Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Severely infected....Pls help


  • This topic is locked This topic is locked
15 replies to this topic

#1 mas_pers

mas_pers

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 10 October 2004 - 01:12 PM

My pc is severely infected with cws. Ur timely help is highly appreciated. Thx in advance. My HJT LOG is as follows
Logfile of HijackThis v1.98.2
Scan saved at 10:48:04 AM, on 10/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BEC2786F-D90B-4595-BAED-D9406C919DBF} - C:\WINDOWS\System32\enjjo.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINDOWS\syskey.dll
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\System32\jfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [zzzCamInSuiteIII] E:\SETUP.EXE 24***
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\sundar\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [HOTFOON2] C:\Program Files\hotfoon4.exe /h
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ntsysmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://child.ambalam.com/wfplayer/tdserver.cab
O18 - Filter: text/html - {85844932-7DC6-4F93-8000-9641F711893B} - C:\WINDOWS\System32\enjjo.dll
O18 - Filter: text/plain - {85844932-7DC6-4F93-8000-9641F711893B} - C:\WINDOWS\System32\enjjo.dll

BC AdBot (Login to Remove)

 


#2 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 10 October 2004 - 07:12 PM

Hi,

Have you run this log in Safe Mode? if so please run it again in Normal Mode to give me the full picture.

#3 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 10 October 2004 - 11:39 PM

yes , i run the HJT in safe mode as it is not running and closes immediately when run in normal mode. So there is no chance o f me running it in normal mode at all.

#4 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 10 October 2004 - 11:39 PM

yes , i run the HJT in safe mode as it is not running and closes immediately when run in normal mode. So there is no chance o f me running it in normal mode at all.

#5 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 10 October 2004 - 11:45 PM

Ok, we can live with that for the moment.

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#6 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 11 October 2004 - 12:15 PM

hi 12q,
i did as u said and am pasting the value found as below
C:\WINDOWS\System32\kbdcagg.dll.
Waiting for further instructions from u. thx again

#7 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 11 October 2004 - 12:24 PM

Thanks for that :thumbsup:

Next:

Step 1: Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows Create new folder on your hard drive called c:\regbackup.


Step 2: Run Registrar Lite again enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter. On the left side of the screen the Windows key should be selected and highlighted purple. With the Windows key highlighted click on the File menu, and the click on export and save them in the following formats: First save it with the name winkey.reg Make the save type regedit4 .reg type and then press the save button. Then click on file export again, and this time name it Winkey.hiv Change the type to regetd32/WinAPI *hiv *dat files and press the save button. When both files/backups are successfully saved, right-click on the highlighted Windows key and rename it to Windows 1.


Step 3: With Windows1 highlighted, look in the right section and double-click on AppInit and clear the data in the value field. That is the dll you saw previously and just posted. Rename Windows1 back to Windows and exit the program. Reboot your computer.


Step 4: When you are back at your desktop, navigate to the c:\regback folder. Double-click on the winkey.reg file. When it prompt if you would like to import/merge the data press the Yes button. Then run Registrar Lite again, go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key again as done above. While the Windows key is selected (highlighted purple/blue) in the left window, click on File and them Import. Browse to c:\regback and select the winkey.hiv file that we created earlier. When it asks if you would like to merge, say yes/ok.


Step 5: Then double-click on the appinit_dlls key again and clear the value again by double click on appinit_dlls and making sure there is nothing in the values field. Then delete the entire c:\regback folder.


Step 6: Now download and run CWShredder. You can download the program from the following locations: CWShredder Download Site After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer. A tutorial that goes over this process step by step can be found here: How to remove CoolWebSearch with CWShredder When that is completed, please download the latest version of Ad-Aware from the following location: Ad-aware Make sure you update the program before you scan with it. A tutorial on using ad-aware can be found below: AD-AWARE - Using Ad-aware to remove Spyware & Hijackers from Your Computer. When that is completed post a new hijackthis log

#8 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 12 October 2004 - 10:22 AM

Hi 12g,

I did as u said but on rebooting in normal mode i could not open any desktop icon (even though they were all visible). So i had to import files from C:regbackup in SAFE MODE only and after successful import deleted that folder and also made value zero in the appinit dlls. Now i have 2 problems-In normal mode, i am not able to enter into my system itself from desktop and second this cws problem. Kindly advise me as what to do.

My latest HJT is pasted below
Logfile of HijackThis v1.98.2
Scan saved at 10:03:23 PM, on 10/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\System32\jfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [zzzCamInSuiteIII] E:\SETUP.EXE 24***
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [tpcupdater] C:\WINDOWS\updatetc.exe
O4 - HKLM\..\Run: [Games toolbar] rundll32.exe "C:\PROGRA~1\GAMES\tbGame.dll" DllShowTB
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\sundar\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [HOTFOON2] C:\Program Files\hotfoon4.exe /h
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ntsysmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://child.ambalam.com/wfplayer/tdserver.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

#9 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 12 October 2004 - 11:03 AM

We are not yet out of the woods.

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SUNDAR~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\System32\jfi.dll

O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll

O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysmgr.exe

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\Run: [zzzCamInSuiteIII] E:\SETUP.EXE 24***

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winhost.exe

O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe

O4 - HKLM\..\Run: [tpcupdater] C:\WINDOWS\updatetc.exe

O4 - HKLM\..\Run: [Games toolbar] rundll32.exe "C:\PROGRA~1\GAMES\tbGame.dll" DllShowTB

O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysmgr.exe

O4 - HKCU\..\Run: [SpyKiller] C:\sundar\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [HOTFOON2] C:\Program Files\hotfoon4.exe /h

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <<These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

O4 - Global Startup: ntsysmgr.exe

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\WINDOWS\System32\jfi.dll
C:\Program Files\Games<<Folder
C:\PROGRA~1\GAMES<<Folder
E:\SETUP.EXE
C:\WINDOWS\winhost.exe
c:\windows\180ax.exe
C:\WINDOWS\updatetc.exe
C:\sundar\SpyKiller<<Folder
C:\Program Files\hotfoon4.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#10 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 12 October 2004 - 12:58 PM

Hi,
i did as u said and surprise surprise ...my system is doing well now in normal mode itself and cws also gone. I could delete only some of the files as i couldnt find the rest like E/setup.exe, update.exe. But one ad aware site is opening time and again on its own. I dont know why. Maybe something else is remaining. Pls guide and ty so much for ur help.My HJT LOG is as follows
Logfile of HijackThis v1.98.2
Scan saved at 8:53:55 PM, on 10/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\wnypkvyh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [wnypkvyh] C:\WINDOWS\wnypkvyh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://child.ambalam.com/wfplayer/tdserver.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

#11 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 12 October 2004 - 01:11 PM

Excellent, I see a huge improvement. Don't worry about the files you could not find, that is why I indicated that they may not show, they are taken care of during the fix.

Now, let's deal with this:

Go CTRL>SHIFT>ESC>"End Process" on

wnypkvyh.exe

Next:

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

O4 - HKLM\..\Run: [wnypkvyh] C:\WINDOWS\wnypkvyh.exe

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\WINDOWS\wnypkvyh.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#12 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 13 October 2004 - 08:51 AM

Hi,
i couldnt find the wnypkvyh.exe file on pressing ctrl+shift+esc key in the end processes. One ad-w-a-r-e site keeps opening continuously at regular intervals . Can u tell any solution for that. My latest HJT is as follows. Thx in advance for all the help uve given me..

Logfile of HijackThis v1.98.2
Scan saved at 4:50:20 PM, on 10/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://child.ambalam.com/wfplayer/tdserver.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

#13 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 13 October 2004 - 10:19 AM

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan

Restart your computer in
Safe Mode Also make sure you show hidden and system files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,

C:\WINDOWS\System32\twink64.exe
C:\freescan\freescan.exe

Reboot in Normal Mode, then post a fresh logfile so that I can check to see if it is clean.

#14 12g

12g

  • Members
  • 450 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:12:23 AM

Posted 15 October 2004 - 12:01 AM

In addition to the advice already given, you have a VX2 variant. Please do this:

Download Ad-Aware SE Here
After installing AAW, and before running the program, you NEED to FIRST check for updates.

Reconfigure Ad-Aware SE for a custom scan:

Launch the program, and click on the Gear at the top of the start screen.

Under "General Settings" all available options should be selected.

Click the "Scanning" button.
Under "Drives, Folders and Files," select "Scan within Archives".
Click "Drives and folders to scan" and select your installed hard drives.
Under "Memory & Registry," select all options.

Click the "Advanced" button.
Under "Logfile detail level," select all options.

Click the "Defaults" button.
If you want to keep your current settings for your homepage and searchpage,
select "Read current settings from system." Otherwise, Ad-aware will reset them.

Click the "Tweak" button.
Under "Scanning Engine," select the following:
"Unload recognized processes during scanning."
Under "Cleaning Engine," select the following:
"Always try to unload modules before deletion."
"During removal unload Explorer and IE if necessary."
"Let Windows remove files in use after reboot."
Click on "Proceed" to save these Preferences.

Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

Next:

Download the VX2 Cleaner:

Direct Download

The VX2 Cleaner works with all editions of Ad-Aware SE.

How to use Lavasoft’s VX2 Cleaner plug-in

Close Ad-Aware SE and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close”.

If your computer is infected

Select “Clean System”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

More information on VX2 can be found in the TAC database

When you've done all that, re-run Hijack This, and show me a fresh log.

#15 mas_pers

mas_pers
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 18 October 2004 - 01:28 PM

Hi 12 g,
I downloaded aaw se and after vx2 plug in , I scanned using custom scan and deleted all the virus. Now no virus is there as per aaw se scan. Also cws shredder scan shows no cws. My only problem now is that i am not able to open HJT in normal mode as it is closing immediately. So iam sending HJT LOG DONE IN SAFE MODE ...Any further advice is most appreciated. Thx in advance.

Logfile of HijackThis v1.98.2
Scan saved at 9:21:24 PM, on 10/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HOTFOON2] C:\Program Files\hotfoon4.exe /h
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ntsysmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://child.ambalam.com/wfplayer/tdserver.cab




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users