Author Topic: MSN virus/several trojans help?!?  (Read 36888 times)


Offline Lisandro

Re: MSN virus/several trojans help?!?
« Reply #15 on: November 17, 2006, 11:56:39 AM »
Frank - Thanks for the prompt reply. (That's why I use avast forums rather than others, so quick on the ball.)
Well... it will be better to use both the antivirus and the avast forum  ;)

I'm not too sure as to why AVG didn't catch it as it came in. It is possible he disabled it manually; he does stupid stuff like that. He just doesn't read things properly before he clicks.
So... ;D ;D ;D

Is a-squared the old name for AVG anti-spyware/ewido?
No. They're different products. Ewido was bought by Grisoft (AVG), not a-squared.

Will do the rootkit scan tomorrow and run all in safe mode. Do I do HJT in safe mode too?
It won't hurt...
The best things in life are free.

pandammonia

Re: MSN virus/several trojans help?!?
« Reply #16 on: November 17, 2006, 12:13:56 PM »
Thanks again tech!
I know I can't wait to put avast on it. As Frank said too though, I'd rather do that once it's all clean just so nothing interferes. Will be doing all this tomorrow, so will post back the HJT log when done with these steps. Cheers.

Offline FreewheelinFrank

Re: MSN virus/several trojans help?!?
« Reply #17 on: November 17, 2006, 12:23:58 PM »
I think you need to do the HijackThis! scan in normal mode, otherwise it won't show any malware processes that are running in normal mode but not in safe mode.

It can be more effective at removing malware entries in safe mode, but a log file needs to be done in normal mode.

In a user account, your brother won't be able to disable security programs or open executable files.

He may not be too happy if he can't install new programs, but this may be a better alternative to having the computer overwhelmed by malware again. You need to talk to him about this- maybe talk over the reasons why he's getting infected and make him promise to change his ways.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

pandammonia

Re: MSN virus/several trojans help?!?
« Reply #18 on: November 17, 2006, 12:44:00 PM »
Frank - Cheers again! I know I'm probably repeating myself, but is this course of action correct:
Download and update necessary programs - Ad-Aware, Spybot, AVG, a-squared + firewall.
Turn off System Restore.
Run AVG rootkit scanner. (Btw, what does this do?)
Run programs in safe mode.
Install firewall.
Post HJT log.
When I post the HJT log, should I post other scan results too?
I read from someone else who had similar problems that MSN Messenger is now stuffed and must be re-installed. Should I uninstall it prior to the above process (if correct)? Also, should I try and stop processes and tasks of strange-looking things before doing this scan (checking them with processlibrary first, of course)?
Sorry if I'm repeating myself and bugging you.


Offline FreewheelinFrank

Re: MSN virus/several trojans help?!?
« Reply #19 on: November 17, 2006, 06:50:15 PM »
No worries!

A rootkit scanner checks for malware (viruses, Trojans, spyware etc) that uses sophisticated techniques to hide from anti-virus and anti-spyware programs. If you find a process, dll, service etc that is detected as malware but cannot be removed, it may well be because a rootkit is hiding a Trojan or some spyware that is spawning that process, dll or service.

Another good rootkit detector I should recommend is BlackLight from F-Secure:

http://www.f-secure.com/blacklight/

Run it just to check nothing else nasty is hiding on the computer.

I would recommend leaving System Restore on: any malware in there is inactive, and if you do delete something that causes system problems, at least you can use System Restore. Of course, if you do a system restore, you also restore any viruses that were backed up, so you have to start cleaning again...

The order to proceed is otherwise spot on.

Yes, please post any scan results. We are obviously going to look for infections reported but not cleaned, in which case we will maybe recommend some special tools.

I reckon if MSN Messenger is infected, one of the programs you use will either clean it or break it. I don't really think it matters if you reinstall before or after cleaning, but it may well be a wise precaution as you have been informed.

I would suggest not trying to kill strange processes. You will probably find that some are protected anyway- when you try to kill them, something else starts them up again straight away. Other processes may be hidden inside legitimate processes, so you won't even notice them.

Some anti-malware programs are good at killing malware processes- AVG Anti-Spyware for example will search all processes in memory and kill any bad ones. Other programs will prompt you to reboot and delete files during reboot before they are loaded into memory.

If anything survives all the scans you are doing, it should show up in the HijackThis! scan, in which case we might ask you to manually stop, delete or fix something, but for the moment, let the scanners do their work.

Don't hesitate to ask if you have any more questions.

Good luck with the scans.

Spiritsongs

HijackThis scan(s)
« Reply #20 on: November 17, 2006, 06:57:21 PM »
:) Hi "Pan":

HijackThis scans should ONLY be run in "normal" mode UNLESS it will NOT "run"; as Frank shared, that program run in "Safe" mode will reveal little useful info.

Offline Lisandro

Re: HijackThis scan(s)
« Reply #21 on: November 17, 2006, 09:11:28 PM »
HijackThis scans should ONLY be run in "normal" mode UNLESS it will NOT "run"; as Frank shared, that program run in "Safe" mode will reveal little useful info.
So... sorry for my first post...

Will do the rootkit scan tomorrow and run all in safe mode. Do I do HJT in safe mode too?
It won't hurt...

Living and learning...
By the way, why won't it reveal useful info when run in Safe Mode?

Offline DavidR

Re: MSN virus/several trojans help?!?
« Reply #22 on: November 17, 2006, 09:30:58 PM »
Because that stuff might not be running in safe mode, so all those O4 run entries might be missing, as might some of the O16 and O23 entries.

You can usually tell if it has been run in safe mode: it is very short.
« Last Edit: November 17, 2006, 09:32:50 PM by DavidR »

pandammonia

Re: MSN virus/several trojans help?!?
« Reply #23 on: November 18, 2006, 02:59:08 AM »
You guys rock my world! ;D
Cheers spirit.
Frank- thanks heaps.
I'll run all that stuff today and let you know the results asap. Thanks again guys.
(Btw, Bette Midler's "You are the wind beneath my wings" popped into my head just now, I'd sing it to ya if I could  :D :D :D)

pandammonia

Re: MSN virus/several trojans help?!?
« Reply #24 on: November 18, 2006, 12:00:15 PM »
Ok guys. Here's the contents of my HJT log. I tried to run all the other scans in safe mode first; Ad-Aware and Spybot both ran fine and deleted several things. But AVG kept freezing during the removal process, and a-squared wouldn't even scan 1/4 of the way before freezing.
Did HJT in normal mode after rebooting, here it is.

Logfile of HijackThis v1.99.1
Scan saved at 9:52:03 PM, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Vet\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = kooee.com.au:8080
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F82D1478-AE36-4DE0-B73C-A38F936797B9} - C:\Program Files\MSN\mefosy.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154473913093
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34141AD9-4712-4869-ADB5-C19088CEA211}: NameServer = 203.12.160.35
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s8880ilue8q80.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Help!!! lol. Cheers guys.

Offline Lisandro

Re: MSN virus/several trojans help?!?
« Reply #25 on: November 18, 2006, 12:17:18 PM »
You seem to be using an old version of Internet Explorer but your OS seems to be up to date.
Are you using any software firewall?
I can't find any harmful items... but I'm not an expert on HJT  :-[

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
But you don't have even avast installed... why don't you try to get help on AVG forums?  ::)
The best things in life are free.

pandammonia

Re: MSN virus/several trojans help?!?
« Reply #26 on: November 18, 2006, 12:21:08 PM »
I know. As I have stated earlier, we are trying to work through this first so I can put avast on. (I have it on my PC.) I don't use AVG forums because I hate their product, and I posted there about 4 days ago and still no reply.

Offline FreewheelinFrank

Re: MSN virus/several trojans help?!?
« Reply #27 on: November 18, 2006, 12:32:49 PM »
You don't seem to be using a firewall. If you don't have a firewall up, the computer will get reinfected very easily. Any Trojan downloaders on your computer can download and install malware, and hackers can connect to your computer and install stuff at will.

From your log file, I notice several entries for SurfSideKick/DxcDirect (Deluxe Communications). The removal procedure for this first requires you to attempt to uninstall the program. I would like you to try steps 4 and 5 of this guide, and then post a new log so that we can advise you of any remaining entries to remove.

http://www.pchell.com/support/surfsidekick.shtml

You can run HijackThis! again and tick these entries, then have HijackThis! fix them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:// searchbar[dot]findthewebsiteyouneed[dot]com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// searchbar[dot]findthewebsiteyouneed[dot]com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:// searchbar[dot]findthewebsiteyouneed[dot]com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www[dot]findthewebsiteyouneed[dot]com

O2 - BHO: (no name) - {F82D1478-AE36-4DE0-B73C-A38F936797B9} - C:\Program Files\MSN\mefosy.dll (file missing)

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s8880ilue8q80.dll (file missing)

There is one entry I am very suspicious about:

O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe

Could you try to find the file windows_e58.exe? You may need to enable 'view hidden files':

http://www.bleepingcomputer.com/tutorials/tutorial62.html

If you can find the file, please submit it to VirusTotal for analysis. This should tell us if it is malware:

http://www.virustotal.com/en/indexf.html

Use the 'choose' then 'send' buttons.

EDIT: broke hyperlinks in HijackThis! entries.
« Last Edit: November 18, 2006, 12:37:06 PM by FreewheelinFrank »
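
A small triage script for the kind of entries Frank picks out above: it walks HijackThis log lines and flags orphaned "(file missing)" entries, R0/R1 home and search pages pointing anywhere but the IE default, O4 autostarts launched straight from the drive root, a populated AppInit_DLLs line, and O23 services with no recorded owner. This is an added example, not code from the thread or from HijackThis; the sample entries are copied from the log posted above, and the default-host allow-list is an assumption.

```python
import re

# Constructed sample: a few entries copied from the HijackThis log posted
# above, trimmed to the lines the triage rules below care about.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626
O2 - BHO: (no name) - {F82D1478-AE36-4DE0-B73C-A38F936797B9} - C:\Program Files\MSN\mefosy.dll (file missing)
O4 - HKLM\..\Run: [windows] C:\\windows_e58.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\s8880ilue8q80.dll (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
"""

# Hosts a stock IE home/search page points at (assumption; extend as needed).
DEFAULT_IE_HOSTS = {"go.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"= https?://([^/\s]+)")
# An O4 target sitting directly under the drive root, e.g. C:\\windows_e58.exe
ROOT_EXE_RE = re.compile(r'\] "?[A-Za-z]:\\+[^\\"]+\.exe"?\s*$', re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) for every entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body:
            # Registry points at a file that is gone: harmless now, fix anyway.
            findings.append((sec, "orphaned entry, target file missing", line))
        elif sec in ("R0", "R1"):
            # Home/search page redirected away from the IE default.
            u = URL_RE.search(body)
            if u and u.group(1).lower() not in DEFAULT_IE_HOSTS:
                findings.append((sec, f"non-default IE page: {u.group(1)}", line))
        elif sec == "O4" and ROOT_EXE_RE.search(body):
            findings.append((sec, "autostart binary at drive root", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll.
            if body.split(":", 1)[1].strip():
                findings.append((sec, "AppInit_DLLs populated", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no recorded owner", line))
    return findings


def sections_flagged(log_text):
    """Sorted list of HijackThis section codes that produced a finding."""
    return sorted({sec for sec, _, _ in triage(log_text)})
```

Running `triage(SAMPLE_LOG)` on the constructed sample returns six findings; the clean NeroCheck, HKLM Start Page and VET service lines produce none.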

pandammonia

Re: MSN virus/several trojans help?!?
« Reply #28 on: November 18, 2006, 12:58:27 PM »
Frank - I downloaded Kerio firewall, am yet to install it though.
The Deluxe Comms thing showed up in the AVG Anti-Spyware scan, and this is where it got stuck and froze when trying to delete. (As I said, a-squared wouldn't even complete a scan.) I will do steps four and five as you asked - after this, should I follow the other instructions?
Oh btw, after I ran HJT and posted the log, I realized I didn't do the geeks2go thing about Alcan removal using BFU, so I went back and did this and it seemed to get rid of quite a few things.
Will be back out there again tomorrow, so will do as you requested and post new log.
Thanks again! ;D

Offline FreewheelinFrank

Re: MSN virus/several trojans help?!?
« Reply #29 on: November 18, 2006, 01:14:09 PM »
It's not a good idea to connect to the internet without a firewall, especially if you have a Trojan downloader- it may simply download again most of the malware you've spent so much time trying to remove!

By all means follow the other instructions if you feel confident doing this- look for any of the entries mentioned and fix them using HijackThis! When you post a new log we can check for any more.