Post by: ill on February 11, 2006, 01:36:29 AM
is infected with the Download.Trojan virus.
here is my hijack log maybe u all can help me ?
/sad.gif\' class=\'bbc_emoticon\' alt=\':(\' /> Logfile of HijackThis v1.99.1
Scan saved at 10:26:51 PM, on 10/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\winsysban7.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\lssas.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\scvhost.exe
C:\windows\system\hpsysdrv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\services.exe
C:\WINDOWS\wxpdll32.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca8.hpwis.com/ (http://\"http://qca8.hpwis.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca8.hpwis.com/ (http://\"http://qca8.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qca8.hpwis.com/ (http://\"http://qca8.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban7.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Internet Explorer Helper] C:\WINDOWS\System32\scvhost.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AdobeReaderPros] sysmsn.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [AdobeReaderPros] sysmsn.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe
O23 - Service: wxpdll32 - Unknown owner - C:\WINDOWS\wxpdll32.exe
Post by: guestolo on February 11, 2006, 02:20:45 PM
Can you do the following please
Redownload Hijackthis 1.99.1 from my signature below and save it too a permanent folder on your harddrive
ONLY run hijackthis from this new location
I don't see a firewall running on your system
At minimum, for now, ensure that the firewall built into XP is activated
Here's a link to explain how
http://www.microsoft.com/windowsxp/using/n...rnmore/icf.mspx (http://\"http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx\")
It may not activate at this time, if not, ensure you try to activate it later
I need you too download a few tools please
==Download and Install
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Don't run it yet
Download and InstallAd-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
==Download and then Install
Ewido anti-malware 3.5 (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" Uncheck
"Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
==Download the Killbox by Option^Explicit (http://\"http://www.atribune.org/downloads/KillBox.exe\").
* Save it to your desktop
==Download and save rdrivrem.zip
[attachment=466:attachment]
UNZIP the contents to your desktop so you now have a rdrivrem folder on your desktop
Please save these instructions to a Notepad file and save it to your Desktop for reference
Too open a notepad file go to START>>RUN>>type in notepad
Click OK
Ensure you have saved these instructions: I need to to copy and paste some instructions in safe mode
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
Once in safe mode
Go to START>>>RUN>>>type in
services.msc
Hit OK
In the next window, look on the right hand side for this exact service
name---- MicroSoft Media Tools
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
APPLY it and OK
Do the same for these service names
Microsoft Windows Update Service
and
wxpdll32
==Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder
I'll need to see it later
=Remain in safe mode
Go to START>>RUN>>Copy and paste the following commands into the open field and click OK after each
sc delete Windows Update Service
sc delete "wxpdll32"
=Access the add/remove programs via control panel and remove the following if found
MaxiSearch
Toolbar888
=Open Killbox.exe
Copy the file name below and paste it to the Full path of file to delete in Killbox
C:\WINDOWS\wxpdll32.exe
Then click the Red Circle with the White X
Allow to delete the file and make backup
Do the same with the rest of these
Don't worry about any file not found messages
==================================
C:\windows\winsysban7.exe
C:\WINDOWS\System32\lssas.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\wxpdll32.exe
C:\windows\gimmygames.exe
C:\windows\winsysupd7.exe
C:\WINDOWS\System32\sysmsn.exe
C:\WINDOWS\MSmedia.exe
=================================
Find and delete the following files or folders if found
C:\eied_s7.cab
C:\Program Files\Toolbar888
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido anti-malware 3.5
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
If Ewido prompts about remove a compressed file(archive)>>allow it
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban7.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKLM\..\Run: [Internet Explorer Helper] C:\WINDOWS\System32\scvhost.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AdobeReaderPros] sysmsn.exe
O4 - HKLM\..\RunServices: [AdobeReaderPros] sysmsn.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Ad-aware SE Personal 1.06
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
Reboot back to Normal mode
Don't open a browser yet, instead
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Activate the XP firewall if you couldn't do it earlier
1. Post back a fresh hijackthis log
2. Post rdriv.txt in the rdrivRem folder
3. Post the whole report from Ewido's
Post by: guestolo on March 05, 2006, 04:52:18 PM