
Help in Tennessee


  • This topic is locked
2 replies to this topic

#1 delberthall

delberthall

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:14 AM

Posted 01 November 2004 - 08:28 PM

I am at my wits end. My daughter's computer is infested by a trojan and I have tried everything to kill it. Here is my Hijackthis log. Please help.

-DH


Logfile of HijackThis v1.98.2
Scan saved at 7:36:51 PM, on 11/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\temp\C09.exe
C:\documents and settings\default\local settings\temp\us4.exe
C:\documents and settings\default\local settings\temp\zLeymlvbm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Microsoft Home Publishing\Mhprmind.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\MSWorks\Calendar\Wkcalrem.exe
C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spykiller.com/index.asp?Ref=3251
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Default\Local Settings\Temp\Gelwx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [37BW44G54#94KD] C:\WINDOWS\System32\Jel387h.exe
O4 - HKLM\..\Run: [C09.exe] C:\windows\temp\C09.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [us4.exe] C:\documents and settings\default\local settings\temp\us4.exe
O4 - HKLM\..\Run: [zLeymlvbm.exe] C:\documents and settings\default\local settings\temp\zLeymlvbm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [dssenh690n.exe] "C:\WINDOWS\System32\dssenh690n.exe"
O4 - HKCU\..\Run: [es642t.exe] "C:\WINDOWS\System32\es642t.exe"
O4 - HKCU\..\Run: [iedkcs32552m.exe] "C:\WINDOWS\System32\iedkcs32552m.exe"
O4 - HKCU\..\Run: [ipxrip315s.exe] "C:\WINDOWS\System32\ipxrip315s.exe"
O4 - HKCU\..\Run: [IS3Http891f.exe] "C:\WINDOWS\System32\IS3Http891f.exe"
O4 - HKCU\..\Run: [mqad434b.exe] "C:\WINDOWS\System32\mqad434b.exe"
O4 - HKCU\..\Run: [ole32500k.exe] "C:\WINDOWS\System32\ole32500k.exe"
O4 - HKCU\..\Run: [wshisn992f.exe] "C:\WINDOWS\System32\wshisn992f.exe"
O4 - HKCU\..\Run: [wzcsapi1039i.exe] "C:\WINDOWS\System32\wzcsapi1039i.exe"
O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {0194C46F-636C-41DD-A79E-28BCED0C0A75} - (no file) (HKCU)
O9 - Extra button: (no name) - {0A64C684-C5C3-4855-8646-65E319B7BF8D} - (no file) (HKCU)
O9 - Extra button: (no name) - {0DD7921C-48B7-49C3-8F0B-8F596E335433} - (no file) (HKCU)
O9 - Extra button: (no name) - {1527ED51-7285-42BE-8D91-A8A0996521F1} - (no file) (HKCU)
O9 - Extra button: (no name) - {16DDD7FB-C3A5-4101-BD17-F39C8D963601} - (no file) (HKCU)
O9 - Extra button: (no name) - {1A085C22-1CAE-407A-8B8A-8E5D109AC8ED} - (no file) (HKCU)
O9 - Extra button: (no name) - {1FE354D2-634D-4D10-937C-303549234EDB} - (no file) (HKCU)
O9 - Extra button: (no name) - {21F24F60-8062-4377-B3EA-32C9F3945DF6} - (no file) (HKCU)
O9 - Extra button: (no name) - {2F2AAE8F-0744-4010-9307-D5C49605F41A} - (no file) (HKCU)
O9 - Extra button: (no name) - {3352C2F1-51C5-4024-BF1B-6A4BDC3399F2} - (no file) (HKCU)
O9 - Extra button: (no name) - {37BD63BB-EFD8-4454-B249-8E7A203C2692} - (no file) (HKCU)
O9 - Extra button: (no name) - {491EC5EF-D7E8-4B81-8683-D5A25701B56B} - (no file) (HKCU)
O9 - Extra button: (no name) - {4ECD1010-3C91-4BFE-A0B0-5870F4963E63} - (no file) (HKCU)
O9 - Extra button: (no name) - {50217EC4-962C-4D21-82F1-66D236172C2F} - (no file) (HKCU)
O9 - Extra button: (no name) - {55A68D09-3F1B-4A01-B5A1-9D1136044688} - (no file) (HKCU)
O9 - Extra button: (no name) - {5BE436F6-5B25-4B90-A212-7312DDCA2F7A} - (no file) (HKCU)
O9 - Extra button: (no name) - {5D53012C-FFB9-4F87-9288-C21C77D0F93D} - (no file) (HKCU)
O9 - Extra button: (no name) - {5E7E918B-61CE-49CB-A7A7-46F83F9A5AA7} - (no file) (HKCU)
O9 - Extra button: (no name) - {630B1E9D-2F3C-40EF-B97F-8F6B83641C1B} - (no file) (HKCU)
O9 - Extra button: (no name) - {67041BE7-49A4-40EE-9DEC-06F597DC0E8D} - (no file) (HKCU)
O9 - Extra button: (no name) - {6C44176B-9B6D-4E9A-9B86-B9413FF38071} - (no file) (HKCU)
O9 - Extra button: (no name) - {7795A196-97BB-49F4-A4DB-32747EDFD2D7} - (no file) (HKCU)
O9 - Extra button: (no name) - {809D6B1D-B226-4F7B-86C3-BAA9570A011B} - (no file) (HKCU)
O9 - Extra button: (no name) - {8EE417F0-6DA9-4880-B197-AB8C51EB3FA0} - (no file) (HKCU)
O9 - Extra button: (no name) - {95E43AE4-2697-46D6-A283-ED6C6A626B5C} - (no file) (HKCU)
O9 - Extra button: (no name) - {A1CCD52A-C585-40E4-9413-E7D1659EF7E8} - (no file) (HKCU)
O9 - Extra button: (no name) - {AD235260-EF4D-4A5A-8776-2AEE50E0C60C} - (no file) (HKCU)
O9 - Extra button: Dell Home - {AEF52560-AC7C-11D3-A7BE-008850C10000} - http://www.dell.com/ (file missing) (HKCU)
O9 - Extra button: (no name) - {C0E82CF3-9858-40D7-B371-B5F5CC29B0F6} - (no file) (HKCU)
O9 - Extra button: (no name) - {C7185A8D-31F6-4925-A44A-3CDE54347163} - (no file) (HKCU)
O9 - Extra button: (no name) - {C769BFBB-417F-4C00-877F-FA4F6ED7A69D} - (no file) (HKCU)
O9 - Extra button: (no name) - {C7DC7040-BA0F-4E0F-BA73-4AD518597B8B} - (no file) (HKCU)
O9 - Extra button: (no name) - {D5FF5192-5228-4B08-AF48-8FCC5F5F779C} - (no file) (HKCU)
O9 - Extra button: (no name) - {E1428B4E-8DBD-4197-B052-FA6F9868E8C0} - (no file) (HKCU)
O9 - Extra button: (no name) - {E3D4AE11-D60D-44B3-B222-75F53A418347} - (no file) (HKCU)
O9 - Extra button: (no name) - {EA0A6462-F173-43A8-BC9E-B0DB9E19FB51} - (no file) (HKCU)
O9 - Extra button: (no name) - {F7F5F7BE-7A3E-4DDB-85DD-9ED7C633A927} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\rmoc3260276f.dll
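The log above is a HijackThis text dump, and the entries the helpers act on (autoruns launched from temp folders, padded system-like file names, an unknown Winsock LSP, an AppInit_DLLs entry, a hosts-file redirect, orphaned IE buttons) can be picked out mechanically. The following triage script is an added example, not part of the thread or of HijackThis itself; its heuristics and the sample lines (copied from the log posted above) are assumptions for illustration.

```python
import re

# Constructed sample: a few lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spykiller.com/index.asp?Ref=3251
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Default\Local Settings\Temp\Gelwx.dll
O4 - HKLM\..\Run: [C09.exe] C:\windows\temp\C09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ole32500k.exe] "C:\WINDOWS\System32\ole32500k.exe"
O9 - Extra button: (no name) - {0194C46F-636C-41DD-A79E-28BCED0C0A75} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\rmoc3260276f.dll
"""

# Any path component named "temp" (covers C:\windows\temp and ...\Local Settings\Temp).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Heuristic (assumption): a letters-digits-letter stem such as ole32500k.exe or Jel387h.exe,
# i.e. a Windows system file name with a random numeric suffix appended.
PADDED_NAME = re.compile(r"^[a-z]+[0-9]+[a-z]\.exe$", re.IGNORECASE)
ENTRY = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")

def triage(log_text):
    """Return (section, reason, line) tuples for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":
            findings.append((section, "hosts-file redirect", line))
        elif section == "O10":
            findings.append((section, "unknown Winsock LSP", line))
        elif section == "O20":
            findings.append((section, "AppInit_DLLs injection", line))
        elif section == "O9" and "(no file)" in body:
            findings.append((section, "orphaned IE button", line))
        elif section == "O2" and TEMP_DIR.search(body):
            findings.append((section, "BHO loaded from temp directory", line))
        elif section == "O4":
            path = body.split("] ", 1)[-1].strip('"')          # text after the [name] tag
            name = path.rsplit("\\", 1)[-1].split()[0].strip('"')  # file name without arguments
            if TEMP_DIR.search(path):
                findings.append((section, "autorun from temp directory", line))
            elif PADDED_NAME.match(name):
                findings.append((section, "autorun with padded system-like name", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:40} {line}")
```

The heuristics only rank entries for a human reviewer; legitimate entries such as the AVG autorun in the sample are deliberately left unflagged.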


#2 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  • Local time:01:14 AM

Posted 01 November 2004 - 09:29 PM

Hi, delberthall.

We have several issues we need to address here. Because you are very much behind on your Windows updates, the first thing I want you to do is run Windows Update. http://windowsupdate.microsoft.com/

Install all the security patches for your system. You may need to run it several times, with reboots in between to get all the updates for your system.

Next, I need you to download several programs to clean your machine.

Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

After downloading and installing Ad-Aware, please update the program first. Just open Ad-Aware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. Close the program.

Download and run this Peper trojan uninstaller, making sure you're online while running it!: http://downloads.subratam.org/PeperFix.exe

Next download this uninstaller and run it. http://downloads.subratam.org/Newuninst.exe

Download the following tool and install it in its own folder:
http://tools.zerosrealm.com/VX2Finder.exe

You may want to print out the remainder of these instructions because you need to sign off and stay off the internet until this entire procedure is complete.

Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all files but one that will be deleted on reboot
Allow program to reboot

Once Restarted:
a. Press 'Guardian.reg'
b. Press 'User Agent'
c. Press 'Restore Policy'


Open Adaware again. Go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make this green also:

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

After the scan is complete, click the "Next" button. Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed). A quick way is to Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

Close Ad-Aware, and reboot into safe mode by tapping F8 frequently during bootup. Run Newuninst.exe and Ad-Aware again to fully remove the remnants.

Reboot normally and run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review

Also, scan again with HiJackThis and post a new log in this thread please.

Edited by ColdinCbus, 01 November 2004 - 09:34 PM.


#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:14 AM

Posted 02 November 2004 - 05:29 PM

This post is a duplicate and is being closed. delberthall, please stick to one thread from now on and follow ddeerrff's instructions only to avoid any more confusion. We need to know what you have done when you make your next reply, and any future cleanup steps will be forthcoming.

Your active thread is here:
http://www.bleepingcomputer.com/forums/ind...t=0&#entry29003

The thing about people is they change when they walk away. --Mipso
