Cool Web Infection, Please Help


  • This topic is locked
15 replies to this topic

#1 bspinnaker

Posted 23 January 2006 - 10:48 PM

Hello,

My laptop (i Series ThinkPad) was clean of malicious software until I clicked recently on a Web link I thought was perfectly safe. It ended up giving me various malware, including Cool Web. Spybot and Ad-Aware got rid of the other things, but Cool Web keeps coming back. CWS Shredder tells me it gets rid of this particular variant (Ixy?), but my computer continues to spawn IEXPLORER.EXE processes, and my laptop grinds to a halt. In fact, it becomes unusable so quickly after bootup that I cannot run several of the steps you recommend in the preparation for running HiJackThis.

I have run Spybot and Ad-Aware (both now find nothing). I have run CWS Shredder, which finds one variant only, but it keeps coming back.

As for the other steps, I have not been able to download HouseCall, Panda, Bit Defender, or Stinger. When I tried installing a firewall (Zone Alarm free version), Zone Labs couldn't start the installation, claiming a file was missing. One of the malware pieces I'd removed was something to do with a firewall, so I fear it may have prevented from installing Zone Alarm.

So I hope you can help me with my HiJackThis log. I ran it while in Safe Mode.

Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:26 PM, on 1/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20041\winlogon.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O20 - Winlogon Notify: ssldr - C:\windows\SYSTEM32\ssldr32.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe


#2 SifuMike (malware expert, Staff Emeritus)

Posted 24 January 2006 - 07:35 PM

Hello bspinnaker,

Your IE badly needs updating. The version (6.00.2800.1106) is out of date and the newest Version is: 6.00.2900.2180!

Go to Microsoft's Windows Update site and do all Critical Updates.

**********************************

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!".  Click OK.  We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Boot to the Safe Mode
    Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

**********************************

The last log you posted was in the Safe Mode, and I cannot see the running processes unless you run it in the Normal Mode.


Reboot to the Normal Mode, post the Ewido log and a fresh HijackThis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bspinnaker (Topic Starter)

Posted 25 January 2006 - 09:24 AM

Thanks very much for your help. I ran Ewido in Safe Mode as you said, then rebooted and ran HiJackThis. I did not remove all the programs that Ewido found (53!); I left about 17 of them, because I wasn't sure what they were. Upon reboot, Windows complained that it couldn't find a couple of the files that the registry had directed it to run, but the computer seems almost back to normal. Still, I suspect there are things still lurking. I have not yet updated Internet Explorer. Here are the logs:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:58:38 AM, 1/25/2006
+ Report-Checksum: BB6155E7

+ Scan result:

[188] C:\windows\system32\ssldr32.dll -> Proxy.Agent.hs : Ignored
C:\WINDOWS\SYSTEM32\kernels64.exe -> Downloader.Tibs.aw : Ignored
C:\WINDOWS\SYSTEM32\ssldr32.dll -> Proxy.Agent.hs : Ignored
C:\WINDOWS\SYSTEM32\ieschedule.exe -> Downloader.VB.sy : Ignored
C:\WINDOWS\SYSTEM32\win32.dll -> Logger.Delf.mq : Ignored
C:\WINDOWS\SYSTEM32\sys32.exe -> Logger.Delf.mq : Ignored
C:\WINDOWS\datasys\bin2.exe -> Downloader.PassAlert.n : Ignored
C:\WINDOWS\datasys\bin.exe -> Downloader.Tibs.aw : Ignored
C:\WINDOWS\inet20041\mm4.exe.bak -> Proxy.Delf.an : Ignored
C:\WINDOWS\inet20041\mm4.exe -> Proxy.Delf.an : Ignored
C:\WINDOWS\sysbinar\bin.exe -> Dropper.Agent.adk : Ignored
C:\WINDOWS\sysbinar\bin2.exe -> Downloader.PassAlert.d : Ignored
C:\WINDOWS\sysbinar\bin3.exe -> Downloader.Tibs.aw : Ignored
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\ijpobhgp.exe/bin2.exe -> Downloader.PassAlert.n : Ignored
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\ijpobhgp.exe/bin.exe -> Downloader.Tibs.aw : Ignored
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\srv1.exe/bin.exe -> Dropper.Agent.adk : Ignored
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\srv6.exe -> Downloader.Small.arj : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
C:\FOUND.000\FILE0000.CHK -> Trojan.VB.ahw : Cleaned with backup
C:\FOUND.000\FILE0003.CHK -> Trojan.VB.ahw : Cleaned with backup
C:\WINDOWS\SYSTEM32\w16.dll -> Trojan.HideProc.d : Cleaned with backup
C:\WINDOWS\datasys\bin3.exe -> Downloader.CWS.j : Cleaned with backup
C:\WINDOWS\inet20021\services.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20041\services.exe -> Downloader.CWS.j : Cleaned with backup
C:\WINDOWS\inet20041\winlogon.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20041\3.00.13.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\inet20041\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\inet20041\alg.exe -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\kl.exe -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\sysbinar\bin4.exe -> Downloader.CWS.j : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.av : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\ijpobhgp.exe/bin3.exe -> Downloader.CWS.j : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\doabjebl.exe -> Downloader.CWS.r : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\jjbkbakg.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\srv3.exe -> Downloader.CWS.r : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\srv4.exe -> Not-A-Virus.Hoax.Renos.ac : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\temp.fr8178 -> Spyware.Ihbo : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Cookies\laura macbeth@track-star.txt -> Spyware.Cookie.Track-star : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Cookies\laura macbeth@ads_enliven.txt -> Spyware.Cookie.Enliven : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Cookies\laura macbeth@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Cookies\laura macbeth@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Laura Macbeth\Application Data\Mozilla\Users50\default\5gmrh7l8.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.av : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 9:08:24 AM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\ewido\ewido anti-malware\ewidoctrl.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\LSASS.EXE
D:\lotus\wordpro\ltsstart.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
F3 - REG:win.ini: run=C:\WINDOWS\inet20041\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O20 - Winlogon Notify: ssldr - C:\windows\SYSTEM32\ssldr32.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido\ewido anti-malware\ewidoctrl.exe

#4 SifuMike (malware expert, Staff Emeritus)

Posted 25 January 2006 - 01:41 PM

Hello bspinnaker,

I did not remove all the programs that Ewido found (53!); I left about 17 of them, because I wasn't sure what they were.


Boot to the Safe Mode, then run Ewido again and remove all 17 items, as they are all bad.

Upon reboot, Windows complained that it couldn't find a couple of the files that the registry had directed it to run, but the computer seems almost back to normal.


That is normal.

I have not yet updated Internet Explorer


We are just wasting our time deleting malware off your computer unless you update Internet Explorer.
IE has many holes in it and malware will sneak into your computer in minutes unless you update it.

After you have updated Internet Explorer, post the Ewido log and a fresh Hijackthis log.

Edited by SifuMike, 25 January 2006 - 01:42 PM.

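The logs posted in this thread can be triaged mechanically before a helper reads them line by line. What follows is an added example, not code from the thread, from HijackThis or from ewido: a Python script that parses a HijackThis log and flags the structural signs the entries above show, namely core system-binary names outside %SystemRoot%\system32 (inet20041\winlogon.exe), a Run entry that is a bare filename (polo.exe), a Run entry in the drive root (C:\winstall.exe), a win.ini run= line, Winlogon Notify DLLs, and a single-instance process such as lsass.exe listed twice, plus the IE build in the header compared with the XP SP2 build SifuMike cites. The sample log is constructed from lines in this thread; the lists of system32-only and single-instance binaries, the severity levels and the reason strings are my own assumptions, not anything HijackThis itself reports.

```python
import re
from collections import Counter

# Constructed sample: a shortened HijackThis log assembled from entries
# that appear in the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\lsass.exe
C:\windows\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\LSASS.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
F3 - REG:win.ini: run=C:\WINDOWS\inet20041\winlogon.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O20 - Winlogon Notify: ssldr - C:\windows\SYSTEM32\ssldr32.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
"""

# Assumed lists (mine, not from the thread): core binaries that on XP live
# only in %SystemRoot%\system32, and those that run as exactly one process.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "alg.exe", "spoolsv.exe"}
SINGLE_INSTANCE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def _split_path(path):
    """Return (directory, filename), both lower-cased, for a Windows path."""
    p = path.strip().strip('"').lower()
    d, _, name = p.rpartition("\\")
    return d, name


def is_masquerade(path):
    """True if a core system-binary name sits outside the directory it belongs in."""
    d, name = _split_path(path)
    if name in SYSTEM32_ONLY:
        return not d.endswith("\\system32")
    if name == "explorer.exe":
        return re.fullmatch(r"[a-z]:\\(windows|winnt)", d) is None
    return False


def _o4_target(line):
    """Extract the launched path from a Run-key or Startup-folder O4 line."""
    m = (re.match(r"O4 - .*?: \[[^\]]*\] (.+)$", line)
         or re.match(r"O4 - .*?\.lnk = (.+)$", line))
    return m.group(1).strip() if m else None


def triage(log_text):
    """Scan a HijackThis log and return (severity, line, reason) findings."""
    findings, processes, section = [], [], None
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        m = re.match(r"MSIE: .*\(\d+\.\d+\.(\d+)\.\d+\)", line)
        if m:
            if int(m.group(1)) < 2900:   # XP SP2 shipped IE 6.00.2900.2180
                findings.append(("high", line, "IE build predates XP SP2; patch before cleaning"))
            continue
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if re.match(r"[A-Z]\d+ - ", line):
            section = "entries"
        if section == "procs":
            processes.append(line)
            if is_masquerade(line):
                findings.append(("high", line, "system binary name outside its expected directory"))
            continue
        if section != "entries":
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "F3":
            target = line.split("run=", 1)[-1]
            reason = "win.ini run= autostart, legacy and rarely used legitimately"
            if is_masquerade(target):
                reason += "; target masquerades as a system binary"
            findings.append(("high", line, reason))
        elif tag == "O4":
            target = _o4_target(line)
            if target is None:
                continue
            d, _ = _split_path(target)
            if "\\" not in target:
                findings.append(("medium", line, "bare filename, resolved by PATH search at logon"))
            elif is_masquerade(target):
                findings.append(("high", line, "system binary name outside its expected directory"))
            elif re.fullmatch(r"[a-z]:", d):
                findings.append(("medium", line, "autostart binary in the drive root"))
            elif d.endswith("\\system32"):
                findings.append(("low", line, "third-party autostart placed straight in System32; verify publisher"))
        elif tag == "O20":
            findings.append(("medium", line, "DLL loaded into winlogon.exe at logon; confirm it is known-good"))
        elif tag == "O2" and "(no file)" in line:
            findings.append(("low", line, "orphaned BHO registration"))
    # A second process named like a single-instance system binary is worth a look.
    for name, n in Counter(_split_path(p)[1] for p in processes).items():
        if name in SINGLE_INSTANCE and n > 1:
            findings.append(("high", name, f"{n} processes named {name}; Windows runs exactly one"))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {line}\n         {why}")
```

The script only finds structural anomalies. The entry it rates low, msoff.exe in System32, is exactly the kind SifuMike later lists for removal, and nothing short of a hash or publisher check on the file separates it from a legitimate launcher in the same directory.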

#5 bspinnaker (Topic Starter)

Posted 25 January 2006 - 10:33 PM

Hi there. I ran Ewido again and removed the remainder of the infections. When I booted back up to normal mode, the computer seemed slow again. So slow, in fact, that it's not able to download the Microsoft updates. I've tried several times, and each time it tells me it has failed to download the updates. The computer is very low on disk space, so maybe that's the problem. I will try again to update Windows.

But here are both logs again:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:02 PM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\ewido\ewido anti-malware\ewidoctrl.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\Explorer.EXE
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\NILaunch.exe
C:\windows\System32\LSASS.EXE
D:\lotus\wordpro\ltsstart.exe
C:\Palm\HOTSYNC.EXE
C:\windows\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
F3 - REG:win.ini: run=C:\WINDOWS\inet20041\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138241566930
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido\ewido anti-malware\ewidoctrl.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:06:15 PM, 1/25/2006
+ Report-Checksum: DE2EC796

+ Scan result:

[188] C:\windows\system32\ssldr32.dll -> Proxy.Agent.hs : Cleaned with backup
C:\WINDOWS\SYSTEM32\kernels64.exe -> Downloader.Tibs.aw : Cleaned with backup
C:\WINDOWS\SYSTEM32\ssldr32.dll -> Proxy.Agent.hs : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieschedule.exe -> Downloader.VB.sy : Cleaned with backup
C:\WINDOWS\SYSTEM32\win32.dll -> Logger.Delf.mq : Cleaned with backup
C:\WINDOWS\SYSTEM32\sys32.exe -> Logger.Delf.mq : Cleaned with backup
C:\WINDOWS\datasys\bin2.exe -> Downloader.PassAlert.n : Cleaned with backup
C:\WINDOWS\datasys\bin.exe -> Downloader.Tibs.aw : Cleaned with backup
C:\WINDOWS\inet20041\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20041\mm4.exe -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\sysbinar\bin.exe -> Dropper.Agent.adk : Cleaned with backup
C:\WINDOWS\sysbinar\bin2.exe -> Downloader.PassAlert.d : Cleaned with backup
C:\WINDOWS\sysbinar\bin3.exe -> Downloader.Tibs.aw : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\srv1.exe/bin.exe -> Dropper.Agent.adk : Cleaned with backup
C:\Documents and Settings\Laura Macbeth\Local Settings\Temp\srv6.exe -> Downloader.Small.arj : Cleaned with backup


::Report End

#6 bspinnaker (Topic Starter)

Posted 25 January 2006 - 10:52 PM

I did finally manage to download three Windows updates. Here's the new HJT log after doing this:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:24 PM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\ewido\ewido anti-malware\ewidoctrl.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\Explorer.EXE
C:\windows\System32\wuauclt.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\LSASS.EXE
D:\lotus\wordpro\ltsstart.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
F3 - REG:win.ini: run=C:\WINDOWS\inet20041\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138241566930
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido\ewido anti-malware\ewidoctrl.exe

#7 SifuMike (malware expert, Staff Emeritus)

Posted 25 January 2006 - 11:06 PM

I did finally manage to download three Windows updates. Here's the new HJT log after doing this:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:24 PM, on 1/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


The header in the log is not showing the updates. :thumbsup:

Did you reboot after you did the updates? IE should be Version 6.00.2900.2180!

#8 SifuMike (malware expert, Staff Emeritus)

Posted 25 January 2006 - 11:44 PM

Hello bspinnaker,

Are you using an anti-virus scanner on this computer? I do not see any in your log.

Only an anti-virus scanner can protect you against new viruses.
I recommend you download the free AVG antivirus
or AntiVir

*******************************************


You still have some trojans on your computer. Let's get rid of them. :thumbsup:


CCleaner Tutorial

Download CCleaner and install it. (default location is best).
Do not run it yet.

Killbox tutorial: http://forum.malwareremoval.com/viewtopic.php?t=320

Download KillBox to the desktop, that can be found here: http://www.downloads.subratam.org/KillBox.exe
Do not run it yet.

*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F3 - REG:win.ini: run=C:\WINDOWS\inet20041\winlogon.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)


*******************************************



Run Killbox program, in the field labeled "Full Path of File to Delete" enter (or copy and paste)

C:\WINDOWS\inet20041\winlogon.exe

Select "Delete on Reboot" and click on the Red X (delete file). When it asks if you would like to Reboot now, press the No button.


Repeat with these:

C:\windows\System32\msoff.exe
C:\windows\System32\polo.exe


For the last file, in the field labeled "Full Path of File to Delete" enter

C:\winstall.exe

Select "Delete on Reboot" and click on the Red X (delete file). When it asks if you would like to Reboot now, this time press the Yes button.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

*******************************************

Run this pc through the
Trend Micro Housecall Online virus scanner

Post the log.

*******************************************

Let's empty the temp files:

Run CCleaner

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
o Clean all entries in the "Internet Explorer" section except Cookies.
o Clean all the entries in the "Windows Explorer" section.
o Clean all entries in the "System" section.
o Clean all entries in the "Advanced" section.
o Clean any others that you choose.
In the Applications Tab:
o Clean all except cookies in the Firefox/Mozilla section if you use it.
o Clean all in the Opera section if you use it.
o Clean Sun Java in the Internet Section.
o Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Finally, reboot to the Normal Mode, post a new Hijackthis log, the HouseCall TrendMicro log, and tell me how your computer is running.
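Killbox's "Delete on Reboot" and the "PendingFileRenameOperations" message mentioned above both refer to the same mechanism: a registry value that Windows works through at the next boot. The Python below is an added example, not code from this thread or from Killbox, that decodes that value's REG_MULTI_SZ layout and pairs the entries into operations. It runs on a constructed blob mirroring the four deletes queued in the steps above plus one made-up replace operation; the two file names in that last pair are placeholders, and the `\??\` prefix handling and the `!` replace marker are the documented layout of the value.

```python
r"""Decode the PendingFileRenameOperations value (added example, constructed data).

Windows performs deferred moves and deletes at the next boot from
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
which is how Killbox's "Delete on Reboot" works. The value is a REG_MULTI_SZ:
NUL-terminated UTF-16LE strings closed by one extra NUL, read in pairs
(source, destination). An empty destination means "delete source"; a destination
starting with '!' means "replace the existing file". Anything with admin rights
can queue work here, so it is worth reading during incident response.
"""
from dataclasses import dataclass
from typing import List

NT_PREFIX = "\\??\\"     # the value stores Win32 paths in NT object-namespace form


@dataclass(frozen=True)
class PendingOp:
    action: str          # "delete", "rename" or "replace"
    source: str
    destination: str     # "" for deletes


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob; empty strings are kept, as this value requires."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob back into its strings, preserving empty entries."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                 # drop the list terminator
    parts = text.split("\0")
    return parts[:-1] if parts[-1] == "" else parts   # drop the last string's terminator


def _win32_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def pair_operations(strings: List[str]) -> List[PendingOp]:
    """Interpret the value's strings as (source, destination) pairs."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must contain (source, destination) pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _win32_path(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _win32_path(src), _win32_path(dst[1:])))
        else:
            ops.append(PendingOp("rename", _win32_path(src), _win32_path(dst)))
    return ops


def parse_pending_ops(blob: bytes) -> List[PendingOp]:
    """Decode a raw REG_MULTI_SZ blob and pair it into operations."""
    return pair_operations(decode_multi_sz(blob))


def pending_deletes(blob: bytes) -> List[str]:
    """Just the files scheduled for deletion at the next boot."""
    return [op.source for op in parse_pending_ops(blob) if op.action == "delete"]


# Constructed sample: the four Killbox deletes from this thread plus one made-up
# replace operation (placeholder file names) for contrast.
SAMPLE_BLOB = encode_multi_sz([
    r"\??\C:\WINDOWS\inet20041\winlogon.exe", "",
    r"\??\C:\windows\System32\msoff.exe", "",
    r"\??\C:\windows\System32\polo.exe", "",
    r"\??\C:\winstall.exe", "",
    r"\??\C:\WINDOWS\update.tmp", r"!\??\C:\WINDOWS\System32\example.dll",
])

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE_BLOB):
        print(f"{op.action:8} {op.source}" + (f" -> {op.destination}" if op.destination else ""))
```

On a live Windows system `winreg.QueryValueEx` already returns a REG_MULTI_SZ as a list of strings, so only `pair_operations` is needed there; the byte-level decoder is for raw values pulled from an exported or offline hive. If the value holds entries you did not queue, the boot that follows will carry them out, which is the moment to look at what is being deleted or replaced.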

#9 bspinnaker

bspinnaker
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:12:50 AM

Posted 26 January 2006 - 10:02 PM

Ok, I completed all the steps, except for running Housecall. Unfortunately, the laptop is very slow on the web. Every time I go to a new web page, the hard drive grinds away for a number of seconds before displaying the new page (this is new behavior). I don't know if this is related to a very low disk space available on the C drive (about 70 MB) or a pending hard drive failure, or spyware. But this problem has also been affecting the downloading of Windows updates, too, it seems---some download OK, others fail.

In any case, I tried several times to run Housecall, but it did nothing when I asked it to scan.

Here's the latest HJT log:




Logfile of HijackThis v1.99.1
Scan saved at 9:53:50 PM, on 1/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
D:\ewido\ewido anti-malware\ewidoctrl.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
D:\lotus\wordpro\ltsstart.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138241566930
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O23 - Service: ewido security suite control - ewido networks - D:\ewido\ewido anti-malware\ewidoctrl.exe

#10 SifuMike

Posted 27 January 2006 - 12:32 AM

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. You will be infected in minutes without one.

I recommend you download the free AVG antivirus
or AntiVir

Ok, I completed all the steps, except for running Housecall


Sometimes Housecall has problems, so run this PC through the
Panda Scan Online virus scanner
or
BitDefender Free Online Virus Scan

Post the log.

Until you update your Internet Explorer you will be wide open to malware. It should be Version 6.00.2900.2180!


I don't know if this is related to a very low disk space available on the C drive (about 70 MB) or a pending hard drive failure, or spyware. But this problem has also been affecting the downloading of Windows updates, too, it seems---some download OK, others fail.


It's not malware, unless the virus scanners find something. Your log is almost clean.


In normal mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

Then run CCleaner, post the virus scanner log, and a fresh Hijackthis log.

*****************************

If you have never done a disk defragmentation, or it has been a few months since the last time you did one, this step is one of the most important things that will give you more performance. As you use your computer, your drives become fragmented, by creating and deleting files. Just because a file is 10 MB in size, doesn’t mean that it is sitting there on the drive (all 10 MB) all in one spot on the drive. It fills in from the inside of the drive, outward, as the drive finds room. So your one file can be in pieces, in several spots on the hard drive. Don’t worry, your file allocation table keeps track of where the pieces are, however, it takes longer to access a file that is in pieces (fragmented), than a file that IS all in one spot on the hard drive. This is where defragmenting comes in. When you defragment your hard drive, this process copies all of the pieces to temporary spots on the hard drive, and then fills in all of the files (in their entirety) from the inside, out, so that no files are split into pieces. This dramatically speeds up the seek time, as well as speeds up the use of your files and programs.

NOTE: to efficiently defragment a hard drive, it likes to have 25% free space. It can still do the defragmentation with only 15% free space, but it takes quite a bit longer. If you can, delete any unnecessary files before defragmenting your drives.

To defragment your hard drives (in any Windows operating system), double-click on My Computer. Right-click on the c-drive and click on Properties. Click on the Tools tab and choose the bottom button, to Defragment Now… Click on the appropriate drive, and then on Defragment. This can take some time. Depending on your processing power, the amount of RAM you have available, the size and speed of your drive, and a few other things, this process can take 20 minutes, or hours. It is best to let this one run over night, as well, but it is well worth it.
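SifuMike picks the lines to fix in posts #8 and #10 from experience with what the entries normally look like. The Python below is an added example, not HijackThis's own code or SifuMike's method: a defender's first triage pass over the same kinds of lines, run on sample lines copied from the logs in this thread together with a few unremarkable ones for contrast. The heuristics are mine (a core Windows binary name outside System32, an executable at the drive root, a populated win.ini run= hook, an unqualified file name, and orphaned "(file missing)" entries), and the System32 location is assumed from the C:\windows paths in the logs. Note what it does not catch: msoff.exe sits in System32 under a plausible name and trips nothing, so knowing what belongs in that directory, not a pattern, is what drove that fix.

```python
"""Defender triage of HijackThis autostart lines (added example; my heuristics,
not HijackThis's logic). SAMPLE_LINES are copied from the logs in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed from the C:\windows paths in the logs: where core binaries may legitimately live.
WINDOWS_DIR = r"c:\windows"
SYSTEM32_DIR = r"c:\windows\system32"
CORE_SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                        "smss.exe", "csrss.exe", "spoolsv.exe", "explorer.exe"}
DRIVE_ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)   # e.g. C:\winstall.exe
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".scr", ".pif")

SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm",
    r"F3 - REG:win.ini: run=C:\WINDOWS\inet20041\winlogon.exe",
    r"O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msoff.exe",
    r"O4 - HKLM\..\Run: [polo.exe] polo.exe",
    r"O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe",
    r"O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)",
    r"O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)",
    r"O4 - HKLM\..\Run: [AVG7_CC] D:\AVG\avgcc.exe /STARTUP",
    r"O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe",
]


@dataclass
class Finding:
    line: str
    severity: str   # "high" = act on it, "review" = look closer, "info" = cleanup only
    reason: str


def _program_from_command(cmd: str) -> str:
    """Split a Run-key command line into program and arguments; keep the program."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def extract_target(line: str) -> Optional[str]:
    """Return the file (or URL) an HJT line points at, for the line types used here."""
    kind, _, rest = line.partition(" - ")
    rest = rest.replace(" (file missing)", "")
    if kind == "O4":
        if "] " in rest:                        # HKLM/HKCU Run: [display name] command
            return _program_from_command(rest.split("] ", 1)[1].strip())
        if " = " in rest:                       # Startup folder: shortcut.lnk = target
            return _program_from_command(rest.split(" = ", 1)[1].strip())
        return None
    if kind == "F3":                            # win.ini: run=program
        return rest.split("run=", 1)[1].strip() if "run=" in rest else None
    if kind in ("O9", "O20"):                   # the last " - " field is the file or URL
        return rest.rsplit(" - ", 1)[-1].strip()
    if kind == "R0":                            # IE setting = value
        return rest.split(" = ", 1)[1].strip() if " = " in rest else None
    return None


def triage(line: str) -> List[Finding]:
    """Apply the heuristics to one line; several findings per line are possible."""
    kind = line.split(" - ", 1)[0]
    target = extract_target(line)
    if target is None:
        return []
    findings = []
    directory, _, name = target.rpartition("\\")   # directory is "" for a bare file name
    name = name.lower()
    if name in CORE_SYSTEM_BINARIES:
        expected = WINDOWS_DIR if name == "explorer.exe" else SYSTEM32_DIR
        if directory.lower() != expected:
            findings.append(Finding(line, "high", f"{name} outside {expected}: {target}"))
    if DRIVE_ROOT_FILE_RE.match(target) and name.endswith(EXECUTABLE_SUFFIXES):
        findings.append(Finding(line, "high", f"executable at the drive root: {target}"))
    if kind == "F3":
        findings.append(Finding(line, "high", "win.ini run= hook populated (normally empty on XP)"))
    if kind in ("O4", "O20") and not directory:
        findings.append(Finding(line, "review", f"unqualified file name '{target}' resolved via the search path"))
    if kind == "O20":
        findings.append(Finding(line, "review", "Winlogon Notify DLL is loaded by winlogon.exe at startup"))
    if "(file missing)" in line:
        findings.append(Finding(line, "info", "orphaned entry: referenced file no longer exists"))
    return findings


def triage_log(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in triage(line)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The "review" findings are deliberately not convictions: SysTray.Exe is a legitimate XP entry that also lacks a path, and it lands in the same bucket as polo.exe. The point of the pass is to order what a human reads first, not to replace the reading.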

#11 bspinnaker

Posted 27 January 2006 - 06:37 PM

Completed the new steps except for running either Panda or Bitdefender. The disk space issue is preventing either from loading (I believe). And is still preventing me from updating IE. However, I did manage to download AVG and ran a full scan. It found two Trojan Horses (!). Both files were deleted. Here's the log (as well as a new HJT log):

<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/01/27 16:08:11" user="Laura Macbeth" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\FOUND.000\FILE0002.CHK</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Startpage.ZZ</attr>
</rec>
<rec time="2006/01/27 16:08:12" user="Laura Macbeth" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\FOUND.000\FILE0005.CHK</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Startpage.ZZ</attr>
</rec>
<rec time="2006/01/27 16:51:57" user="Laura Macbeth" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">2</attr>
</rec>
<rec time="2006/01/27 16:51:58" user="Laura Macbeth" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\FOUND.000\FILE0002.CHK</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/01/27 16:51:58" user="Laura Macbeth" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\FOUND.000\FILE0005.CHK</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
</history>

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:39 PM, on 1/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
D:\AVG\avgamsvr.exe
D:\AVG\avgupsvc.exe
D:\AVG\avgemc.exe
D:\ewido\ewido anti-malware\ewidoctrl.exe
C:\windows\System32\snmp.exe
C:\windows\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
D:\AVG\avgcc.exe
D:\lotus\wordpro\ltsstart.exe
D:\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\AVG\avgcc.exe /STARTUP
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138241566930
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\AVG\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido\ewido anti-malware\ewidoctrl.exe

#12 SifuMike

Posted 27 January 2006 - 10:14 PM

Completed the new steps except for running either Panda or Bitdefender. The disk space issue is preventing either from loading (I believe). And is still preventing me from updating IE.


No, I do not think it has anything to do with disk space. Internet Explorer requires (for Windows XP) 32 MB of RAM minimum; full install size: 12 MB.
You said you have 70MB free so you have plenty of space.

Is your Windows a legal version?

Please download and run MS Antispyware http://www.microsoft.com/athome/security/s...re/default.mspx
Let me know if it finds anything.


Did you run the disk defragmentation? Running that will free up some space.

Please download, update and run the free A2 (A squared) anti-trojan

If malware is found, click the button "Remove Selected Malware".

Save the log file by clicking on "Save HTML-Report".

Let it delete whatever it finds.

Reboot and post a fresh Hijackthis log.

Edited by SifuMike, 27 January 2006 - 10:24 PM.


#13 bspinnaker

Posted 28 January 2006 - 10:05 PM

The Microsoft antispyware program found one Trojan, Krepper (or Kepper?). I deleted it.

A-squared found nothing.

IE still makes the hard drive grind away for several seconds before it displays a new web page. I'm down to only 30 MB of hard drive space on C:. It's only a two gig drive, and Windows XP takes up much of that. I can't figure out what else to delete, or move onto D:. Suggestions? I did run defrag, but it can't do much with only 3% of the drive available.

A question: When I run task manager, it shows four SVCHOST processes running (which seems unusual): two for SYSTEM, one for LOCAL SERVICE, and one for NETWORK SERVICE. Oddly, HJT shows only two of them running. Normal or a problem?

New HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:55:24 PM, on 1/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
D:\AVG\avgamsvr.exe
D:\AVG\avgupsvc.exe
D:\AVG\avgemc.exe
D:\ewido\ewido anti-malware\ewidoctrl.exe
C:\windows\System32\snmp.exe
C:\windows\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
D:\AVG\avgcc.exe
D:\microsoft antispyware\gcasDtServ.exe
C:\windows\System32\wuauclt.exe
D:\lotus\wordpro\ltsstart.exe
D:\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "D:\microsoft antispyware\gcasServ.exe"
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINDOWS\SYSTEM32\monitorbk.exe
O4 - Global Startup: Lotus QuickStart.lnk = D:\lotus\wordpro\ltsstart.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138241566930
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\AVG\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido\ewido anti-malware\ewidoctrl.exe

#14 SifuMike

Posted 28 January 2006 - 10:35 PM

It's only a two gig drive, and Windows XP takes up much of that. I can't figure out what else to delete, or move onto D:. Suggestions? I did run defrag, but it can't do much with only 3% of the drive available.


Best thing to do is to buy a new hard drive, as they are not expensive.



A question: When I run task manager, it shows four SVCHOST processes running (which seems unusual): two for SYSTEM, one for LOCAL SERVICE, and one for NETWORK SERVICE. Oddly, HJT shows only two of them running. Normal or a problem?


That is normal.

Your log looks clean. :thumbsup:


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.




Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again
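On the svchost question: several instances under SYSTEM, LOCAL SERVICE and NETWORK SERVICE are the normal shape of an XP system, so the count alone tells you little; what matters is where each instance runs from, which process started it and which account it runs as. The Python below is an added example, not from this thread, that encodes those three checks over constructed process records (the four instances described above plus one made-up anomaly with a placeholder path). The path, parent and account expectations are the ones I would apply; where the `tasklist` command is available, `tasklist /svc` is the stock way to see which services each instance hosts.

```python
r"""Sanity check for svchost.exe instances (added example over constructed records).

On Windows XP every legitimate svchost.exe is started by services.exe, runs from
%SystemRoot%\System32, and runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE.
Several instances are normal: each hosts a different group of services, so the
count is not the indicator; path, parent and account are.
"""
from dataclasses import dataclass
from typing import Dict, List

SYSTEM32 = r"c:\windows\system32"           # assumed from the C:\windows paths in the logs
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    path: str
    user: str
    parent_name: str


def check_svchost(proc: Process) -> List[str]:
    """Reasons this svchost.exe instance departs from the normal shape (empty = fine)."""
    if proc.name.lower() != "svchost.exe":
        return []                                # other processes are out of scope here
    reasons = []
    directory = proc.path.rpartition("\\")[0].lower()
    if directory != SYSTEM32:
        reasons.append(f"image at {proc.path} rather than {SYSTEM32}")
    if proc.parent_name.lower() != "services.exe":
        reasons.append(f"parent is {proc.parent_name}, not services.exe")
    if proc.user.upper() not in SERVICE_ACCOUNTS:
        reasons.append(f"runs as {proc.user}, not a service account")
    return reasons


def audit(processes: List[Process]) -> Dict[int, List[str]]:
    """pid -> anomalies, for the svchost.exe instances that fail any check."""
    flagged = {}
    for proc in processes:
        reasons = check_svchost(proc)
        if reasons:
            flagged[proc.pid] = reasons
    return flagged


def count_svchost(processes: List[Process]) -> int:
    return sum(1 for p in processes if p.name.lower() == "svchost.exe")


# Constructed records mirroring the four instances described above (two SYSTEM,
# one LOCAL SERVICE, one NETWORK SERVICE) plus a non-svchost process for contrast.
NORMAL_PROCESSES = [
    Process(592, "svchost.exe", r"C:\windows\System32\svchost.exe", "SYSTEM", "services.exe"),
    Process(656, "svchost.exe", r"C:\windows\system32\svchost.exe", "SYSTEM", "services.exe"),
    Process(700, "svchost.exe", r"C:\windows\System32\svchost.exe", "NETWORK SERVICE", "services.exe"),
    Process(744, "svchost.exe", r"C:\windows\System32\svchost.exe", "LOCAL SERVICE", "services.exe"),
    Process(1200, "explorer.exe", r"C:\windows\Explorer.EXE", "user1", "userinit.exe"),
]
# Constructed anomaly (placeholder path): same name, wrong directory, wrong parent, wrong account.
SUSPECT = Process(1888, "svchost.exe", r"C:\windows\temp\svchost.exe", "user1", "explorer.exe")

if __name__ == "__main__":
    sample = NORMAL_PROCESSES + [SUSPECT]
    print(f"{count_svchost(sample)} svchost.exe instances")
    for pid, reasons in audit(sample).items():
        print(f"pid {pid}:", "; ".join(reasons))
```

The case-insensitive path comparison matters here: the two System32 spellings in the HijackThis logs above are the same directory, which is also why the four Task Manager instances collapse to fewer distinct lines in the HJT process list.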

#15 bspinnaker

Posted 29 January 2006 - 10:37 AM

Thanks very much for all your help. I'll be making a donation to the site.



