Please help newbie with virus


  • This topic is locked
4 replies to this topic

#1 Kamy

Posted 28 November 2004 - 06:53 PM

I'm about to throw my computer out the window but thought I might post here to see if anyone could help me out. I'm posting my hijack this log because I'm not sure exactly which one is a virus. If anyone can help me I would greatly appreciate it.

Logfile of HijackThis v1.98.2
Scan saved at 5:22:32 PM, on 11/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\DOCUME~1\KIM\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\FSKYUK~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O20 - AppInit_DLLs: O20 - AppInit_DLLs: oe3ssbeo17c9m6.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


Thanks!
Kamy


#2 phawgg


Posted 29 November 2004 - 09:15 PM

Hi, Kamy, or was that long legged blonde? I'll check your log, and reply with recommendations. It will likely be another 24 hours, because I have experts double check it before I commit to your fix. OK? This one is every bit as bad as your poem (says it is), but we have several tricks up our sleeve. :thumbsup:

Edited by phawgg, 29 November 2004 - 09:18 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#3 Kamy


Posted 30 November 2004 - 07:38 AM

Phawgg,
Thanks so much for your help. You give me hope that I don't have to throw my computer out the window. :flowers: Sleeting here this morning in Texas. Brrrrrr

Have a good one!

Kamy aka long legged blonde. :thumbsup:

#4 phawgg


Posted 30 November 2004 - 11:55 PM

There will be quite a few steps to get rid of this, Kamy. Take your time reading through it, and checkin' out the links. It's likely to do it, though.

Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad. Screenshots are included to help you.

Regarding the HijackThis: In your log, C:\DOCUME~1\KIM\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe
should look like this: C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE or C:\HJT\HIJACKTHIS.EXE. In either of these ways the program will save backups automatically to its permanent folder and we may need them. Also, you'll see that in the last steps of the fix procedure we will delete all temporary files, and that would include your HJT if it remains where it is now. Please make a new folder and either move the existing file to it, or simply download HijackThis once again, having a new folder ready to extract the .zip folder's file(s) into.

start-->My Computer-->C:\ local disk-->File-->Folder-->New-->name it HJT.
Download HijackThis 1.98.2 from here once again. Next, click or double click the .zip folder. Extract all files-->ExtractionWizard opens-->next-->browse-->My Computer-->(C:)-->HJT-->OK-->next-->finish.

Copy/Paste the contents of the CODE Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.
REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

You will need a couple of tools on your desktop. Unlike HJT, you may run them from the desktop. All are .zip files (examples of zip files after extraction to the desktop). Please use these links to download them; do not run any of them out of sequence, please.
  • Killbox Just save to desktop for now.
  • System Security Suite Go ahead and install this program, look it over, read about it, but don't run it quite yet.
You will also need to install Ad-Aware SE Personal 1.05 onto your PC, unless you already have this version. You should uninstall an older version before installing this. Run Ad-Aware and immediately check for updates. Exit after updating. We will run it again later.
More information can be found here: Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer

We've found the Grisoft AVG anti-virus program works with this infection. avg70free_ 289a392.exe. Download the 9.9MB program (that's about 40 minutes on dialup) to your desktop. Registration is free, installation is to your program files and it will also uninstall normally. Conflicts running it long-term with Norton, and possibly also with features of PestPatrol, may exist, so exit all other anti-virus programs if you have them installed. Run AVG, opening to the "control center" and updating it first. When finished updating, make all boxes blue (full install). Choose "test center" next. Click the top icon. Scan may take another 20 minutes or more. You will see test results, and as I do not have the infection, I can only suggest you follow the prompts given to deal with your results at this time. Exit the program.

Extract Killbox, open folder & choose extract to your desktop. "Finish". Open the folder and then double-click on Killbox.exe to start the program.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe

Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if the C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe
still there, by running Killbox once again.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\documents and settings\all users\start menu\programs\startup\winlogin.exe

Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if the C:\documents and settings\all users\start menu\programs\startup\winlogin.exe
still there, by running Killbox once again.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\system32\oe3ssbeo17c9m6.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


Then press the button that looks like a red circle with a white X in it.
When it asks, Reboot now, press the YES button.

Your computer will reboot.
Check if the C:\WINDOWS\system32\oe3ssbeo17c9m6.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
still there, by running Killbox once again.

Next Start-->Add or Remove Programs-->Uninstall (if found) any instances of Viewpoint or Wild Tangent. Reasons exist for removal, but if you need them, keep them. They could be installed again if you do remove them at this time, however. Simply do not delete them when they are mentioned below, if you decide to keep them.

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter. Stay in safemode, until told to reboot, please. Do not open Internet Explorer or reboot because the fix will fail and CW_NS3 will mutate. It will be more difficult to remove it.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.
Run Hijackthis: click Scan, and put a checkmark next to each of the following objects. (some may no longer appear, due to previous steps)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\FSKYUK~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
spyware information about these particular O16 activeX entries
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O20 - AppInit_DLLs: O20 - AppInit_DLLs: oe3ssbeo17c9m6.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe (I suspect this one. I found nothing on it when searching. If you are aware of a good reason for it being there, don't delete it. It may be something new that you know about)
When you've decided the files marked for deletion are correct, click the FIX button and exit HJT.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them).
Do not delete main folders like C:\WINDOWS or C:\Program Files.
Navigate to the folder locations or use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders".

Delete
C:\documents and settings\all users\start menu\programs\startup\winlogin.exe<--this file only. ( this is not winlogon.exe! )
C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe<--this file only
C:\WINDOWS\system32\FSKYUK~1.DLL<--this file only
C:\PROGRA~1\COMMON~1\tsa<--this folder & all files in it (if you didn't install it)
C:\Program Files\WildTangent<--this folder & all files in it
C:\Program Files\Viewpoint<--this folder & all files in it

Then run Ad-Aware: prepare for a system scan using "full scan" and not including the "negligible risk items". Run the scan to completion. The "Finish" button will change the screen to "scanning results". The scan summary tab is where to tick the boxes to delete what was found.

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Reboot your computer to go back to normal mode.

Run HijackThis again and post the new log as a reply to this post.

(Include comments regarding any problems you might have had, and let us know if it's working better.)
You may choose to move the utilities on your desktop to a permanent folder or simply delete them, perhaps when you're certain the PC is clean. You might consider continuing to use AVG, but only run one anti-virus program with resident protection at a time, please.

Thanks, phawgg

Edited by phawgg, 30 November 2004 - 11:56 PM.

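The triage phawgg did by eye on Kamy's log in post #1, and the removal list in post #4, can be expressed as a small script. The following Python is an added example for this page, not code from the thread, HijackThis, Killbox or BleepingComputer. It parses HijackThis 1.98-style entries and flags the patterns that appear above: R0/R1 pages pointing at a host outside an assumed allowlist, unnamed or orphaned BHOs and buttons, O4 autoruns of randomly named binaries, startup items whose name is one character away from a real Windows binary (winlogin.exe vs winlogon.exe), O16 ActiveX controls with no class name or no source URL, and any non-empty AppInit_DLLs value. TRUSTED_HOSTS, SYSTEM_NAMES and the random-name rule are assumptions for illustration; the sample lines are copied from the log above, with the AppInit_DLLs name shortened.

```python
"""Triage a HijackThis 1.98-style log for the entry types seen in this thread.
Added example for this page; the allowlists and the random-name heuristic are
assumptions, not HijackThis logic."""
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts a user might legitimately have as home/search page.
TRUSTED_HOSTS = {"www.emachines.com", "www.google.com", "www.msn.com", "www.yahoo.com"}
# Windows binaries that malware imitates with a one-character change (assumed list).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                "explorer.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|com|scr|bat|pif)\b', re.I)


def parse_entry(line):
    """Split 'O4 - HKLM\\..\\Run: [name] path' into section code and body."""
    m = ENTRY_RE.match(line.strip())
    return {"section": m.group("sec"), "body": m.group("body"), "raw": line.strip()} if m else None


def basename_from_body(body):
    """Executable (or the DLL handed to rundll32) named by an O4 entry, lower-cased."""
    target = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
    m = PATH_RE.search(target)
    tokens = target.strip().strip('"').split()
    first = m.group(0) if m else (tokens[0] if tokens else "")
    return first.rsplit("\\", 1)[-1].lower()


def looks_random(basename):
    """Heuristic for names like foebv2cnw6kxj7thd.exe: long, letters and digits
    interleaved. Names with digits only as a version suffix (cdaEngine0400) pass."""
    stem = basename.rsplit(".", 1)[0]
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return (len(stem) >= 10 and digits >= 2 and letters >= 6
            and re.search(r"\d[a-z]", stem, re.I) is not None)


def within_one_edit(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def triage(lines):
    """Return (section, reason, raw line) for every entry that deserves a second look."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if not e:
            continue
        sec, body, raw = e["section"], e["body"], e["raw"]
        if sec in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            if host and host.lower() not in TRUSTED_HOSTS:
                findings.append((sec, f"start/search page hijacked to {host}", raw))
        elif sec in ("R3", "O2", "O3", "O9") and any(
                t in body for t in ("(no name)", "(no file)", "(file missing)")):
            findings.append((sec, "unnamed or orphaned browser hook", raw))
        elif sec == "O4":
            bn = basename_from_body(body)
            if looks_random(bn):
                findings.append((sec, f"autorun of randomly named binary {bn}", raw))
            for s in SYSTEM_NAMES:
                if bn != s and within_one_edit(bn, s):
                    findings.append((sec, f"{bn} is a lookalike of {s}", raw))
        elif sec == "O16":
            head = body.split(" - ", 1)[0]
            if "(" not in head or not URL_RE.search(body):
                findings.append((sec, "ActiveX control with no class name or no source URL", raw))
        elif sec == "O20" and "AppInit_DLLs" in body:
            dll = body.rsplit("AppInit_DLLs:", 1)[-1].strip()
            if dll:  # any value here is loaded into every process that maps user32.dll
                findings.append((sec, f"AppInit_DLLs injects {dll[:30]}", raw))
    return findings


# Constructed sample: entries copied from the log posted above (AppInit_DLLs name
# shortened; the "..." in the imgfarm URL is how the forum truncated it).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\FSKYUK~1.DLL",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain',
    r"O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\foebv2cnw6kxj7thd.exe",
    r"O4 - Global Startup: winlogin.exe",
    r"O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)",
    r"O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab",
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab",
    r"O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -",
    r"O20 - AppInit_DLLs: O20 - AppInit_DLLs: oe3ssbeo17c9m6.dll.dll.dll.dll",
]
```

Running `triage(SAMPLE_LOG)` returns ten findings and leaves the Symantec, WildTangent, eMachines and MSN Zone entries alone, which matches the list phawgg asked Kamy to tick in HijackThis. Everything it flags is a candidate for manual review, not an automatic delete: the script does not know whether Tsa2 is something the user installed, which is exactly the judgement call phawgg left to Kamy.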

#5 phawgg


Posted 31 December 2004 - 07:19 PM

Closed. Lack of responses.
If you originated this thread, and need it re-opened:
You may also contact a HJT Team Member, and reference the link location address. Thanks. :thumbsup:

If referring to this thread for any other reason, you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.



