Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help to Remove Winfixer 2005

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Silent Runners

Unread postby bigQoo » November 17th, 2005, 12:16 am

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "1" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\mnyexpr.exe"" [MS]
"DW4" = ""C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"" ["The Weather Channel Interactive"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [file not found]
"VTTimer" = "VTTimer.exe" [file not found]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"Reminder" = ""C:\Windows\Creator\Remind_XP.exe"" ["SoftThinks"]
"YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."]
"IPInSightLAN 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l" ["Visual Networks"]
"IPInSightMonitor 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"" ["Visual Networks"]
"Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"cdkhilgj" = "C:\WINDOWS\cdkhilgj.exe" [file not found]
"bpclvfhstxhe" = "C:\WINDOWS\System32\vdznmxb.exe" [file not found]
"¢‰¸u0–4C
}ïÃ
bigQoo
Regular Member
 
Posts: 15
Joined: November 10th, 2005, 7:42 pm
Advertisement
Register to Remove

REPLY to your 2 questions

Unread postby bigQoo » November 17th, 2005, 12:36 am

Hello Surreal2 and thanks so much for helping with my PC problems.

I have contacted my bank and there has been no activity out of the norm and they are monitoring it.

2nd I do have VPN for my office and they were alerted. But told me they did not see any problems from there end with the syste,


As for the two files you wanted me to email, I looked in the locations and did not find either file. Could they have been deleted or maybe in another location? I did a search of the computer and still didnt find them.

Thanks So Much!
bigQoo
Regular Member
 
Posts: 15
Joined: November 10th, 2005, 7:42 pm

Unread postby Surreal2 » November 18th, 2005, 6:02 am

Hi bigQoo

Don't worry about the two files - they probably were deleted if you can't find them using search, but we'll do one more thing to make sure they're gone in a moment. As you'll have seen, the KAV scan and Ewido removed a lot of rubbish.

Checking through the various logs you have provided I cannot see signs of the malware I was looking for (rootkits, hidden diallers etc). Our concerns were raised by the '01' listings in your original log, but there is no other evidence that I can see on your computer and your bank/office have confirmed that everything looks OK at their end.

It's possible that the malware added the '01' entries (perhaps it arrived in an email you received?) but that you didn't visit the bank since they were installed. Do you use the online banking site a lot?

Given the above, I propose that we continue cleaning your computer - and I then suggest you carry on as normal while at the same time remaining vigilant and keeping in regular contact with your bank, office IT staff and credit card companies (if any credit card numbers have been entered on the computer) so that any suspicious activity can be investigated.

OK - first, let's double-check that some bad files (including the two I asked you for) have gone. As before, print out this post as you will have to close IE and restart your computer a few times.
    Please check that Microsoft AntiSpyware's Real-time Protection is still turned off and that Windows' firewall is turned on.

    Also, please temporarily disable the Trojan Hunter Guard - right-click on the icon in the lower right corner of your screen (light blue magnifying glass with a red handle) and select 'Settings', then click to UN-check both 'Load at startup' and 'Enabled'.
Click HERE and download Pocket Killbox to your desktop, then click on the icon (red circle with a white 'X' in it) to start the program.
  • Click 'Tools' on the menu bar and then 'Find file'
  • In the box under 'Find something to search for', type:
      cdkhilgj.exe
  • Click on the first of the buttons to the right of the line (it should say 'Find File' when you hover the mouse cursor over the button)
  • There will be a pause while it searches for the file - if it finds it the name will stay in the box but the heading will change to 'Full path of file to delete'
  • Click to place a check-mark against 'Standard File Kill' in the lower half of the Killbox window
  • Now close all other programs/windows except for Killbox, then press the button with the red cross next to the dialogue line and then click 'Yes' in the new window that appears
  • When the program confirms the deletion, repeat the same steps for the files:
      vdznmxb.exe
      hardfont.dll
  • After deleting these files, close Killbox and restart your computer in Normal mode
  • Note - if Killbox says it cannot find the files, don't worry. If it does find the files but says the file cannot be deleted, click to place a check-mark against 'Delete on reboot' in the lower half of the window, then close Killbox and it will ask to restart your computer (if it does not, restart it manually in Normal mode)
In Normal mode, connect to the Internet and click HERE to download Ad-Aware and HERE to download SpyBot-Search and Destroy.

Ad-Aware
  • Install the program and start it, then click on the 'world' icon at the top and allow the program to download all updates it finds
  • When the updates have downloaded, click 'Scan now' and then, under 'Select a scan mode', click on 'Perform a full system scan' - then click 'Next' to run the scan
  • It will take a while for the scan to run, but when it's finished choose to Quarantine anything that it finds and Save the log file, then close the program
SpyBot
  • Install the program (but do not select the TeaTimer option at this stage) and start it, then click on 'Search for updates' and allow the program to download all updates it finds
  • When the updates have downloaded, click 'Search and Destroy' and then click 'Check for Problems'
  • When the scan has finished, highlight all problems the program identifies in RED (don't remove/fix items not listed in red at this stage) and choose 'Fix Selected Problems'
  • Close the program
Java cache
    Since the KAV scan removed a fair bit of malware from the Java cache, let's make sure nothing bad is in there:
    • Go Start --> Control panel and click on the Java icon
    • Once open, look for 'Temporary Internet files (or cache)' and select it
    • Choose the delete option and make sure all boxes are checked, then click 'OK'
Now restart your computer in Normal Mode to finish removing the malware found by Ad-Aware and Spy-Bot


The next step is to use HijackThis to fix a few bad entries that showed in your last log. Before doing that I need you to consider the following 'optional' items. These are currently running at start-up but do not need to do so - you can always start them manually if you need them. However, if you find them useful and want them to run at start-up then just skip the relevant fixes:
  • Realtek AC97 Audio - Event Monitor, although not sinister in itself, is considered 'spyware' because it surreptitiously monitor your action and is used by Realtek to gather data about customers
  • IP Insight, which is installed with Verizon DSL accounts, is a Quality of Service monitor and diagnostic tool but it constantly 'phones home' and is a resource hog
  • WindUpdates is adware and supports many free software products through its advertising relevancy technology. If you remove WindUpdates from your system, certain free software that you installed may no longer function properly and you may have to reinstall them from a backup
Stop running process
  • Press the Ctrl + Alt + Del key combination to open Windows Task Manager
  • Scroll through the list and look for the following, click on the name to highlight it and then click the 'End Process' button at the bottom of the window (ignore any warnings you receive and confirm that you want to end the task).

      ALCXMNTR.EXE <-- if you want to stop Realtek Event Monitor running at startup
      IPClient.exe <-- if you want to stop IP Insight running at startup
      IPMon32.exe <-- if you want to stop IP Insight running at startup
Uninstall program
    If you decided to remove Wind Updates from your computer, look to see if it is listed in Windows' 'Add/Remove Programs' - if it is, click on it to highlight the entry and choose to remove it
HijackThis[list]Start the program and click 'Do a system scan only', then click to place a check-mark against the following entries if they are there (don't worry if they are missing):[list]
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [cdkhilgj] C:\WINDOWS\cdkhilgj.exe

O4 - HKLM\..\Run: [bpclvfhstxhe] C:\WINDOWS\System32\vdznmxb.exe

O4 - HKLM\..\Run: [¢‰¸u0–4C }ïÃ
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

New HiJack Log

Unread postby bigQoo » November 18th, 2005, 12:21 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:19:42 AM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\HiJack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: KeyCorp VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-24.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
bigQoo
Regular Member
 
Posts: 15
Joined: November 10th, 2005, 7:42 pm

Unread postby Surreal2 » November 22nd, 2005, 8:52 am

Hi bigQoo

Again, sorry for the delay but I've been researching your latest log.

Good job so far - you're well on the way to cleaning up the computer. I know it's taking a while but please stick with it - we should be able to finish up in just a couple more posts.

As before, you'll need to restart your computer a couple of times so please print out the following information.

Firstly, I see in your last log that you removed one of the 'optional' fixes related to IP Insight but left the other one. If you did this deliberately that's fine, but if you intended to stop both items running at startup, please do the following:

Stop running process - Use the Ctrl + Alt + Del key combination to open Task Manager, highlight the entry IPMon32.exe and click 'End process'

HijackThis - Start the program and click 'Do a system scan only', then check the following items, close all other programs/windows except for HijackThis and click 'Fix checked':
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" <--to prevent IP Insight running at startup

    Also, please check this which I omitted last time (it's a risky entry because it can lead to adware; and if needed it will automatically be recreated next time you visit the games site):

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab

Since we are unsure how the bad 01 banking entries were placed on your computer and cannot see evidence of a hidden hacker program, it would be a good idea to check Windows' protected files just in case any of these have been overwritten/replaced by a 'camouflaged' baddie.

To do this we're going to use Windows' System File Checker tool. This will scan protected Windows system files and verify their integrity. If it finds any problem it will replace the bad file with a legitimate version. In most cases it should find the correct file from copies that have been placed on your computer. However, in some cases it might ask you to insert the installation CD. You might have the full OS installation CD or possibly one titled 'Windows Restoration Disk' or somesuch (NOT the 'Recovery' CD). Alternatively, the computer supplier might have stored these backups in 'CAB' folders on a special partition on your hard drive (if you know this to be the case, you can browse to the drive). If the program asks for the CD and you don't have one or experience any other problems, let me know.

To run System File Checker:
    Go Start --> Run and in the command box type sfc /scannow (that's sfc(space)/scannow)

    System File Checker will then start and you should see a progress bar as it scans protected files. It will alert you if it finds problems, but unless it asks you to insert the CD the program will work automatically to replace bad files.

    When System File Checker has finished it may ask you to restart your computer - allow it to do so
When you've finished with System File Checker, please do the following:

Delete temporary files on your computer
  • Go Start --> Run and in the dialogue box type in: cleanmgr
  • If you have more than one hard drive or hard drive partition, choose each in turn from the drop down box (ignoring floppy/CD/DVD drives)
  • When the computer has scanned the drive, place a checkmark against all the entries in the dialogue box except for 'Compress old files' (unless you want to do this), then click 'OK' to remove the temporary files (if you haven't done this before it might take a while; this is normal)
Delete temporary Internet files
  • Start Internet Explorer, click on Tools --> Internet Options and choose the 'General' tab
  • Click 'Delete Files', click in the window that opens to place a check against 'Delete all offline content' and then click 'OK' (again, this might take a while, which is normal)
  • Click 'Clear History' and then click 'OK'
  • I would also recommend clicking on 'Delete Cookies' and then click 'OK' (Note - deleting the cookies is likely to mean that you will have to re-enter usernames/passwords to access certain sites, including web-based e-mail accounts)
  • Now move to the 'Programs' tab and click 'Reset Web Settings', then click 'OK' to close the dialogue box
  • If you have more than one user account on the computer, please log into each account in turn and complete the previous steps
Hosts file
  • As a further precaution related to the rogue 01 entries, please click HERE to download the Hoster file
  • Click or double-click on the Hoster.zip folder to open it and extract the Hoster.exe file
  • Click or double-click on Hoster.exe and then click 'Restore Original Hosts' and then click 'OK'

Now restart your computer


If you encountered problems with any of these steps please let me know. Otherwise, just use your computer as normal for a while, including browsing on the Internet. Then scan once more with HijackThis and post back with another log and also let me know how the computer is behaving now.

Assuming all is OK, we're very nearly there (you'll be pleased to hear!) and my next post will include just a couple more important steps to complete the process and help ensure your computer is protected against future attacks.

Cheers…
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

Hijack Final Log :)

Unread postby bigQoo » November 23rd, 2005, 3:30 pm

Logfile of HijackThis v1.99.1
Scan saved at 2:29:25 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\HiJack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: KeyCorp VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-24.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
bigQoo
Regular Member
 
Posts: 15
Joined: November 10th, 2005, 7:42 pm

Unread postby Surreal2 » November 29th, 2005, 7:49 am

Hi bigQoo - and apologies for the delayed reply.

Excellent job…here are the words you've been waiting for: your log is clean :) .

As I said in my last post, there are just a few more important steps to take - along with a reminder to remain vigilant and in contact with your bank/office network about any suspicious activity.

OK - let's finish up. You'll have to restart your computer again so, as before, you might want to print out this post for reference.

Step 1 - Windows System Restore
    You may know that Windows XP has a function called System Restore, which backs up the system from time to time so that you can restore it to a previous state if you have problems (after, say, installing a new program).

    However, when a computer becomes infected it's likely that this backup will include the infections you've just got rid of! Unfortunately there is no way to 'clean' these backups, so they need to be deleted from your computer. That does mean you will lose all the previous restore points - but it's a price worth paying since you won't be able to use them without a high risk of becoming infected again.

    Please therefore:
    1. Turn off System Restore
      • Click on the 'Start' button, then hover the mouse pointer over 'My Computer' and RIGHT-click
      • Click 'Properties' on the pop-out menu
      • Choose the 'System Restore' tab in the new window that opens
      • Click to place a tick mark in the box next to 'Turn off System Restore on all drives'
      • Click 'Apply' and then click 'OK'
    2. Now restart your computer

    3. Turn ON System Restore again
      • Navigate to the 'System Restore' tab as you did before
      • Click to REMOVE the tick mark in the box next to 'Turn off System Restore on all drives'
      • Click 'Apply' and then click 'OK'
      • You may want to set a manual restore point
Step 2 - Re-hide system files
  • Go to Start --> Control panel --> Folder options and select the View tab
  • Click to REMOVE the check mark next to 'Show hidden files and folders' and click to REPLACE the check mark against both 'Hide protected operating system files' and 'Hide extensions for known file types'
  • When you have finished, click 'OK' to close the window
    NB - these settings ensure that important Windows files are 'hidden' so they cannot be accidentally removed.
Step 3 - Re-set some tools
    Microsoft AntiSpyware. I asked you to turn off Microsoft AntiSpyware's Real-time Protection function, but now is the time to re-enable it. Please therefore:
    1. Open Microsoft AntiSpyware, click on 'Tools --> Settings', and in the left-hand section click on Real-time Protection
    2. Under 'Startup Options' click to place a check mark next to 'Enable the Microsoft AntiSpyware Security Agents on startup (recommended)'
    3. Under 'Real-time spyware threat protection', click to place a check mark against 'Enable real-time spyware threat protection (recommended)'
    4. Click 'Save' and close the program

    Trojan Hunter Guard. I also asked you to temporarily disable this program's resident protection. To re-enable it, start the program and click to place a check-mark against 'Load at startup' (the icon should reappear in the lower right corner of your screen after you next restart the computer). Note: If you have the free trial version you'll need to manually update the program when the trial period expires.

And that's it (you'll be pleased to hear :D ). But to help protect you against further infections (and also to help prevent criminals using your computer to infect other people's computers on the world wide web), I recommend the following:


Firewall
    I asked you to enable Windows' built-in firewall while working through the cleaning process, because without a firewall you are leaving yourself wide open to infections from malware when connected to the Internet (even if you are using a router, it is still recommended that you have a software firewall on your computer).

    Windows' firewall has limitations since it only protects your computer from incoming attacks - it doesn't stop bad programs on your computer from calling out. I'd therefore strongly recommend that you download and install either Sygate Personal Firewall (from HERE) or Zone Alarm (from HERE) - both are free for personal use.

    Note: don't use more than one firewall (they conflict with each other and this can actually reduce the protection they provide, so if you download one of these make sure the Windows firewall is kept switched off).
Anti-Virus program
    I can see no evidence of an active anti-virus program running on your computer yet this is another essential tool for safe computing. I strongly recommend that you download and install one - two good programs that are often recommended are Avast (download from HERE) and AVG (download from HERE) - both are free for personal use.

    Note: - again, don't have more than one anti-virus program running as they can conflict with each other and reduce the protection provided.

    It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommended doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
Ewido Security Suite. You downloaded the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program - otherwise you can continue to use the trial version but when the trial period ends the automatic update feature will stop working, so you'll have to update it manually.

SpyBot and Ad-Aware. You downloaded both of these excellent programs and I recommend that you use them regularly. Each time you use them, make sure you update to the latest definitions and, after scanning and deleting any malware, always restart your computer since this is necessary to finish removing the infections. When you installed Spybot I asked you not to enable the TeaTimer option (which would have interfered with the malware removal). However, now's the time to enable this excellent additional protection:
  1. Run Spybot, go to the 'Mode' menu and make sure 'Advanced Mode' is selected
  2. On the left hand side, choose Tools --> Resident and click to place a check mark next to 'Resident TeaTimer'
  3. Click 'OK' to close the various windows (TeaTimer will not become activated until you restart your computer)

SpywareBlaster. This program adds a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. It's free for personal use, so download it from HERE - and then please click HERE for instructions on installing and using the program.

Windows Updates. The popularity of Windows and Internet Explorer make them a real target for virus writers and hackers. Microsoft regularly produces 'Security updates' to increase your protection against such attacks. I see you have Automatic Updates running, so please make sure you download and install all available updates for Windows XP and Internet Explorer.

Finally, you might be interested in reading THIS ARTICLE - "How Did I Get Infected In The First Place"

That's it...good luck and safe computing!

Cheers...
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

THank YOu, My PC Thanks You as Well

Unread postby bigQoo » November 30th, 2005, 9:50 am

I really appreciate all your help and information! My family is greatful to you since now they dont have to cry about me cursing the PC for all the crashes and pop ups!

Thanks So much!
bigQoo
Regular Member
 
Posts: 15
Joined: November 10th, 2005, 7:42 pm

Unread postby Surreal2 » December 1st, 2005, 5:05 am

Hi bigQoo...you're very welcome (as is your family LOL).

Since your computer seems to be 'fixed' now I'll ask a forum admin to move the thread into the Archive room - you can still see it there, together with instructions for what to do if you need it re-opened.

Cheers...
Surreal2
Regular Member
 
Posts: 207
Joined: September 30th, 2005, 1:24 pm
Location: Peterborough, UK

Unread postby NonSuch » December 1st, 2005, 5:28 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27226
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: mAL_rEm018 and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware