
HJT - davean


This topic is locked. 8 replies to this topic.

#1 davean (Members, 4 posts)

Posted 20 August 2005 - 02:51 PM

Hi: McAfee told me that the virus is StartPage - DU. Their help line told me to run Adaware, Spybot, and hsremove, and I also ran CWShredder. That removed a lot of stuff, but now I am still getting spybot alerts whenever I run Internet Explorer, and then the browser promptly closes out. Email works OK, but now I have no access to my browser. Here is my logfile. Thanks in advance for your help!
david.anderson@zurich.com


Logfile of HijackThis v1.99.1
Scan saved at 9:43:21 PM, on 8/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mfcok32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\David\My Documents\VirusDAT2\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\mfcok32.exe
C:\WINDOWS\ipfr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\David\My Documents\VirusDAT2\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {6DD01090-84AB-318F-9942-C3C8B055B9B5} - C:\WINDOWS\appqg32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [atlzp.exe] C:\WINDOWS\atlzp.exe
O4 - HKLM\..\Run: [ipfr.exe] C:\WINDOWS\ipfr.exe
O4 - HKLM\..\RunOnce: [mfcok32.exe] C:\WINDOWS\mfcok32.exe
O4 - HKLM\..\RunOnce: [sdkkx.exe] C:\WINDOWS\sdkkx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\David\My Documents\VirusDAT2\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 22 August 2005 - 04:06 AM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup

Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now; you may not run it yet, that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download CWShredder. Don't let it run yet!

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

* Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

*Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

*Start hijackthis and click scan and put a checkmark next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6DD01090-84AB-318F-9942-C3C8B055B9B5} - C:\WINDOWS\appqg32.dll
O4 - HKLM\..\Run: [atlzp.exe] C:\WINDOWS\atlzp.exe
O4 - HKLM\..\Run: [ipfr.exe] C:\WINDOWS\ipfr.exe
O4 - HKLM\..\RunOnce: [mfcok32.exe] C:\WINDOWS\mfcok32.exe
O4 - HKLM\..\RunOnce: [sdkkx.exe] C:\WINDOWS\sdkkx.exe


*Close all open windows except hijackthis and click 'Fix Checked'.

*Start AboutBuster and let it scan. When the scan is done and you choose Exit, it will automatically create a log in the same folder where AboutBuster is.

*Start CWShredder and click Fix.

* Double-click the HSfix file you downloaded earlier, which is on your desktop, and when it asks if you want to add the contents to the registry, click Yes/OK.

* Still in safe mode, run CCleaner and click Run Cleaner (bottom right).

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

*Go to Start > Control Panel > Internet Options > Programs tab and click Restore Web Settings.

* Reboot your PC back to normal.

* Perform an onlinescan with Bitdefender and/or Housecall (check here autodelete) and let it delete everything it is finding.

*Post a new HijackThis log, plus the Ewido log and the AboutBuster log, which you'll find in the AboutBuster folder.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
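The fix list above is the human version of a triage pass over the first HijackThis log: startup entries (O4) that point at a bare executable in C:\WINDOWS with a meaningless name, a browser helper object (O2) whose display name is just "Class", the dead text/webviewhtml filter (O18), the missing default URLSearchHook (R3), and the start page and loopback proxy settings that need a decision rather than an automatic fix. As an added example, not part of the thread and not HijackThis' own logic, the Python below applies those rules to a constructed sample made of entries copied from the log. The verdict labels and the heuristics (especially the "bare executable in the Windows root" test) are this example's own assumptions.

```python
import re

# Constructed sample input: entries copied from the HijackThis v1.99.1 log
# posted at the top of this thread, plus known-good entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {6DD01090-84AB-318F-9942-C3C8B055B9B5} - C:\WINDOWS\appqg32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atlzp.exe] C:\WINDOWS\atlzp.exe
O4 - HKLM\..\Run: [ipfr.exe] C:\WINDOWS\ipfr.exe
O4 - HKLM\..\RunOnce: [mfcok32.exe] C:\WINDOWS\mfcok32.exe
O4 - HKLM\..\RunOnce: [sdkkx.exe] C:\WINDOWS\sdkkx.exe
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

def exe_path(cmd):
    """Extract the executable from an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]

def in_windows_root(path):
    """True when the file sits directly in the Windows directory rather than
    in a subfolder. Legitimate startup items normally live under Program
    Files or System32; a bare executable with a random-looking name in the
    Windows root is the pattern seen in the log above."""
    parts = path.replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1].lower() == "windows"

def triage(log_text):
    """Return [(verdict, line)] for entries that deserve attention.
    'fix' means check it in HijackThis; 'review' means a human must decide.
    The heuristics are this example's own, not HijackThis rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            o4 = O4_RE.match(body)
            if o4 and in_windows_root(exe_path(o4.group("cmd"))):
                findings.append(("fix", line))
        elif sec == "O2":
            o2 = O2_RE.match(body)
            # A BHO with no real display name, loaded from the Windows root,
            # is the appqg32.dll pattern; named vendor BHOs are left alone.
            if o2 and (o2.group("name").strip() in ("", "Class")
                       or in_windows_root(o2.group("path"))):
                findings.append(("fix", line))
        elif sec == "O18" and "(no CLSID)" in body and "(no file)" in body:
            findings.append(("fix", line))   # dead MIME filter registration
        elif sec == "R3" and "is missing" in body:
            findings.append(("fix", line))   # HijackThis restores the default hook
        elif sec == "R0" and "Start Page" in body:
            findings.append(("review", line))  # confirm the user chose this page
        elif sec == "R1" and "ProxyServer" in body and "localhost" in body:
            # A loopback proxy is how a hijacker interposes on browsing, but
            # it is also how a local web accelerator works, so confirm the
            # owner before removing it.
            findings.append(("review", line))
    return findings

if __name__ == "__main__":
    for verdict, entry in triage(SAMPLE_LOG):
        print(f"{verdict:6s} {entry}")
```

Run against the sample, the "fix" verdicts are exactly the O2, O4, R3 and O18 entries the helper asked to check, while the start page and the localhost:8082 proxy come back as "review". That matches the thread: the proxy entry was never put on the fix list, most likely (an assumption here) because it belongs to the EarthLink Propel Accelerator that also shows up in the O4 and O8 entries, which is why a script should flag it rather than delete it.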

#3 davean (Topic Starter, Members, 4 posts)

Posted 25 August 2005 - 10:00 AM

Hi:

I followed your instructions but failed on a couple of things. I was not able to disable TeaTimer: Can I just remove the entire spybot folder and do it that way, or is there a simpler way? I didn't run bitdefender because my browser did not work (although I think it failed because of a previous corruption issue, not the virus). Also, there was an error that prevented me from generating an About Buster logfile (maybe because of TeaTimer). However, my browser page did come up with msn as the starter page, and it didn't close down, so that's a big improvement. I suspect if I try again tonight I will actually be able to browse.

Here are the hijack this and ewido log files you requested:


Logfile of HijackThis v1.99.1
Scan saved at 7:00:39 AM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Documents and Settings\David\My Documents\VirusDat3\security suite\ewidoctrl.exe
C:\Documents and Settings\David\My Documents\VirusDat3\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Documents and Settings\David\My Documents\VirusDAT2\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\David\My Documents\VirusDAT2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\David\My Documents\VirusDAT2\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{791C8012-0BCC-4E60-B197-4CE5262F7EAE}: NameServer = 207.69.188.187 207.69.188.186
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\David\My Documents\VirusDat3\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\David\My Documents\VirusDat3\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:6:53:37 AM, 8/25/2005
+ Report-Checksum:7EF26E71

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@ads15.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wfliemcpwdq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wfloqlcpigo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wjk4gidpggo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wjk4wnaziap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wjkoqncpefo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wjnyekcpaao.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@e-2dj6wjnygkc5ibp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Danny\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\danny@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\David\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\david@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\David\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\david@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wfk4aic5adp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wfk4koajgaq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wfl4ukcpmgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wfliandzkbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wflishdjwao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wflismdpmbo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wfloupc5wko.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wfmygidpieq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjk4eldzsdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjk4qmd5wdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjlogjcpmco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjnyohcjmdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjnyokdpclo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjnyoldzwdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@e-2dj6wjnyuicpogp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@sento.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Olga\Local Settings\Temporary Internet Files\Content.IE5\YDZSLCRQ\outxxx[1].jpg -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wfkiojc5sbp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wfl4qmdjwao.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wfmiqkczwdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wjkygkdpkcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wjlywkczggp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wjny-1sc5ah.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wjnygkc5ibp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@e-2dj6wjnyokdpclo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Sara\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\sara@sento.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\KB840987.log:eidsck -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q329115.log:ukcfrj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q329834.log:mlnkll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Q331953.log:gajynp -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q810577.log:kvenp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkkx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sierra.ini:cblitj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32:okaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\SYSTEM32\mslw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vfqws -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End
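Most of the ewido report above is tracking cookies, but the lines worth a second look are the ones with a second colon in the path, such as C:\WINDOWS\KB840987.log:eidsck and C:\WINDOWS\SYSTEM32:okaa.dll. Those are NTFS alternate data streams attached to harmless-looking hotfix logs, an .ini, a .PIF and, in the last case, the System32 directory itself: a classic hiding place, because Explorer and a normal dir listing show only the host file and report its size without the stream. As an added example, not part of the thread and not ewido's own code, the Python below parses the report format, separates registry, cookie, plain-file and stream hits, and lists the host files that carried streams so they can be re-checked. The sample is a constructed subset of the report lines above.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the ewido report lines posted above,
# including the stream-based hits on hotfix logs, a .PIF and a directory.
SAMPLE_REPORT = r"""
+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Olga\Application Data\Earthlink\6.0\olguisima@earthlink.net\Cookies\olga@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Olga\Local Settings\Temporary Internet Files\Content.IE5\YDZSLCRQ\outxxx[1].jpg -> TrojanDownloader.Small.azk : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\KB840987.log:eidsck -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q329834.log:mlnkll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkkx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32:okaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\_DEFAULT.PIF:vfqws -> TrojanDownloader.Agent.bq : Cleaned with backup

::Report End
"""

HIT_RE = re.compile(r"^(?P<obj>.+?) -> (?P<family>\S+) : (?P<action>.+)$")
# "<drive>:\<path>:<stream>" with no backslash in the stream part is an
# alternate data stream attached to the file or directory named by <path>.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\.*?):(?P<stream>[^\\:]+)$")

def classify(obj):
    """Return (kind, host, stream); host/stream are only set for ADS hits."""
    if obj.upper().startswith("HK"):
        return "registry", None, None
    m = ADS_RE.match(obj)
    if m:
        return "ads", m.group("host"), m.group("stream")
    if "\\cookies\\" in obj.lower():
        return "cookie", None, None
    return "file", None, None

def parse_report(text):
    """Turn the report into a list of dicts, one per detection line."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # header, blank line or "::Report End"
        kind, host, stream = classify(m.group("obj"))
        hits.append({
            "obj": m.group("obj"), "family": m.group("family"),
            "action": m.group("action"), "kind": kind,
            "host": host, "stream": stream,
        })
    return hits

def summarize(hits):
    """Count detections per object kind."""
    return Counter(h["kind"] for h in hits)

def ads_hosts(hits):
    """Files and directories that carried a hidden stream. Their main content
    was never touched, so they are the places to look for further streams."""
    return sorted(h["host"] for h in hits if h["kind"] == "ads")

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for h in found:
        if h["kind"] == "ads":
            print(f"stream {h['stream']!r} on {h['host']} -> {h['family']}")
```

The report only lists the streams the scanner recognised, so after cleaning it is worth enumerating streams on the host objects directly. On Windows XP the tool for that is Sysinternals' streams.exe (for example streams -s C:\WINDOWS, which recurses; the -d switch deletes what it finds); dir /R lists streams too, but only on Vista and later.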

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 August 2005 - 10:19 AM

Hello,

Well, we really made an improvement. Let's check and fix some leftovers first, and afterwards let's restore your browser.
First of all, the current formatting of your log makes it difficult to read, so in Notepad:
At the top, click Format > uncheck Word Wrap.

Open HijackThis and check and fix the next items:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)


* Download: Hoster
Unzip Hoster into its own folder.
Start Hoster.exe.
Hoster may tell you that your Hosts file doesn't exist and ask if you want to create one. Click Yes/OK.
If you don't get that prompt/question, click 'Restore Original Hosts' and click OK.

This hijacker may have deleted some files, so check if the following are still present:

Control.exe: should be in your C:\WINDOWS\system32. Download it here if missing.

Shell.dll: C:\WINDOWS\SYSTEM32. Download it here if missing.

SDHelper.dll:
If you are using Spybot Search & Destroy, this hijacker can also delete SDHelper.dll.
Download SDHelper.dll.
Place the file in the Spybot Search & Destroy folder. Most probably, this is C:\Program Files\Spybot - Search & Destroy

This hijacker is also responsible for changing the ActiveX security settings to allow all.
To fix this, open Internet Explorer > Internet Options > Security > Internet.
Press Default Level > OK.
Press Custom Level.
In the ActiveX part:
Set "Download signed and unsigned ActiveX controls" to Prompt.
Set "Initialize and script ActiveX controls not marked as safe" to Disable.

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.

About TeaTimer... leave that for now, it seems it didn't interfere this time.

About AboutBuster... can you tell me exactly what error you are getting, so we can restore this also?

About your browser, what problem exactly do you have now? Do you get an error? Can you surf? The more info you can give on that, the better I can help you restore your browser again. :thumbsup:

#5 davean (Topic Starter, Members, 4 posts)

Posted 25 August 2005 - 02:02 PM

The problem with my browser (before the virus) occurred after I came back from vacation and found many of the appliances in the house were damaged, apparently from lightning. Since then, the browser often will show the error "Page Not Found" when it opens, and I can't even get to the starter page. However, usually if I restart or try opening IE from another directory, it works fine. Do you know how to fix that?

Thanks.

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 August 2005 - 02:09 PM

Hi,

Can you test something for me please, so we can tell whether it's actually your Internet Explorer or your connection that is causing this?
Can you download and install Firefox?

http://www.mozilla.org/products/firefox/

This is another browser, to use instead of IE. So try that one and let me know if you're still having the same problems with that browser. :thumbsup:

I don't really understand this part though..:

However, usually if I restart or try opening IE from another directory, it works fine.


I don't understand the part about "from another directory". As I understand it, you start IE from the icon on your desktop. What do you mean by the other directory? Which directory do you mean?

#7 davean (Topic Starter, Members, 4 posts)

Posted 30 August 2005 - 05:16 PM

Hi: I am now using Firefox as my default browser and it works fine, so thanks for that.

I don't see any noticeable problem, but my wife says she still is getting pop-ups from spybot on something. I'll come back to you on that.

Do you still think it is worth checking out the problem with About Buster you mentioned Aug. 25?

Cheers.

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 30 August 2005 - 05:28 PM

Hi, normally we have solved that infection you had earlier, so AboutBuster isn't really needed anymore.
Can you ask your wife what Spybot exactly says? I think it's rather TeaTimer that is giving those popups.
To explain this... TeaTimer is a start-page guard, and it remembers every setting for your start page. The problem here is that when you are already infected, or were infected, and you fix that problem, TeaTimer also sees this as an attempt and blocks the changes every time again... the changes you made to fix the problem.

That's why I also asked you to disable TeaTimer in the beginning. But once it is activated again, it starts with the alerts again.

So,to fix this, Download ResetTeaTimer.bat. Double click the file to remove all entries set by TeaTimer.

Reboot.

Let me know if that solved the problem. If not, post a new hijackthislog so I can see if there's still something hiding there. :thumbsup:

#9 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 09 September 2005 - 09:09 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



