TheTechGuide Forum
General Category => Tech Clinic => Topic started by: tooke on March 29, 2005, 06:00:22 PM
-
Hi, I just found these forums while searching Google for a fix to the mocih trojan; my computer was totally screwed and was seriously acting up.
Well, after reading a topic on these forums and following the general advice I think I managed to get rid of most of the stuff. One thing I can't get rid of, though, is this wallpaper. It's not really wallpaper because it's clickable and I can't change it, but I have no idea how to remove it.
If you could help me out I would be very, very grateful.
Edit: I didn't get rid of all the damn pop-up stuff and I suspect there is another trojan; stuff keeps getting installed onto my computer.
Here is the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 00:36:37, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\aawe.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Mark\Desktop\Files and stuff\App. Files\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {65B149C1-D956-D8A1-77B4-8A2D15DEF99B} - C:\WINDOWS\System32\emquz.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Caua] C:\WINDOWS\System32\aawe.exe
O4 - HKCU\..\Run: [Rzqwaeib] C:\WINDOWS\System32\m?iexec.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dsldbaccess.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Do another scan with HijackThis and put a check next to these entries:
O2 - BHO: (no name) - {65B149C1-D956-D8A1-77B4-8A2D15DEF99B} - C:\WINDOWS\System32\emquz.dll
O4 - HKCU\..\Run: [Caua] C:\WINDOWS\System32\aawe.exe
O4 - HKCU\..\Run: [Rzqwaeib] C:\WINDOWS\System32\m?iexec.exe
O9 - Extra button: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbga...dsldbaccess.exe
After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.
Restart your computer.
Find and delete these files if found:
C:\WINDOWS\System32\emquz.dll
C:\WINDOWS\System32\aawe.exe
Post back with a fresh HijackThis log afterwards.
Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop
dir C:\WINDOWS\System32\m?iexec.exe /a h > files.txt
notepad files.txt
Double click on Export.bat
A text file will open, copy and paste back the contents
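The entries ticked above share a few tells that are worth automating: a BHO registered with no name, HKCU Run entries launching binaries dropped straight into System32, a filename HijackThis could only print as m?iexec.exe, an O9 entry whose file is gone, and an O16 download from a raw IP address. The Python script below is an added example and not part of the original post or of HijackThis itself; it applies those checks to lines copied from the log posted in this thread. The heuristic names and the choice of what counts as suspicious are my own, and a hit means "look closer", not "delete".

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample HijackThis entries, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {65B149C1-D956-D8A1-77B4-8A2D15DEF99B} - C:\WINDOWS\System32\emquz.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Caua] C:\WINDOWS\System32\aawe.exe
O4 - HKCU\..\Run: [Rzqwaeib] C:\WINDOWS\System32\m?iexec.exe
O9 - Extra button: Microsoft AntiSpyware helper - {9422B185-08C4-4C86-8F65-389E3C6E15D7} - (no file) (HKCU)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/uk/dbgames/dsldbaccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def _host_is_raw_ip(url: str) -> bool:
    """True when the download host is a bare IP address rather than a hostname."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return a short reason if a HijackThis entry looks suspicious, else None.

    The heuristics mirror what the helper in this thread acted on: nameless
    BHOs, per-user Run entries launching from System32, filenames with a
    character HijackThis could not print (shown as '?'), orphaned O9 entries,
    and O16 downloads from a raw IP or ending in .exe.
    """
    kind = line.split(" - ", 1)[0].strip()
    if kind == "O2" and "(no name)" in line:
        return "BHO with no name; legitimate BHOs normally register a description"
    if kind == "O4":
        target = line.split("] ", 1)[-1].strip().strip('"')
        if "?" in target:
            return "unprintable character in filename; likely a lookalike of a system binary"
        if "\\system32\\" in target.lower():
            return "per-user Run entry launching a binary dropped in System32"
    if kind == "O9" and "(no file)" in line:
        return "orphaned entry; its file is gone but the registration remains"
    if kind == "O16":
        url = line.rsplit(" - ", 1)[-1].strip()
        if _host_is_raw_ip(url):
            return "ActiveX download from a raw IP address"
        if url.lower().endswith(".exe"):
            return "ActiveX entry pointing at an .exe rather than a .cab/.ocx"
    return None


def triage(log_text: str):
    """Return [(entry, reason), ...] for every suspicious line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The raw-IP and System32 checks do the heavy lifting here; the Google Toolbar, Messenger and Zone Labs lines in the original log pass untouched because they name a vendor, live under Program Files, or download a .cab from a real hostname.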
-
Thanks so much for the advice.
I did all that and ran HijackThis again and it looked OK, but one thing didn't get removed.
Instead of my wallpaper there is a big sign that you can click on that tries to get you to buy anti-spyware stuff. Could you please tell me how to remove it?
Here are the contents of the file you asked for:
---
Volume in drive C has no label.
Volume Serial Number is F8AC-23A5
Directory of C:\WINDOWS\System32
31/03/2003 13:00 64,512 msiexec.exe
28/03/2005 15:09 417,792 m?iexec.exe
2 File(s) 482,304 bytes
Directory of C:\Documents and Settings\Mark\Desktop
And here is the updated HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 01:29:53, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mark\Desktop\Files and stuff\App. Files\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
hmm, the above post is me but for some reason I wasn't logged in.
-
As you can see from the Export.bat output, a bad file does exist:
31/03/2003 13:00 64,512 msiexec.exe <--legit file
28/03/2005 15:09 417,792 m?iexec.exe <--bad guy
Navigate to your C:\WINDOWS\System32 folder
and look for this file
m?iexec.exe
It may even be disguised as the legit version of msiexec.exe
Don't delete the legit version
Right click on each file and left click properties
The bad file has a Creation date of 28/03/2005
and an approximate size of 417 KB <-- delete this one
Also look for these files and delete them:
C:\WINDOWS\desktop.html <-- file
C:\WINDOWS\WEB\desktop.html <-- file
Also, do the following steps
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Restart the computer and then post back a fresh hijackthis log
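The "disguised as the legit version" warning above deserves a closer look: the '?' in m?iexec.exe is a character cmd.exe and HijackThis could not render, so the name only looks like msiexec.exe, and the helper fell back on creation date and size to tell the two apart. The Python script below is an added example, not something from this thread; it takes a directory listing, flags names that either contain non-ASCII characters or sit within one character of a known system binary, and reports the size and timestamp alongside. The listing is constructed from the dir output above, and the assumption that the hidden character is Cyrillic small dze (U+0455) is mine; the real character was never recorded.

```python
import unicodedata
from difflib import SequenceMatcher

# Names a dropper is likely to imitate; extend for the directory being checked.
KNOWN_SYSTEM_BINARIES = {"msiexec.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

# Constructed listing modelled on the dir output posted in this thread:
# (name, size in bytes, timestamp). cmd printed the odd character in the
# second name as '?'; here it is ASSUMED to be Cyrillic small dze (U+0455),
# which renders like a Latin 's'. The third entry's size is made up.
SAMPLE_LISTING = [
    ("msiexec.exe", 64512, "31/03/2003 13:00"),
    ("m\u0455iexec.exe", 417792, "28/03/2005 15:09"),
    ("svchost.exe", 14336, "31/03/2003 13:00"),
]


def non_ascii_chars(name):
    """List (char, code point, Unicode name) for every non-ASCII character in name."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in name if ord(c) > 0x7F]


def closest_known(name):
    """Best-matching known binary and its similarity ratio (1.0 = identical)."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    best, score = None, 0.0
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        ratio = SequenceMatcher(None, folded, known).ratio()
        if ratio > score:
            best, score = known, ratio
    return best, score


def flag_lookalikes(listing, threshold=0.9):
    """Return dicts describing files whose names imitate a known binary.

    A file is reported when its name is not exactly a known binary but either
    contains non-ASCII characters or is within `threshold` similarity of a
    known name (roughly one swapped, inserted or dropped character).
    """
    findings = []
    for name, size, stamp in listing:
        if name.casefold() in KNOWN_SYSTEM_BINARIES:
            continue
        odd = non_ascii_chars(name)
        impersonates, score = closest_known(name)
        if odd or score >= threshold:
            findings.append({
                "name": name,
                "impersonates": impersonates,
                "similarity": round(score, 3),
                "non_ascii": odd,
                "size": size,
                "timestamp": stamp,
            })
    return findings


if __name__ == "__main__":
    for f in flag_lookalikes(SAMPLE_LISTING):
        print(f"{f['name']!r} ({f['size']} bytes, {f['timestamp']}) imitates "
              f"{f['impersonates']}: similarity {f['similarity']}, non-ASCII {f['non_ascii']}")
```

On a live machine the listing would come from os.scandir over System32 with the hidden-attribute files included; the similarity check is what catches ASCII-only variants such as msiexe.exe or msiexec .exe, which a non-ASCII check alone would miss.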
-
I did what you said; it took a little searching but I managed to find that file. I also deleted those others and fixed my desktop! :D
Here is the new log file:
Logfile of HijackThis v1.99.1
Scan saved at 02:05:40, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Mark\Desktop\Files and stuff\App. Files\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I hope everything is sorted, and I would just like to say that you, sir, are amazing! I would have been totally screwed if I'd not found this website with some kind soul to help me out. :)
One more thing, can you give me any tips on steps to take to prevent myself getting this type of stuff as much as possible? Software to buy/download or some such thing.
P.S. If I can figure out how, I will definitely use PayPal to donate. :)
P.P.S. This is my desktop with that crappy spyware junk:
http://img37.exs.cx/img37/4070/lamespyware3ui.jpg
This is it now:
http://img37.exs.cx/img37/6008/nightelf3mw.jpg
-
Looks good.
If everything is running better, you should clear your System Restore points:
disable System Restore, restart your computer, then re-enable System Restore.
This will clear all your restore points and ensure you don't restore any nasties.
Once re-enabled it will create a fresh restore point.
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is re-enabled, you should set up protection against future attacks.
SpywareBlaster by JavaCool will block bad ActiveX and malevolent cookies.
Install, Check for Updates, Enable all protection.
http://www.javacoolsoftware.com/spywareblaster.html
IE-SPYAD puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link:
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, check for updates every couple of weeks.
Keep the link to IE-SPYAD bookmarked so you can check for updates.
With SpywareBlaster, after every update just simply enable all protection.
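Both tools recommended above work by writing registry keys: IE-SPYAD adds each domain under the ZoneMap\Domains key with the value "*" set to 4 (the Restricted sites zone), and SpywareBlaster sets the ActiveX kill bit (Compatibility Flags 0x400) on CLSIDs it knows to be bad, so Internet Explorer refuses to load them. The Python script below is an added example, not code from either tool or from this thread; it generates a .reg file doing both, for a constructed placeholder domain list and the CLSID of the O16 entry fixed earlier in this thread. It writes domain entries only; a raw-IP host such as the 64.158.165.49 download belongs under ZoneMap\Ranges, which this script does not handle.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
ZONE_RESTRICTED_SITES = 4   # URLZONE_UNTRUSTED, the "Restricted sites" zone
KILL_BIT = 0x400            # Compatibility Flags value that blocks a control in IE

ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Input validation: a .reg file is parsed by regedit with no further checks,
# so refuse anything that is not a plain hostname or a well-formed CLSID.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")
_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Constructed sample inputs. The domains are placeholders, not a real blocklist;
# the CLSID is the O16 entry the helper told the poster to fix in this thread.
CONSTRUCTED_BLOCKLIST = ["Ads.Example.net", "spyware-installer.example", "ads.example.net"]
SAMPLE_CLSID = "{30CE93AE-4987-483C-9ABE-F2BD5301AB70}"


def restricted_zone_entries(domains):
    """Registry lines placing each domain (and its subdomains) into zone 4."""
    lines = []
    for domain in sorted({d.strip().lower() for d in domains}):
        if not _DOMAIN_RE.match(domain):
            raise ValueError(f"refusing to write malformed domain {domain!r}")
        lines += [f"[{ZONEMAP_KEY}\\{domain}]",
                  f'"*"=dword:{ZONE_RESTRICTED_SITES:08x}',
                  ""]
    return lines


def kill_bit_entries(clsids):
    """Registry lines setting the kill bit so IE will not instantiate the control."""
    lines = []
    for clsid in sorted({c.strip().upper() for c in clsids}):
        if not _CLSID_RE.match(clsid):
            raise ValueError(f"refusing to write malformed CLSID {clsid!r}")
        lines += [f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}',
                  ""]
    return lines


def build_reg(domains, clsids):
    """Complete .reg file text with LF line endings; convert to CRLF when saving."""
    body = [REG_HEADER, ""] + restricted_zone_entries(domains) + kill_bit_entries(clsids)
    return "\n".join(body)


if __name__ == "__main__":
    text = build_reg(CONSTRUCTED_BLOCKLIST, [SAMPLE_CLSID])
    print(text)
    # To produce a file regedit will import, save with Windows line endings:
    # with open("blocklist.reg", "w", newline="\r\n") as fh: fh.write(text)
```

Importing the file is a double-click in Explorer or "regedit /s blocklist.reg"; the ZoneMap part applies to the current user only, while the kill-bit part writes under HKLM and needs an administrator account. The kill bit also blocks the control for legitimate pages, which is the intended effect for a dropper like the dsldbaccess.exe entry but something to keep in mind before adding a vendor's CLSID.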