Author Topic: help...me...  (Read 10764 times)


Friedrich

  • Guest
Re:help...me...
« Reply #15 on: September 14, 2004, 06:14:08 PM »
Hello people... I am very sorry, but I have been fighting this for two days.
First of all, I picked up everything that Eddy said, but I still don't know what process I should terminate in safe mode.

Second, I am constantly attacked by various viruses; now a new one is Trojan (gen) and some JS, and today a new one. Well, I have a problem with Ad-Aware.
Every time I do a scan I delete some possible browser hijack, and when I delete it, it appears again every time I start up my computer.
Here is that new virus I told you about: Win32:Opas-a-fSG (Wrm).
What is that?

What should I post here that you said? I could just write you the names of the browser hijacker... it's some http: easy-biz.com. That's on Ad-Aware.

Just tell me what process I have to turn off. I enter safe mode, I disable monitoring, I do everything, but I don't know which is the harmful process.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89348
  • No support PMs thanks
Re:help...me...
« Reply #16 on: September 14, 2004, 07:34:15 PM »
Please do as many people have asked: run HijackThis, save the log file and attach it to a post here as a text file (.txt). If you have trouble doing this, then cut and paste the log file text into the post.

People want to help, but you need to help them to help you and the information contained in the hijackthis log file will do that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

terrybuda

  • Guest
Re:help...me...
« Reply #17 on: September 15, 2004, 02:51:18 PM »
I am getting ready to troubleshoot a machine with Trojano 302 too. I will follow the steps that Eddy has outlined above. Is there any cure for this virus which can be run from within Avast?

Friedrich

  • Guest
Re:help...me...
« Reply #18 on: September 15, 2004, 04:28:37 PM »
Here it goes...


Logfile of HijackThis v1.98.2
Scan saved at 16:20:55, on 9/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ipiz.exe
C:\WINDOWS\System32\windows\services.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\System32\ir.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Marija i Zeljko\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\runwin32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE9E16-856A-3121-F94B-0D522A4EABA7} - C:\WINDOWS\ippe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipiz.exe] C:\WINDOWS\ipiz.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunOnce: [addtj.exe] C:\WINDOWS\addtj.exe
O4 - HKLM\..\RunOnce: [ipru.exe] C:\WINDOWS\ipru.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E1B5B0-3B85-4A70-A67D-D0F6CB180AB6}: NameServer = 212.62.32.1 212.62.32.5


Friedrich

  • Guest
Re:help...me...
« Reply #19 on: September 15, 2004, 04:30:10 PM »
I couldn't have done better... sorry for the spacing...
I think that you won't mind me...

whocares

  • Guest
Re:help...me...
« Reply #20 on: September 15, 2004, 05:11:12 PM »
Hi Friedrich,

Here's an analysis:
http://hijackthis.de/logfiles/0d72307b76583fde40324a701e711c68.html
(CAUTION: false positives are quite possible.)

But anyway, your system is loaded with baddies.
-> If you in any way value the security of your system or data, you should flatten the system and reinstall Windows; then apply XP SP2 OFFLINE, before ever connecting to the internet.


If you don't want to do this:
FIRST: move/unpack HIJACKTHIS.exe into a new empty folder of its own, or you might lose all its backups!

- disable System Restore
- reboot to Safe Mode
- check & fix everything in HijackThis that's marked RED in the above analysis; ditto all yellow entries in O2, O15 & O16
- reboot in Safe Mode
- scan and fix several times with Ad-Aware, Spybot & CWShredder
- reboot normally
- scan all files belonging to items flagged yellow with TREND, RAV & KAV and report findings here, and/or fix them yourself
 ;)

Oh, and activate XP's built-in firewall, and read the link "VirusRemoval" below in my sig, especially
- the BACKDOOR section and on
- how to secure your system better ;)
« Last Edit: September 15, 2004, 05:18:35 PM by whocares »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89348
  • No support PMs thanks
Re:help...me...
« Reply #21 on: September 15, 2004, 05:18:20 PM »
All of these are redirecting stuff to easy-search.biz; unless this is your intention, you should tick the boxes in HijackThis and then click Fix Checked (these could be taking you to some dubious sites where infection is more likely). The last one, about:blank, could be valid, but the bit about 'HomeOldSP = about:blank' seems strange.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

You are also running a lot of programs at startup (the Run entries); check and confirm that they are valid and need to run at startup.

Check all the Run entries (the .exe filenames) that are not familiar; use Google to search. I have just checked these three that are suspect, with a link to an information page below each (returned from the Google search).

O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
http://www.techsupportforum.com/showthread.php?t=13944
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html This one could be passing/stealing your passwords, so you should change them all when you finally get rid of these.
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
This is also suspect.

There really are too many to deal with all at once; you should deal with these and run HijackThis again, using Eddy's analysis program http://members.home.nl/edeijl/download/hjt5.005.exe

This should get you started, but your computer is seriously compromised.

Edit: whocares beat me to it by a few minutes whilst I was searching using Google; his overall analysis is correct and you may need to consider a format and clean install.
« Last Edit: September 15, 2004, 05:27:10 PM by DavidR »
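The two replies above (whocares' list of what to fix in Safe Mode, and DavidR's walk through the R0/R1 redirections and the unfamiliar Run entries) are doing the same triage by eye. The script below is an added example, not code from the thread or from HijackThis, that applies those same checks mechanically to a log in this format: running processes and O4 autostarts whose executable sits directly under %WINDIR% or System32 without being a known component, known system process names (services.exe) launched from the wrong directory, R0/R1 settings that point at a non-default host, a res:// DLL resource, or a forced local proxy, unnamed BHOs, every Trusted Zone addition, and O16 ActiveX controls with no source or an unexpected source. The allowlists (KNOWN_LOCATION, EXPECTED_IE_HOSTS, KNOWN_DPF_HOSTS) are assumptions for illustration, not something the posts state; the sample log is a constructed subset of the log posted in this thread.

```python
"""Triage a HijackThis-style log: flag hijacked IE settings, autostarts and
processes living where they should not, Trusted Zone and ActiveX entries."""
import re
from collections import namedtuple

WINDIR = "c:\\windows"
SYS32 = WINDIR + "\\system32"

# Illustrative allowlists (assumptions, not taken from the thread): where known
# components on this XP box are expected to live, and which hosts IE and the
# Yahoo chat controls legitimately use. Tune them for the machine under review.
KNOWN_LOCATION = {
    "smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32, "lsass.exe": SYS32,
    "svchost.exe": SYS32, "spoolsv.exe": SYS32, "ctfmon.exe": SYS32, "wuauclt.exe": SYS32,
    "ati2evxx.exe": SYS32, "carpserv.exe": SYS32, "nerocheck.exe": SYS32,
    "explorer.exe": WINDIR, "soundman.exe": WINDIR,
}
EXPECTED_IE_HOSTS = {"www.microsoft.com", "search.msn.com", "home.microsoft.com"}
KNOWN_DPF_HOSTS = {"us.chat1.yimg.com", "chat.yahoo.com"}

# Constructed sample: a subset of the log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ipiz.exe
C:\WINDOWS\System32\windows\services.exe
C:\WINDOWS\System32\twink64.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE9E16-856A-3121-F94B-0D522A4EABA7} - C:\WINDOWS\ippe.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ipiz.exe] C:\WINDOWS\ipiz.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\RunOnce: [addtj.exe] C:\WINDOWS\addtj.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111113457} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
"""

Finding = namedtuple("Finding", "line reason")


def split_path(path):
    """(directory, basename), lowercased; directory is '' for a bare name."""
    d, _, base = path.strip().strip('"').lower().rpartition("\\")
    return d, base


def check_executable(path):
    """Why an executable path looks wrong, or None if it looks normal."""
    d, base = split_path(path)
    if not d:
        return None  # bare name resolved via PATH: location cannot be judged
    if base in KNOWN_LOCATION and d != KNOWN_LOCATION[base]:
        return f"known component name {base} running from {d} instead of {KNOWN_LOCATION[base]}"
    if d.startswith(WINDIR) and base not in KNOWN_LOCATION:
        return f"unknown executable {base} placed under %WINDIR% ({d})"
    return None


def host_of(text):
    m = re.search(r"https?://([^\s/]+)", text, re.I)
    return m.group(1).lower() if m else None


def analyse(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"^[a-z]:\\", line, re.I):  # running-process line
            if why := check_executable(line):
                findings.append(Finding(line, "running process: " + why))
            continue
        m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1"):
            if "res://" in body:
                findings.append(Finding(line, "IE search/start setting served from a local DLL resource"))
            elif "ProxyServer" in body:
                findings.append(Finding(line, "IE proxy forced through a local port (traffic can be intercepted)"))
            elif (h := host_of(body)) and h not in EXPECTED_IE_HOSTS:
                findings.append(Finding(line, f"IE start/search setting redirected to {h}"))
        elif kind == "O2" and "(no name)" in body:
            findings.append(Finding(line, "Browser Helper Object with no name"))
        elif kind == "O4":
            cmd = re.search(r"\]\s*(.*?\.exe)", body, re.I)  # command after the [name]
            if cmd and (why := check_executable(cmd.group(1))):
                key = "RunOnce" if "RunOnce" in body else "Run"
                findings.append(Finding(line, f"{key} autostart: {why}"))
        elif kind == "O15":
            findings.append(Finding(line, "site added to IE Trusted Zone (security checks relaxed)"))
        elif kind == "O16":
            h = host_of(body)
            if h is None:
                findings.append(Finding(line, "ActiveX (DPF) entry with no name and no source URL"))
            elif h not in KNOWN_DPF_HOSTS:
                findings.append(Finding(line, f"ActiveX control downloaded from {h}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents. The location checks are the part worth keeping: a process named services.exe under System32\windows\, or any .exe dropped straight into C:\WINDOWS that no installed product accounts for, is exactly what the replies above tell the poster to look up one by one, and the script only narrows the list; a name that is not on the allowlist still needs a manual check before fixing or deleting it.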

whocares

  • Guest
Re:help...me...
« Reply #22 on: September 15, 2004, 05:24:39 PM »
Oh, and:
O16 - DPF ... nethv32_EN_XP.cab -> RiskWare.Dialer.E-Group.d

--> If you still have a (dial-up) modem in the PC,
archive "nethv32_EN_XP.cab" and the respective registry entries, to perhaps complain about your next phone bill ;)