Still can't fix it!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
SJP
Hi

I have a black screen on my pc with a warning box saying that I should delete the spyware I have on my pc, and I don't know how it got there or how to delete it. I have scanned my computer and the problem is coolwwwsearch. I have copied the log from hijackthis and would appreciate it if you could let me know what I have to do to put my pc back to normal.


Logfile of HijackThis v1.99.1
Scan saved at 20:47:36, on 01/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\msxct.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mpbtn.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mad.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
C:\PROGRA~1\YAHOO!\MESSEN~1\YSERVER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2326
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\system32\wer8274.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [fndrjt] c:\windows\system32\qppren.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {12DB6D9E-365E-452E-8E78-510A1132E1D7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {12DB6D9E-365E-452E-8E78-510A1132E1D7} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9A3A083-18C4-4977-86E3-0BA4E3BD9C52}: NameServer = 194.72.9.34 62.6.40.178
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



Many Thanks

SJP
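The log above is what a helper works from. As an added example that is not part of the thread, here is a small Python triage script encoding the checks a helper applies by hand: unrecognised hosts in the R0/R1 page URLs and O16 ActiveX download sources, a missing URLSearchHook, browser add-ons and Run entries loading from the Windows directory or from unrecognised folders, services with no identifiable owner, and hard-set DNS servers in O17. The allow-lists of trusted hosts and known-good directories are assumptions built from the legitimate entries in this log, and the embedded sample is a subset of the lines above; the output is a list to review, not a list to delete.

```python
r"""Added example (not from the thread): triage a HijackThis 1.99 log the way a
forum helper reads it.  Each R/O entry is compared with an assumed allow-list of
vendor-default URL hosts and recognised install directories; the output is a
review list for a human, not a removal list."""
import re
from urllib.parse import urlparse

TRUSTED_URL_HOSTS = ("acer.com", "yahoo.com", "msn.com")  # OEM/ISP defaults, assumed
KNOWN_GOOD_DIRS = (  # assumed allow-list, matched as lower-case path prefixes
    r"c:\program files\yahoo!", r"c:\program files\adobe",
    r"c:\program files\spybot - search & destroy", r"c:\program files\spywareguard",
    r"c:\program files\cyberlink", r"c:\program files\common files\symantec shared",
)
KNOWN_GOOD_WINDIR_IMAGES = ("agrsmmsg.exe", "soundman.exe")  # OEM files living in %WINDIR%
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample: a subset of the R/O lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\system32\wer8274.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [fndrjt] c:\windows\system32\qppren.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {12DB6D9E-365E-452E-8E78-510A1132E1D7} - (no file) (HKCU)
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9A3A083-18C4-4977-86E3-0BA4E3BD9C52}: NameServer = 194.72.9.34 62.6.40.178
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_URL_HOSTS)

def _known_good(path):
    return any(path.lower().startswith(d) for d in KNOWN_GOOD_DIRS)

def _in_windir(path):
    # A bare image name in a Run value is resolved from %WINDIR%/system32 as well.
    p = path.lower()
    return ("\\" not in p or p.startswith("c:\\windows\\system32\\")
            or p.rsplit("\\", 1)[0] == "c:\\windows")

def _run_image(body):
    # 'HKLM\..\Run: [name] "C:\path with spaces.exe" args'  or  'Startup: x.lnk = C:\path'
    if "] " not in body:
        return body.split(" = ", 1)[-1]
    cmd = body.split("] ", 1)[1]
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (section, reason, line) for every entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines carry no autostart data
        sec, body, lower = m.group("sec"), m.group("body"), m.group("body").lower()
        reason = None
        if sec in ("R0", "R1", "O14", "O16"):  # IE page/search URLs, ActiveX download sources
            url = URL_RE.search(body)
            if url and not _host_trusted(url.group(0)):
                reason = "URL points at an unrecognised host"
        elif sec == "R3" and "missing" in lower:
            reason = "default URLSearchHook removed (typical of search hijackers)"
        elif sec in ("O2", "O3", "O9"):  # BHOs, toolbars, extra buttons: 'name - {CLSID} - path'
            path = body.split("} - ", 1)[-1]
            if "(file missing)" in lower or "(no file)" in lower:
                reason = "browser add-on registered but its file is gone"
            elif not _known_good(path):
                reason = "browser add-on loading from an unrecognised location"
        elif sec == "O4":  # Run/RunOnce keys and Startup folders
            image = _run_image(body)
            if _in_windir(image):
                if image.lower().rsplit("\\", 1)[-1] not in KNOWN_GOOD_WINDIR_IMAGES:
                    reason = "autostart from the Windows directory under an unfamiliar name"
            elif not _known_good(image):
                reason = "autostart from an unrecognised directory"
        elif sec == "O17":
            reason = "DNS servers hard-set on an interface; confirm they belong to the ISP"
        elif sec == "O23" and "unknown owner" in lower:
            reason = "service with no identifiable owner"
        if reason:
            findings.append((sec, reason, raw.strip()))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```

Run against the full log, the rules above land on the same entries the helper lists for fixing below, plus anything the trimmed allow-list does not know about; the point of the allow-list is that it is written down and can be argued with, rather than living in one person's head.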
Mosaic1
Download FindIt's.zip to your desktop.
Create a new folder. Extract the files inside to this new folder. Open the folder. Do not use it yet.

http://forums.net-integration.net/index.ph...=post&id=142443

----------------------------------------
Please download, install, and update the Ewido Security Suite:
http://www.ewido.net/en/download/

Do not use it yet.

--------
Please download, save and then extract nailfix:
http://users.pandora.be/bluepatchy/nailfix.zip
--------

Download CWShredder from this link:
http://www.intermute.com/spysubtract/cwshr...r_download.html

Do not use it yet.

--------


You will be restarting into Safe mode later.
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgen...001052409420406
--------

Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
--------

Go to Control Panel >Add Remove Programs.

Find these programs on the list ( if they exist) one at a time and highlight. Click Remove.

The BullsEye Network
Security IGuard
Virtual Maid
Search Maid



--------------------------

Restart into Safe mode.


Find and double-click on nailfix.cmd which you extracted earlier.

You'll lose your desktop and taskbar for a second. That's ok.
------
Next run a full scan in Ewido. Post the log from the Ewido scan into your next reply when you get back to regular windows.
--------

Run hijackthis and fix these items if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2326

R3 - Default URLSearchHook is missing
O2 - BHO: IEsearch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - c:\progra~1\2search\plugin.dll

O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\system32\wer8274.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [fndrjt] c:\windows\system32\qppren.exe
O9 - Extra button: Microsoft AntiSpyware helper - {12DB6D9E-365E-452E-8E78-510A1132E1D7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {12DB6D9E-365E-452E-8E78-510A1132E1D7} - (no file) (HKCU)

O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007guard.com/msnnames/msnnames.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe




Delete these folders if they exist:

c:\program files\2search
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard



Run Killbox.exe by double clicking on it.

Select Delete on Reboot.


Copy this entire list of files to the clipboard.

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\svcproc.exe
C:\windows\nail.exe
c:\windows\system32\qppren.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe



(Highlight the list and press CTRL + C.)
In the Killbox, go to the toolbar: File > Paste from clipboard.

Paste this path into the

Click the red icon with the white X at the upper right.

You will be prompted to restart. Say yes.

------------------
Once back in regular windows, run Hijackthis and post the new log and the Ewido log.

Run Findit's.bat inside the new folder you created earlier. Double click on Findit's.bat
It will take a while to run. When it finishes a notepad file will open.
Post the contents of that file as well into your next reply here.


If your desktop is now white:

Copy the contents of the Quote box to notepad.
Name the file out.reg
Save as type:All files
Save it someplace where you will remember it, like My documents.

Double click on out.reg and say yes to the prompt.

QUOTE
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]



[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-


Restart the computer.
Go to Display properties and click the desktop tab.
Click the Customize Desktop Button.

Click the Web tab and remove the checkmark from the Lock Desktop Items box.
Apply, then exit Display Properties.

In display Properties > Desktop
Choose a new background color and picture. Apply.

Close Display properties. If you need to, click the desktop and press F5 to refresh.
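Killbox's "Delete on Reboot" relies on the standard Windows mechanism for removing files that are locked while Windows is running (assumed here to be MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is what delete-on-reboot tools generally use): the request is queued in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and carried out by the session manager at the next boot, before anything can open the file. The Python below is an added example, not part of the thread or of Killbox, showing how that value is built and how to decode it so the queue can be audited; its file list is the start of the Killbox list above.

```python
r"""Added example (not from the thread): the PendingFileRenameOperations value
behind delete-on-reboot.  MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends
pairs of strings to the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and the session manager replays them at the next boot.  A source of \??\C:\path
with an empty destination means delete; a destination prefixed with ! means
replace an existing target.  Assumed to be what Killbox uses; the functions here
build and decode the value so queued operations can be inspected."""

def nt_path(win_path):
    r"""Turn C:\foo.exe into the \??\C:\foo.exe form the session manager expects."""
    if len(win_path) < 3 or win_path[1:3] != ":\\":
        raise ValueError(f"absolute drive path required: {win_path!r}")
    return "\\??\\" + win_path

def pending_delete_entries(paths):
    """Entries queueing a delete-on-reboot for each path: source, then an empty destination."""
    entries = []
    for p in paths:
        entries += [nt_path(p), ""]
    return entries

def encode_multi_sz(items):
    """REG_MULTI_SZ on disk: each string NUL-terminated, then a final NUL, in UTF-16LE."""
    return ("".join(s + "\0" for s in items) + "\0").encode("utf-16-le")

def decode_multi_sz(blob):
    """Inverse of encode_multi_sz.  The empty destination strings mean a generic
    REG_MULTI_SZ reader that stops at the first double NUL would truncate this
    value; it has to be parsed by length, which is what the session manager does."""
    text = blob.decode("utf-16-le")
    if text in ("\0", "\0\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    return text[:-1].split("\0")[:-1]

def describe(entries):
    """Interpret a PendingFileRenameOperations list as (op, source, destination) tuples."""
    if len(entries) % 2:
        raise ValueError("entries must come in source/destination pairs")
    ops = []
    for src, dst in zip(entries[::2], entries[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops

# Constructed input: the first three files from the Killbox list in the post above.
KILLBOX_LIST = [r"C:\wp.exe", r"C:\Windows\popuper.exe", r"C:\Windows\System32\intmonp.exe"]

if __name__ == "__main__":
    blob = encode_multi_sz(pending_delete_entries(KILLBOX_LIST))
    for op in describe(decode_multi_sz(blob)):
        print(op)
```

When checking what a tool has actually queued on a live machine, read the value as raw bytes and decode it by length as above; reading it through a helper that stops at the first empty string shows only the first file.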
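The out.reg above works by deleting the Policies\System key outright and removing the individual Active Desktop and Explorer restriction values: a bracketed key prefixed with "-" deletes the whole key, and a value line ending in "=-" deletes that value. Before importing any .reg file from a forum it is worth seeing exactly which keys and values it touches. The Python parser below is an added example, not from the thread; it reads the Registry Editor 5.00 format into a list of operations and summarises them, with the file from the post embedded as its input. Hex data continued across lines (trailing backslash) is not handled and raises.

```python
r"""Added example (not from the thread): parse a Registry Editor 5.00 .reg file
into the operations regedit would perform, so a fix file posted on a forum can be
audited before it is imported."""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

@dataclass(frozen=True)
class RegOp:
    action: str       # delete_key | create_key | delete_value | set_value
    key: str
    name: str = ""    # value name; "" is the (Default) value
    data: str = ""    # raw right-hand side for set_value, e.g. dword:00000001

def parse_reg(text):
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("not a Registry Editor 5.00 file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):
            raise ValueError(f"hex continuation lines are not supported here: {raw!r}")
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            ops.append(RegOp("delete_key" if m.group("delete") else "create_key", key))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "" if m.group("default") else m.group("name").replace('\\"', '"').replace("\\\\", "\\")
        data = m.group("data")
        ops.append(RegOp("delete_value" if data == "-" else "set_value", key, name, data))
    return ops

def policy_values_removed(ops):
    """Map each ...\\Policies\\... key to the restriction values the file deletes."""
    out = {}
    for op in ops:
        if op.action == "delete_value" and "\\policies\\" in op.key.lower():
            out.setdefault(op.key, []).append(op.name)
    return {k: sorted(v) for k, v in out.items()}

def summarize(ops):
    """Human-readable audit lines, one per operation."""
    lines = []
    for op in ops:
        label = op.name or "(Default)"
        if op.action == "delete_key":
            lines.append(f"DELETE KEY    {op.key}")
        elif op.action == "create_key":
            lines.append(f"ENSURE KEY    {op.key}")
        elif op.action == "delete_value":
            lines.append(f"DELETE VALUE  {op.key} [{label}]")
        else:
            lines.append(f"SET VALUE     {op.key} [{label}] = {op.data}")
    return lines

# The fix file quoted in the post above, embedded as the example's input.
OUT_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_reg(OUT_REG))))
```

A fix file that only deletes keys and values, as this one does, cannot plant anything; one that contains set_value lines under Run, Winlogon or Policies keys deserves a closer look before it is double-clicked.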
SJP
Hi

I've had instructions on how to rid my pc of the virus I have, but only get as far as safe mode. Then the mouse doesn't work! Can you advise me on what to do please.

Many Thanks

SJP

When making replies, please do not create a new topic as your reply. Instead just add the reply to the existing topic.

The threads have been merged!
Mosaic1
Thanks Bobbi,

I almost missed this one.



Hi SJP,

I bet you have a USB mouse? My best advice is to go out and buy a cheap mouse. Use it for these emergencies. Safe Mode is so very important for troubleshooting. Sometimes you are not able to boot to regular Windows mode because of problems. Going into Safe mode and making changes has saved a lot of people from format and reinstall.


Mo
Invision Power Board © 2001-2009 Invision Power Services, Inc.