This is the reply from pip22 in the Windows Forum:

"All filenames ending in *.CHK can be safely deleted as they are indeed lost file fragments found by Scandisk error-checking. They will be completely useless."


OK I will go ahead and delete the files. I presume I would do this from Scan Disk or alternatively from the files listed on the C disk in Windows Explorer.

When the board went down for maintenance yesterday, I decided to return my friend's computer in the meantime since he badly wanted it back ASAP. I will call around to his house by next week and delete the files ending with CHK. If I have any problems I will post again.

I have taken the advice from your website and installed the programs suggested to further protect his PC. All seemed to be working Ok last night when I tested it at his place.

Thanks again for all your time and effort in assisting my friend and me through this problem. It has been invaluable and a very interesting learning experience. You and your associates on this board are brilliant.

Edited by Berocca, 12 October 2005 - 09:45 PM.


#8 greyknight17 (Malware Expert, Visiting Consultant)
Yes, delete them directly from the computer's c: drive.

No problem, glad we could help.

#9 greyknight17 (Malware Expert, Visiting Consultant)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.