
Requesting a HijackThis analysis


  • This topic is locked
12 replies to this topic

#1 popman99

popman99

  • Members
  • 8 posts

Posted 03 October 2005 - 05:28 PM

Been working on this all day, following the instructions from the forum.
Ran CleanUp, ewido and HijackThis, and have this HJT log left.

Any suggestions? Thank you guys. Cheers, popman99

Logfile of HijackThis v1.99.1
Scan saved at 6:27:45 PM, on 10/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\atlxa32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cryh32.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63DFBE3B-D797-50E4-BE10-0AD1C6D7B7AD} - C:\WINDOWS\appxr32.dll
O2 - BHO: Class - {AC6B148F-A257-661C-97AA-52101F451319} - C:\WINDOWS\javakl.dll (file missing)
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\nthy32.dll (file missing)
O2 - BHO: Class - {E2B4FCC5-E7C0-FD6E-9969-152F9F01DBD7} - C:\WINDOWS\mfczq.dll (file missing)
O4 - HKLM\..\Run: [ZAWYGHLI] c:\windows\system32\zawyghli.exe /install
O4 - HKLM\..\Run: [CSFEUJNV] c:\windows\system32\csfeujnv.exe /install
O4 - HKLM\..\Run: [FEJXOSVY] c:\windows\system32\fejxosvy.exe /install
O4 - HKLM\..\Run: [OTNFSHYM] c:\windows\system32\otnfshym.exe /install
O4 - HKLM\..\Run: [PWVQYMVG] c:\windows\system32\pwvqymvg.exe /install
O4 - HKLM\..\Run: [IMOGXUUR] c:\windows\system32\imogxuur.exe /install
O4 - HKLM\..\Run: [IMQLGKGC] c:\windows\system32\imqlgkgc.exe /install
O4 - HKLM\..\Run: [PGXLVBVG] c:\windows\system32\pgxlvbvg.exe /install
O4 - HKLM\..\Run: [KGTFMYHI] c:\windows\system32\kgtfmyhi.exe /install
O4 - HKLM\..\Run: [UHLFSABB] c:\windows\system32\uhlfsabb.exe /install
O4 - HKLM\..\Run: [ERSFOAVG] c:\windows\system32\ersfoavg.exe /install
O4 - HKLM\..\Run: [GANUGLVI] c:\windows\system32\ganuglvi.exe /install
O4 - HKLM\..\Run: [atlxa32.exe] C:\WINDOWS\atlxa32.exe
O4 - HKLM\..\Run: [sysvg.exe] C:\WINDOWS\system32\sysvg.exe
O4 - HKLM\..\RunOnce: [cryh32.exe] C:\WINDOWS\system32\cryh32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...Bridge-c139.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\iesa.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 04 October 2005 - 07:07 AM

Hello,

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://windowsupdate.microsoft.com and update to Service Pack 1. When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.
You don't even have an antivirus or firewall installed. :-(

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* I see you already downloaded CleanUp and Ewido. We're going to use them afterwards in safe mode.
In Ewido, update the definitions to the newest files. Do NOT run a scan yet.

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

First, we will make your hidden files and folders visible.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide file extensions for known file types.
* Click Yes to confirm.
* Click OK.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start hijackthis and click scan and put a checkmark next to the following items:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63DFBE3B-D797-50E4-BE10-0AD1C6D7B7AD} - C:\WINDOWS\appxr32.dll
O2 - BHO: Class - {AC6B148F-A257-661C-97AA-52101F451319} - C:\WINDOWS\javakl.dll (file missing)
O2 - BHO: Class - {D9E15E07-121D-BD83-5D75-2ABC929E744A} - C:\WINDOWS\nthy32.dll (file missing)
O2 - BHO: Class - {E2B4FCC5-E7C0-FD6E-9969-152F9F01DBD7} - C:\WINDOWS\mfczq.dll (file missing)
O4 - HKLM\..\Run: [ZAWYGHLI] c:\windows\system32\zawyghli.exe /install
O4 - HKLM\..\Run: [CSFEUJNV] c:\windows\system32\csfeujnv.exe /install
O4 - HKLM\..\Run: [FEJXOSVY] c:\windows\system32\fejxosvy.exe /install
O4 - HKLM\..\Run: [OTNFSHYM] c:\windows\system32\otnfshym.exe /install
O4 - HKLM\..\Run: [PWVQYMVG] c:\windows\system32\pwvqymvg.exe /install
O4 - HKLM\..\Run: [IMOGXUUR] c:\windows\system32\imogxuur.exe /install
O4 - HKLM\..\Run: [IMQLGKGC] c:\windows\system32\imqlgkgc.exe /install
O4 - HKLM\..\Run: [PGXLVBVG] c:\windows\system32\pgxlvbvg.exe /install
O4 - HKLM\..\Run: [KGTFMYHI] c:\windows\system32\kgtfmyhi.exe /install
O4 - HKLM\..\Run: [UHLFSABB] c:\windows\system32\uhlfsabb.exe /install
O4 - HKLM\..\Run: [ERSFOAVG] c:\windows\system32\ersfoavg.exe /install
O4 - HKLM\..\Run: [GANUGLVI] c:\windows\system32\ganuglvi.exe /install
O4 - HKLM\..\Run: [atlxa32.exe] C:\WINDOWS\atlxa32.exe
O4 - HKLM\..\Run: [sysvg.exe] C:\WINDOWS\system32\sysvg.exe
O4 - HKLM\..\RunOnce: [cryh32.exe] C:\WINDOWS\system32\cryh32.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...Bridge-c139.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\iesa.exe" /s (file missing)


* Close all open windows except hijackthis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\atlxa32.exe
C:\WINDOWS\system32\cryh32.exe
C:\WINDOWS\appxr32.dll
c:\windows\system32\zawyghli.exe
c:\windows\system32\csfeujnv.exe
c:\windows\system32\fejxosvy.exe
c:\windows\system32\otnfshym.exe
c:\windows\system32\pwvqymvg.exe
c:\windows\system32\imogxuur.exe
c:\windows\system32\imqlgkgc.exe
c:\windows\system32\pgxlvbvg.exe
c:\windows\system32\kgtfmyhi.exe
c:\windows\system32\uhlfsabb.exe
c:\windows\system32\ersfoavg.exe
c:\windows\system32\ganuglvi.exe
C:\WINDOWS\system32\sysvg.exe
C:\WINDOWS\iesa.exe

* Go to start >run and type: services.msc and click OK
Scroll down in that list until you find the service Network Security Service (NSS)
Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.

* Double-click on HSfix, which you downloaded earlier and placed on your desktop, and when it asks if you want to add the contents to the registry, click yes/ok.

* Still in safe mode, run CleanUp! It will ask you afterwards to log out. Please do this.
Then log in again, still in safe mode.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start>Control Panel>Internet Options>tab programs> and click restore websettings.

* Reboot your PC back to normal.

* Install an antivirus and firewall:

AVG, BitDefender OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease reliability!
ZoneAlarm, Kerio OR Sygate are FREE firewalls.

Understanding and using firewalls

* Update your antivirus and let it perform a full scan and let it delete everything it is finding.

* Reboot!

* Post a new hijackthis-log + log from ewido.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 popman99

popman99
  • Topic Starter

  • Members
  • 8 posts

Posted 04 October 2005 - 10:51 PM

Thank you miekiemoes!

Your step by step solution has been a big help to me. While this has taken the whole day to do, it really has been worth it! Not only have I moved closer to permanently fixing this spyware/virus problem, I have regained an appreciation for the importance of remaining diligent with computer security.

I just want to say thank you again for your help.

Below, as you requested, I have the hijackthis log and the ewido log.

I am working with Microsoft to get Service Pack 1 and 2. I was getting all of the other updates from them and then it just stopped, and clearly, I let it go too long.

Can you tell from the logs if the machine is now clean? If it is, have the knowledge that you have helped someone who appreciates it. If I still need to do something, please let me know. I think I am starting to get the hang of this.

Once again, thank you.


Logfile of HijackThis v1.99.1
Scan saved at 11:49:39 PM, on 10/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winuk32.exe
C:\WINDOWS\system32\addeb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BD77D9A-0FBD-7D9B-A984-E95897A73BF1} - C:\WINDOWS\system32\ntkn32.dll
O2 - BHO: Class - {8391BB4C-902C-341B-1536-94FBF69BF523} - C:\WINDOWS\addaz.dll
O4 - HKLM\..\Run: [addeb.exe] C:\WINDOWS\system32\addeb.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [winuk32.exe] C:\WINDOWS\system32\winuk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\cryh32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


---------------------------------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:36:45 PM, 10/4/2005
+ Report-Checksum: 2C410355

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{52B4CF45-26F1-4D6B-6CF6-3866CC4868F3} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{5F574346-A206-D78A-7149-4C709D5204A4} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B4CF45-26F1-4D6B-6CF6-3866CC4868F3} -> Spyware.CoolWebSearch : Cleaned without backup
C:\WINDOWS\hskrw.dll -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\KB873376.log:hzmzek -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\Rhododendron.bmp:ncyolt -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\smraj.dll -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\system32\hrlez.dll -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:maakwz -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:mabzor -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\_detmp.1:melxsv -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:mgvbgs -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:miqigq -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:mkpccf -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:muppkc -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\_detmp.1:nagmmy -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:ndyuzv -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:nfbwxk -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:nfqndd -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:njhmfi -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:nsdnji -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\_detmp.1:nuwkmg -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:nvjtdb -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:oagloe -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:oaslxv -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:ocdatg -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:ojtmso -> Trojan.Agent.bi : Cleaned without backup


::Report End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 October 2005 - 02:24 AM

Hello,

It's not clean yet... It seems like the service changed, so we have to give this another round.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start hijackthis and click scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dmkxf.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BD77D9A-0FBD-7D9B-A984-E95897A73BF1} - C:\WINDOWS\system32\ntkn32.dll
O2 - BHO: Class - {8391BB4C-902C-341B-1536-94FBF69BF523} - C:\WINDOWS\addaz.dll
O4 - HKLM\..\Run: [addeb.exe] C:\WINDOWS\system32\addeb.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\cryh32.exe" /s (file missing)


* Close all open windows except hijackthis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\system32\winuk32.exe
C:\WINDOWS\system32\addeb.exe
C:\WINDOWS\system32\ntkn32.dll
C:\WINDOWS\addaz.dll
C:\WINDOWS\system32\cryh32.exe


* Go to start >run and type: services.msc and click OK
Scroll down in that list until you find the service Workstation NetLogon Service
Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click apply and OK and close all open windows.

* Double-click on HSfix, which you downloaded earlier and placed on your desktop, and when it asks if you want to add the contents to the registry, click yes/ok.

* Still in safe mode, run CCleaner and click Run Cleaner (bottom right).

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start>Control Panel>Internet Options>tab programs> and click restore websettings.

* Reboot your PC back to normal.

* Post a new hijackthis-log + log from ewido.
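A triage pass over the logs in this thread, as an added example (not code from the posts, from HijackThis or from ewido): it flags the entry types miekiemoes checked in post #2 and, by keying the O23 services on their short name, shows the "service changed" observation from post #4, where the garbled short name `( 11F#`I)` stayed put while the display name and image path moved between scans. The sample lines are copied from the logs in posts #1 and #3; the regexes are assumptions about those patterns, not HijackThis's own rules.

```python
"""Triage HijackThis 1.99.1 log lines and compare the O23 services of two scans.
Added example for this thread, not code from the posts, HijackThis or ewido.
SCAN_1/SCAN_2 are constructed samples copying lines from posts #1 and #3;
the regexes encode only the patterns the helper checked (assumptions).
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# IE search settings redirected to sp.html inside a random-named system32 DLL.
RES_HIJACK_RE = re.compile(r"res://.*\\system32\\[a-z0-9]{4,8}\.dll/sp\.html", re.I)
# Eight random letters plus ".exe /install" in a Run key (post #1's O4 block).
RANDOM_RUN_RE = re.compile(r"\\[a-z]{8}\.exe /install$", re.I)
# O23 body layout: "Service: <display> (<short>) - <owner> - <image path>"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_service(body):
    """Return the fields of an O23 body as a dict, or None if it has no short name."""
    m = SERVICE_RE.match(body)
    return m.groupdict() if m else None


def triage_line(line):
    """Return a Finding if the line matches one of the thread's patterns, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and RES_HIJACK_RE.search(body):
        return Finding(sec, "IE search setting points at res:// in a random DLL", line)
    if sec == "R3" and "URLSearchHook is missing" in body:
        return Finding(sec, "default URLSearchHook removed", line)
    if sec == "O2" and body.startswith("BHO: Class -"):
        # Legitimate BHOs report a product name; a bare "Class" is what got checked here.
        return Finding(sec, "unnamed BHO", line)
    if sec == "O4" and RANDOM_RUN_RE.search(body):
        return Finding(sec, "random-named executable with /install in a Run key", line)
    if sec == "O23":
        svc = parse_service(body)
        if svc and (not re.fullmatch(r"\w+", svc["short"]) or "(file missing)" in svc["path"]):
            return Finding(sec, "service with garbled short name or missing image", line)
    return None


def triage_log(text):
    """Triage every line of a pasted HijackThis log, in order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def renamed_services(old_text, new_text):
    """Services whose short name survived between two scans while the display
    name or image path changed: what the helper meant by 'the service changed'."""
    def services(text):
        out = {}
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m and m.group("sec") == "O23":
                svc = parse_service(m.group("body"))
                if svc:
                    out[svc["short"]] = (svc["display"], svc["path"])
        return out
    old, new = services(old_text), services(new_text)
    return sorted((short, old[short][0], new[short][0])
                  for short in old.keys() & new.keys() if old[short] != new[short])


# Constructed samples: lines copied from the logs in posts #1 and #3 of this thread.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hrlez.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63DFBE3B-D797-50E4-BE10-0AD1C6D7B7AD} - C:\WINDOWS\appxr32.dll
O4 - HKLM\..\Run: [ZAWYGHLI] c:\windows\system32\zawyghli.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\iesa.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""
SCAN_2 = r"""
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\cryh32.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for f in triage_log(SCAN_1):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    for short, before, after in renamed_services(SCAN_1, SCAN_2):
        print(f"service {short!r} renamed: {before!r} -> {after!r}")
```

Running a fresh log through `triage_log` before each round, and `renamed_services` against the previous round's log, gives the same checklist the helper built by hand and surfaces the renamed service regardless of its new display name.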

#5 popman99

popman99
  • Topic Starter

  • Members
  • 8 posts

Posted 05 October 2005 - 11:43 AM

Day three.

Hello again,

I am still infected. I just went to post this hijackthis log and ewido log and got a popup "Only the Best" ad.

I must have a difficult virus to remove. I hope it can be fixed.

I followed your instructions to the letter. The scans and the steps went much faster this time around.

The only difference/question I have was in your instruction for services.msc
The name of the service you said to disable was "Workstation NetLogon Service".
On my Windows XP program the service I disabled was called "NetLogon Service".

Is this where the problem lies?

Or when I run CleanUp, do I do a Full System Clean? I have left the Favorites on my machine. Could the virus be hiding in there?

Should we turn off System Restore?

As you requested, please look at the Hijackthis log and ewido log below.

What are the new instructions?

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 12:41:37 PM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\msid32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\ieja32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {263DC7E4-C933-07B2-1669-CC7321210F19} - C:\WINDOWS\system32\sdkcx.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [msid32.exe] C:\WINDOWS\msid32.exe
O4 - HKLM\..\RunOnce: [ieja32.exe] C:\WINDOWS\ieja32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winuk32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------------------------------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:11:00 PM, 10/5/2005
+ Report-Checksum: 176D10F

+ Scan result:

C:\WINDOWS\_detmp.1:okefry -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\_detmp.1:omdpcs -> Spyware.SearchPage : Cleaned without backup
C:\WINDOWS\_detmp.1:onqcax -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:ookmsv -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:oxewxl -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_detmp.1:oxunut -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_detmp.1:oyehlj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_detmp.1:oypyee -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_detmp.1:pbalup -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_detmp.1:pbcmnj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_detmp.1:pfbagz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_detmp.1:phbsa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_detmp.1:pjfnrd -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

#6 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 05 October 2005 - 12:01 PM

Hi,


On my WindowsXP program the service I disabled was called "NetLogon Service".


You were supposed to disable 'Windows Netlogon Service' and nothing else. So please undo that change! That's why it is important you follow exactly what I am asking.

It seems like the bad service has changed again. So as long as the service is still enabled, we can't fix this.
I'll let you search afterwards for all the services this hijacker is using.

So, let's perform this again.

Boot again in Safe mode!!! (I really hope you perform this in safe mode -- you'll see safe mode in the corners when in safe mode -- otherwise this won't work)

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kvydq.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {263DC7E4-C933-07B2-1669-CC7321210F19} - C:\WINDOWS\system32\sdkcx.dll
O4 - HKLM\..\Run: [msid32.exe] C:\WINDOWS\msid32.exe
O4 - HKLM\..\RunOnce: [ieja32.exe] C:\WINDOWS\ieja32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winuk32.exe" /s (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\msid32.exe
C:\WINDOWS\ieja32.exe
C:\WINDOWS\system32\sdkcx.dll
C:\WINDOWS\system32\winuk32.exe

* Go to Start > Run and type: services.msc and click OK
Scroll down in that list until you find the service Remote Procedure Call (RPC) Helper
(please make sure you choose the one with Helper in it, because there are also legit services called Remote Procedure Call (RPC) Locator and Remote Procedure Call (RPC), without the word Helper in it. Those are good ones, so please don't select them.)
Double-click the Remote Procedure Call (RPC) Helper. In the window that appears, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

If you can't find that Remote Procedure Call (RPC) Helper,

Search for the following in the list:
(click Stop and set Startup type to Disabled)

Network Security Service (NSS) or
Workstation NetLogon Service


I also can't stress enough that it has to have exactly the same name as above!!
Because there are legit services that look almost the same.

Reboot back to normal mode and post a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 popman99, Topic Starter (Members, 8 posts)

Posted 05 October 2005 - 01:42 PM

Hello,

I followed your instructions again. So far no popup ad.

Are we clean?

Here is the new hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:38:24 PM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Class - {38B1F6CB-D979-4ED0-D754-0FE61CA0FD1A} - C:\WINDOWS\system32\mfckh32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 popman99, Topic Starter (Members, 8 posts)

Posted 05 October 2005 - 01:46 PM

I forgot to mention that I cannot check to see if I have any new email in my Outlook Express.

I get the following error message:

The server responded with an error. Account: 'mail.295.ca', Server: 'mail.295.ca', Protocol: POP3, Server Response: '-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

Did I accidentally make this error occur while I was getting rid of the virus?

#9 popman99, Topic Starter (Members, 8 posts)

Posted 05 October 2005 - 01:52 PM

He's BACK!!

While I was on the internet, my Internet Explorer web page was shut down. I then did another HijackThis scan and log and found the same virus as before.

Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:37 PM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\netle.exe
C:\WINDOWS\system32\winmn32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {38B1F6CB-D979-4ED0-D754-0FE61CA0FD1A} - C:\WINDOWS\system32\mfckh32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [winmn32.exe] C:\WINDOWS\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [netle.exe] C:\WINDOWS\netle.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winuk32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 05 October 2005 - 02:03 PM

Okay, please download firefox:
http://www.mozilla.org/products/firefox/

Use this browser instead and don't use Internet Explorer anymore as long as you are still infected, because there was still an O2 entry present in your previous log that caused the reinfection.

Boot again in safe mode and check and fix the following entries in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {38B1F6CB-D979-4ED0-D754-0FE61CA0FD1A} - C:\WINDOWS\system32\mfckh32.dll
O4 - HKLM\..\Run: [winmn32.exe] C:\WINDOWS\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [netle.exe] C:\WINDOWS\netle.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winuk32.exe" /s (file missing)

Perform that step with services.msc again:

* Go to Start > Run and type: services.msc and click OK
Scroll down in that list until you find the service Remote Procedure Call (RPC) Helper
(please make sure you choose the one with Helper in it, because there are also legit services called Remote Procedure Call (RPC) Locator and Remote Procedure Call (RPC), without the word Helper in it. Those are good ones, so please don't select them.)
Double-click the Remote Procedure Call (RPC) Helper. In the window that appears, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.

If you can't find that Remote Procedure Call (RPC) Helper,

Search for the following in the list:
(click Stop and set Startup type to Disabled)

Network Security Service (NSS) or
Workstation NetLogon Service


I also can't stress enough that it has to have exactly the same name as above!!
Because there are legit services that look almost the same.


Delete next files:

C:\WINDOWS\netle.exe
C:\WINDOWS\system32\winmn32.exe
C:\WINDOWS\system32\mfckh32.dll

Still in safe mode, scan with ewido again. Also perform a full scan with AVG (in safe mode).

Reboot back to normal mode and post a new HijackThis log (using Firefox as browser, not Internet Explorer!).

Your mail error is probably because you fixed this entry in hijackthis before without me asking you this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233

Please don't, because this is from your ISP. Good that it sets it back automatically after reboot.

Edited by miekiemoes, 05 October 2005 - 02:04 PM.

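The indicators the helper walks through in #6 and #10 (the res:// search-page entries, the unnamed "Class" BHO that reinfects through Internet Explorer, Run/RunOnce values named after bare executables, the service that imitates the legitimate "Remote Procedure Call (RPC)" name, and the O17 entry that belongs to the ISP and must not be fixed) can be pulled out of a HijackThis log mechanically. The script below is an added example, not the helper's or HijackThis' own code: the sample log is constructed from entries quoted in this thread plus one made-up legitimate RPC service line, and the severity labels and the ctfmon.exe allowlist are assumptions.

```python
"""Triage a HijackThis 1.99.1 log for the CoolWebSearch-style indicators in this thread."""
import re

# Legitimate service names the bad service imitates (named in the helper's post).
LEGIT_RPC_NAMES = {"Remote Procedure Call (RPC)", "Remote Procedure Call (RPC) Locator"}
# Assumed allowlist: a Windows Run value named after its own file, not to be flagged below.
KNOWN_WINDOWS_RUN = {"ctfmon.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]*)\) - (?P<owner>.+?) - (?P<path>.*)$")
O23_NOSHORT_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Constructed sample: entries quoted in this thread plus one made-up legitimate RPC line
# (HijackThis normally hides Microsoft services) to show the exact-display-name check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\irjuw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {38B1F6CB-D979-4ED0-D754-0FE61CA0FD1A} - C:\WINDOWS\system32\mfckh32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winmn32.exe] C:\WINDOWS\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [netle.exe] C:\WINDOWS\netle.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winuk32.exe" /s (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k rpcss
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def check_line(line):
    """Return (severity, reason) when a log line matches one of the thread's indicators."""
    sec = line.split(" - ", 1)[0]
    if sec in ("R0", "R1") and "=" in line:
        value = line.split("=", 1)[1].strip()
        if value.startswith("res://") and "/sp.html" in value:
            return ("fix", "IE search/start setting redirected into a local res:// DLL page")
    if sec == "R3" and "URLSearchHook is missing" in line:
        return ("fix", "default URLSearchHook removed by the hijacker")
    if sec == "O2":
        m = O2_RE.match(line)
        if m and m.group("name") == "Class":
            return ("fix", f"unnamed BHO (reinfection vector via IE): {m.group('path')}")
    if sec == "O4":
        m = O4_RE.match(line)
        if m:
            # Last path component of the command, quotes removed, arguments dropped.
            parts = m.group("cmd").replace('"', "").split("\\")[-1].split()
            exe = parts[0].lower() if parts else ""
            if exe == m.group("name").lower() and exe not in KNOWN_WINDOWS_RUN:
                return ("fix", f"{m.group('key')} value named after a bare executable: {exe}")
    if sec == "O17" and "NameServer" in line:
        return ("verify", "DNS servers set; confirm they belong to the ISP before fixing")
    if sec == "O23":
        m = O23_RE.match(line) or O23_NOSHORT_RE.match(line)
        if m:
            display, owner, path = m.group("display"), m.group("owner"), m.group("path")
            if display.startswith("Remote Procedure Call (RPC)") and display not in LEGIT_RPC_NAMES:
                return ("fix", f"service imitates an RPC service name: {display!r} -> {path}")
            if owner == "Unknown owner" and "(file missing)" in path:
                return ("fix", f"unknown-owner service with missing binary: {display!r}")
    return None


def analyze(log_text):
    """Return [(severity, reason, line)] for every line that matches an indicator."""
    findings = []
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        hit = check_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in analyze(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

The constructed "Remote Procedure Call (RPC) (RpcSs)" line passes untouched while the "… (RPC) Helper" line is flagged, which is the exact-name distinction the helper insists on.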

#11 popman99, Topic Starter (Members, 8 posts)

Posted 05 October 2005 - 09:13 PM

Hello again,

Well here we are. I just finished. I'm using Firefox right now and no popups so far.

Here is the HijackThis log and ewido log.

By the way, my Outlook Express is still not working. Any thoughts? Should I call my ISP?

Are we clean? My fingers are crossed this time!

Best regards.


Logfile of HijackThis v1.99.1
Scan saved at 10:03:04 PM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HiJack This\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-----------------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:35:18 PM, 10/5/2005
+ Report-Checksum: 8F849A64

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Schein\Application Data\Mozilla\Firefox\Profiles\0kth1zc3.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Schein\Cookies\schein@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\irjuw.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_detmp.1:pmgpqc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_detmp.1:qdtvpl -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_detmp.1:qgyzvv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_detmp.1:qmdpvy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_detmp.1:qmrlvn -> Trojan.Agent.bi : Cleaned with backup


::Report End

#12 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 05 October 2005 - 11:58 PM

Hi,

I see a clean log, but I wonder where this one is in your log:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F0AA517A-F3FE-4FBE-AE13-72A84FD0571A}: NameServer = 66.38.192.231 66.38.192.233

This is from your ISP I suppose:

GT Group Telecom Services Corp.
1066 West Hastings Street, Suite 1500
Vancouver, BC
CA

Why did you fix it in hijackthis?

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
(These instructions are basically for home users.)

* Download: Hoster
Unzip Hoster to its own folder.
Start Hoster.exe.
It could be possible that Hoster will tell you that your Hosts file doesn't exist and ask if you want to create one. Click Yes/OK.
If you don't get that prompt/question, click 'Restore Original Hosts' and click OK.

It could be possible that this hijacker deleted some files, so check if the following are still present:

Control.exe: is in your C:\WINDOWS\system32. Download here when missing.

Shell.dll: C:\WINDOWS\SYSTEM32. Download here when missing.

SDHelper.dll:
If you are using Spybot Search & Destroy, this hijacker can also delete SDHelper.dll.
Download SDHelper.dll.
Place the file in the Spybot Search & Destroy folder. Most probably, this is C:\Program Files\Spybot - Search & Destroy

This hijacker is also responsible for changing the ActiveX security settings to allow all.
To fix this, open Internet Explorer > Internet Options > Security > Internet.
Press Default Level > OK.
Press Custom Level.
In the ActiveX part:
Set "Download signed and unsigned ActiveX controls" to Prompt.
Set "Initialize and script ActiveX controls not marked as safe" to Disable.

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.

#13 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 17 October 2005 - 04:06 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



