Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.Win32.Small.dc, TR/Lefeat.1 (HELP)


  • Please log in to reply
8 replies to this topic

#1 mommommom

mommommom

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 25 January 2005 - 02:30 PM

Apparently I did this wrong so I am trying again !
Here is my log!

Logfile of HijackThis v1.99.0
Scan saved at 2:44:10 PM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atlkt32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.953\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://registernet.passport.net/reg.srf?xp...033&langid=1033
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FD93A6CA-5B7B-199D-F228-FCAC0ADAFD02} - C:\WINDOWS\mfcmu32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntvp32.exe] C:\WINDOWS\ntvp32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\{0BB1DFCF-D2D2-447D-9FC8-342198F538B2}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
:thumbsup:

Edited by mommommom, 25 January 2005 - 02:46 PM.


BC AdBot (Login to Remove)

 


#2 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 25 January 2005 - 07:03 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 25 January 2005 - 07:21 PM

Thanks for sending your HijackThis log, Mom...and greetings from the Pacific NW. We have cats too :thumbsup:

Your system has a nasty infection called CWS About:Blank

It will take several messages to fix and then repair the damage done by it to your system.

Here is the first set of instructions.


1 -- To start, follow this link for instructions to enable 'show all files' for your system.


2 -- This step checks for a service that is part of CWS About:Blank:
  • Download Service Filter
  • Extract it to it's own folder.
  • Click on ServiceFilter.vbs
  • A text file called POST_THIS will be created in the same folder
  • Please use 'Edit>Select All' then 'Edit>Copy' to obtain the contents
  • Please Paste them into this thread using 'Add Reply' at the end of the fix
3 -- Download the stand-alone version of CWShredder from CWShredder from Intermute. After you download the program, unzip it into a directory.
Do not run it yet.


4 -- Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip.

Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet


5 -- Please disconnect from the Internet and unplug your modem for the duration of this fix

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.


6 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\knvpg.dll/sp.html#10001

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32
\knvpg.dll/sp.html#10001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32
\knvpg.dll/sp.html#10001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\knvpg.dll/sp.html#
10001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\knvpg.dll/sp.html#
10001

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\knvpg.dll/sp.html#10001

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32
\knvpg.dll/sp.html#10001

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {FD93A6CA-5B7B-199D-F228-FCAC0ADAFD02} - C:\WINDOWS\mfcmu32.dll (file missing)

O4 - HKLM\..\Run: [ntvp32.exe] C:\WINDOWS\ntvp32.exe

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


7 -- While still in safe mode, use Windows Explorer to delete the following lists of program files and folders, if they still exist.

C:\WINDOWS\mfcmu32.dll <-- this file

C:\WINDOWS\ntvp32.exe <-- this file


C:\WINDOWS\system32\knvpg.dll <-- this file

C:\WINDOWS\System32\tibs3.exe <-- this file

C:\WINDOWS\system32\atlkt32.exe <-- this file

Please let me know about any problems with the file/folder deletes.


8 -- Next, use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, Empty your Temporary Internet Cache completely. Close all instances of Outlook and and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty


9 -- This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

Post the log file in your next reply


10 -- Next, copy/paste the contents of the Quote Box below to a Notepad file.
Name the file as fix.reg
Change the 'Save as Type' to All Files, and Save it on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.


11 -- Reboot your computer back to normal mode and Scan again with HijackThis to create a fresh logfile. We still have a few steps to complete but a log file at this time would be helpful.


12 -- Post the logs from ServiceFilter and About Buster and your HijackThis log here in this thread with any questions or problems that you have run into.

There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

After reviewing your logs, I'll follow up with the next set of instructions.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 mommommom

mommommom
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 25 January 2005 - 07:43 PM

1 DOWN

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600
Jan 24, 2005 7:43:00 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AntiVirService
Display Name: AntiVir Service
Start Mode: Disabled
Start Name: LocalSystem
Description: Provides real-time antivirus security using H+BEDV's AntiVir ...
Service Type: Own Process
Path: "c:\program files\avpersonal\avguard.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: AVWUpSrv
Display Name: AntiVir Update
Start Mode: Disabled
Start Name: LocalSystem
Description: Helpservice of AntiVir Personal ...
Service Type: Own Process
Path: "c:\program files\avpersonal\avwupsrv.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{2853a42b-093f-4023-aa5a-94efc149a6d2}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 81 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 2.179688 seconds.
:flowers: :thumbsup:

#5 mommommom

mommommom
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 25 January 2005 - 08:29 PM

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\iis6.log:gickt


Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\iis6.log:gickt


Attempted Clean Of Temp folder.
Pages Reset... Done!




Logfile of HijackThis v1.99.0
Scan saved at 8:25:52 PM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.655\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\{0BB1DFCF-D2D2-447D-9FC8-342198F538B2}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Okay all the scanning and removing to this point is complete.
All logs posted.
No problems that I detected in removing anything up to this point.
Next.... :flowers: :thumbsup:

#6 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 25 January 2005 - 09:09 PM

Thanks.

The CWS infection appears to be knocked down. Nice work so far.


If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32

Step#1:

Now we need to see if we need to restore some deleted files:

Please check for the following files using the Windows Search Engine:

* control.exe
* rundll32.exe
* wmplayer.exe
* msconfig.exe
* notepad.exe
* shell.dll
* SDHelper.dll


If any are missing or not working properly then you can download new copies from Merijn's Files and following the instructions at that site to have them where they belong for your OS.


* Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

* This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one is Windows (WINNT) and one in Windows\System32. It does not delete the ones in Windows\System so it does not affect Win9x/ME. If you find it missing please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .

* The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and if not please check for the existence of this file by going to to Merijn's Files (control) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information. The control.exe is more often deleted in Win9x/ME.

* If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

Step#2:

Run an online antivirus scan at:

Trend Micro Online AV

Reboot


Now there are a few more steps, but first...

You are running HijackThis from temp files, which is an unsafe location.

Please move your "HijackThis.exe" into a newly created folder (such as C:\HJT) to ensure that backup files are reliably saved. We're eventually going to clean out the tempfiles as part of the fix.

It may be easier to simply download the latest version of HijackThis(v1.99) and unzip it into C:\HJT.

Do not continue to run HijackThis from 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.655\HijackThis.exe'


Also, this line in your HijackThis log

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

which suggests there may be some programs disabled from startup.

Please use 'Start > Run' and type msconfig and select the 'Startup' tab and make sure that every item is checked. Then press 'OK'.

If you had to re-check any entries, then please reboot.

Then, create a fresh HijackThis log and send it to me. I'll follow up with the final set of instructions.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#7 mommommom

mommommom
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 25 January 2005 - 09:43 PM

Logfile of HijackThis v1.99.0
Scan saved at 9:41:56 PM, on 1/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\{0BB1DFCF-D2D2-447D-9FC8-342198F538B2}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

:flowers: :thumbsup:

#8 mommommom

mommommom
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:05 PM

Posted 26 January 2005 - 09:14 AM

RE :

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

That line is still there even after enabling all startup items, any reason for this ?

:thumbsup:

#9 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 26 January 2005 - 10:46 AM

Great...nice and clean HJT log :flowers:

RE :

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

That line is still there even after enabling all startup items, any reason for this ?

You have something turned on in Msconfig that is causing it to automatically start at every reboot. Are you getting a a message box from Msconfig furing the reboot process?

You are not running in Safe Mode are you??

Anyway...

Here's the wrap up...followed by some prevention steps for the future.

1 -- Please follow this tutorial and use Ad-Aware SE to Perform a full system scan and fix anything that is found.

2 -- Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

3 -- To prevent any remnants of the problems hiding out in your restore files, please disable Windows System Restore, then reboot, then re-enable Windows System Restore by following the instructions at: "How to turn off or turn on Windows XP System Restore"

Then, create a new Restore Point for your newly cleaned system.

4 -- Additionally, please check your ActiveX security settings in Internet Explorer. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended below.

In IE, click on "Tools" => "Internet Options" and under the "Security" tab, click on "Custom Level" and make sure that the following settings are correct:

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

5 -- And, be sure to check your Favorites list, as this infection is known to add in a bunch of pornography links which you will want to delete.

Finally, reboot to normal mode and please create one last HijackThis log, and post it in your reply to this message.


very important

NOW...The version of IE you are running is a BIG problem since it is not uptodate on patches. That means you are almost guaranteed to re-infect if you use the internet and do not update it.

So, please start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there to ensure you are uptodate on critical security patches.

AND...And, I don't see any Anti-Virus software, although you were running AVPersonal in earlier logs. Another cause of quaranteed reinfection.


SO...please allow me to suggest some general prevention steps to keep one's computer clean and secure. Each step protects a different aspect of your system, and no one step is a 'silver bullet' to take care of all threats. :thumbsup:

1 -- Use an AntiVirus Software, and be sure you update your anti-virus software at least once a week. There are several very good free programs available. Grinler offers an outstanding overview at Virus, Spyware, and Malware Protection and Removal Resources

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D to regularly to scan your system.

4 -- It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- I strongly recommend that you consider using a Firewall. Just by using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls

An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users