Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Recurring infection problem and more


  • Please log in to reply
1 reply to this topic

#1 dgoodrum

dgoodrum

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 31 July 2005 - 10:42 AM

I have been having some serious problems with being re-infected with viruses and could really use some help. Below is a list of files that have been infected and the actual virus that is attacking.

00000962.exe W32.Toxbot
aaa.exe W32.Toxbot
keyboard.exe W32.Spybot.Worm
mapi.exe W32.Toxbot
mouse.exe W32.Spybot.Worm
nvidea.exe W32.Randex
phqqhum.exe W32.Randex
TFTP16660 W32.Spybot.Worm
TFTP612 W32.Spybot.Worm
TFTP20544 W32.Spybot.Worm
Time.exe W32.Toxbot
ypages.exe W32.Spybot.Worm

Of these the W32.Spybot.Worm seems to com back over and over again. These files install themselves as system files that are difficult to get rid of. What I have done to get them out in the first place was to edit them out of the registry, restart the computer and then delete the files. Probably not a good thing to be doing. At any rate I keep getting infected again in a very short time, usually with the Spybot. Below is a copy of the hijactthis log file.

Some things that may be of note is that at one time PCcillin and AOL were both installed on this machine and were supposedly removed. The machine is a PCG-PRX500K Sony Vaio laptop running Win2000 SP2. I had tried to install SP4 to other machines that caused complete system failure so have not tried to update this machine.

Other problems that are happening: Norton Anti-virus protection does not start when the machine starts even though it used to and is set so that it should. I use Outlook Express as a mail handler and now every time I start the program of my falcon-enterprises email accounts Servers have been changed. The POP3 reads localhost and the account name has /mail.falcon-enterprises.com suffixed to it.
mail.falcon-enterprises.com is what the POP3 field should read.

Thank you in advance for all of your help.

Dennis Kurt Goodrum

(moderator edit: moved to HJT Forum for team resolution. jgweed)


Logfile of HijackThis v1.99.1
Scan saved at 11:02:59 AM, on 7/31/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\dxdmain.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\ICONSPY.EXE
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINNT\System32\WScript.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\PROGRA~1\PEOPLE~1\propelac.exe
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\mmsvc32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\WinSyswal32.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\ISP50\Bin\Bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Downloads\Spyware\Hijack This\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O1 - Hosts: 85.192.32.112 lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 online.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.lloydstsb.com
O1 - Hosts: 85.192.32.112 personal.barclays.co.uk
O1 - Hosts: 85.192.32.112 barclays.co.uk
O1 - Hosts: 85.192.32.112 ibank.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.nwolb.com
O1 - Hosts: 85.192.32.112 nwolb.com
O1 - Hosts: 85.192.32.112 hsbc.co.uk
O1 - Hosts: 85.192.32.112 www.hsbc.co.uk
O1 - Hosts: 85.192.32.112 abbey.com
O1 - Hosts: 85.192.32.112 www.abbey.com
O1 - Hosts: 85.192.32.112 www.abbey.co.uk
O1 - Hosts: 85.192.32.112 abbey.co.uk
O1 - Hosts: 85.192.32.112 cahoot.com
O1 - Hosts: 85.192.32.112 www.cahoot.com
O1 - Hosts: 85.192.32.112 www.cahoot.co.uk
O1 - Hosts: 85.192.32.112 cahoot.co.uk
O1 - Hosts: 85.192.32.112 www.co-operativebank.co.uk
O1 - Hosts: 85.192.32.112 co-operativebank.co.uk
O1 - Hosts: 85.192.32.112 www.co-operativebank.com
O1 - Hosts: 85.192.32.112 co-operativebank.com
O1 - Hosts: 85.192.32.112 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 www.smile.co.uk
O1 - Hosts: 85.192.32.112 smile.co.uk
O1 - Hosts: 85.192.32.112 www.cajamar.es
O1 - Hosts: 85.192.32.112 cajamar.es
O1 - Hosts: 85.192.32.112 www.cajamar.com
O1 - Hosts: 85.192.32.112 www.unicaja.es
O1 - Hosts: 85.192.32.112 unicaja.es
O1 - Hosts: 85.192.32.112 www.unicaja.com
O1 - Hosts: 85.192.32.112 unicaja.com
O1 - Hosts: 85.192.32.112 www.caixagalicia.es
O1 - Hosts: 85.192.32.112 caixagalicia.es
O1 - Hosts: 85.192.32.112 www.caixagalicia.com
O1 - Hosts: 85.192.32.112 caixagalicia.com
O1 - Hosts: 85.192.32.112 activa.caixagalicia.es
O1 - Hosts: 85.192.32.112 www.caixapenedes.es
O1 - Hosts: 85.192.32.112 caixapenedes.es
O1 - Hosts: 85.192.32.112 www.caixapenedes.com
O1 - Hosts: 85.192.32.112 caixapenedes.com
O1 - Hosts: 85.192.32.112 bancae.caixapenedes.com
O1 - Hosts: 85.192.32.112 www.caixasabadell.es
O1 - Hosts: 85.192.32.112 caixasabadell.es
O1 - Hosts: 85.192.32.112 www.caixasabadell.net
O1 - Hosts: 85.192.32.112 caixasabadell.net
O1 - Hosts: 85.192.32.112 www.cajamadrid.es
O1 - Hosts: 85.192.32.112 cajamadrid.es
O1 - Hosts: 85.192.32.112 www.cajamadrid.com
O1 - Hosts: 85.192.32.112 cajamadrid.com
O1 - Hosts: 85.192.32.112 oi.cajamadrid.es
O1 - Hosts: 85.192.32.112 www.ccm.es
O1 - Hosts: 85.192.32.112 ccm.es
O1 - Hosts: 85.192.32.112 www.haspa.de
O1 - Hosts: 85.192.32.112 haspa.de
O1 - Hosts: 85.192.32.112 ssl2.haspa.de
O1 - Hosts: 85.192.32.112 www.dresdner-bank.de
O1 - Hosts: 85.192.32.112 dresdner-bank.de
O1 - Hosts: 85.192.32.112 www.dresdner-privat.de
O1 - Hosts: 85.192.32.112 postbank.de
O1 - Hosts: 85.192.32.112 www.postbank.de
O1 - Hosts: 85.192.32.112 banking.postbank.de
O1 - Hosts: 85.192.32.112 www.sparda-b.de
O1 - Hosts: 85.192.32.112 sparda-b.de
O1 - Hosts: 85.192.32.112 www.bankingonline.de
O1 - Hosts: 85.192.32.112 www.raiffeisenbank-erding.de
O1 - Hosts: 85.192.32.112 raiffeisenbank-erding.de
O1 - Hosts: 85.192.32.112 www.vr-networld-ebanking.de
O1 - Hosts: 85.192.32.112 vr-networld-ebanking.de
O1 - Hosts: 85.192.32.112 www.bnhof.de
O1 - Hosts: 85.192.32.112 bnhof.de
O1 - Hosts: 85.192.32.112 www.deutsche-bank.de
O1 - Hosts: 85.192.32.112 deutsche-bank.de
O1 - Hosts: 85.192.32.112 meine.deutsche-bank.de
O1 - Hosts: 85.192.32.112 www.citibank.de
O1 - Hosts: 85.192.32.112 citibank.de
O1 - Hosts: 85.192.32.112 cipehb13.cdg.citibank.de
O1 - Hosts: 85.192.32.112 www.dkb.de
O1 - Hosts: 85.192.32.112 dkb.de
O1 - Hosts: 85.192.32.112 www.sparkasse-regensburg.de
O1 - Hosts: 85.192.32.112 sparkasse-regensburg.de
O1 - Hosts: 85.192.32.112 www.berliner-bank.de
O1 - Hosts: 85.192.32.112 berliner-bank.de
O1 - Hosts: 85.192.32.112 www.berliner-sparkasse.de
O1 - Hosts: 85.192.32.112 berliner-sparkasse.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\propelac.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINNT\System32\mmsvc32.exe
O4 - HKLM\..\Run: [[Win Xp] Personal Firewall] WinSyswal32.exe
O4 - HKLM\..\RunServices: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\RunServices: [[Win Xp] Personal Firewall] WinSyswal32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [WindowsRegKey update] kupjdltmvl.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKCU\..\Run: [time] time.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [[Win Xp] Personal Firewall] WinSyswal32.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccomm...oad/sonyctl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7989BD63-AF84-4E7B-BF0B-4F372CFB3BB5}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows NT/2000 (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\VPN\cvpnd.exe (file missing)
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINNT\System32\dhcpclient.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINNT\System32\dxdmain.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINNT\System32\time.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by jgweed, 31 July 2005 - 11:48 AM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:03 AM

Posted 01 August 2005 - 10:48 PM

Hello dgoodrum and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Download Hoster.zip and unzip it to your desktop.

Now we need to remove some services.

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

 
Const title = "Service Removal Tool"

Set oWS = CreateObject("Wscript.Shell")
sService = inputbox("Removing Service:",title,"DHCP Client")

If sService = "" then
msgbox "Script halted. No changes were made.", vbInformation, title
wscript.quit
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
("Select * from Win32_Service Where Name = '" & sService & "' or displayName = '" & sService & "'")
If colListOfServices.count > 0 Then
For Each objService In colListOfServices
objService.StopService()
wscript.Sleep 5000
objService.ChangeStartMode("Disabled")
wscript.Sleep 2000
objService.Delete()
Msgbox "The " & sService & " service has been removed or marked for deletion.", vbInformation, title
Next
Else
Msgbox "The " & sService & " service was not found.", vbInformation, title
End If


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. Click the Ok button and wait for a messge box saying the service has been removed or marked for deletion.

Restart remsvc.vbs for each of the following services and type the name shown into the editbox before clicking the Ok button:dxdmain
Netlib

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINNT\System32\mmsvc32.exe
O4 - HKLM\..\Run: [[Win Xp] Personal Firewall] WinSyswal32.exe
O4 - HKLM\..\RunServices: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\RunServices: [[Win Xp] Personal Firewall] WinSyswal32.exe
O4 - HKCU\..\Run: [WindowsRegKey update] kupjdltmvl.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKCU\..\Run: [time] time.exe
O4 - HKCU\..\Run: [[Win Xp] Personal Firewall] WinSyswal32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINNT\System32\dhcpclient.exe
C:\WINNT\System32\dxdmain.exe
C:\WINNT\System32\time.exe
C:\WINNT\System32\mmsvc32.exe
C:\WINNT\System32\WinSyswal32.exe

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.phqghum.exe
kupjdltmvl.exe
msconfg.exe

Step #5

Start Hoster and click on the Restore Original Hosts button. Now, close Hoster.

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users