
Infected With Virus And/or Spyware


  • This topic is locked
8 replies to this topic

#1 hshaebr

hshaebr

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 28 March 2006 - 08:07 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:04:44 AM, on 03/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\winD2.tmp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\winC8.tmp.exe
C:\Documents and Settings\Owner_2\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp5F22.tmp
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: winkvs32 - C:\WINDOWS\SYSTEM32\winkvs32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
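As an added example (not part of this thread, and not HijackThis's own logic), here is a small Python triage script that reads a HijackThis log like the one above and lists the lines a helper would look at first: processes running out of a temp directory, files with .tmp-style names, a BHO loaded from a .tmp file, and any Winlogon Notify (O20) hook. The sample input is an excerpt of the first log in this thread; the flagging rules are the script's own assumptions, not a verdict on any particular file.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the first HijackThis log posted in this thread, used here as
# sample input. Only the sections this script reads are included.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:04:44 AM, on 03/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\TEMP\winD2.tmp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\winC8.tmp.exe
C:\Documents and Settings\Owner_2\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp5F22.tmp
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: winkvs32 - C:\WINDOWS\SYSTEM32\winkvs32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Executables that run out of a temp directory rarely belong there.
TEMP_DIR = re.compile(r"\\(?:windows\\temp|local settings\\temp)\\", re.I)
# A module or executable whose name ends in .tmp (or .tmp.exe) was usually
# dropped by an installer that never cleaned up, or by malware.
TMP_NAME = re.compile(r"\.tmp(?:\.exe)?$", re.I)
# Prefix of a HijackThis entry line, e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - ")


@dataclass
class Finding:
    item: str                      # the log line that was flagged
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Split a HijackThis log into its process list and its entry lines."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False        # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return the process and entry lines a reviewer should look at first."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        reasons = []
        if TEMP_DIR.search(proc):
            reasons.append("executable running from a temp directory")
        if TMP_NAME.search(proc):
            reasons.append("executable with a .tmp-style name")
        if reasons:
            findings.append(Finding(proc, reasons))
    for entry in entries:
        code = ENTRY.match(entry).group(1)
        target = entry.rsplit(" - ", 1)[-1]   # last field is the file path
        reasons = []
        if code == "O2" and TMP_NAME.search(target):
            reasons.append("browser helper object loaded from a .tmp file")
        if code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at every logon;
            # a home XP box normally has none beyond Microsoft's own.
            reasons.append("Winlogon Notify hook registered")
            if "(file missing)" in entry:
                reasons.append("registered DLL no longer on disk")
        if TEMP_DIR.search(target):
            reasons.append("entry points into a temp directory")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.item)
        for r in f.reasons:
            print("   -", r)
```

Run against the excerpt it flags the two winXX.tmp.exe processes in C:\WINDOWS\TEMP, the hp5F22.tmp BHO, and the winkvs32 Winlogon Notify entry, and leaves Firefox, the AVG/iPod services and HijackThis itself alone. The rules are deliberately narrow; a real helper still reads every line.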

#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:32 AM

Posted 28 March 2006 - 12:23 PM

Hello and welcome. :thumbsup:

You have a couple of infections there, and no anti-virus software, it seems.

==

1) I can see you have placed HijackThis on your desktop. A bit of a warning now: there will be a folder for HJT backups created later automatically when/if we use it, so don't delete it.

2) Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

3) Post back with a fresh HijackThis log so we can get started on the actual cleaning process. :flowers:
Hi there, stranger!

#3 hshaebr

hshaebr
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 29 March 2006 - 07:59 AM

Done.

Logfile of HijackThis v1.99.1
Scan saved at 6:57:35 AM, on 03/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Owner_2\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpAF02.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: winkvs32 - winkvs32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:32 AM

Posted 29 March 2006 - 10:54 AM

Ok, let's continue. :thumbsup:

Btw, if you have unchecked any boxes from MSCONFIG for any bad things or anything like that, I need you to recheck them, so we'll be able to delete all baddies.

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Run a scan with HijackThis and check the following objects for removal if present:

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpAF02.tmp
O20 - Winlogon Notify: winkvs32 - winkvs32.dll (file missing)


If you have ANY other windows open, close them. Hit FIX CHECKED and close HijackThis.

==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, navigate to and delete the following file (if present):

C:\WINDOWS\system32\nvctrl.exe

Empty your recycle bin.

==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log. :flowers:
Hi there, stranger!

#5 hshaebr

hshaebr
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 02 April 2006 - 12:36 PM

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:04:02 PM, 04/01/2006
+ Report-Checksum: 20D4C564

+ Scan result:

HKU\S-1-5-21-2855979608-1642445823-3390024518-1006\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
HKU\S-1-5-21-2855979608-1642445823-3390024518-1006_Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Adware.SpywareQuake : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner_2\Application Data\Mozilla\Firefox\Profiles\90ikua8o.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner_2\Application Data\Mіcrosoft.NET\wіnlogon.exe -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\Owner_2\Local Settings\Temp\isinst.exe -> Downloader.IstBar.ox : Cleaned with backup
C:\WINDOWS\system32\hp4C51.tmp -> Downloader.Zlob.jp : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 12:34:01 PM, on 04/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner_2\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
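The PurityScan entry in the Ewido report above names a winlogon.exe under Application Data, and the path as rendered on the page appears to use a Cyrillic look-alike in place of the Latin "i". Both points are worth checking automatically when reading scan reports: a core Windows binary name outside a system directory, and non-ASCII characters in a path. The following Python script is an added example, not part of the thread or of Ewido; its sample input is constructed in the report's layout, and its confusables table, system-binary list and expected directories are small hand-picked assumptions.

```python
import unicodedata
from dataclasses import dataclass

# Constructed excerpt in the layout of the Ewido report above. The winlogon
# path is written with U+0456 (CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I)
# in place of the Latin 'i', mirroring how that entry appears in the post.
SAMPLE_REPORT = (
    "C:\\Documents and Settings\\Owner_2\\Application Data\\M\u0456crosoft.NET\\w\u0456nlogon.exe"
    " -> Adware.PurityScan : Cleaned with backup\n"
    ":mozilla.8:C:\\Documents and Settings\\Owner_2\\Application Data\\Mozilla\\Firefox"
    "\\Profiles\\90ikua8o.default\\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup\n"
    "C:\\WINDOWS\\system32\\hp4C51.tmp -> Downloader.Zlob.jp : Cleaned with backup\n"
)

# Names of Windows core binaries seen in the HijackThis process lists above.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Directories those binaries are expected to live in (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Hand-picked Cyrillic letters that render like Latin ones. This is a small
# illustrative table, not the full Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0443": "y", "\u0445": "x",
}


@dataclass
class ReportEntry:
    target: str
    detection: str
    action: str
    reasons: list


def skeleton(name):
    """Fold look-alike letters to ASCII so masqueraded names can be compared."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def masquerade_reasons(path):
    """Explain why a path from a scan report deserves a closer look."""
    reasons = []
    odd = [ch for ch in path if ord(ch) > 0x7F]
    if odd:
        names = ", ".join(f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}" for ch in odd)
        reasons.append("non-ASCII characters in path: " + names)
    directory, _, filename = path.rpartition("\\")
    if skeleton(filename) in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
        reasons.append(f"file named like system binary {skeleton(filename)} "
                       "outside a system directory")
    return reasons


def parse_ewido_report(text):
    """Parse '<target> -> <detection> : <action>' lines from an Ewido report."""
    entries = []
    for line in text.splitlines():
        if " -> " not in line or " : " not in line:
            continue
        target, _, rest = line.partition(" -> ")
        detection, _, action = rest.partition(" : ")
        # Cookie hits carry a ':mozilla.N:' prefix before the file path.
        if target.startswith(":mozilla."):
            target = target.split(":", 2)[2]
        entries.append(ReportEntry(target, detection.strip(), action.strip(),
                                   masquerade_reasons(target)))
    return entries


if __name__ == "__main__":
    for e in parse_ewido_report(SAMPLE_REPORT):
        flag = "!!" if e.reasons else "  "
        print(flag, e.detection, "-", e.target)
        for r in e.reasons:
            print("      ", r)
```

The fold step matters: a plain byte comparison never matches "wіnlogon.exe" against "winlogon.exe", so a masquerade check that skips it would only ever catch the lazy cases. The cookie and .tmp lines parse cleanly but produce no reasons, and a genuine C:\WINDOWS\system32\winlogon.exe produces none either.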

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:32 AM

Posted 03 April 2006 - 06:57 AM

How is the computer running at the moment? Can you please tell me any specific issues? :thumbsup:
Hi there, stranger!

#7 hshaebr

hshaebr
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:32 PM

Posted 03 April 2006 - 06:25 PM

Pretty good now. Maybe a little slow when I'm running a lot of programs, but that might just be ewido.

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:32 AM

Posted 04 April 2006 - 12:40 AM

You can go ahead and uninstall Ewido. :thumbsup:

Glad I was able to help.

==

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)
Hi there, stranger!
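The hosts-file tip above works because Windows consults HOSTS before DNS, so a name mapped to 127.0.0.1 never leaves the machine. The same mechanism is also what hosts-file hijacks abuse, mapping a vendor's update site to an outside address, so it is useful to be able to tell the two kinds of entry apart. The script below is an added example (not from the thread or the MVPS project) that parses a hosts file, lists the names that are sink-holed to loopback or 0.0.0.0, and separately reports any name redirected to a real address; the sample file is constructed with example domains and a documentation-range IP.

```python
import ipaddress

# Constructed hosts file: a stock localhost line, three sink-hole entries in
# the style of the MVPS list, and one entry of the kind a hosts hijack leaves
# behind (a vendor's update host pointed at an outside address).
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org   # constructed
0.0.0.0    banner.example.com
198.51.100.7  update.antivirus-vendor.example   # constructed hijack entry
"""

# Addresses that make a hostname go nowhere rather than somewhere else.
SINKHOLE = {ipaddress.ip_address("127.0.0.1"),
            ipaddress.ip_address("0.0.0.0"),
            ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line; leave it for manual review
        for host in parts[1:]:
            yield addr, host.lower()


def classify_hosts(text):
    """Split hosts entries into sink-holed names and redirects elsewhere."""
    blocked, redirected = [], []
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue               # the one loopback entry every box has
        if addr in SINKHOLE:
            blocked.append(host)
        else:
            redirected.append((host, str(addr)))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sink-holed")
    for host, addr in redirected:
        print(f"REVIEW: {host} is redirected to {addr}")
```

A large blocked list is what the MVPS file is supposed to produce; anything in the redirected list is worth explaining, since a hosts file has no legitimate reason to point a public name at an address you did not choose.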

#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:32 AM

Posted 04 April 2006 - 12:34 PM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!



