Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HiJackThis Log....Full of Spyware...Help me please. (and tha


  • Please log in to reply
1 reply to this topic

#1 takei

takei

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 05 August 2005 - 08:14 AM

Gurus, Please heed my prayers and help me answer the pressing issues.

I have run AdAware Professional and Symantec AV softwares and still have much malware. Please Read the hiJack This Log and let me know what to do.

Logfile of HijackThis v1.99.1
Scan saved at 8:08:28 AM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EzButton\CplBCL50.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\cldfxnh.exe
C:\WINDOWS\System32\PSof1.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINDOWS\System32\94s8m8fk.exe
C:\WINDOWS\kqggdll.EXE
C:\WINDOWS\kqggenc.EXE
C:\WINDOWS\System32\kaujju.exe
C:\WINDOWS\System32\gpr2gt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CameraUser\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.howardcomputers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [kbwnbdi] C:\WINDOWS\System32\cldfxnh.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [94s8m8fk] C:\WINDOWS\System32\94s8m8fk.exe
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\TEMP\sysnet.exe
O4 - HKLM\..\Run: [kqggdll] C:\WINDOWS\kqggdll.EXE
O4 - HKLM\..\Run: [kqggenc] C:\WINDOWS\kqggenc.EXE
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kaujju.exe reg_run
O4 - HKLM\..\Run: [us4X33V] gpr2gt.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: VPN Client.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.howardcomputers.com
O16 - DPF: Secure Global Desktop Client, 3.4 - https://tara2p01.srpsis.ms.gov/tarantella/java/ttaC-du.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120243951609
O17 - HKLM\System\CCS\Services\Tcpip\..\{369727A3-8B24-46CD-90D3-FEF68A0E341A}: NameServer = 10.30.101.5,10.18.101.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{369727A3-8B24-46CD-90D3-FEF68A0E341A}: NameServer = 10.30.101.5,10.18.101.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{369727A3-8B24-46CD-90D3-FEF68A0E341A}: NameServer = 10.30.101.5,10.18.101.5
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\kqggsvc.exe

Thank you in Advance.

Takei

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:12:36 PM

Posted 05 August 2005 - 04:30 PM

Hello takei and welcome to the BC malware forum. It looks like we have a few different infections in this log so let's start with the 'Nail' infection. Please print these directions and then proceed with the following steps in order.

Step #1

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Download nailfix.zip and unzip it to its own folder.

Step #2

Now we need to remove a service.

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

 
Const title = "Service Removal Tool"

Set oWS = CreateObject("Wscript.Shell")
sService = inputbox("Removing Service:",title,"Windows VisFx Components")

If sService = "" then
msgbox "Script halted. No changes were made.", vbInformation, title
wscript.quit
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
("Select * from Win32_Service Where Name = '" & sService & "' or displayName = '" & sService & "'")
If colListOfServices.count > 0 Then
For Each objService In colListOfServices
objService.StopService()
wscript.Sleep 5000
objService.ChangeStartMode("Disabled")
wscript.Sleep 2000
objService.Delete()
Msgbox "The " & sService & " service has been removed or marked for deletion.", vbInformation, title
Next
Else
Msgbox "The " & sService & " service was not found.", vbInformation, title
End If


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. Click the Ok button and wait for a messge box saying the service has been removed or marked for deletion.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Navigate to the folder you unzipped nailfix.zip into and double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step #5

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Step #6

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [kbwnbdi] C:\WINDOWS\System32\cldfxnh.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [94s8m8fk] C:\WINDOWS\System32\94s8m8fk.exe
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\TEMP\sysnet.exe
O4 - HKLM\..\Run: [kqggdll] C:\WINDOWS\kqggdll.EXE
O4 - HKLM\..\Run: [kqggenc] C:\WINDOWS\kqggenc.EXE
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kaujju.exe reg_run
O4 - HKLM\..\Run: [us4X33V] gpr2gt.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #7

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\kqggsvc.exe
C:\WINDOWS\kqggdll.EXE
C:\WINDOWS\kqggenc.EXE
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\etb\ <--folder
C:\WINDOWS\TEMP\sysnet.exe
C:\WINDOWS\System32\cldfxnh.exe
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\94s8m8fk.exe
C:\WINDOWS\System32\kaujju.exe
C:\WINDOWS\System32\gpr2gt.exe
C:\Program Files\SurfSideKick 3\ <--folder
C:\PROGRAM FILES\VBouncer\ <--folder
C:\Program Files\CashBack\ <--folder
C:\Program Files\Cas\ <--folder

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users