Avast WEBforum

Other => Viruses and worms => Topic started by: Fishbomb on March 31, 2005, 08:50:19 AM

Title: HAXDOOR-BGN (Found the root problem!)
Post by: Fishbomb on March 31, 2005, 08:50:19 AM
First of all, hi there everyone! I'm new to this forum. I had downloaded Avast just a week before this problem happened and I'm still on the test week before paying the registration fee. I used to just rely on firewalls and online virus scanners before, but I finally decided on this system just because my friends really like it.

So bear in mind that I am not at all familiar with the avast process of doing things.

Anyway, two days ago I changed internet providers. And stupid as I am, this must have meant that my firewalls were down, because I contracted a virus almost immediately. This is nothing new to me, I've had viruses before, and have always managed to root them out, but this time I am stumped.

I am writing this from the computer at work, because I can't use my infected computer at home, so everything I write is from either memory or from my set of itty bitty notes. So forgive any confusion.

---

I use windows XP-pro

What happened was: On a small fansite for comic books, I must have contracted a virus. I did not accept anything, or click any links (I'm not stupid) but apparently it snuck in anyway.

It took over my computer. First it changed the wallpaper to one that advertised something called 'smart security' because obviously my computer was infected by trojans and viruses. All my shortcuts were erased and replaced with shortcuts to sites like 'home pharmacy', 'online poker', 'home mortgages' and so on. It changed around everything so that it suited itself, task bars, shortcuts and so on. Other things I found were 'allcybersearch' and a program called 124489, which was the first thing that I noted, with a picture of a cute blonde as an icon.

I also think it tried to hijack my modem, but since I am not using a modem that did not work.

What it does is that every three to five minutes, my computer restarts itself. If I try to delete the temporary internet files where the virus lies, the computer restarts itself. If I try to shut down any suspicious system processes, they restart themselves, and then finally the computer restarts itself. If I try to open Internet Explorer, the computer restarts itself. I can not right click anymore, that has been disabled. Needless to say, I can not make any changes to wallpapers, users, links and so on...

When I run Avast (home user), it first located memory resident trojans (a LOAD of them, but the first one I remember was JS:TrojDnldr-1), mostly in the temporary internet files folder. So it did a boot scan. I was stupid enough to press 'remove' because I didn't know that you were not supposed to do that (I do now after having read this site). Hopefully not much has been damaged since they were temporary files... or the programs that the virus had added.

This did not help.

Yes, when I start Avast, the memory scans clean. But the computer is still obviously infected, because it still restarts after 3-5 minutes, so I have no time to run a thorough scan. Sometimes it catches a trojan, at other times not. I really haven't much time to do anything, since I have rather many files.

.

So here is my problem. I can't do much on my PC at home since I can't go online with it. My first problem is to find out what makes it restart itself all the time. I had that trouble about half a year ago with the Sasser virus (or something like it), but I managed to work that out by going online and seeing how I should solve it, and working real fast in the few minutes that I had. It worked out fine. Now I do not have that option.

So please, post what information you need here and I will take notes and go home tonight and try to find them. I have heard people refer to a hijackthis-Log, can anyone please explain what this is, and how it is obtained?

I used to be competent with computers, but that was back when there still was DOS at the heart of everything... I know very little of how Windows XP works. Is there some sort of 'simple' failsafe mode when you start up the computer? If so, how do you get into it? Maybe that can help.

I miss DOS. I miss autoexec.bat and config.sys. Things felt simpler then *grins*.

I am going to continue searching this board (and the net) for information. Please, if anyone has any suggestions, I will be forever grateful.



Title: Re: My computer keeps shutting itself down
Post by: Fishbomb on March 31, 2005, 09:51:16 AM
Update: Well, found

http://www.blackviper.com

Hopefully it will help me some with the shutdown *grins*

Unfortunately it will not help with the fact that as soon as I try to go on the net, it shuts down. No way for me to download patches then...
Title: Re: Explorer keeps shutting itself down
Post by: Spyros on March 31, 2005, 10:45:56 AM
Quote
So please, post what information you need here and I will take notes and go home tonight and try to find them. I have heard people refer to a hijackthis-Log, can anyone please explain what this is, and how it is obtained?

Your system has definitely been hijacked.
Download Hijackthis from: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Press “Do a system scan and save a logfile”
Copy/paste it here.

Quote
If I try to shut down any suspicious system processes, they restart themselves, and then finally the computer restarts itself.
You can use ProcX for that (http://www.ghostsecurity.com/index.php?page=procx). But please post the hijackthis log first.
Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on March 31, 2005, 11:44:05 AM
Thank you, will download it to a disk and take it home.

Meanwhile: More information! I am not the only one.

Check out this link:

http://insight.zdnet.co.uk/internet/security/0,39020457,2125434,00.htm

Read the replies and complaints underneath it, this is EXACTLY what has happened to me. I will try to use some of that advice to remove it.
Title: Re: Explorer keeps shutting itself down
Post by: FreewheelinFrank on March 31, 2005, 04:01:59 PM
Hi,

Just came across your posting.

If you go to the viruses and worms board, the first posting is called advice & tools for virus, malware and spyware removal. It's worth a read.

So is http://www.wilderssecurity.com/showthread.php?t=50662: this posting has a very clear step-through guide.

avast! should be part of your clean up procedure of course!

The anti-spyware programs mentioned (Spybot Search & Destroy and Ad-Aware) are also excellent for infections like this. They take care of most things automatically; HijackThis is useful for manual removal of anything remaining, but be careful how you use it.

You can get into safe mode in Windows by tapping F8 while booting.

Good luck

Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on March 31, 2005, 10:29:43 PM
Yep, been reading up like mad on this and printed out a lot at work. Now I am actually able to at least get on the net in safe mode!!

But I am encountering some problems along the way, so first here is my Hijackthingy. Despair at my system *blushes a bit embarrassed* It was fine two days ago! Really!

---

Logfile of HijackThis v1.99.1
Scan saved at 22:26:05, on 2005-03-31
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program\Alwil Software\Avast4\ashSimpl.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\Rar$EX02.328\HijackThis.exe

Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on March 31, 2005, 10:30:23 PM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\Program\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\Program\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on March 31, 2005, 10:30:41 PM

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22D1C479-8553-4C97-A52F-E488E41179AE} - C:\WINDOWS\System32\dkfc.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {5327ABC3-425C-4983-2104-6B03F0B0CEBC} - C:\WINDOWS\System32\yum.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\Program\DELADE~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program\Toolbar\toolbar.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\Program\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program\DELADE~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6BA5ABB1-98C3-4C28-B071-0B83967B72E6}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\Program\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Svd] C:\WINDOWS\System32\Fau.exe
O4 - HKLM\..\Run: [Ost] C:\WINDOWS\System32\Crk.exe
O4 - HKLM\..\Run: [Jjj] C:\WINDOWS\System32\Rrj.exe
O4 - HKLM\..\Run: [Unm] C:\WINDOWS\System32\Rol.exe
O4 - HKLM\..\Run: [Tpp] C:\WINDOWS\System32\Cmt.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [Ojv] C:\WINDOWS\Lgm.exe
O4 - HKLM\..\Run: [Hag] C:\WINDOWS\Hmk.exe
O4 - HKLM\..\Run: [Iuv] C:\WINDOWS\Tic.exe
O4 - HKLM\..\Run: [Kfj] C:\WINDOWS\System32\Rjn.exe
O4 - HKLM\..\Run: [Ckf] C:\WINDOWS\System32\Aue.exe
O4 - HKLM\..\Run: [Hgf] C:\WINDOWS\System32\Tnc.exe
O4 - HKLM\..\Run: [Vfk] C:\WINDOWS\System32\Nlt.exe
O4 - HKLM\..\Run: [Itp] C:\WINDOWS\System32\Qlt.exe
O4 - HKLM\..\Run: [Lgj] C:\WINDOWS\System32\Maa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Qqu.exe
O4 - HKLM\..\Run: [Hcl] C:\WINDOWS\System32\Hku.exe
O4 - HKLM\..\Run: [Hsl] C:\WINDOWS\Quc.exe
O4 - HKLM\..\Run: [Ijg] C:\WINDOWS\Afu.exe
O4 - HKLM\..\Run: [Hvd] C:\WINDOWS\System32\Lcu.exe
O4 - HKLM\..\Run: [Kdi] C:\WINDOWS\Hlm.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mbp] C:\WINDOWS\Nns.exe
O4 - HKLM\..\Run: [Anf] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Uea] C:\WINDOWS\System32\Nap.exe
O4 - HKLM\..\Run: [Jgm] C:\WINDOWS\Vfg.exe
O4 - HKLM\..\Run: [Bjo] C:\WINDOWS\System32\Kdo.exe
O4 - HKLM\..\Run: [Lrj] C:\WINDOWS\System32\Vbb.exe
O4 - HKLM\..\Run: [Jjl] C:\WINDOWS\System32\Fbd.exe
O4 - HKLM\..\Run: [Mac] C:\WINDOWS\System32\Kcv.exe
O4 - HKLM\..\Run: [Uci] C:\WINDOWS\System32\Dec.exe
O4 - HKLM\..\Run: [Ssg] C:\WINDOWS\Vui.exe
O4 - HKLM\..\Run: [Kdo] C:\WINDOWS\System32\Ldj.exe
O4 - HKLM\..\Run: [Eoc] C:\WINDOWS\System32\Esv.exe
O4 - HKLM\..\Run: [Evl] C:\WINDOWS\Olk.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [Dcs] C:\WINDOWS\Tof.exe
O4 - HKLM\..\Run: [Fcc] C:\WINDOWS\System32\Jca.exe
O4 - HKLM\..\Run: [Oom] C:\WINDOWS\Hbf.exe
O4 - HKLM\..\Run: [Kqs] C:\WINDOWS\Inf.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/se/win/QuickTimeInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.aftonbladet.se/it/special/command/cod/cabs/cssweb.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\Program\Toolbar\toolbar.dll
O18 - Filter: text/html - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O18 - Filter: text/plain - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on March 31, 2005, 10:46:26 PM
Phew, took three tries to actually post it all!

Now for the strange problems that I encounter:

For removing the SmartSecurity thingy that locks up everything, I got the following advice from the site I linked to above. I was supposed to go into the screen properties, go to the web tab section and disable the one called 'security'.

However, I had no active things in the web tab. More so, I am unable to change any settings for my wallpaper. My right click function is disabled, and that part of the customization menu is just locked.

I caught 54 different files with trojans I think when I ran the Avast at startup (booting).  They were Win32:Exdl[Adw], Win32:Trojan-gen{ve}, and Win32:Trojan-gen{other}. I was not able to repair any file and moved them to the chest.

Now however I can not look inside the chest. I get the RPC com failed message.

Also: I can not start the Win XP firewall. Every time I try to enable it, I get the error message that it can not activate shared (struggles for English words since I am Swedish)... something. It is error 1060 and it tells me that the service is not installed. But this worked 3 days or so ago, when I had a firewall...

I can not get any logfiles from either Avast or Spybot, just error messages.

When I do a normal scan with Avast I get a whole load of files that Avast says it can not scan because they are password protected. And it is the very same files that I suspect are hiding stuff, since I recognized a few of the names. Hello, sextracker anyone?

...

Right now what worries me the most is where I should start.

Should I start by downloading updated security patches on an infected system?

How can I get a working firewall so I at least do not pick up any more viruses?

Where should I start, since the normal ways seem to have been sabotaged for me...

I do not dare to leave the secure mode for now. The PC crashes otherwise, and I am quite confident that I haven't got half the stuff yet.

Please advise, I'll keep reading and trying things, but unfortunately so many of them do not seem to work on this SmartSecurity thing. The only advice I have found so far is in the thread above.

Please, if anyone has more information about that I would be overjoyed. Trojans are one thing, but that hijacking commercial program taking over everything is just plain insulting.

Thanks for the help.
Title: Re: Explorer keeps shutting itself down
Post by: DavidR on March 31, 2005, 11:16:32 PM
Dealing with the hijackthis log contents first, you have a lot of problems.

The items in hosts (O1 items): are these entries that you created? If so, leave them.

Once you have fixed those mentioned, do another scan and post the log file contents again.

Extract of Eddy's log file analyser:

CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :
--------------------------------------------------------------------------------
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

--------------------------------------------------------------------------------
GENERAL INFORMATION :
--------------------------------------------------------------------------------
All items in the original HijackThis log file which are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

Use www.google.com to find out more on items not listed here or if you have doubts.

In addition to this application, you can also analyze the original HijackThis log online at: http://hijackthis.de

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search
searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search
homeoldsp = about:blank
r1 - hklm\software\microsoft\internet explorer\main
homeoldsp = about:blank
r1 - hkcu\software\microsoft\internet connection wizard
r0 - hkcu\software\microsoft\internet explorer\toolbar
r3 - default urlsearchhook is missing
o1 - hosts: 127.0.0.3 n-glx.s-redirect.com
o1 - hosts: 127.0.0.3 x.full-tgp.net
o1 - hosts: 127.0.0.3 counter.sexmaniack.com
o1 - hosts: 127.0.0.3 autoescrowpay.com
o1 - hosts: 127.0.0.3 www.autoescrowpay.com
o1 - hosts: 127.0.0.3 www.awmdabest.com
o1 - hosts: 127.0.0.3 www.sexfiles.nu
o1 - hosts: 127.0.0.3 awmdabest.com
o1 - hosts: 127.0.0.3 sexfiles.nu
o1 - hosts: 127.0.0.3 allforadult.com
o1 - hosts: 127.0.0.3 www.allforadult.com
o1 - hosts: 127.0.0.3 www.iframe.biz
o1 - hosts: 127.0.0.3 iframe.biz
o1 - hosts: 127.0.0.3 www.newiframe.biz
o1 - hosts: 127.0.0.3 newiframe.biz
o1 - hosts: 127.0.0.3 www.vesbiz.biz
o1 - hosts: 127.0.0.3 vesbiz.biz
o1 - hosts: 127.0.0.3 www.pizdato.biz
o1 - hosts: 127.0.0.3 pizdato.biz
o1 - hosts: 127.0.0.3 www.aaasexypics.com
o1 - hosts: 127.0.0.3 aaasexypics.com
o1 - hosts: 127.0.0.3 www.virgin-tgp.net
o1 - hosts: 127.0.0.3 virgin-tgp.net
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o4 - hklm\..\runservices: [microsoft update] lsac.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o16 - dpf: yahoo! chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20030523/qtinstall.info.apple.com/drakken/se/win/quicktimeinstaller.exe
o16 - dpf: {79849612-a98f-45b8-95e9-4d13c7b6b35c} (loader2 control) - http://iframedollars.biz/tb/loader2.ocx
o16 - dpf: {9eb320ce-be1d-4304-a081-4b4665414bef} (mediaticketsinstaller control) - http://www.mt-download.com/mediaticketsinstaller.cab?refid=2732
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} (yaddbook class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {c81b5180-afd1-41a3-97e1-99e8d254db98} (css web installer class) - http://www.aftonbladet.se/it/special/command/cod/cabs/cssweb.cab
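A small triage script for logs in this format, added here as an example; it is not part of the thread, of Eddy's analyser or of HijackThis itself. It parses the R0/R1/O* entry lines and flags the patterns that stand out in the log above: the start page pointing at a raw IP, the hosts overrides, the unnamed BHOs, the swarm of three-letter autoruns, the rundll32 payload in a Temp directory, the second SVCHOST.EXE outside System32, the Trusted Zone additions, the text/html MIME filter and the Winlogon Notify DLL. The rule set, the "high" versus "check" severities and the excerpt it runs on (lines copied from the log posted above) are my own assumptions, meant as a prompt for manual review rather than an official classification, so a "check" hit on a legitimate bare-filename entry such as nwiz.exe is expected.

```python
"""Triage a HijackThis v1.99 log: flag the hijack and persistence patterns seen in this thread.

Added example, not code from the original thread or from HijackThis. Rules and severities
are assumptions for manual review, not an official classification.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "section severity reason body")

# Excerpt of the log posted above (header and process lines included to show they are skipped).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:26:05, on 2005-03-31
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22D1C479-8553-4C97-A52F-E488E41179AE} - C:\WINDOWS\System32\dkfc.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6BA5ABB1-98C3-4C28-B071-0B83967B72E6}\SVCHOST.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O18 - Filter: text/html - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
"""

# One entry per line: "<section> - <rest>"; headers and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# "[Oip] C:\WINDOWS\System32\Sbr.exe": three-letter label and three-letter exe in WINDOWS or System32.
RANDOM_O4_RE = re.compile(r"\[[A-Z][a-z]{2}\] C:\\WINDOWS\\(?:System32\\)?[A-Z][a-z]{2}\.exe$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
REAL_SVCHOST = r"c:\windows\system32\svchost.exe"


def parse_hjt(text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def o4_command(body):
    """Split an O4 body '<hive>: [Label] <command>' into (label, executable token)."""
    label, sep, cmd = body.partition("] ")
    label = label.split("[", 1)[-1] if sep else ""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]  # quoted path with spaces
    else:
        exe = cmd.split(" ", 1)[0]
    return label, exe


def classify(sec, body):
    """Return (severity, reason) for a suspicious entry, or None to leave it alone."""
    if sec in ("R0", "R1"):
        if RAW_IP_URL_RE.search(body) or "res://" in body:
            return "high", "IE start/search setting points at a raw IP or a res:// DLL resource"
        if body.endswith("= about:blank"):
            return "check", "IE setting reset to about:blank, a common search-hijack leftover"
    elif sec == "O1":
        return "check", "hosts-file override: keep only entries you added yourself"
    elif sec == "O2":
        if "(no name)" in body:
            return "check", "unnamed BHO: identify the DLL before letting IE load it"
    elif sec == "O4":
        label, exe = o4_command(body)
        if TEMP_RE.search(body):
            return "high", "autorun launched from a Temp directory"
        if RANDOM_O4_RE.search(body):
            return "high", "random three-letter autorun name and executable"
        if exe.lower().endswith("svchost.exe") and exe.lower() != REAL_SVCHOST:
            return "high", "svchost.exe outside C:\\WINDOWS\\System32 masquerades as the real one"
        if exe and "\\" not in exe:
            if label.lower().startswith("microsoft"):
                return "high", "claims to be a Microsoft component but runs a bare filename via PATH"
            return "check", "bare filename resolved via PATH: confirm which file actually runs"
    elif sec == "O15":
        return "high", "Trusted Zone / Trusted IP addition lowers IE security for that host"
    elif sec == "O16":
        return "check", "downloaded ActiveX control: remove unless you recognise the vendor"
    elif sec == "O18":
        if body.startswith("Filter:"):
            return "high", "MIME filter hooks every text/html or text/plain page IE renders"
        return "high", "custom protocol handler registered by a third-party DLL"
    elif sec == "O20":
        return "high", "Winlogon Notify DLL loads into winlogon.exe at boot and survives Explorer restarts"
    return None


def triage(text):
    """Run every entry through classify() and collect the hits in log order."""
    findings = []
    for sec, body in parse_hjt(text):
        hit = classify(sec, body)
        if hit:
            findings.append(Finding(sec, hit[0], hit[1], body))
    return findings


def summarise(findings):
    """Count findings per (section, severity) so the fix order is obvious."""
    return Counter((f.section, f.severity) for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in sorted(hits, key=lambda f: (f.severity != "high", f.section)):
        print(f"{f.severity:5} {f.section:3} {f.reason}\n      {f.body}")
    print(dict(summarise(hits)))
```

The "high" hits are the ones worth fixing in HijackThis first, in safe mode, because the O20 Winlogon Notify DLL and the O18 filter are loaded before Explorer and independently of it, which is consistent with the kill-a-process-and-it-comes-back behaviour described earlier in the thread; the "check" hits need a human to decide, since a bare-filename autorun or an about:blank page can also be harmless.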
Title: Re: Explorer keeps shutting itself down
Post by: FreewheelinFrank on April 01, 2005, 09:24:07 AM
You might find this interesting: this person seems to have been in the same situation as you, i.e. wallpaper hijacked by a "security" advertisement and an invasion of Trojans.

(http://www.pcflank.com/img/art46pics/nasty.gif)

http://www.pcflank.com/art46_1.htm



Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on April 01, 2005, 07:02:44 PM
Logfile of HijackThis v1.99.1
Scan saved at 19:01:27, on 2005-04-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Bra att ha\hijackthis\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22D1C479-8553-4C97-A52F-E488E41179AE} - C:\WINDOWS\System32\dkfc.dll
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll
O2 - BHO: (no name) - {5327ABC3-425C-4983-2104-6B03F0B0CEBC} - C:\WINDOWS\System32\yum.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\Program\DELADE~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program\Toolbar\toolbar.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\Program\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\Program\DELADE~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ÄGAREN\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6BA5ABB1-98C3-4C28-B071-0B83967B72E6}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\Program\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Svd] C:\WINDOWS\System32\Fau.exe
O4 - HKLM\..\Run: [Ost] C:\WINDOWS\System32\Crk.exe
O4 - HKLM\..\Run: [Jjj] C:\WINDOWS\System32\Rrj.exe
O4 - HKLM\..\Run: [Unm] C:\WINDOWS\System32\Rol.exe
O4 - HKLM\..\Run: [Tpp] C:\WINDOWS\System32\Cmt.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [Ojv] C:\WINDOWS\Lgm.exe
O4 - HKLM\..\Run: [Hag] C:\WINDOWS\Hmk.exe
O4 - HKLM\..\Run: [Iuv] C:\WINDOWS\Tic.exe
O4 - HKLM\..\Run: [Kfj] C:\WINDOWS\System32\Rjn.exe
O4 - HKLM\..\Run: [Ckf] C:\WINDOWS\System32\Aue.exe
O4 - HKLM\..\Run: [Hgf] C:\WINDOWS\System32\Tnc.exe
O4 - HKLM\..\Run: [Vfk] C:\WINDOWS\System32\Nlt.exe
O4 - HKLM\..\Run: [Itp] C:\WINDOWS\System32\Qlt.exe
O4 - HKLM\..\Run: [Lgj] C:\WINDOWS\System32\Maa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Qqu.exe
O4 - HKLM\..\Run: [Hcl] C:\WINDOWS\System32\Hku.exe
O4 - HKLM\..\Run: [Hsl] C:\WINDOWS\Quc.exe
O4 - HKLM\..\Run: [Ijg] C:\WINDOWS\Afu.exe
O4 - HKLM\..\Run: [Hvd] C:\WINDOWS\System32\Lcu.exe
O4 - HKLM\..\Run: [Kdi] C:\WINDOWS\Hlm.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mbp] C:\WINDOWS\Nns.exe
O4 - HKLM\..\Run: [Anf] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Uea] C:\WINDOWS\System32\Nap.exe
O4 - HKLM\..\Run: [Jgm] C:\WINDOWS\Vfg.exe
O4 - HKLM\..\Run: [Bjo] C:\WINDOWS\System32\Kdo.exe
O4 - HKLM\..\Run: [Lrj] C:\WINDOWS\System32\Vbb.exe
O4 - HKLM\..\Run: [Jjl] C:\WINDOWS\System32\Fbd.exe
O4 - HKLM\..\Run: [Mac] C:\WINDOWS\System32\Kcv.exe
O4 - HKLM\..\Run: [Uci] C:\WINDOWS\System32\Dec.exe
O4 - HKLM\..\Run: [Ssg] C:\WINDOWS\Vui.exe
O4 - HKLM\..\Run: [Kdo] C:\WINDOWS\System32\Ldj.exe
O4 - HKLM\..\Run: [Eoc] C:\WINDOWS\System32\Esv.exe
O4 - HKLM\..\Run: [Evl] C:\WINDOWS\Olk.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [Dcs] C:\WINDOWS\Tof.exe
O4 - HKLM\..\Run: [Fcc] C:\WINDOWS\System32\Jca.exe
O4 - HKLM\..\Run: [Oom] C:\WINDOWS\Hbf.exe
O4 - HKLM\..\Run: [Kqs] C:\WINDOWS\Inf.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\Program\Toolbar\toolbar.dll
O18 - Filter: text/html - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O18 - Filter: text/plain - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on April 01, 2005, 07:07:41 PM
Well, I read through the Merijn.org guide to HijackThis, and the tips here, and removed some stuff.

However there are still a few issues where I am concerned:

I have a LOT of strange programs in O4. Most of these I am certain are spy-related, but I am still not sure which ones I can remove. Any tips?

O15. Trusted IP range? I removed this, because honestly I don't want to trust anything anymore, but it comes back any time. Any tips? Should I be concerned?

O20. Is mine bad? It said to exercise caution with it...

...

I'll go and read up some more now, but PLEASE!! I still can not install any XP firewall (it refuses me).

Does anyone have a tip on something to do, or a nice free 3rd party firewall I can download in the meantime? I want to surf the net from this infected and unprotected wreck as little as I can.

I am so grateful for this site and you guys...
Title: Re: Explorer keeps shutting itself down
Post by: whocares on April 01, 2005, 07:35:07 PM
Hi,

honestly, you'd be better off if you'd FLATTEN the system and reinstall it PROPERLY (see "VirusRemoval" below for how to do it)
-> you have loads of evil stuff in the startup, most of which are probably worms with BACKDOOR functionality: somebody might have full control over your PC, know all your passwords etc etc..
=> you'll never know if you've removed everything

but, if you want to try anyway:

0) reread the BACKDOOR-section of the link "VirusRemoval" below in my sig

if you still want to try:
1) disable system restore
2) reboot to safeMode (F8-Boot)
3) rescan with hijackthis, and fix everything that's marked red or yellow in this analysis (EXCEPT the avast-stuff):
http://hijackthis.de/logfiles/4c0397ab137ed0e373606129306ff83f.html
4) reboot to safeMode
5) install SPYBOT & AD-AWARE & scan & fix with them several times
6) reboot to safe Mode and do a full/complete/archive Scan with avast; if finds are not repairable, move them to chest
7) reboot to SafeMode and come back with a fresh HJT-Log
8) in the meantime, get the complete package of WIN-XP-SP2 (280MB) on CD (from the microsoft-security site, from a CD of a PC-magazine, from a reliable friend with broadband); plus a free firewall, e.g. Kerio, Sygate, Outpost or ZoneAlarm

 ;)
Title: Re: Explorer keeps shutting itself down
Post by: whocares on April 01, 2005, 07:37:22 PM
P.S.:
O20 - ..drct16.dll ...
=> EVIL !!

Google is your friend:
http://www.google.de/search?hl=de&q=drct16.dll&meta=
 ;)
Title: Re: Explorer keeps shutting itself down
Post by: DavidR on April 01, 2005, 08:18:31 PM
As whocares says, your system is virtually out of your control, and since you don't have a firewall you have nothing to stop outbound connections to the internet that download more and more of this spyware/malware/adware.

As you are seeing, every time you post a log file the contents might change, but the problem is getting worse. Almost all of the O4 entries with a few exceptions

See this on-line analysis; ignore all O23 entries for avast, this is a known problem with HJT 1.99.1 - http://hijackthis.de/logfiles/c5c5c587a5cb9431166d661d387add36.html

A fresh start may be your only real way to regain control.
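Triage logic for the HijackThis entry types the replies above single out (the random three-letter O4 autoruns, the RunServices entries, the O15 trusted IP range, the O18 MIME filter DLL and the O20 Winlogon Notify DLL), written as an added Python example; it is not code from the forum thread, from Avast or from HijackThis. The sample log lines are constructed from entries posted in this thread, and the Winlogon Notify allowlist is this example's own assumption about a default XP baseline.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.99.1 line format, modelled on entries
# posted in this thread; not a captured log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Oip] C:\WINDOWS\System32\Sbr.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Bar.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\OWNER\LOKALA~1\Temp\keep.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Filter: text/html - {C77494C1-E574-4AF0-8A77-EDD4F56DA050} - C:\WINDOWS\System32\dkfc.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted IP range: (?P<ip>[\d.]+)")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[^}]+\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Three-letter capitalised names such as [Oip] / Sbr.exe, as in the posted log.
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{2}$")
# Directories the random-name droppers were written to.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Winlogon Notify subkeys expected on a default XP install (assumption made by
# this example; adjust the allowlist to your own baseline).
KNOWN_GOOD_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def exe_path(cmd: str) -> str:
    """Return the program part of an O4 command line (quotes and arguments removed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            parent, _, fname = path.rpartition("\\")
            stem = fname.rsplit(".", 1)[0]
            if m["key"].lower() == "runservices":
                findings.append((line, "RunServices: Windows 9x-era key, rarely legitimate on XP"))
            elif "\\" not in path:
                findings.append((line, "no directory given; check which file on the search path it resolves to"))
            elif RANDOM_NAME.match(m["name"]) and RANDOM_NAME.match(stem) and parent.lower() in SYSTEM_DIRS:
                findings.append((line, "random three-letter autorun dropped directly into the Windows tree"))
            elif "\\temp\\" in path.lower():
                findings.append((line, "autorun launched from a Temp directory"))
        elif m := O15_RE.match(line):
            findings.append((line, f"Trusted IP range {m['ip']}: IE applies relaxed zone settings to it"))
        elif m := O18_RE.match(line):
            findings.append((line, f"{m['mime']} MIME filter: the DLL sees every page IE renders"))
        elif m := O20_RE.match(line):
            if m["name"].lower() not in KNOWN_GOOD_NOTIFY:
                findings.append((line, "Winlogon Notify DLL loads inside winlogon.exe; not a default XP entry"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

On the constructed sample the QuickTime, avast! and NVIDIA entries pass untouched and the other seven lines are flagged with a reason each.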
Title: Re: Explorer keeps shutting itself down
Post by: Fishbomb on April 02, 2005, 05:57:13 PM
http://forums.maddoktor2.com/index.php?showtopic=2659

THIS is exactly what I have!!!

There is a fix for it in this thread, but damn... *shakes head*. It seems to be some sort of new ubervirus...

The thing is, I do not want to wipe the computer clean. Why? Because then they win.

And if there's anything I hate, it is giving up.

However, I need to go and find the XP-pro install disc again, which I lent to a friend because his system had frozen up a month or so ago... *laughs* The only time you notice they are gone is when you really need them.

I will keep you updated

--------------------------

Copy of the fix by BGN.

Any comments? Does this sound like a good idea?

Like I said in my first post (I think). I miss DOS. Oh how I miss it.


----
Hi!

I think I was one of the first to catch this bugger and kill it manually.

You can call it the HAXDOOR-BGN from now on.

Symptoms:
Disables a range of firewalls.
Disables or crashes a range of antivirus products.
Collects confidential information from Windows (i.e. passwords).
Opens certain ports for an intruder to collect files.
Redirects your browser to a range of websites.
Not possible to remove trojan/virus files in failsafe mode.
Reinstalls after partial removal.
Crashes windows and reboots if only the virus/trojan files are removed.


From what I can tell it's some kind of HAXDOOR virus containing the following files (there may be more though):

mszx23.exe (The Trojan I think)
drct16.dll (A bad feature that can make your Winlogon fail and reboot the PC)
p2.ini (Also used in the HAXDOOR virus - check info on the net)
klo5.sys (A log with events, keyboard input and your passwords)
vdnt32.sys (Also used in the HAXDOOR virus)
klogini.dll (Also used in the HAXDOOR virus)
i.a3d (Also used in the HAXDOOR virus)
fltr.a3d (No info found on the net - probably some datafile)
redir.a3d (No info found on the net - probably some datafile)

Since at this point no virus scanner detects this bugger, and no trojan scanner either, it was a tough call to get rid of the key components, since removing it only partly resulted in it coming back in full strength, and removing it fully without removing the registry entry for drct16.dll resulted in the PC rebooting forever, even in failsafe mode!!!

Removing the virus/trojan manually is totally your own responsibility and as such also the possible risk of damaging your installed software/hardware.

What I did was:

1) Remove the registry entry (with regedit) with this key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogin\Notify\drct16.

2) Reboot your PC from the Windows XP install CD-ROM in repair mode.
- rebooting into failsafe mode will still keep the files "open" and you will be unable to move the files into quarantine.

3) With the DOS like command interpreter change directory to the windows system folder (CD C:\WINDOWS\SYSTEM32)

4) Create a directory called quarantine (MD quarantine)

5) Copy all the above mentioned files into quarantine (COPY <filename> quarantine)

6) Delete the above mentioned files from the SYSTEM32 folder (DEL <filename>)

7) Eject Windows CD-ROM, type EXIT and press [enter] to boot from harddisk

Your system should now be clean (from this trojan that is!)

If you haven't taken the following precautions, do it now:
1) Install a firewall
2) Install an antivirus product with the newest virusdefinitions
3) Install Windows XP servicepack 2
4) Install one or more antispyware programs (Ad-aware, Hijack-This . . .)

Title: Re: Explorer keeps shutting itself down
Post by: whocares on April 02, 2005, 06:41:40 PM
Quote
THIS is exactly what I have!!!

This is a tiny part of your PC's problems.. but if you want to live with a compromised system: your choice ;)

You might want to come back after you've applied the above removal procedures/fixes, and post a new log..

ESCAN might also help you to check afterwards.. (see link "VirusRemoval")

 ;)
Title: Re: HAXDOOR-BGN (Found the root problem!)
Post by: Fishbomb on April 09, 2005, 02:47:16 PM
Well, thank you all for your kind help!

Now... I really hope that this Hijackthis log looks better. I've looked and looked but for me it seems pretty okay.

Any comments? I am currently downloading updates and anti virus protection, so all those systems are not up and running yet...

---

Logfile of HijackThis v1.99.1
Scan saved at 14:41:29, on 2005-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ALWILS~1\Avast4\ashmaisv.exe
C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Bra att ha\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112452962546
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

Title: Re: HAXDOOR-BGN (Found the root problem!)
Post by: lee16 on April 09, 2005, 05:36:06 PM
Hi Fishbomb,


There is no malware in your log :). However, this is safe to remove, as it slows down system start-up:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

Quote
I am currently downloading updates and anti virus protection, so all those systems are not up and running yet...

Are you also downloading a firewall? You don't appear to have one. Two good, free suggestions for firewalls are:

Sygate: http://smb.sygate.com/products/spf_standard.htm
OR
Zonealarm: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe


Only use one though; it's a bad idea to use more than one firewall at the same time, as it can cause conflicts.

--lee
Title: Re: HAXDOOR-BGN (Found the root problem!)
Post by: whocares on April 09, 2005, 05:51:53 PM
Quote
There is no malware in your log

Correct, but you wouldn't necessarily see it there..

-> This system is still compromised = not secure, but Who Cares ;)
Title: Re: HAXDOOR-BGN (Found the root problem!)
Post by: Fishbomb on April 09, 2005, 07:13:12 PM
*grins*

Well, I'm using the Win XP firewall... would that conflict if I downloaded another one?

I've been thinking about doing that. *ponders*

The new Hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 19:09:02, on 2005-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program\mozilla.org\Mozilla\mozilla.exe
C:\Bra att ha\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112452962546
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

...

Removed the blasted QuickTime thingy, it always sneaks in there. *grins* Updated pretty much everything, reinstalled Avast, got myself Hitman Pro as well. Updated all fixes and service packs... Changing passwords everywhere as well.

*grins* Yeah,  I am probably compromised. But there's nothing of value for anyone on my PC, so I just hope that I will be moderately secure now.

And at least I'll have enough time to download all my stuff so I won't be so exposed if this ever happens again.

Thanks for the support here anyways, would have gone nuts without it!
Title: Re: HAXDOOR-BGN (Found the root problem!)
Post by: DavidR on April 09, 2005, 08:09:29 PM
The Windows XP SP2 firewall doesn't provide outbound protection, so you need to cover that to stop malware phoning home with your accounts, usernames, passwords and downloading more of the same, etc.

If the Security Center detects a firewall that is up to date, then it usually switches off the Windows firewall. So it shouldn't be a problem.
Title: Re: HAXDOOR-BGN (Found the root problem!)
Post by: RJARRRPCGP on April 19, 2005, 07:02:47 AM
Quote
I use windows XP-pro

What happened was: On a small fansite for comic books, I must have contracted a virus. I did not accept anything, or click any links (I'm not stupid) but apparently it snuck in anyway.

It took over my computer. First it changed the wallpaper to one that advertised something called 'smart security' because obviously my computer was infected by trojans and viruses. All my shortcuts were erased and replaced with shortcuts to sites like 'home pharmacy' 'online poker' 'home mortgages' and so on. It changed around everything so that it suited itself, task bars, shortcuts and so on. Other things I found were 'allcybersearch' and a program called 124489 which was the first thing that I noted, with a picture of a cute blonde as an icon.

I also think it tried to hijack my modem, but since I am not using a modem that did not work.

That sounds like something you usually only get if going to a porn web site!!! Usually, "fan" web sites are neatly written.

I have only gotten stuff like that, chiefly the modem hijacking, when I went to a web site that's part of a porn ring.