Please Help Me Clean Infections From System.


1 reply to this topic

#1 level 42

  • Members
  • 4 posts

Posted 23 September 2007 - 12:16 PM

Still, after reading numerous posts and remedies recommended to help me rid my system of adware and malware.

Still learning more than I ever wanted to know about computers and software.
Yet I'm still in the dark about how to clean out the malware !$@% that's in here.

Running dual-boot Win 98SE/XP Pro SP1

Here's what I've done:

Have updated and run the latest versions of the following programs, both from the desktop and in Safe Mode, to clean the system:
Spybot S&D, SuperAntiSpyware, Uniblue SpyEraser, AVG AV v7.5, ComboFix, NoAdware 5.0, WinTasks 2.4, HijackThis 1.99, a-squared Free, XP-AntiSpy, GMER, catchme.exe.

The latest SpyEraser scan shows some new problems, and several of the same problems are still in the system or have come back somehow.
Uniblue SpyEraser scan results 9-23-07

Adware BHO.1 (1 infection)
hkey_users\defaults\software\microsoft\internet explorer|main\check_associations\

Trojan-spy.BZub.hv (1 infection)
hkey_local_machine\software\microsoft\windows\currentversion\control panel\load\\

Adware.Chiem.b (5 infections)
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\linksynergy.com\\

hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.net\\

hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\commission-junction.com\\

hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\bfast.com\\

hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.com\\


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:24 AM, on 9/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\SYS_TOOLS\a-squared Free\a2service.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\locator.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\TELMEX\Prodigy Infinitum\app\TangoService.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\PROGRA~1\TELMEX\PRODIG~1\app\TangoManager.exe
D:\Program Files\D-Tools\daemon.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Eraser\eraser.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\GhostSurf 2005\Proxy.exe
D:\Program Files\GhostSurf 2005\Scheduler daemon.exe
D:\Program Files\GhostSurf 2005\TracksCleaner.exe
D:\Program Files\BitTornado\btdownloadgui.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\HiJackThis2.0.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TangoManager] D:\PROGRA~1\TELMEX\PRODIG~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [VOBRegCheck] D:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "D:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [DXDllRegExe] D:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MS lsass6 Startup] lsass1356.exe
O4 - HKCU\..\Run: [Eraser] D:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MS lsass6 Startup] lsass1356.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS lsass6 Startup] lsass1356.exe (User 'Default user')
O4 - Startup: Scheduler.lnk.disabled
O4 - Startup: Scheduler.lnk = D:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Startup: TracksCleaner.lnk = D:\Program Files\GhostSurf 2005\TracksCleaner.exe
O4 - Global Startup: GhostSurf proxy.lnk = D:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125536020390
O17 - HKLM\System\CCS\Services\Tcpip\..\{D35BFB02-47FC-46E2-8F18-BC8EA59AD15B}: NameServer = 127.0.0.1 127.0.0.1
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\SYS_TOOLS\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - D:\Program Files\TELMEX\Prodigy Infinitum\app\TangoService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8240 bytes


Would someone offer guidance and suggestions for me to get this right, and on how to pre-empt future infections as well as possible?

Thanks for your kind help, Otto
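Added example (not from the original post or from BleepingComputer's Malware Response Team): a small Python script that applies three checks a log reader would otherwise do by eye on the O4 Run-key lines of a HijackThis log like the one above. It flags a Run value whose file name borrows the name of a boot-chain process (lsass, svchost, ...) that is never started from a Run key, a bare file name with no directory (so Windows finds it by PATH search at logon), and the same image registered under several hives at once. The list of core names, the rundll32 allowance and the three-hive threshold are assumptions chosen for this illustration, not HijackThis rules; the sample lines are copied from the log posted above. The output says what to investigate, not what is malicious.

```python
"""Heuristic triage of the O4 (Run-key autostart) entries in a HijackThis log.

Added example; not code from the original post or from the BleepingComputer
Malware Response Team. The sample lines are copied from the log posted above.
CORE_NAMES, BARE_OK and the three-hive threshold are heuristics chosen for
this illustration, not HijackThis rules.
"""
import re
from typing import Dict, List

# Constructed sample: O4 lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MS lsass6 Startup] lsass1356.exe
O4 - HKUS\S-1-5-18\..\Run: [MS lsass6 Startup] lsass1356.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS lsass6 Startup] lsass1356.exe (User 'Default user')
O4 - Startup: Scheduler.lnk.disabled
O4 - Global Startup: GhostSurf proxy.lnk = D:\Program Files\GhostSurf 2005\Proxy.exe
"""

# Core Windows processes started by the boot chain, never by a Run key; a Run
# value borrowing one of these names deserves a closer look. (Heuristic list.)
CORE_NAMES = ("lsass", "svchost", "csrss", "winlogon", "smss", "services")

# Host binaries that legitimately appear without a path in Run values. (Assumption.)
BARE_OK = {"rundll32.exe"}

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Extract the executable from a Run value: honour quotes, otherwise take the
    shortest prefix ending in an executable extension (unquoted paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {image_basename: {"hives": [...], "reasons": [...]}} for every
    Run entry that trips at least one heuristic."""
    seen: Dict[str, Dict[str, set]] = {}
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line)
        if not m:
            continue  # Startup-folder .lnk lines and non-O4 lines are out of scope
        cmd = USER_SUFFIX_RE.sub("", m["cmd"])
        image = image_path(cmd)
        base = image.rsplit("\\", 1)[-1].lower()
        entry = seen.setdefault(base, {"hives": set(), "reasons": set()})
        entry["hives"].add(m["hive"])
        stem = base.rsplit(".", 1)[0]
        for core in CORE_NAMES:
            if stem.startswith(core):
                entry["reasons"].add(f"name mimics {core}.exe, which is never started from a Run key")
                break
        if "\\" not in image and base not in BARE_OK:
            entry["reasons"].add("bare filename: resolved by PATH search at logon")
    # One image planted under several hives is a persistence pattern worth noting.
    for entry in seen.values():
        if len(entry["hives"]) >= 3:
            entry["reasons"].add(f"same image registered in {len(entry['hives'])} separate hives")
    return {
        base: {"hives": sorted(e["hives"]), "reasons": sorted(e["reasons"])}
        for base, e in seen.items()
        if e["reasons"]
    }


if __name__ == "__main__":
    for base, info in triage(SAMPLE_LOG).items():
        print(f"{base}  hives={info['hives']}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Run stand-alone it lists the entries to ask about; on the sample it reports lsass1356.exe on all three counts and nwiz.exe for the bare file name only. The full-path entries for the firewall, AVG, TeaTimer and the other tools the poster lists are not reported.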


#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 02 October 2007 - 01:21 PM

Hello level 42 and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems, please post a brand-new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -