Free Malware Removal Forum

[Greg4050]

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:48 AM, on 5/22/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PERSONO\PERSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

[random/random]

You do not appear to beinfected, but there are a number of leftovers that can be cleaned up

You do not appear to be running a realtime antivirus, this is leaving you open to infection
Please install one of the following free antivirus programs:

• AVG
• Avast!

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
If you did not put p0rt2.com, also put a checkmark next to the following line
O15 - Trusted Zone: *.p0rt2.com

Then close all windows except HijackThis and click Fix Checked

• Create a folder on your desktop called Sysclean.
• Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
• Go to http://www.trendmicro.com/download/pattern.asp and download the Virus Pattern File (Official Pattern Release) to your desktop.
  This file will be called lptXXX.zip (XXX represents the version number)
• Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX. Read here how to unzip/extract properly.
• Move the lpt$vpn.XXX to the Sysclean-folder you created on your desktop.
• Open the sysclean-folder and doubleclick sysclean.com.
• Check: "Automatically clean or delete detected files".
• Click scan.

Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply.

Post back with a new HijackThis log, and the sysclean log

[Greg4050]

Thanks for your help.

My logs:


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-05-22, 12:00:51, Auto-clean mode specified.
2007-05-22, 12:00:51, Running scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\TSC.BIN"...
2007-05-22, 12:01:17, Scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\TSC.BIN" has finished running.
2007-05-22, 12:01:17, TSC Log:

Damage Cleanup Engine (DCE) 5.3(Build 1103)
Windows Me

Start time : Tue May 22 2007 12:00:51

Load Damage Cleanup Template (DCT) "C:\WINDOWS\DESKTOP\SYSCLEAN\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\WINDOWS\DESKTOP\SYSCLEAN\tsc.ptn" (version 862) [success]

Complete time : Tue May 22 2007 12:01:17
Execute pattern count(3086), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-05-22, 12:40:23, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 5/22/2007 12:01:44
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 481 (191851 Patterns) (2007/05/21) (448100)
Command Line: C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\WINDOWS\DESKTOP\SYSCLEAN

C:\_RESTORE\TEMP\A0326020.CPY [TROJ_Generic.Z]
29508 files have been read.
29508 files have been checked.
21453 files have been scanned.
126717 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/22/2007 12:40:23
---------*---------*---------*---------*---------*---------*---------*---------*
2007-05-22, 12:40:23, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 5/22/2007 12:01:44
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 481 (191851 Patterns) (2007/05/21) (448100)
Command Line: C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\WINDOWS\DESKTOP\SYSCLEAN

Can not Clean [ TROJ_Generic.Z]( 1) from C:\_RESTORE\TEMP\A0326020.CPY
Success Clean [ JAVA_BYTEVER.AA]( 1) from C:\WINDOWS\.jpi_cache\jar\1.0\archive.jar-246ce045-7459e7bb.zip,(A.class)
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\WINDOWS\.jpi_cache\jar\1.0\loader.jar-771ffd62-654e04a0.zip,(Dummy.class)
29508 files have been read.
29508 files have been checked.
21453 files have been scanned.
126717 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/22/2007 12:40:23 38 minutes 37 seconds (2316.81 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-05-22, 12:40:23, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 5/22/2007 12:01:44
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 481 (191851 Patterns) (2007/05/21) (448100)
Command Line: C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\WINDOWS\DESKTOP\SYSCLEAN

Can not Clean [ TROJ_Generic.Z]( 1) from C:\_RESTORE\TEMP\A0326020.CPY
29508 files have been read.
29508 files have been checked.
21453 files have been scanned.
126717 files have been scanned. (including files in archived)
3 files containing viruses.
Found 3 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/22/2007 12:40:23 38 minutes 37 seconds (2316.81 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-05-22, 12:40:23, Scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN" has finished running.




Logfile of HijackThis v1.99.1
Scan saved at 1:00:30 PM, on 5/22/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\PERSONO\PERSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\_HIJACKTHIS\SCANNERHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Perstray.lnk = C:\Program Files\PerSono\perstray.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

[random/random]

Hows it running?

[Greg4050]

Its running great now. Thanks for you help.

[random/random]

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.
The infections you had were

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.
   
   Reboot.
   
   Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check *Turn off System Restore*.
   Click Apply, and then click OK.
   NOTE: only do this ONCE,NOT on a regular basis
2. Keep your antivirus updated
3. Use a firewall
   While the firewall built into windows XP will protect you from incoming attacks, it will not monitor outgoing connections
   It is therefore recommended that you install one of the following firewalls
   Sunbelt kerio personal firewall
   Zonealarm
   
4. Keep windows up to date with the latest patches
   
   
   IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.
   
   If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
   
5. Install spywareblaster
   Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
   kill bits
   in the registry, so that certain activex controls can't install.
   If you don't know what activex controls are, see here
   You can download SpywareBlaster here here
   Make sure to update it on a regular basis
6. Install IE-SPYAD
   Dowload and instructions located here
   Make sure to update it on a regular basis
7. Use a HOSTS file
   
   • Every version of windows has a hosts file as part of them.
   • In a very basic sense, they are used to locate webpages.
   • We can customize a hosts file so that it blocks certain webpages.
   • However, it can slow down certain computers.
   • This is why using a hosts file is optional!!
   Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
   If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
   
   1. Click the start button (at the lower left hand corner of your screen)
   2. Click run
   3. In the dialog box, type services.msc
   4. hit enter, then locate dns client
   5. Highlight it, then double-click it.
   6. On the dropdown box, change the setting from automatic to manual.
   7. Click ok
8. Install and use Ad-aware & Spybot search & destroy
   Instructions are located here
   Make sure to update them on a regular basis
9. Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
   Two good alternative browsers are
   Firefox
   Opera
   It is essential to update to the latest version of your browser, as the updates fix known security holes
10. Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    Change the allow paste operations via script to Disable
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
11. Clean out you temp file on a regular basis
    I use and recommend ATF Cleaner by Attribune
    To use it, follow these instructions
    
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Main at the top and choose Select All from the list.
    • Click the Empty Selected button.
    If you use Firefox browser:
    
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
12. Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date

[NonSuch]

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.