Win32:Trojan-gen (other and UPX!)

[dante1]

I posted a message here last night and do not see it here on the forum so I'm trying again.  After running the scan, Avast! said the 2 viruses above were found in wingua,exe ( the UPX version) and in and mserv.exe (the Other one).  My homepage is constantly being hijacked by something called easy-search.com and Google, Yahoo, and MSN.com all have been taken over by something called Premium Searches.
The files and their embedded viruses have been put in the Virus Chest.  Is there any advice on how to clean the files and get my homepage and Google, etc. back?
Thanks.

[raman]

Please post a hijackthis log: Download the file here: http://www.tomcoyote.org/hjt/  then unzip the file and double click on the "HijackThis" icon. When finished loading click on the "Scan button".
Next click on the "Save Log" button. Save the log somewhere you will remember and open the log file with notepad. Then copy the contents and paste them in a reply to be checked.

[dante1]

Raman-
  Thanks for replying  so quickly.  Here is the log file you requested from HijackThis.   I look forward to your reply.

Logfile of HijackThis v1.97.7
Scan saved at 8:44:49 AM, on 12/8/2003
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://66.98.142.163
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easy-search.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.98.142.163/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O1 - Hosts: 66.98.142.163 auto.search.msn.com
O1 - Hosts: 66.98.142.163 search.msn.com
O1 - Hosts: 66.98.142.163 msn.com
O1 - Hosts: 66.98.142.163 www.msn.com
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O1 - Hosts: 66.98.142.163 www.thehun.com
O1 - Hosts: 66.98.142.163 thehun.net
O1 - Hosts: 66.98.142.163 www.thehun.net
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Jeff Davis\Application Data\winlink\winlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37960.7453472222
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx

[raman]

There are several things you have to do. Let Hijackthis fix every "O1 - Hosts" line , restart and read this carefully: http://www.merijn.org/cwschronicles.html#cwshredder

After using the Cleaner and after a restart,  please post a second Hijackthis log to see if everything is clean now.

All Browserwindows has to be closed if using the cleaner.

[dante1]

I followed your instructions.  The 2nd log is below.  Also, after restart, I opened IE and it went to easy-search and was notified while the page was loading that I had another virus in 2 more files;
Win32 Jeet (Tr) in msdos.exe and out32c.exe.
I went to Windows update and downloaded all security patches and used the CWS Shredder.  This log is after all these actions...
Do we need to do something with the R1 entries??
Thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 2:16:03 PM, on 12/8/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37960.7453472222
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx

[raman]

Looks great. Some little things to fix and everything should be fine:

Everything under R1 and R3
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

[dante1]

Thanks for your reply.
When you say 'everything under R1 and R3' and then list the 4 '04' entries, do you mean I should delete them??  I assume you do but I will wait for your confirmation.
Also, what about the other virus, Win32 Jeep, and the 4 files that are in the Virus Chest affected by Jeep and the Win32 Trojan Other and UPX!?  Just leave them there or can they be fixed?  

[raman]

You do not need to delete the "04", but they aren´t nessessary. About the files in the chest, you can delete them, but they are not dangerous anymore.

[dante1]

Thanks very much for your help, you saved me a lot of aggravation.