I'm infected


This topic is locked
5 replies to this topic

#1 msudawg

Posted 14 August 2005 - 09:04 AM

:thumbsup: I really need some help. I ran adaware and spybot. Here is my hijackthis logfile. Any help you could provide would be greatly appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 8:54:59 AM, on 8/14/2005
Platform: Windows XP (WinNT 5.01.2526)
MSIE: Internet Explorer v6.00 (6.00.2526.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\PSof1.exe
C:\windows\system32\iorpqo.exe
C:\WINDOWS\System32\jspuserv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\paranq.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\iyugui.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\accwiz.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [iorpqo] c:\windows\system32\iorpqo.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefmm32.exe
O4 - HKLM\..\Run: [533W38R] jspuserv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\paranq.exe reg_run
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [K0s6RUdtg] iyugui.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104722831306
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 alsocom

Posted 16 August 2005 - 03:19 AM

Hello msudawg and welcome to BleepingComputer. :thumbsup:

Please download the trial version of Ewido security suite.

Install and Update Ewido:
  • Download and install Ewido security suite.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch Ewido, there should be an icon on your desktop for it to double-click.
    • The program will prompt you to update, click the OK button.
    • The program will now go to the main screen.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed, close the program.
Download this tool : LQfix.zip
  • Unzip it to your Desktop.
  • Don't use it yet!
IMPORTANT! Reboot the computer into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').


Double-click LQfix.bat that you saved on your desktop before. A DOS window will open and close again; that is normal.
Scanning With Ewido:
  • Launch Ewido again.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • While the scan is in progress you will be prompted to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the boxes that say "Perform action on all infections" and "Create encrypted backup", then choose clean and click OK.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop.
  • Now close ewido security suite.
Reboot normally and run an Uninstall List with HijackThis.
  • Open Hijackthis and click None of the above, just start the program.
  • Click Config... < Misc Tools < Open Uninstall Manager.
  • Click Save list... and save the file as uninstall_list.txt to a location of your choice.
Scan with HijackThis. Post the new log as a reply to this thread. Include the Ewido report and the results of uninstall_list.txt.
Alan

#3 msudawg
Topic Starter

Posted 20 August 2005 - 09:39 AM

:thumbsup: Ok, things seem somewhat better now. Thanks a million for your help so far. Here are the logs:

Current HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 9:27:36 AM, on 8/20/2005
Platform: Windows XP (WinNT 5.01.2526)
MSIE: Internet Explorer v6.00 (6.00.2526.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Josh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gkpx.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104722831306
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here is the ewido report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:24:26 AM, 8/20/2005
+ Report-Checksum: 41BA4BB6

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\5wsc1KMfXbLI -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\5wsq1KMfXbLI -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\crsreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\Del91.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\ICD1.tmp\YSBactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\ptf_0029.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\temp.fr5053\VirtualBouncer.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\Documents and Settings\Josh\Local Settings\Temp\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Cas\Client\casclient.exe -> Spyware.CASClient : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\loader.exe -> TrojanDownloader.Small.xa : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BA1EXMM9\silent_setup[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CI97G746\proxy_inst[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\system32\iorpqo.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\iyugui.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\WINDOWS\system32\jspuserv.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\WINDOWS\system32\nss42.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\terkmyeu.exe -> Spyware.BookedSpace : Cleaned with backup

::Report End


And the HijackThis uninstall list:

Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Dell AIO Printer A960
Dell Picture Studio - Dell Image Expert
ewido security suite
Forerunner Logbook
HijackThis 1.99.1
iPod for Windows 2005-01-11
iTunes
Java 2 Runtime Environment, SE v1.4.2_04
LiveUpdate 1.7 (Symantec Corporation)
Madden NFL TM 2002
Microsoft Combat Flight Simulator
Microsoft Office XP Professional with FrontPage
MX-700 Editor
NASCAR® Racing 2002 Season
Norton AntiVirus Corporate Edition
Paint Shop Pro 7
PCFriendly
Print to Fax
QPST
QuickTime
RealPlayer
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
TaxCut 2004
TurboTax Basic 2003
WingMan Software
ZoneAlarm

#4 msudawg
Topic Starter

Posted 20 August 2005 - 10:39 AM

Well... I still get "Error Loading C:windows\cfgmgr52.DLL" when booting the computer. And I also noticed that abetterinternet is listed among the programs in ZoneAlarm. So I suppose I am not totally in the clear yet.

#5 alsocom

Posted 21 August 2005 - 01:16 AM

Step 1
Open HijackThis, run a scan, then check the following:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gkpx.exe reg_run
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll


With all other programs and browsers closed, click fix checked.


Step 2
Please set your computer to show all files.
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.
You will need to reverse this process when all steps are done.


Step 3
Please delete the following files/folders:

C:\WINDOWS\System32\exp.exe << File Only
C:\WINDOWS\System32\wintask.exe << File Only
C:\WINDOWS\System32\s4gkpx.exe << File Only
C:\WINDOWS\cfgmgr52.dll << File Only

C:\Program Files\VBouncer << Whole Folder
C:\Program Files\Cas << Whole Folder


If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.


Step 4
Please delete your temporary files by deleting all files and folders that are in these folders (do not delete the temp folder itself), such as:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\Every username\Local Settings\Temp\
Also delete your Temporary Internet Files (Start > Control Panel > Internet Options > Delete Files), be sure to also select delete all offline content.
Empty the Recycle Bin.


Step 5
Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!


Step 6
Scan with HijackThis and post the new log as a reply to this thread. Include the WinPFind log and the TrackQoo log.
Please let us know of any complications you had and how the computer is behaving.
Alan
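As an added example (not code from this thread, nor from the HijackThis or Ewido authors), a small Python parser that reads the O4 autorun entries of a HijackThis log and cross-references them with the file paths an Ewido report says were cleaned. A Run value whose target file the scanner already deleted is exactly what produces a message like the "Error Loading C:windows\cfgmgr52.DLL" reported in post #4, and it is the kind of entry Step 1 above asks to fix. The sample lines are constructed from the logs in this thread; the resolution of a bare filename to C:\WINDOWS\System32 is an assumption, labelled in the code.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a handful of lines in the style of the HijackThis
# log and the Ewido report posted in this thread (not the full logs).
HJT_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gkpx.exe reg_run
O4 - HKLM\..\Run: [533W38R] jspuserv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

EWIDO_REPORT = r"""
HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\system32\jspuserv.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
"""

# Assumption: a bare filename in a Run value is found through the system path,
# which for the machine in this thread meant C:\WINDOWS\System32.
SYSTEM32 = r"C:\WINDOWS\System32"

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|cpl))', re.IGNORECASE)
BARE_RE = re.compile(r"^([\w.-]+\.(?:exe|dll))\b", re.IGNORECASE)
EWIDO_RE = re.compile(r"^([A-Za-z]:\\.+?) -> (\S+) : (.+)$")


def extract_target(command: str) -> Optional[str]:
    """Return the on-disk file an O4 command loads, lower-cased for comparison.
    Handles quoted paths, unquoted paths containing spaces, the rundll32
    'path,Entry' form and bare filenames; None if no file can be identified."""
    m = PATH_RE.search(command)
    if m:
        return m.group(1).lower()
    m = BARE_RE.match(command.strip())
    if m:
        return (SYSTEM32 + "\\" + m.group(1)).lower()
    return None


def parse_o4(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Parse every O4 line into hive, value name, raw command and target file."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries.append({"hive": hive, "name": name, "command": command,
                            "target": extract_target(command)})
    return entries


def parse_ewido(report_text: str) -> Dict[str, str]:
    """Map each file path the scanner reports as cleaned to its detection name.
    Registry-key lines (HKLM\\...) are skipped; only file paths matter here."""
    cleaned = {}
    for line in report_text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m and m.group(3).startswith("Cleaned"):
            cleaned[m.group(1).lower()] = m.group(2)
    return cleaned


def stale_autoruns(log_text: str, report_text: str) -> List[Tuple[str, str, str]]:
    """Autorun values whose file was removed but whose Run entry survived.
    These load nothing but still produce an 'Error loading ...' message at logon
    and should be removed with HijackThis (Step 1 above)."""
    cleaned = parse_ewido(report_text)
    return [(e["name"], e["target"], cleaned[e["target"]])
            for e in parse_o4(log_text)
            if e["target"] and e["target"] in cleaned]


if __name__ == "__main__":
    for name, path, detection in stale_autoruns(HJT_LOG, EWIDO_REPORT):
        print(f"stale Run value [{name}] -> {path} (file cleaned as {detection})")
```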

#6 alsocom

Posted 22 September 2005 - 12:12 AM

Closed due to Inactivity.

If you need this topic reopened, please request this by sending a PM to a member of the HJT team with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Alan
