Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help with vrape / HijackThis


  • This topic is locked This topic is locked
2 replies to this topic

#1 smuger

smuger

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 31 August 2005 - 04:02 AM

Hi all,

Hope you can help, recently joined member in some sort of bother.

I look to be infected with vrape and or others, but for the life of me cannot remove.

I have used CWS Shredder + Adaware + Adware Away.

Originally I seemed to have the About:Blank hijacker that appeared to prevent web access. This has cleared up and I can now surf. But as you can see the log file shows a few bits that are not quite right... how wrong I am a bit scared to ask :thumbsup:

Many thanks for any help offered

Tom

Logfile of HijackThis v1.99.1
Scan saved at 22:52:39, on 27/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Marcus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [tcp checker] tcpcheck.exe
O4 - HKLM\..\Run: [The Intranet] intranet.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] TASKMAN4.EXE
O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [tcp checker] tcpcheck.exe
O4 - HKLM\..\RunServices: [The Intranet] intranet.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] TASKMAN4.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: http://*.windupdates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3318AD0-42E0-41FA-B683-E8840E0AC14F}: NameServer = 195.92.195.95 195.92.195.94
O21 - SSODL: Network Load Monitor - {CC3E6789-0120-1A20-04B0-087AFF6D2EA4} - C:\WINDOWS\System32\uinc.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton Internet Security Service - Unknown - C:\Program Files\Norton Internet Security\NISSERV.EXE (file missing)
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Norton Internet Security Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

BC AdBot (Login to Remove)

 


#2 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 03 September 2005 - 06:06 PM

Hi, smuger.

Nothing bad is shown in your running processes. Indications of several different malware do appear in your log. Let's run a full clean up.

Before we start, does the norton internet security you have include an anti-virus? If it does, then AVG free or norton should be set not to run at startup. Two anti-virus programs running at the same time may clash and make your system unstable.

Your hosts file has redirects to a malware site.
Download the Hoster from here
Open Hoster and click 'Restore Original Hosts', then 'OK'.

Let's remove the trusted site in your log.
Download DelDomains.inf by right clicking the following link and choose save.
http://mvps.org/winhelp2002/DelDomains.inf
Right click the DelDomains.inf file and select "install" from the menu.

Please submit the following file at this online malware scanner by clicking the browse button at the top of the page and navigate to:
C:\drivers\deltreew.exe
Copy the results and post them in your next reply.

Run the Malicious Software Removal Tool on this page.

Please download, install, and update the free version of ewido security suite:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Click on update in the left menu, then click the Start update button.
After the update finishes, exit from ewido as it should be run in safemode.

Reboot into safemode
Restart the computer, as soon as the BIOS has finished loading, begin tapping the F8 key .
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Open Ewido and click on the Scanner button in the left menu, then click on complete system scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".

Reboot to normal mode.

Scan with hijackthis and post the log.
Please also post the results of the file scan and the report from ewido.
Posted Image

#3 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 24 September 2005 - 10:22 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users