Post #16, Mar 13 2005, 11:50 AM
Daisuke, Cleaner on Duty (Group: HJT Team, Posts: 5,480, Joined: 1-September 04, From: Bucharest, Romania, Member No.: 2,383)
QUOTE: even if I try to stop it running on startup with msconfig it still runs

Stopping Windows services with msconfig is not recommended. Also, stopping a Windows service via Task Manager is almost impossible. If you have a printer, don't touch spoolsv.exe in the system32 folder. The file is a Microsoft file and it is legitimate.

Temporarily disable SpySweeper. It can interfere with the fix.

The files are StopItBlockIt Spyware Remover software, a (brand new) rogue anti-spy program:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Try first to uninstall it from Add/Remove Programs.

REBOOT into Safe Mode and delete these files:
SDMonitor.exe
StopItBlockItLiveUpdate.exe
SpywareDetector.dll
ProcessMonitorDll.dll
FileSignature.dll
BlockCookiesSD.ini
StopItBlockItCloseAll.exe
StopItBlockItSystemTray.exe
CookiesSD.ini
ProcAccess.ini
ProcessSpy.DB
spyremoverlog.txt
sysconfigSD.ini
sysspyDelSD.ini
sysspyInsSD.ini
sysspyUpdSD.ini
sysversionSD.ini
wormcounts.ini

Delete this folder if present:
c:\Program Files\StopItBlockIt Spyware Remover\

Run HijackThis!, press Scan, and put a check mark next to all these:
O4 - HKLM\..\Run: [MonitorSD] C:\WINDOWS\system32\SDMonitor.exe

Close all other windows and browsers, and press the Fix Checked button.

REBOOT normally and post a new HijackThis log.
Post #17, Mar 16 2005, 09:35 AM
Member (Group: Members, Posts: 28, Joined: 7-March 05, Member No.: 13,771)
Thanks Daisuke,

Sorry about the delay, I hadn't noticed the thread had gone onto another page. I have done exactly as you said. Here is the up to date log.

Logfile of HijackThis v1.99.1
Scan saved at 14:28:07, on 16/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\All Downloads\Spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by Paul Browne
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks in advance.
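The fix in post #16 and the check of the follow-up log in post #17 both come down to reading HijackThis O4 (autostart) lines and asking whether the launched file is on a known-bad list. The script below is an added example, not HijackThis code or anything posted in this thread: it parses the two O4 line shapes HijackThis emits (Run-key entries with a bracketed name, and Global Startup .lnk entries), extracts the launched program from a command that may be quoted or carry arguments, and flags file names from the StopItBlockIt list. The two sample logs are constructed from the entries quoted above; the "unqualified" check is an extra observation not made by anyone in the thread.

```python
"""Parse HijackThis O4 autostart entries and flag known-bad file names.
Added example, not HijackThis code; sample log text is constructed from
the entries quoted in this thread."""
import re
from dataclasses import dataclass

# File names from the StopItBlockIt removal list in post #16, lower-cased for matching.
ROGUE_FILES = {
    "sdmonitor.exe", "stopitblockitliveupdate.exe", "stopitblockitcloseall.exe",
    "stopitblockitsystemtray.exe", "spywaredetector.dll", "processmonitordll.dll",
}

# Constructed sample: the O4 line Daisuke asked to fix, between two benign entries.
SAMPLE_INFECTED = r"""
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\WINDOWS\system32\SDMonitor.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

# Constructed sample: the O4 section of the follow-up log in post #17.
SAMPLE_CLEAN = r"""
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\Smc.exe
"""

# An unquoted command ends at the first token that looks like a program file;
# anything after it is an argument (e.g. "mobsync.exe /logon").
EXT_RE = re.compile(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", re.I)


@dataclass
class AutostartEntry:
    location: str   # e.g. HKLM\..\Run, HKCU\..\Run, Global Startup
    name: str       # Run value name, or the .lnk file name for Global Startup
    command: str    # full command as HijackThis printed it
    target: str     # program the command launches, arguments removed


def command_target(cmd):
    """Return the program a Run-key command launches, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def basename(path):
    """Case-folded file name of a Windows path (works for bare file names too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_o4(log_text):
    """Extract every O4 line from a HijackThis log into AutostartEntry records."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O4 - "):
            continue
        location, _, rest = line[len("O4 - "):].partition(": ")
        if rest.startswith("["):                 # Run-key form: [Name] command
            name, _, cmd = rest[1:].partition("] ")
        else:                                    # Startup-folder form: file.lnk = target
            name, _, cmd = rest.partition(" = ")
        entries.append(AutostartEntry(location, name, cmd.strip(), command_target(cmd)))
    return entries


def flag_rogue(entries, rogue=ROGUE_FILES):
    """Entries whose launched file name is on the known-bad list."""
    return [e for e in entries if basename(e.target) in rogue]


def unqualified(entries):
    """Entries launched by bare file name, resolved through the PATH search order.
    systray.exe and mobsync.exe in the sample are legitimate Windows components;
    this only shows which entries depend on the search path rather than a fixed location."""
    return [e for e in entries if "\\" not in e.target]


if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        hits = flag_rogue(parse_o4(text))
        print(label, "->", [(e.name, e.target) for e in hits] or "no known-bad autostart entries")
```

Run it as a script to see the MonitorSD entry flagged in the first sample and nothing in the second; the parser deliberately keys on file name rather than full path, because the same rogue binary is often dropped under a different directory.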
Post #18, Mar 16 2005, 10:27 AM
Daisuke, Cleaner on Duty (HJT Team)
Log looks clean... great job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
How did I get infected? With steps so it does not happen again!

Glad I was able to help.
Post #19, Mar 16 2005, 06:25 PM
Member
Thanks for all your help. Things are definitely a lot better.

There are still some odd symptoms though which are probably the aftermath and can hopefully be solved relatively easily. I would like to see what you think before I do anything.

I can select Start - Settings - Control Panel, but I can not double click on the icons. Nothing happens. There is also no right click menu. Also on the desktop I can not move the icons manually even with Auto arrange not selected.

Are any of these things known to you? Have you got any suggestions, as I definitely don't want to do anything drastic now I've got this far.

Thanks for any advice and for all your great help.
Post #20, Mar 17 2005, 08:08 AM
Daisuke, Cleaner on Duty (HJT Team)
Try this first:

Go to Start --> Run, type cmd in the Open box, then click OK to open a command prompt.
Type sfc /scannow (note the space after sfc).
Insert your original Windows CD in the CD-ROM drive.

This will restore the protected system files on your computer.
Post #21, Mar 19 2005, 09:10 AM
Member
Hi Daisuke,

I ran sfc /scannow with the disc in. When I rebooted I found that I could not type in anything on the web. That meant I could not write to you or input anything. I could type in Word documents but nothing online.

I reinstalled Windows 2000 Pro and SP4. This seems to have worked, but I still can not double click on Control Panel; I have to drag and drop the icon to the Start menu. I can now move icons on the desktop though.

Is there a command to run the Control Panel from the command line?
Post #22, Mar 20 2005, 12:25 PM
Daisuke, Cleaner on Duty (HJT Team)
QUOTE: but I still can not double click on control panel

I have no idea what the problem is. I'm investigating this.
Post #23, Mar 21 2005, 11:40 AM
Daisuke, Cleaner on Duty (HJT Team)
Please take a look at whether the Remote Procedure Call (RPC) service is started.

Go to Start -> Run and type Services.msc, then press the OK button.
Look for a service called Remote Procedure Call (RPC).
Double click on that service and press the Start button if the service is stopped, and then set the Startup type to Automatic.
Press OK, and close all the windows.

Is the problem solved?
Post #24, Mar 21 2005, 11:53 AM
Member
I have done as you asked. RPC was started and is set on automatic start. The problem has not changed. When I first boot and try to double click an icon I get a quick glimpse of the egg timer, and then it is gone. It is almost as though the Control Panel is a false one.

I can not move icons on the desktop even with auto arrange deselected. I can not double click files to run in Explorer either. This is not stopping me using the computer, but it is seriously affecting its usability.
Post #25, Mar 21 2005, 04:09 PM
Daisuke, Cleaner on Duty (HJT Team)
Did you try to create a new user?
Post #26, Mar 22 2005, 06:29 AM
Member
Yes, I created a duplicate administrator account. Logged on with it and went to Control Panel. Control Panel is displayed as a narrow left hand window with the icons. When the icons are double clicked they work!! I don't know why there is a right hand pane.

I also got a message about "Due to your ActiveX settings some parts of this page may not display properly". Could it be local settings for my ActiveX? It does prove that something on my account has been changed.

I'd appreciate your views. Thanks.
Post #27, Mar 22 2005, 06:45 AM
Daisuke, Cleaner on Duty (HJT Team)
QUOTE: Could it be Local settings for my Active X?

I think so.

Delete the content of this folder:
C:\WINDOWS\Downloaded Program Files <-- empty the folder, don't delete it.

Check your Internet Explorer settings:
A. Open Internet Explorer.
B. Click Tools -> Internet Options...
C. Click on the Advanced tab.
D. At the bottom of the window click the Restore Defaults button.

Click the Security tab:
- click the Internet icon - press the Default Level button
- click the Local icon - press the Default Level button
- click the Trusted icon - press the Default Level button
  - press the Sites button -> remove all the entries
- click the Restricted icon - press the Default Level button

Download eScan. Save it on your desktop and run mwav.exe.
Check Drive, select All Local Drives and Scan All Files.
Click Scan and when it has finished, what was found will be displayed in the lower pane. Highlight it, press CTRL C and then paste it here.
Post #28, Mar 22 2005, 08:28 PM
Member
I did as you said. I have posted the log on the malware site as I could not paste it in.

Thanks for your help.
Post #29, Mar 23 2005, 10:43 AM
Member
Hi Daisuke,

I did as you said. I then ran Mwav and here are the results from the pane:

Wed Mar 23 14:37:36 2005 => ***** Scanning complete. *****
Wed Mar 23 14:37:36 2005 => Total Files Scanned: 69587
Wed Mar 23 14:37:36 2005 => Total Virus(es) Found: 15
Wed Mar 23 14:37:36 2005 => Total Disinfected Files: 0
Wed Mar 23 14:37:36 2005 => Total Files Renamed: 0
Wed Mar 23 14:37:36 2005 => Total Deleted Files: 0
Wed Mar 23 14:37:36 2005 => Total Errors: 2
Wed Mar 23 14:37:36 2005 => Time Elapsed: 01:19:27
Wed Mar 23 14:37:36 2005 => Virus Database Date: 2005/03/22
Wed Mar 23 14:37:36 2005 => Virus Database Count: 122913
Wed Mar 23 14:37:36 2005 => Scan Completed.

C:\WINDOWS\system32\ctbv2.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\NLNP!3.exe infected by "not-a-virus:AdWare.IGetNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\NLNP13.dll infected by "not-a-virus:AdWare.IGetNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vf534.exe infected by "Trojan.WinREG.LowZones.f" Virus. Action Taken: No Action Taken.
File C:\All Downloads\iMesh\iMeshV3.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
File C:\All Downloads\Spyware\Removal Tools\L2mfix\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\SYSTEM32\ctbv2.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\NLNP!3.exe infected by "not-a-virus:AdWare.IGetNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\NLNP13.dll infected by "not-a-virus:AdWare.IGetNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\vf534.exe infected by "Trojan.WinREG.LowZones.f" Virus. Action Taken: No Action Taken.
File D:\Paul Data\Programs\VNC\vnc-3.3.7-x86_win32.exe tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
File C:\WINDOWS\SYSTEM32\ctbv2.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\NLNP!3.exe infected by "not-a-virus:AdWare.IGetNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\NLNP13.dll infected by "not-a-virus:AdWare.IGetNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\vf534.exe infected by "Trojan.WinREG.LowZones.f" Virus. Action Taken: No Action Taken.

I am still getting odd things happening with web pages that previously worked. It must be the above stuff. Thanks for any advice.
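The eScan result above names a "LowZones" trojan, a family whose effect is to weaken Internet Explorer's zone settings, which is exactly what the IE reset in post #27 (Default Level on each zone, emptying the Trusted Sites list) undoes by hand. The script below is an added example, not from eScan, HijackThis or anyone in this thread: given a .reg export of the current user's Internet Settings key, it reports Internet-zone ActiveX actions set more permissively than the Medium level and any hosts mapped into the Trusted Sites zone. Assumptions: the baseline values are the documented Medium-level defaults for the Internet zone (value 0 = Enable, 1 = Prompt, 3 = Disable), and the .reg text and the `.invalid` host in it are constructed for the example.

```python
"""Audit an exported IE Internet Settings key for lowered zone security and
hosts pushed into Trusted Sites. Added example; the .reg text is constructed
and the Medium-level baseline is an assumption taken from IE documentation."""

INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
INTERNET_ZONE = INET + r"\Zones\3"           # zone 3 = Internet
DOMAINS_KEY = INET + r"\ZoneMap\Domains"     # per-host zone assignments
TRUSTED_ZONE = 2

# Action values for URL actions: 0 = Enable, 1 = Prompt, 3 = Disable. Smaller is weaker,
# so "actual < expected" means the setting has been loosened. Baseline = Medium (assumed).
MEDIUM_BASELINE = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 0),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1400": ("Active scripting", 0),
}

# Constructed export of a weakened configuration: every ActiveX action enabled and an
# adware host (and its www subdomain) added to Trusted Sites.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adware.invalid]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adware.invalid\www]
"http"=dword:00000002
"""

# Constructed export of the same zone at Medium defaults, for comparison.
SAMPLE_REG_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"""


def parse_reg(text):
    """Minimal .reg reader: {key: {value_name: int or str}} for dword and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            else:
                keys[current][name] = value.strip('"')
    return keys


def lowered_zone_settings(keys, zone_key=INTERNET_ZONE, baseline=MEDIUM_BASELINE):
    """(value, description, expected, actual) for each action weaker than the baseline."""
    settings = keys.get(zone_key, {})
    findings = []
    for value_name, (desc, expected) in baseline.items():
        actual = settings.get(value_name)
        if actual is not None and actual < expected:
            findings.append((value_name, desc, expected, actual))
    return findings


def trusted_site_mappings(keys):
    """(scheme, host) pairs assigned to the Trusted Sites zone via ZoneMap\\Domains.
    Subkeys nest by label in reverse order: Domains\\example.com\\www is www.example.com."""
    prefix = DOMAINS_KEY + "\\"
    trusted = []
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        host = ".".join(reversed(key[len(prefix):].split("\\")))
        for scheme, zone in values.items():
            if zone == TRUSTED_ZONE:
                trusted.append((scheme, host))
    return trusted


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for value, desc, expected, actual in lowered_zone_settings(keys):
        print(f"Internet zone {value} ({desc}): expected {expected}, found {actual}")
    for scheme, host in trusted_site_mappings(keys):
        print(f"Trusted Sites entry: {scheme}://{host}")
```

On a live machine the input would come from `regedit /e` (or `reg export`) of the Internet Settings key; the lower-is-weaker ordering of the action values is what makes the comparison a single inequality.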
Post #30, Mar 23 2005, 01:36 PM
Daisuke, Cleaner on Duty (HJT Team)
Download KillBox here: KillBox. Unzip it to your desktop.

Start KillBox and click on Tools --> Select Delete Temp Files. Click OK.

Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete":
C:\WINDOWS\system32\ctbv2.dll

Press the Delete button (the button that looks like a red circle with a white X in it). A first dialog box will ask if you want to delete the file on reboot; press the YES button. A second dialog box will ask you if you want to REBOOT now; press the NO button.

Repeat the steps above for these files:
C:\WINDOWS\system32\NLNP!3.exe
C:\WINDOWS\system32\NLNP13.dll

Copy and paste the following file to the field labeled "Full path of file to delete":
C:\WINDOWS\system32\vf534.exe

Press the Delete button (the button that looks like a red circle with a white X in it). A first dialog box will ask if you want to delete the file on reboot; press the YES button. A second dialog box will ask you if you want to REBOOT now; press the YES button. Your computer will reboot.

Run HijackThis, and post the log please.

This post has been edited by Daisuke: Mar 23 2005, 01:37 PM
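"Delete on reboot" in KillBox, and in Windows generally, works by queuing the file in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager processes at the next boot before the file is in use. The value is a REG_MULTI_SZ of source/destination pairs in NT object-path form (`\??\C:\...`); an empty destination means delete, and a destination prefixed with `!` means replace an existing file (the MoveFileEx delay-until-reboot encoding). The script below is an added example, not KillBox code: it builds and decodes that byte layout offline so an incident responder can inspect what a cleanup tool, or malware, has left queued for the next boot. The paths are constructed from the file names in this thread; nothing here touches a registry.

```python
"""Encode and decode the PendingFileRenameOperations REG_MULTI_SZ layout used by
'delete on reboot' tools. Added example, not KillBox code; paths are constructed
from the file names in this thread and no registry is read or written."""

NT_PREFIX = "\\??\\"   # NT object-manager path prefix, e.g. \??\C:\WINDOWS\...


def _to_nt(path):
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops):
    """ops: list of (source, destination). destination None queues a delete;
    a destination starting with '!' replaces an existing target at boot.
    Returns the REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated,
    list terminated by one more NUL. Empty destinations appear as bare NULs,
    so a generic MULTI_SZ reader that stops at the first empty string misreads this value."""
    strings = []
    for src, dst in ops:
        strings.append(_to_nt(src))
        if dst is None:
            strings.append("")
        elif dst.startswith("!"):
            strings.append("!" + _to_nt(dst[1:]))
        else:
            strings.append(_to_nt(dst))
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def decode_pending_ops(data):
    """Inverse of encode_pending_ops: returns [(source, destination_or_None), ...],
    with NT prefixes removed and the '!' replace marker preserved."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                 # drop the list terminator
    items = text.split("\0")[:-1]        # every string ends in NUL; drop split's empty tail
    ops = []
    for i in range(0, len(items) - 1, 2):
        src, dst = items[i], items[i + 1]
        if dst == "":
            target = None
        elif dst.startswith("!"):
            target = "!" + _from_nt(dst[1:])
        else:
            target = _from_nt(dst)
        ops.append((_from_nt(src), target))
    return ops


def pending_deletes(data):
    """Just the paths queued for deletion, the part a responder usually wants to see."""
    return [src for src, dst in decode_pending_ops(data) if dst is None]


if __name__ == "__main__":
    # Constructed: the three deletes from this post plus one replace-on-boot rename.
    queued = [
        (r"C:\WINDOWS\system32\ctbv2.dll", None),
        (r"C:\WINDOWS\system32\NLNP!3.exe", None),
        (r"C:\WINDOWS\system32\NLNP13.dll", None),
        (r"C:\temp\shell32.new", "!" + r"C:\WINDOWS\system32\shell32.dll"),
    ]
    blob = encode_pending_ops(queued)
    print(blob.hex())
    for path in pending_deletes(blob):
        print("delete at boot:", path)
```

The `!` in a source file name such as NLNP!3.exe is harmless: the replace marker is only meaningful at the start of a destination string, which is why the decoder checks the prefix of the destination alone.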