Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Post #1, Jan 29 2006, 04:54 PM
New Member, Group: Member, Posts: 3, Joined: 29-January 06, Member No.: 17587
```text
Logfile of HijackThis v1.99.1
Scan saved at 16:50:32, on 29/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\blueyonder\PCguard\RPS.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\SpyAxe\spyaxe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Karl Booth\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp82A8.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash-- Look for another playground --.ladbrokes.com/instant-p...-en/FlashAX.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
```
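A small triage script for the HijackThis log format used in this thread, added here as an illustration and not a tool from the thread or from HijackThis itself: it splits the R/F/O entry lines out of a log and flags the kinds of entries the helper's replies act on (a BHO loaded from a .tmp file under system32, a service with no recorded vendor, stale "(file missing)" entries, ActiveX controls pulled from a web site). The flagging heuristics are my own assumptions about what deserves a second look; the constructed sample copies several entries from the log above but uses a placeholder URL for the O16 line.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 format. The O2, O3, O4 and O23
# entries are copied from the log in the post above; the O16 URL is a
# placeholder, not the one from the log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp82A8.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://example.invalid/FlashAX.cab
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
"""

# An entry line starts with its HijackThis section code (R1, F2, O4, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def _last_field(body):
    """Final ' - ' separated field of an entry, where HijackThis puts the file path."""
    return body.rsplit(" - ", 1)[-1].strip().lower()


# Review heuristics of my own (not HijackThis rules): (section, or None for
# any section; predicate over the entry body; reason shown to the reviewer).
HEURISTICS = [
    ("O2", lambda b: _last_field(b).endswith(".tmp"), "BHO loaded from a .tmp file"),
    ("O23", lambda b: "Unknown owner" in b, "service with no recorded vendor"),
    ("O16", lambda b: True, "ActiveX control downloaded from a web site"),
    (None, lambda b: "(file missing)" in b, "stale entry, referenced file is gone"),
]


def parse_entries(log_text):
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Return (section, reason, body) for every entry that trips a heuristic."""
    findings = []
    for section, body in parse_entries(log_text):
        for want, pred, reason in HEURISTICS:
            if (want is None or want == section) and pred(body):
                findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```

A flagged entry is a prompt for a human to check the file and its vendor, as the helper does in the replies below, not a verdict on its own.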
Post #2, Jan 29 2006, 06:05 PM
Most Respected SuperExpert, Group: Member, Posts: 4576, Joined: 9-June 04, Member No.: 8164
I strongly urge you to uninstall LimeWire. It and other file sharing programs are the source of a lot of the infections we see. You have no idea what you are really downloading and what is being passed to you on the network!

Copy these instructions to Notepad and save them to your desktop for easy reference. You will be restarting into Safe Mode later. Here's help if you need it.

To use the F8 key to start Windows XP in Safe Mode: Restart the computer. Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening. As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again. Using the arrow keys on the keyboard, select Safe Mode and then press Enter.

------

Download smitrem.zip. Save the file to your desktop. Double click on smitRem.exe to extract the files it contains. This will create a folder named smitrem on your desktop. We'll use it later.

------------

Download CCleaner: http://www.filehippo.com/download_ccleaner.html
Install CCleaner. Launch CCleaner, look in the upper right corner and click on the "Options" button. Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours". Click OK. Do not run CCleaner yet. You will run it later in Safe Mode.

Download the trial version of Ewido Security Suite: http://www.ewido.net/en/download/
Install ewido. During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido. It will prompt you to update; click the OK button and it will go to the main screen. On the left side of the main screen click Update. Click on Start and let it update. DO NOT run a scan yet. You will do that later in Safe Mode.

--------------------------

Restart into Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and Disk Cleanup to finish.

Run ewido: click on Scanner, click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files; click OK. When the scan is finished, look at the bottom of the screen and click the Save report button. Save the report to your desktop.

Start CCleaner and click Run Cleaner.

Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

Restart back into regular Windows.

Go for a free online virus scan here: http://www.pandasoftware.com/activescan/
Allow it to clean. Panda will have the option to create a log after the scan has finished. Click the See Report button. Then click the Save Report button. It will be saved under the name activescan.txt. Do that and post that log into your next reply here.

Post a new HijackThis log along with the results from ActiveScan and the ewido scan. Open C:\smitfiles.txt and post the contents of that file. You may have to reply more than once to fit all the logs into your response. Please be sure the entire contents of all logs are showing in your responses. Thank you.

-----------

There has been an issue found recently with Sun Java. When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way. First update to the very latest version of Sun Java, which is 1.5.0_06. Then go into Add/Remove Programs and uninstall any older versions you find listed there.
Post #3, Jan 31 2006, 10:05 PM
New Member, Group: Member, Posts: 3, Joined: 29-January 06, Member No.: 17587
Carried out the instructions and ran HijackThis again. Below is the log file:

```text
Logfile of HijackThis v1.99.1
Scan saved at 22:03:42, on 31/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\blueyonder\PCguard\RPS.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Karl Booth\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash-- Look for another playground --.ladbrokes.com/instant-p...-en/FlashAX.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
```
Post #4, Jan 31 2006, 10:09 PM
New Member, Group: Member, Posts: 3, Joined: 29-January 06, Member No.: 17587
Here is the scan from Panda:

| Incident | Status | Location |
|---|---|---|
| Potentially unwanted tool:application/spyaxe | Not disinfected | C:\Documents and Settings\Karl Booth\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SpyAxe 3.0.lnk |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Karl Booth\My Documents\smitRem\Process.exe |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Karl Booth\My Documents\smitRem.exe[Process.exe] |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\Common Files\WinFixer 2005\FCrXML.dll |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\Common Files\WinFixer 2005\uwappchk.dll |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\WinFixer 2005\FTR.dll |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\WinFixer 2005\FxCr.dll |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\WinFixer 2005\MFix.dll |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\WinFixer 2005\str.exe |
| Potentially unwanted tool:Application/Winfixer2005 | Not disinfected | C:\Program Files\WinFixer 2005\updater.dat |
Post #5, Jan 31 2006, 10:32 PM
Most Respected SuperExpert, Group: Member, Posts: 4576, Joined: 9-June 04, Member No.: 8164
You are currently running HijackThis from the temp folder. Why is that?

You had been running from: C:\Documents and Settings\Karl Booth\My Documents\hijack this\HijackThis.exe

Please do not run HijackThis from the temp folder. If you do, you'll lose any backups it makes.

----------------------------------

Delete this file:
C:\Documents and Settings\Karl Booth\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SpyAxe 3.0.lnk

Delete this folder:
C:\Program Files\Common Files\WinFixer

You are still using LimeWire. Do that at your own risk. You'll be infected again shortly if you use high risk file sharing.

---------------------

There has been an issue found recently with Sun Java. When newer versions are installed, the older versions are left behind and malware can call these older versions to exploit flaws. Some malware has been found to install this way. First update to the very latest version of Sun Java, which is 1.5.0_06. Then go into Add/Remove Programs and uninstall any older versions you find listed there.

------------

Stop Sign is not a good application. There are better anti-virus apps out there. I suggest you uninstall it. AVG offers free anti-virus.
http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5
http://free.grisoft.com/softw/70free/setup...ree_308a468.exe

------------------------------

I also do not see any firewall. Zone Alarm offers a free firewall if you need one.
http://www.zonelabs.com/store/content/comp...reeDownload.jsp

Either a router or the Windows Firewall will protect you from inbound traffic only. Anything trying to get out will not be prevented. This is not a good thing and it is strongly recommended that you install a software firewall as well to prevent unauthorized outbound traffic.

-----------------------

How is the system running now?