Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help with spyware & trojans

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help with spyware & trojans

Unread postby clarek » June 16th, 2005, 12:14 pm

Hi

I am having problems with my bosses laptop, for a while now he has been getting popups, but now it seems to have got worse.

This morning spySherriff appeared on the desktop and does not seem to want to go, he cannot get onto files on the network, we get the error "Logon failure, account is currently disabled", and a black box with red writing has appeared on the desktop saying that the pc is infected with spyware and should not be used until it is removed. We are also constantly getting messages that a trojan virus has been found and deleted

I have run spybot s&d and ad-aware in safe mode. I want to update to XP sp2 but am worried about doing this when there is so much running on the machine.

HiJack this log below:

Logfile of HijackThis v1.98.2
Scan saved at 11:15:04, on 16/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\r_server.exe
C:\Windows\System32\DRIVERS\CDANTSRV.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\paytime.exe
C:\Windows\sys5530.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\ACT\SideACT.exe
C:\Windows\System32\wuauclt.exe
C:\Documents and Settings\davec\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itfc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c28 -w
O4 - HKLM\..\Run: [PayTime] C:\Windows\System32\paytime.exe
O4 - HKLM\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKLM\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKLM\..\Run: [sys146] C:\Windows\sys146.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKCU\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKCU\..\Run: [wupd] C:\Windows\System32\win32.exe
O4 - HKCU\..\Run: [sys146] C:\Windows\sys146.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3018411621
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = drg_norwich.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\Windows\System32\vbsys2.dll
O21 - SSODL: System - {C7C375FA-4221-4FC9-B0F3-181E8F01A888} - vr_sys.dll (file missing)
clarek
Active Member
 
Posts: 4
Joined: June 16th, 2005, 12:11 pm
Advertisement
Register to Remove

Unread postby ChrisRLG » June 16th, 2005, 12:20 pm

Your version of HJT is very outof date. Please get the lates version from the downloads page at the top of this forum.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

sorry, here is updated log

Unread postby clarek » June 16th, 2005, 12:32 pm

Logfile of HijackThis v1.99.1
Scan saved at 17:30:37, on 16/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\r_server.exe
C:\Windows\System32\DRIVERS\CDANTSRV.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\paytime.exe
C:\Windows\sys955.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\ACT\SideACT.exe
C:\DOCUME~1\davec\LOCALS~1\Temp\msldf.exe
C:\Windows\explorer.exe
C:\Windows\System32\newdial1.exe
C:\Windows\System32\newdial1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\davec\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itfc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c28 -w
O4 - HKLM\..\Run: [PayTime] C:\Windows\System32\paytime.exe
O4 - HKLM\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKLM\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKLM\..\Run: [sys146] C:\Windows\sys146.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKCU\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKCU\..\Run: [wupd] C:\Windows\System32\win32.exe
O4 - HKCU\..\Run: [sys146] C:\Windows\sys146.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 195.95.218.170
O15 - Trusted IP range: 195.95.218.170 (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3018411621
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = drg_norwich.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\Windows\System32\vbsys2.dll
O21 - SSODL: System - {C7C375FA-4221-4FC9-B0F3-181E8F01A888} - vr_sys.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Windows\System32\r_server.exe" /service (file missing)
O23 - Service: Ç-DillaSrv - C-Dilla Ltd - C:\Windows\System32\DRIVERS\CDANTSRV.EXE
clarek
Active Member
 
Posts: 4
Joined: June 16th, 2005, 12:11 pm

Unread postby Susan528 » June 16th, 2005, 8:22 pm

Hello and Welcome Clarek,

First I need you to do a download and then you can go to safe mode and perform the tasks.

Trojan Hunter
Download TrojanHunter free trial from http://www.trojanhunter.com/
Update and install, Do not use yet!

Show Hidden and System files:
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Safe Mode
You already know how to do this but here are instructions anyway.Now you need start you computer in safe mode.
You will find instructions here for http://www.bleepingcomputer.com/forums/ ... tut61.html

Trojan Hunter
Select Full Scan and let the scan complete. Please note that this scan takes awhile to complete so allow a few hours. On the tool bar go to File => Save the scan report.

Disable Trojan Hunter Guard while fixing entries.
Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue magnifying glass icon with a red handle. Right click it and select Settings. Uncheck Load at startup and Enabled

Run Hijackthis
Open Hijackthis and tick this entries if present.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php RIPE Network Coordination Centre
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php RIPE Network Coordination Centre
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe
O4 - HKLM\..\Run: [PayTime] C:\Windows\System32\paytime.exe
O4 - HKLM\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKLM\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKLM\..\Run: [sys146] C:\Windows\sys146.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKCU\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKCU\..\Run: [wupd] C:\Windows\System32\win32.exe
O4 - HKCU\..\Run: [sys146] C:\Windows\sys146.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 195.95.218.170 RIPE Network Coordination Centre
O15 - Trusted IP range: 195.95.218.170 (HKLM) RIPE Network Coordination Centre
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

Is drg_norwich.co.uk company related? Please do not check these if
it is company related!
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = drg_norwich.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk [/color][/b]
Close ALL windows and browsers except HijackThis and click "Fix checked

Now delete the following file(s) in RED if present
C:\DOCUME~1\davec\LOCALS~1\Temp\msldf.exe
C:\Windows\System32\newdial1.exe
C:\WINDOWS\system32\usbn.exe
C:\Windows\System32\paytime.exe
C:\Windows\sys5530.exe
C:\Windows\sys955.exe
C:\Windows\sys146.exe
C:\winstall.exe
C:\Windows\sys5530.exe
C:\Windows\sys955.exe
C:\Windows\System32\win32.exe
C:\Windows\sys146.exe
c:\ex.cab

Hijackthis – ADS
Open Hijackthis
Click “Open Misc Tools sectionâ€
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby clarek » June 17th, 2005, 8:59 am

Thanks for your help so far. I have done everything you suggested, nothing showed up in the hijackthis ads scan, so nothing to log (or did i do something wrong?). Here are the hijack thi sand trojan scan logs:

Logfile of HijackThis v1.99.1
Scan saved at 13:55:16, on 17/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\alg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\DRIVERS\CDANTSRV.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\ACT\SideACT.exe
C:\Documents and Settings\davec\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itfc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKCU\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKCU\..\Run: [wupd] C:\Windows\System32\win32.exe
O4 - HKCU\..\Run: [sys146] C:\Windows\sys146.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3018411621
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = drg_norwich.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\Windows\System32\vbsys2.dll
O21 - SSODL: System - {C7C375FA-4221-4FC9-B0F3-181E8F01A888} - vr_sys.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Windows\System32\r_server.exe" /service (file missing)
O23 - Service: Ç-DillaSrv - C-Dilla Ltd - C:\Windows\System32\DRIVERS\CDANTSRV.EXE

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temp\bb.exe (Adware.BargainBuddy.101)
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temp\bb.exe (Adware.BargainBuddy.104)
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temporary Internet Files\Content.IE5\GDURCLAN\0006_regular[1].cab (Adware.ISTBar.214)
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temporary Internet Files\Content.IE5\NIWZNPKL\adp8032[1].exe (Adware.BargainBuddy.104)
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temporary Internet Files\Content.IE5\S9QV0PMN\bb[1].exe (Adware.BargainBuddy.101)
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temporary Internet Files\Content.IE5\S9QV0PMN\bb[1].exe (Adware.BargainBuddy.104)
Found trojan file: C:\Documents and Settings\davec\Local Settings\Temporary Internet Files\Content.IE5\S9QV0PMN\sidefind13[1].dll/vrXmDX1.exe (Adware.SideFind.104)
Found trojan file: C:\WINDOWS\ms1.exe/VtDtRG.exe (Exploit.IE.Dword.100)
Found trojan file: C:\WINDOWS\system32\init32m.exe/oSqY.exe (Exploit.IE.Dword.100)
Found possible trojan file: C:\WINDOWS\system32\newdial.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\realupd32.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\realupd_32.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Error: Directory not found: F:\
Error: Directory not found: H:\
Error: Directory not found: R:\
7 trojan files found
3 possible trojan files found

Thanks!
clarek
Active Member
 
Posts: 4
Joined: June 16th, 2005, 12:11 pm

Unread postby Susan528 » June 17th, 2005, 3:22 pm

Hello Clarek,

Move Hijackthis off the desktop and into its own folder, this is important as it allows useful backups to be made.

We made a little progress. You have no ADS on your system which is fine. We need to work on the bad hijackthis entries and remove some more files.

Is drg_norwich.co.uk company related? Please let me know so I know if it should show up in the hijackthis log or be removed.

Show Hidden and System files:
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Safe Mode
Now you need start you computer in safe mode.

Disable Trojan Hunter Guard while fixing entries.
Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue magnifying glass icon with a red handle. Right click it and select Settings. Uncheck Load at startup and Enabled

Remove SpySheriff
Open the Control Panel then double click on Add/Remove Programs. Look for the SpySheriff and uninstall it if found.

End Processes using Task Manager
Don’t be alarmed if you cannot find all the processes listed here.
Press Ctrl- Alt-Del to enter the Task Manager.
Click on the Process tab to end the following processes.
Processes are in RED.
C:\winstall.exe
C:\Windows\sys955.exe
C:\Windows\System32\win32.exe
C:\Windows\sys146.exe
C:\WINDOWS\system32\newdial.exe
C:\WINDOWS\system32\realupd32.exe
C:\WINDOWS\system32\realupd_32.exe

Run Hijackthis

Open Hijackthis and tick this entries if present.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [sys5530] C:\Windows\sys5530.exe
O4 - HKCU\..\Run: [sys955] C:\Windows\sys955.exe
O4 - HKCU\..\Run: [wupd] C:\Windows\System32\win32.exe
O4 - HKCU\..\Run: [sys146] C:\Windows\sys146.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
Close ALL windows and browsers except HijackThis and click [b]"Fix checkedâ€
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby ChrisRLG » July 6th, 2005, 8:57 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 551 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware