Avast WEBforum

Other => Viruses and worms => Topic started by: pandammonia on November 05, 2006, 01:47:00 PM

Title: MSN virus/several trojans help?!?
Post by: pandammonia on November 05, 2006, 01:47:00 PM
I appreciate any help i can get with this one....
Was at my little brother's house today getting some files off his comp. He's on xp sp2 with all current updates and using firefox browser. When i opened up 'My Computer' there were about a dozen bizarre files just sitting there, not even a second later his AVG anti-virus kicked in, finding all these trojans (silly me forgot to grab names) located in different places, some in system restore, i moved all to 'vault'. Also a google window opens up, blank, and won't close unless you go through 'alt+ctrl+del'. He said he got it through one of the msn viruses, a link appeared in a message from one of his contacts and silly boy clicked on it. I plan on working through all this for him to get his system back up properly. However, i would rather install AVAST instead of AVG, preferably before doing anything else, as it's what i'm used to. So my 1st question throughout this no doubt ordeal is... Can i uninstall AVG anti-virus, while there are files in the vault, and just install AVAST? Should i just remove all files from vault 1st and just get rid of avg and let avast take care of it once i put that on?
Any help is greatly appreciated...
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 05, 2006, 02:05:49 PM
Quote
Can i uninstall AVG anti-virus, while there are files in the vault, and just install AVAST?
Well, you'll lose the files in Vault.
Plug in a USB drive, right click the files in Vault and choose 'Restore File(s) as', moving them to the USB drive.
Hey, take care, they're infected. But just in case they were false positives or necessary files to boot.
Then, uninstall AVG, boot, install avast, boot.

Quote
Should i just remove all files from vault 1st and just get rid of avg and let avast take care of it once i put that on?
Only if you don't want to get rid of those files either...
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 05, 2006, 02:27:10 PM
Cheers.  ;D I have tried asking on the AVG forum but they aren't as prompt as u guys, (or as friendly  ;) ) and like i said, i'm familiar with avast and prefer it myself. But in this instance because they're mainly trojans and such should i just work with AVG until they're gone and then put avast on? Also am i right in thinking that my first steps are: to run CCleaner, AdAware, Spybot, then Ewido, then anti-virus, reboot, run all again. Then once clean run in safe mode to be sure? I've heard this msn virus can be a doozy to remove though, will i need to do more?
Title: Re: MSN virus/several trojans help?!?
Post by: DavidR on November 05, 2006, 03:34:26 PM
Quote
Cheers. ;D I have tried asking on the AVG forum but they aren't as prompt as u guys, (or as friendly  ;) ) and like i said, i'm familiar with avast and prefer it myself.
You have now found another decision in your choice of AV: support, and as you have found, AVG is lacking in that department.

You will be fine with avast and no single security program is going to cut it nowadays, so you need anti-adware/spyware defence also to provide a multi application defence, ones that don't conflict is important and you seem to have that covered.

Running Ewido from safe mode is usually very effective at removal of malware that would otherwise be difficult to deal with. I'm not sure it is a good idea to stick with AVG until you deal with these trojans, 1) we don't use AVG so couldn't offer any productive help, 2) avast offers a boot-time function that isn't available to AVG. So I would suggest you follow Tech's advice to back up the files in the vault. Note the original location of the files in the Vault so you can restore them if they later prove to be OK. Take care.
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 05, 2006, 03:40:46 PM
Quote
Cheers.  ;D I have tried asking on the AVG forum but they aren't as prompt as u guys
For sure, AVG forum is far behind avast one. I can say by experience here and there.

Quote
But in this instance because they're mainly trojans and such should i just work with AVG until they're gone and then put avast on?
Better. Do a full AVG scanning, send the infected files to vault.
Uninstall AVG and install avast, running a boot time scanning after that.

Quote
Also am i right in thinking that my first steps are: to run CCleaner, AdAware, Spybot, then Ewido, then anti-virus, reboot, run all again.
Ok.

Quote
Then once clean run in safe mode to be sure? I've heard this msn virus can be a doozy to remove though, will i need to do more?
Better an avast boot time scanning.
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 05, 2006, 04:04:56 PM
Thanks again Tech and DavidR. Hope to fix this thing in the next few days. Have been investigating other people's problems with this one and it seems Hijack This comes in quite handy. I've been studying up a lot on how to use it and what everything means and such but i do realise it's still quite in depth and can cause some damage if used incorrectly, are you guys able to help with that if it has to go that far?
Title: Re: MSN virus/several trojans help?!?
Post by: essexboy on November 05, 2006, 04:08:04 PM
Possibly, although I am running one at the moment. However, you could mosey over to http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html to get started
Title: Re: MSN virus/several trojans help?!?
Post by: DavidR on November 05, 2006, 04:13:44 PM
Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html) or HiJackThis Tutorial 2 (http://www.tomcoyote.org/hjt/#introduction) or HiJackThis Tutorial 3 (http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm)

There are a number of people that can help with hijackthis log analysis, there are also on-line analysis sites that give reasonable advice, but nothing is ever 100%. They give indications of Nasty, Possibly Nasty, Unknown, etc, these are the ones that need further investigation (google search on file name, etc.) before committing to a fix.

On-line analysis - HiJackThis Log file - On-line Analysis (http://hijackthis.de/index.php) OR HiJackThis Log file - On-line Analysis 2 (http://hjt.iamnotageek.com/) The first of these also has a means of uploading the suspect files for AV scanning.

But you can also seek advice here; there are other places that specialise in this advice (as essexboy mentions).
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 05, 2006, 04:15:45 PM
Cheers! A most helpful site. Will check out the others too. Will keep u posted on progress!
Thanks heaps guys. Honestly can't praise you enough for your help !
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 17, 2006, 04:29:19 AM
Hey guys! Hows it going? Got some updates on this for you...
Upon further inspection of his computer, i ran AVG anti-virus and it detected over 110 worms and trojans, in all manner of places scattered about his pc. Not having the time or the patience to sit and write details of each i just moved them all to chest. I then went to 'restore files as' to try and copy them in case something goes wrong, but i couldn't send them to D: drive to burn, so left in the chest. That was a week ago, and he said everything is running ok, so should i clean all files or just delete? I don't want to remove avg and install avast until system is clean.
Also there were several dodgy as processes running that i shut down prior to scanning. As i said, there were so many trojans n stuff i didn't grab all names n stuff, but a few of the infected files look like such; c:\kybrdff_e54.exe ( as well as 50.exe, 47.exe, 41.exe, 40.exe ); c:\dfndrff_e54.exe ( and 51.exe, 50.exe, 47.exe, 44.exe, 43.exe) ; c:\\mte3nd160d6xgnew.exe; plus some in sys restore. Whenever you open 'My Computer' a blank google window pops up and the only way to close it is to go through alt+ctrl+del.
I then ran ccleaner, adaware, spybot s&d, and am yet to run ewido/avg, (after turning off system restore). One of these (can't remember which) detected smitfraud-c, smitfraud-c.Toolbar888, and coolwwwsearch among others.
As you can see his system is severely infected. He's had problems like this before and mum won't pay to get it fixed anymore, so i'm his only hope. And as i'm just starting out in this sort of stuff, you guys are my only hope!
So my main question here is, what to do now? Clean or delete files in avg chest? Should i just run hijackthis now, or are there any other steps i should follow first?
Is this even going to be possible to fix?
Eagerly awaiting your reply AND thanking you in advance.
Cheers.
(oh btw- i 4get what kind of puter he has, i know it's an acer, running winXP sp2, pretty sure he uses firefox/mozilla browser)
Title: Re: MSN virus/several trojans help?!?
Post by: Spiritsongs on November 17, 2006, 08:20:05 AM
 :)  Hi Pandammonia :

     Your brother's computer should have the guidance of "Malware Experts" that are usually
     found on antiSPYWARE Support forums. They are volunteers who are very experienced
     in dealing with an "infected" computer. I recommend the one at www.landzdown.com
     because they are little known, resulting in fast turnaround times.
     IF you have NOT already put the "HijackThis" program on your brother's computer,
      download HijackThis (© Merijn) from:  www.thespykiller.co.uk/files/HJTsetup.exe  .

Note: This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut. If HijackThis is used from a temp folder, it is in danger of being accidentally deleted by clean up tools.

At the download prompt, choose "Save". After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it to complete the installation.
Title: Re: MSN virus/several trojans help?!?
Post by: galooma on November 17, 2006, 08:22:29 AM
It doesn't matter how much energy you put in with AVG, you are still going to get some left on the system when it's finished that Avast! will detect.
As soon as Avast! is installed you will be prompted to run a boot scan and this is where you will find and deal with the leftovers. Try to move as much to chest as you can but some may be delete only.
Try to stay off the net until the system is clean and has a firewall and AV installed, so have those programs loaded onto disks or flashdrive for easy access.
Good luck and by all means post HJT log if you need any help :)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 17, 2006, 11:02:46 AM
spiritsongz-
Yeah i know. Total of 133 items in his vault. Will check out landzdown, cheers. One question for u though... i have read on other forums that if HJT is installed in C:\ some trojans/viruses can hide from it, also if you label it HiJackThis this can happen?
Clossau- hey fellow aussie.! I know, AVG anti-virus blows big time. As i said earlier i want it off so i can work with avast!.
Got him to run ewido again- kept detecting same file, (c:\windows\system32\dxdlib303562752.dll) no matter how many times it was cleaned and sent to vault. Also "project1" has shown up under running programs, and whenever he logs on, a firefox window pops-up saying 'powerzip self extractor is extracting files. Please wait...'.
I have searched google and numerous forums for answers but am now so overwhelmed with conflicting information i'm getting addled, befuddled, bemused, confused, cranky, and irritable. His system is a mess!
Would i be right in this method;
Restore all files from AVG vault to disk/flash.
Uninstall AVG, install AVAST!
Boot time scan.
Turn off system restore.
Run CCleaner.
Run in safe mode- adaware, spybot s&d, AVG anti-spyware (ewido).
Run HJT (should this be done in safe mode?)
Post log!
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 17, 2006, 11:09:07 AM
Hi Pandammonia,

I'm a little surprised that AVG is suddenly finding all this stuff: did he disable the anti-virus, I wonder, or did some malware disable it for him?

If you want to use the tools at hand to clean the system, make sure you run scans in safe mode where possible:

http://www.pchell.com/support/safemode.shtml

Run a scan in safe mode with AVG and AVG anti-spyware and Spybot, and also Ad-Aware and a-Squared free if you don't have these already.

AVG have a rootkit scanner, which I'd recommend you run before all these scans:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

If your brother is relying on the Windows firewall, the malware has probably brought it down: I'd recommend downloading a good third-party firewall like Zone Alarm or Kerio and installing that.

If you update all your programs, go off line and chug through all the scans, install the firewall, come back on line and post a HijackThis! log, we can clean up anything remaining and you can uninstall AVG and install avast! if you want to.

As your brother has had similar problems in the past, it may be a good idea to make yourself the computer administrator and give him a limited user account with locked-down security. At the very least, you need to educate him about how he is getting infected. New viruses appear on MSN/Yahoo messenger hourly, and nothing is guaranteed to catch all of them, so if he doesn't learn some caution, he's going to undo all your good work in about five minutes once you let him loose again.

http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html

http://www.castlecops.com/article-6112-nested-0-0.html

http://www.castlecops.com/postlite7736-.html

Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 17, 2006, 11:50:35 AM
Frank- Thanks for prompt reply. (That's why i use avast forums rather than others, so quick on the ball).
I'm not too sure as to why AVG didn't catch it as it came in. It is possible he disabled it manually, he does stupid stuff like that. He just doesn't read things properly before he clicks.
Is a-squared the old name for AVG anti-spyware/ewido?
Will do the rootkit scan tomorrow and run all in safe mode. Do i do HJT in safe mode too?
Your advice re the administrator thing is something i didn't know. Will do that one once we're clean.
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 17, 2006, 11:56:39 AM
Quote
Frank- Thanks for prompt reply. (That's why i use avast forums rather than others, so quick on the ball).
Well... it will be better using both the antivirus and the forum of avast  ;)

Quote
I'm not too sure as to why AVG didn't catch it as it came in. It is possible he disabled it manually, he does stupid stuff like that. He just doesn't read things properly before he clicks.
So... ;D ;D ;D

Quote
Is a-squared the old name for AVG anti-spyware/ewido?
No. They're different products. Ewido was bought by Grisoft (AVG), not a-squared.

Quote
Will do the rootkit scan tomorrow and run all in safe mode. Do i do HJT in safe mode too?
It won't hurt...
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 17, 2006, 12:13:56 PM
Thanks again tech!
I know, i can't wait to put avast on it. As frank said too though, i'd rather do that once it's all clean just so nothing interferes. Will be doing all this tomorrow, so will post back HJT log when done these steps. Cheers.
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 17, 2006, 12:23:58 PM
I think you need to do the HijackThis! scan in normal mode, otherwise it won't show any malware processes that are running in normal mode but not in safe mode.

It can be more effective at removing malware entries in safe mode, but a log file needs to be done in normal mode.

In a user account, your brother won't be able to disable security programs or open executable files.

He may not be too happy if he can't install new programs, but this may be a better alternative to having the computer overwhelmed by malware again. You need to talk to him about this- maybe talk over the reasons why he's getting infected and make him promise to change his ways.
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 17, 2006, 12:44:00 PM
Frank- Cheers again! I know im probably repeating myself but is this course of action correct:
Download and update necessary programs- adaware, spybot, avg, a-squared + firewall.
Turn off system restore
Run avg rootkit scanner.(btw what does this do?)
Run programs in safe mode.
install firewall
post hjt log
When i post hjt should i post other scan results too?
I read on someone else who had similar problems that msn messenger is now stuffed and must be re-installed. Should i uninstall it prior to the above process(if correct). Also should i try and stop processes and tasks of strange looking things before doing this scan, (checking them with processlibrary 1st of course)
Sorry if im repeating myself and bugging u.

Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 17, 2006, 06:50:15 PM
No worries!

A rootkit scanner checks for malware (viruses, Trojans, spyware etc) that uses sophisticated techniques to hide from anti-virus and anti-spyware programs. If you find a process, dll, service etc that is detected as malware but cannot be removed, it may well be because a rootkit is hiding a Trojan or some spyware that is spawning that process, dll or service.

Another good rootkit detector I should recommend is BlackLight from F-Secure:

http://www.f-secure.com/blacklight/

Run it just to check nothing else nasty is hiding on the computer.

I would recommend leaving System Restore on: any malware in there is inactive, and if you do delete something that causes system problems, at least you can use System Restore. Of course, if you do a system restore, you also restore any viruses that were backed up, so you have to start cleaning again...

The order to proceed is otherwise spot on.

Yes, please post any scan results. We are obviously going to look for infections reported but not cleaned, in which case we will maybe recommend some special tools.

I reckon if MSN Messenger is infected, one of the programs you use will either clean it or break it. I don't really think it matters if you reinstall before or after cleaning, but it may well be a wise precaution as you have been informed.

I would suggest not trying to kill strange processes. You will probably find that some are protected anyway- when you try to kill them, something else starts them up again straight away. Other processes may be hidden inside legitimate processes, so you won't even notice them.

Some anti-malware programs are good at killing malware processes- AVG Anti-Spyware for example will search all processes in memory and kill any bad ones. Other programs will prompt you to reboot and delete files during reboot before they are loaded into memory.

If anything survives all the scans you are doing, it should show up in the HijackThis! scan, in which case we might ask you to manually stop,delete or fix something, but for the moment, let the scanners do their work.

Don't hesitate to ask if you have any more questions.

Good luck with the scans.
Title: HijackThis scan(s)
Post by: Spiritsongs on November 17, 2006, 06:57:21 PM
 :)  Hi "Pan" :

     HijackThis scans should ONLY be run in "normal" mode UNLESS it will NOT "run";
    as Frank shared, that program run in "Safe" mode will reveal little useful info .
Title: Re: HijackThis scan(s)
Post by: Lisandro on November 17, 2006, 09:11:28 PM
Quote
HijackThis scans should ONLY be run in "normal" mode UNLESS it will NOT "run"; as Frank shared, that program run in "Safe" mode will reveal little useful info .
So... sorry for my first post...

Quote
Will do the rootkit scan tomorrow and run all in safe mode. Do i do HJT in safe mode too?
It won't hurt...

Living and learning...
By the way, why won't it reveal useful info when run in Safe Mode?
Title: Re: MSN virus/several trojans help?!?
Post by: DavidR on November 17, 2006, 09:30:58 PM
Because that stuff might not be running in safe mode, so all those O4 run entries might be missing as might some of the O16 and O23 entries.

You can usually tell if it has been run in safe mode, it is very short.
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 18, 2006, 02:59:08 AM
You guys rock my world! ;D
Cheers spirit.
Frank- thanks heaps.
I'll run all that stuff today n let u know the results asap. thanks again guys.
(Btw- Bette Midlers- "You are the wind beneath my wings" popped into my head just now, id sing it to ya if i could  :D :D :D)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 18, 2006, 12:00:15 PM
Ok guys. Here's the contents of my hjt log. I tried to run all other scans in safe mode first, adaware and spybot both ran fine and deleted several things. But avg kept freezing during remove process and a-squared wouldn't even scan 1/4 of the way before freezing.
Did HJT in normal mode after rebooting, here tis.

Logfile of HijackThis v1.99.1
Scan saved at 9:52:03 PM, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Vet\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = kooee.com.au:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F82D1478-AE36-4DE0-B73C-A38F936797B9} - C:\Program Files\MSN\mefosy.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154473913093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34141AD9-4712-4869-ADB5-C19088CEA211}: NameServer = 203.12.160.35
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s8880ilue8q80.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

help!!! lol. cheerz guys.
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 18, 2006, 12:17:18 PM
You seem to be using an old version of Internet Explorer but your OS seems to be up to date.
Are you using any software firewall?
I can't find any harmful items... but I'm not an expert on hjt  :-[

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
But you don't have even avast installed... why don't you try to get help on AVG forums?  ::)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 18, 2006, 12:21:08 PM
I know. As i have stated earlier, we are trying to work through this first so i can put avast on. (I have it on my pc). I don't use AVG forums cause i hate their product and i posted there about 4 days ago n still no reply.
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 12:32:49 PM
You don't seem to be using a firewall. If you don't have a firewall up, the computer will get reinfected very easily. Any Trojan downloaders on your computer can download and install malware, and hackers can connect to your computer and install stuff at will.

From your log file, I notice several entries for SurfSideKick/DxcDirect (Deluxe Communications). The removal procedure for this first requires you to attempt to uninstall the program. I would like you to try steps 4 and 5 of this guide, and then post a new log so that we can advise you of any remaining entries to remove.

http://www.pchell.com/support/surfsidekick.shtml

You can run HijackThis! again and tick these entries, then have HijackThis! fix them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:// searchbar[dot]findthewebsiteyouneed[dot]com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// searchbar[dot]findthewebsiteyouneed[dot]com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:// searchbar[dot]findthewebsiteyouneed[dot]com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www[dot]findthewebsiteyouneed[dot]com

O2 - BHO: (no name) - {F82D1478-AE36-4DE0-B73C-A38F936797B9} - C:\Program Files\MSN\mefosy.dll (file missing)

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s8880ilue8q80.dll (file missing)

There is one entry I am very suspicious about:

O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe

Could you try to find the file windows_e58.exe? You may need to enable 'view hidden files':

http://www.bleepingcomputer.com/tutorials/tutorial62.html

If you can find the file, please submit it to VirusTotal for analysis. This should tell us if it is malware:

http://www.virustotal.com/en/indexf.html

Use the 'choose' then 'send' buttons.

EDIT: broke hyperlinks in HijackThis! entries.
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 18, 2006, 12:58:27 PM
Frank- I downloaded kerio firewall, am yet to install though.
The deluxe comms thing showed up in AVG anti-spy scan and this is where it got stuck and froze when trying to delete. (As i said a-squared wouldnt even complete scan.). I will do steps four and five as you asked- after this, should i follow the other instructions?
Oh btw, after i ran HJT n posted log, i realized i didnt do the geeks2go thing about alcan removal using BFU, so i went back and did this and it seemed to get rid of quite a few things.
Will be back out there again tomorrow, so will do as you requested and post new log.
Thanks again! ;D
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 01:14:09 PM
It's not a good idea to connect to the internet without a firewall, especially if you have a Trojan downloader- it may simply download again most of the malware you've spent so much time trying to remove!

By all means follow the other instructions if you feel confident doing this- look for any of the entries mentioned and fix them using HijackThis! When you post a new log we can check for any more.
Title: Re: MSN virus/several trojans help?!?
Post by: DavidR on November 18, 2006, 01:30:59 PM
As Frank said it isn't a good idea to connect to the internet without a firewall, I will take it a little further, it is like playing Russian roulette with an automatic, without protection the time to getting infected is counted in minutes not hours. A firewall is an absolutely essential part of your system security, without it you will fight an uphill and probably a losing battle to get your system clean.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential. Install the firewall now.
Title: Re: MSN virus/several trojans help?!?
Post by: essexboy on November 18, 2006, 01:54:51 PM
Quote
C:\\windows_e58.exe
  Latest version of the Alcan worm.  Removal tool and instructions can be found here  http://www.geekstogo.com/forum/How_to_stop_and_undo_the_effects_of_the_Alcra_aka_Alcan_Worm-t98929.html  it sometimes adds the pe386 rootkit
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 02:32:20 PM
OK. I thought it was something nasty! The alcanshorty.BFU script has a line to delete the file:

Quote
FileDelete c:\windows_e58.exe

This HijackThis! entry can be fixed:

O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
Title: Re: MSN virus/several trojans help?!?
Post by: essexboy on November 18, 2006, 03:56:19 PM
Hi Pandammonia if you wish I can clean you up, but there is a proviso.  If I do help you, you must follow my instructions only and (sorry guys 8)) ignore all other posts.  If you are happy with that then post another HJT and we will get started.   8)
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 04:06:10 PM
essexboy,

With respect, this forum doesn't work like that. Everybody is free to chime in with advice.

 >:(
Title: Re: MSN virus/several trojans help?!?
Post by: DavidR on November 18, 2006, 04:10:16 PM
If you want to help exclusively, then I suggest you do it at geekstogo as people here who have freely given their help and time unconditionally especially Frank would be rightly annoyed to think their help isn't wanted (sorry essexboy  8) ), but that is the way this forum works  8)
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 04:19:47 PM
Besides that I have already spent considerable time this morning looking at pandammonia's log and giving advice:

http://forum.avast.com/index.php?topic=24695.msg204450#msg204450

It seems to me she needs to try to uninstall SurfSideKick/DxcDirect from Add/Remove and we can't really give her any more advice until she comes back and tells us what happened and posts a new log.

If you have a problem with the advice I have given, you are free to post any criticisms and alternative advice.
Title: Re: MSN virus/several trojans help?!?
Post by: essexboy on November 18, 2006, 04:22:50 PM
No criticism intended just trying to help but sometimes conflicting advice can be confusing
Title: Re: MSN virus/several trojans help?!?
Post by: polonus on November 18, 2006, 04:57:04 PM
Hi essexboy and FwF,

Don't want to come into this, but can't you two see here why the PM functionality of this board is so severely missed? You would not have these situations. I'd always like to check on the right path to solve this in a PM whenever there is a slight difference of opinion, better for us, better for them. This is the way I have learned a lot. Alas the PM's have been taken away. Shame that always the good have to suffer with the bad,

polonus
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 05:44:41 PM
Quote
No criticism intended just trying to help but sometimes conflicting advice can be confusing

If you feel that way, there are other forums where you can offer help, as David said.

On this forum people wanting help will probably get advice from a number of people. The flip side of that is that everybody learns from the experience, including those trying to help. The advantages are that somebody will probably turn up with an answer, and what works will be passed to a large number of people who can then use the same advice to help themselves or others with a similar problem.
Title: Re: MSN virus/several trojans help?!?
Post by: essexboy on November 18, 2006, 07:14:07 PM
I retract my offer

Apologies to all concerned
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 18, 2006, 08:19:18 PM
@essexboy

Accepted.

I'm sure everybody here appreciates the advice you have given and looks forward to further contributions- I've seen at least one thread recently where we'd've been stuck without your help.

@pandammonia

I found another removal guide here specifically for DeluxeCommunications. (Exactly the same company as SurfSideKick, just rebranded.)

The instructions are the same but with some illustrations which might help and a registry fix file which you should run if you find you have DeluxeCommunications.

http://www.bleepingcomputer.com/forums/topic66364.html
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 08:59:52 AM
Umm, sorry! Didnt mean to cause tension. ???
I have put Kerio firewall on but now i cant download the FixDxc.Reg from bleeping computer for some reason? Will do the other stuff now, and post new HJT. (Should i b connected to net when running HJT?)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 09:20:18 AM
Frank- Also just tried to do steps 4 & 5 as you suggested but its not in my program list and when i do the run option it tells me that it cant find them, make sure drive is connected properly, or they've been moved.
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 09:35:26 AM
You don't need to be connected while running HijackThis!

It looks like you'll have to remove SurfSideKick/DxcDirect with HijackThis!

When you post the log I'll check it again and let you know which entries to fix.
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 10:34:35 AM
Ok. The link you provided for FixDxc.reg took me to a white page with writing on it, (lotsa HKLM stuff). Did a HJT and fixed anything referring to dxc, i got an error message while trying to fix one of the 020- AppInit DLLs. And yeah kerio is a bit strange to me, is it possible installing while infected has done something wrong?
Anyway, here's HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 8:25:52 PM, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Vet\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = kooee.com.au:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154473913093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34141AD9-4712-4869-ADB5-C19088CEA211}: NameServer = 203.12.160.35
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Title: Re: MSN virus/several trojans help?!?
Post by: essexboy on November 19, 2006, 11:03:54 AM
Quote
Umm, sorry! Didnt mean to cause tension. ???
I have put Kerio firewall on but now i cant download the FixDxc.Reg from bleeping computer for some reason? Will do the other stuff now, and post new HJT. (Should i b connected to net when running HJT?)

No tension just clarification  :D
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 11:11:59 AM
Frank- Finally got the FixDxc.reg thing to work and it seems to have gotten rid of that! ;D ;D.
Heres a new HJT log. Also, have noticed in MyComputer alot of strange files laying around in blue as opposed to black txt, why is this?
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 11:17:48 AM
Quote
Heres a new HJT log.

Where's the new log?  ???
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 11:21:09 AM
Lol. Ooops! My bad!
Its here...

Logfile of HijackThis v1.99.1
Scan saved at 9:06:51 PM, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Vet\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = kooee.com.au:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154473913093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34141AD9-4712-4869-ADB5-C19088CEA211}: NameServer = 203.12.160.35
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 11:34:46 AM
Yep, looks like DxcDirect has gone!

I suggest you try a scan with AVG Anti-Spyware again. Hopefully it should complete the scan now.

Could you possibly post a screen shot of the strange blue files?

If you now want to uninstall AVG and install avast!, I'd recommend a registry scan with the trial version of TuneUp utilities after uninstalling AVG and before installing avast!

http://www.tune-up.com/

Here's a simple guide to using Kerio in advanced mode:

http://www.geocities.com/dontsurfinthenude/kerio_setup.htm

You need to update Sun Java and check in Add/Remove programs and remove all older versions because they can be a security risk.

http://www.java.com/en/download/index.jsp
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 11:37:35 AM
I've just noticed you also seem to have CA AntiVirus installed as well as AVG. Two AV's on the same system is not a good idea: they will fight over files like two dogs over a bone and this can lead to system instability.
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 12:10:01 PM
Heres screenshot 1.
(http://img139.imageshack.us/img139/656/screenshot1kk6.jpg)
Updated Java, am going to do the av switch now. My brother doesnt know anything about this CA anti virus, and i have never seen anything to do with it on here either. Will remove it too!?!
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 12:15:47 PM
Cant find CA antivirus but found VET antivirus! Heres another screenshot too.
(http://img155.imageshack.us/img155/8404/20061119221341xh3.jpg) (http://imageshack.us)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 03:06:01 PM
I noticed too, his hjt logs show nothing about firefox, as this is the only browser he uses, is this ok?
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 04:22:15 PM
VET seems to be the name for CA down under:

http://www.vet.com.au/html/software/index.html

Maybe it's something which came with the computer and expired, or something a previous user installed? Anyway, it needs to be uninstalled.

The mysterious blue files are system or program files which are normally hidden to prevent the user deleting anything critical. I think I asked you to enable 'view hidden files' in order to look for a malware file, as these often hide themselves like this. Hidden files are normally legitimate though- the ones in your screen shots are all normal. You can hide them again by opening an explorer window (eg My Documents), going to:

Tools>Folder Options>View and clicking the 'Do not show hidden files and folders' button.

HijackThis! has a lot of sections dedicated to IE because it gets hijacked a lot:

R0, R1, R2, R3, O2, O3, O5, O6, O8, O9, O11, O12, O13, O15, O16 are all for IE.

Firefox may show up in N1-N4.

As HijackThis! shows applications which run at startup, you won't see Firefox as a program unless it's running while you do the scan.
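
Added example (not part of the thread, and not HijackThis's own code): a Python sketch of the before/after log comparison used earlier to confirm that DxcDirect had gone, tagging each changed entry with the IE/Firefox section grouping listed in this reply. The log excerpts are shortened from the two logs posted in the thread; the function names are assumptions of this example.

```python
import re

# An entry line is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [x] y".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Section grouping exactly as listed in the reply above.
IE_SECTIONS = {"R0", "R1", "R2", "R3", "O2", "O3", "O5", "O6", "O8", "O9",
               "O11", "O12", "O13", "O15", "O16"}
FIREFOX_SECTIONS = {"N1", "N2", "N3", "N4"}

# Shortened excerpts of the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:25:52 PM, on 19/11/2006

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = kooee.com.au:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:06:51 PM, on 19/11/2006

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = kooee.com.au:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


def parse_log(text):
    """Return the entry lines of a HijackThis log as (section, details) pairs."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def scope(section):
    """Map a section code to the browser it concerns, per the list above."""
    if section in IE_SECTIONS:
        return "IE"
    if section in FIREFOX_SECTIONS:
        return "Firefox"
    return "other"


def diff_logs(before, after):
    """Entries present only in the first log (removed) or only in the second (added)."""
    old, new = parse_log(before), parse_log(after)
    removed = [entry for entry in old if entry not in new]
    added = [entry for entry in new if entry not in old]
    return removed, added


def file_missing(text):
    """Entries HijackThis marked '(file missing)': leftovers worth reviewing."""
    return [e for e in parse_log(text) if e[1].rstrip().endswith("(file missing)")]


def report(before, after):
    """One line per changed entry: '-' removed, '+' added, with its scope."""
    removed, added = diff_logs(before, after)
    lines = []
    for tag, group in (("-", removed), ("+", added)):
        for section, details in group:
            lines.append(f"{tag} [{scope(section):7}] {section} - {details}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_BEFORE, LOG_AFTER)))
    for section, details in file_missing(LOG_AFTER):
        print(f"file missing: {section} - {details}")
```

An empty "added" list matters as much as the removals: a new Run or AppInit_DLLs entry appearing between two scans would point to reinfection rather than cleanup.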

Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 04:25:40 PM
Actually there is a hidden file in C: that looks suspicious:

installer5.exe

Before you hide them again, I would send this to VirusTotal: if it's detected as malware, make sure you delete it!
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 04:42:21 PM
SWeet! Thanks soo much frank. And everybody else, essexboy ur advice re alcan wrm worked a treat too. Will check out this installer5.exe as u said. Will remove CA/ VET as well, and put avast on, (downloaded n ready to install ;D). Will also run other scans again to be sure, but you think he's clean?
Also, when re-booting, i have to manually start his Kerio, is this normal? Am only using basic mode, and cant find the button to change to advanced.
Once again, thanks soooo much! ;D
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 19, 2006, 04:53:44 PM
I had to ditch Kerio for the same reason: it worked fine for a year then one day just wouldn't start on its own. I had the paid version and Sunbelt support couldn't help me. You might be better off switching to Zone Alarm, which is what I did.

If you still want to find advanced mode, I describe how to activate it here:

http://forum.avast.com/index.php?topic=11943.msg100976#msg100976
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 19, 2006, 05:02:30 PM
Cool. Will take your advice and switch to zone alarm instead. Will have to do it later because yet again its 3am here. Thank you soooo much for your help.. will let you know how it all goes. 8) ;D
Title: Limewire
Post by: Spiritsongs on November 19, 2006, 09:10:55 PM
 :)  Hi "Pan" :

     Your screen shot showed "Limewire", which is a P2P program; having programs
     like that on a computer increases the risk of getting "bad stuff", like trojans.

     Would be better "replacing" it with the safer and "cleaner" Shareaza
     from www.shareaza.com .
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 20, 2006, 12:30:43 AM
Hey spirit- Thanks for heads-up! I use Shareaza on my pc, and have already planned ditching limewire and putting shareaza on his pc instead. I don't know how much cleaner it is (lol) but i've never been infected by it, caught a few beforehand though, but i much prefer shareaza, better program, and Aussie made!
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 20, 2006, 04:16:53 AM
Hey i scanned installer5.exe at virustotal. Only prevx1 found it as a virus, it called it Spyware.Free.Serials.Hijacker. Is this anything to worry about?
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 20, 2006, 09:56:51 AM
Quote
Hey i scanned installer5.exe at virustotal. Only prevx1 found it as a virus, it called it Spyware.Free.Serials.Hijacker. Is this anything to worry about?

It looks like an installation file. It would be dangerous to click on, because it would install some spyware. Just sitting there it is not harmful. exe files like this downloaded from websites, messenger programs , P2P networks etc can be very dangerous if opened. Make sure you delete it , and also have a quick look for any suspicious exe files lying around. If you find any, check the name on Google or send them to VirusTotal.
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 20, 2006, 12:30:47 PM
Quote
Hey i scanned installer5.exe at virustotal. Only prevx1 found it as a virus, it called it Spyware.Free.Serials.Hijacker. Is this anything to worry about?

To be sure, the best will be to test the file against on-line scanners. Submit the file to:
Virustotal (http://www.virustotal.com/en/indexf.html)
Jotti (http://virusscan.jotti.org/)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 20, 2006, 02:16:47 PM
Cool, will remove it though. Theres also some strange files n folders laying around i think might have come with virus too (ie empty folder 'bintheredunthat'), that i shall also check n delete. Other than that i think he's clean now, everythings working gr8 so far. I switched Kerio for Zone Alarm, which i find much better and will now be putting on my pc too. AVAST! is on, updated and happy! Having so much trouble getting CA/VET AV off, it fails through its own uninstallation process, but they dont seem to be clashing, any removal hints?
Can't thank you all enough, especially u frank  ;D .
THANK U THANK U THANK U
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 20, 2006, 05:03:08 PM
You're welcome!

I think you should try and remove VET because there are two running processes and services which at the very least are taking up system resources. At the worst they may clash with avast! and cause instability.

I tracked down a manual removal guide for CA eTrust EZ anti-virus (which I think is the same as VET in Australia).

Basically it involves deleting the software and services registry keys- then rebooting the computer.

There are instructions for backing up the registry before you begin and some screen shots to help you.

Click on the eTrust link on this page:

http://virusthreatcenter.com/permalink.aspx?BlogId=92
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 20, 2006, 05:17:48 PM
Here are some instructions for older versions- they come from the same site and were quoted in an Experts Exchange thread. Looks like they've been removed from the CA eTrust site, but they may apply to you if you have an older version sitting on the computer. You'll need to check which registry entries exist on your computer.

Quote
"VERSION 6.0

Note: For security reasons, the following key and program file group are not deleted after the uninstall of version 6.0.

You may delete these manually:
     HKEY_CURRENT_USER\Software\ComputerAssociates\InoculateIT
     C:\Program Files\CA


If you did not uninstall via the Add and Remove programs menu, please follow the instructions below:
Delete Registry Keys:
Go to Start - Run - and type in regedit.
Hit Enter. (Click the + signs where you are instructed to "scroll").
In the Registry editor, scroll to:

          + HKEY_LOCAL_MACHINE
          + SOFTWARE
          + ComputerAssociates
          + InoculateIT

     Once you have scrolled to HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT Click EDIT (at the top of the screen) and Select Delete.

     Repeat these steps for the following keys:

          HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\ScanEngine
          HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\CA-InstalledITProducts
          HKEY_CURRENT_USER\Software\ComputerAssociates\InoculateIT


Remove Files and Directory: C:\Program Files\CA\…
Go to My Computer
Open the C: drive (or which ever drive on which you installed the program.)
Open the Program Files folder (click "show files" to view the files in that folder.)
Open the CA folder.
Open the eTrust EZ Armor folder.
Highlight the eTrust EZ Antivirus folder and click delete.
Highlight the ScanEngine folder and click delete.
Make sure you delete those folders from the recycle bin as well.

 

VERSION 6.1

Delete Registry Key:
Go to Start - Run - and type in regedit.
Hit Enter. (Click the + signs where you are instructed to "scroll").
In the Registry editor, scroll to:

          + HKEY_LOCAL_MACHINE
          + SOFTWARE
          + ComputerAssociates
          + Anti-Virus

Once you have scrolled to HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\Anti-Virus Click EDIT (at the top of the screen) and Select Delete.

Remove Files and Directory: C:\Program Files\Computer Associates\eTrust EZ Antivirus
Go to My Computer
Open the C: drive (or which ever drive on which you installed the program.)
Open the Program Files folder (click "show files" to view the files in that folder.)
Open the CA folder.
Highlight the eTrust EZ Antivirus folder and click delete.
Make sure you delete the folder from the recycle bin as well.

http://www.experts-exchange.com/Miscellaneous/Q_21919042.html?qid=21919042

(Registration required.)
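
The check suggested above ("which registry entries exist on your computer"), as an added example that is not part of the quoted CA instructions or of any post in this thread. The key and folder paths are the ones listed in the quote; the backup folder and the -Remove switch are assumptions of this sketch.

```powershell
# Added example: report which of the keys/folders named in the quoted
# instructions exist; with -Remove, back each key up, then delete it.
# Run from an elevated prompt; HKLM keys cannot be removed otherwise.
param(
    [string]$BackupDir = "$env:USERPROFILE\ca-registry-backup",  # assumed location
    [switch]$Remove                                              # default: report only
)

$keys = @(
    'HKLM:\SOFTWARE\ComputerAssociates\InoculateIT',             # version 6.0
    'HKLM:\SOFTWARE\ComputerAssociates\ScanEngine',              # version 6.0
    'HKLM:\SOFTWARE\ComputerAssociates\CA-InstalledITProducts',  # version 6.0
    'HKCU:\Software\ComputerAssociates\InoculateIT',             # version 6.0
    'HKLM:\SOFTWARE\ComputerAssociates\Anti-Virus'               # version 6.1
)
$folders = @(
    'C:\Program Files\CA',
    'C:\Program Files\Computer Associates\eTrust EZ Antivirus'
)

if ($Remove) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }

$i = 0
foreach ($key in $keys) {
    $i++
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "absent : $key"
        continue
    }
    Write-Output "present: $key"
    if (-not $Remove) { continue }

    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $key -replace '^(HK[A-Z]+):\\', '$1\'
    $backup  = Join-Path $BackupDir "key$i.reg"
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "backup failed, leaving key in place: $key"
        continue
    }
    Remove-Item -LiteralPath $key -Recurse -Force
    Write-Output "removed: $key (backup: $backup)"
}

# Folders are only reported; delete them by hand as the quoted steps describe.
foreach ($folder in $folders) {
    $state = if (Test-Path -LiteralPath $folder) { 'present' } else { 'absent ' }
    Write-Output "${state}: $folder"
}
```

Run it once without -Remove to see what is actually on the machine; a key deleted with -Remove can be restored by importing its .reg file from the backup folder.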
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 21, 2006, 01:37:29 AM
I looked on the VET website and they provide removal tips for every other anti virus but theirs, thanks for finding removal instructions, will do it asap. Also, what exceptions do I need to allow for avast using ZoneAlarm, so it will update, etc? Also, do you know if microsoft/windows updates get through or do I need exceptions for that too?
Title: Re: MSN virus/several trojans help?!?
Post by: oldman on November 21, 2006, 02:07:03 AM
Also, what exceptions do I need to allow for avast using ZoneAlarm, so it will update, etc?

avast.setup, ashMaiSv.exe (avast! mail scanner) and ashWebSv.exe (avast! web shield).
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 21, 2006, 02:13:57 AM
Also, do you know if microsoft/windows updates get through or do I need exceptions for that too?
The majority of Microsoft updates do not require 'exceptions' (it's better to say that they do not need to be allowed to connect).
Some of them are small executable files that start a full set of files in order to update your computer. In this case, this specific executable needs to be allowed to connect ;)
Title: Re: MSN virus/several trojans help?!?
Post by: pandammonia on November 21, 2006, 02:16:48 AM
Cheers oldman! :D
Thanks tech - so I don't add exceptions for microsoft, just let it go if it comes up asking?!?
Title: Re: MSN virus/several trojans help?!?
Post by: Lisandro on November 21, 2006, 02:40:06 AM
Thanks tech - so I don't add exceptions for microsoft, just let it go if it comes up asking?!?
Yes... wait for the update to ask to connect 8)
Title: Re: MSN virus/several trojans help?!?
Post by: FreewheelinFrank on November 21, 2006, 10:28:06 AM
Allow connections for trusted programs. (Allow trusted programs to access the internet.)

The term exceptions is used in Windows firewall to mean incoming connections.

Kerio calls these attempts from outside to connect to your computer incoming connection alert. (Red Warning). Zone Alarm warns that a program is trying to act as a server. (Blue warning.)

Quote
Server Alerts
You may receive some alerts asking you if a certain program should act as a server and be given "server rights". Under most circumstances, you do not want to give a program "server rights" unless you want to allow outside connections to access that specific program.

Quote
The safest approach is to deny "server rights" to any program (unless you are running a Web site from your computer for instance).

http://www.zonelabs.com/store/content/support/zasc/faqs.jsp?dc=12bms&ctry=US&lang=en&lid=zasupp_i#13

http://www.zonelabs.com/store/content/support/zasc/gettingStarted.jsp?anchor=alerts&lid=zasupp_u