
This is my third post...someone please help
CastleCops
-> Trend Micro HijackThis Logs
Author: diagonalorange, Location: Canada
Posted: Sat Jul 03, 2004 9:28 pm Post subject: This is my third post...someone please help
If no one responds to this thread, then I will have to do a full system restore so please give me any input you may have. It will take me forever to back up everything that I need.
The main symptom my computer has is that I cannot open more than one IE browser. My computer is running incredibly slow and frequently shuts down by itself...mostly after I have deleted a harmful file from the registry.
I am running McAfee VirusScan 7.1.0 with updated scan engine 4.3.20. Trend Micro's virus scan found 5 different trojans on my computer that I am unsure if I have got rid of yet. The viruses I have found are:
trojan agent.EA
trojan blazefind.A
trojan agent.BO
trojan agent.L
trojan delf.ra
trojan agent.L
I have followed steps to get rid of all of these viruses but still have problems because I am unable to find the location of the filenames for some of the trojans. For example in registry edit I am supposed to delete file 83DE620.....60FAF2 which is not located in CLSID folder where it should be.
I have run ad aware and spybot and deleted all the files that were flagged. I have also deleted all that I am sure of from my hijackthis log. None of this has helped the problem. Here is my hijackthis log if it helps.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\Config\vbsys.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Documents and Settings\My Documents\My Received Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.g7welcomingcommittee.com/propagandhi/news.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_18_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [vbsys] C:\WINDOWS\Config\vbsys.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mrw.interscience.wiley.com/wfplayer/tdserver.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37427.6236689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Canada Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_18_0.cab
Author: Yellowhammer,
Posted: Sun Jul 04, 2004 3:15 am Post subject:
Disable Messenger Service per the following instructions.
Click Start > Run and type "services.msc" (no quotes) in the Open: line and click OK
In the right pane, scroll down to Messenger.
Double click Messenger and click the General tab.
Under Service Status: click the Stop button.
In the Startup Type: drop down box, select Disable.
Click Apply and OK.
Uninstall EAcceleration or EAnthology or similarly named programs from add/remove programs.
Make sure you can view hidden and system files: Instructions here.
ReBoot to safe mode: Instructions here.
Then Close all windows and have hijackthis fix the following that are still listed:
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [vbsys] C:\WINDOWS\Config\vbsys.exe
Then while in safe mode delete the following:
C:\WINDOWS\Config\vbsys.exe <-File
Then browse to the C:\documents and settings\User Names(repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files; make sure you get all offline content as well.
Then empty the recycle bin.
Then reboot to normal mode.
Then,
Download ad-aware here if it is not already installed on your computer.
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then, from the main window, click "Start" then "Activate in-depth scan".
Click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".
Click the "Tweak" button.
Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning".
Then under "Cleaning engine" tick "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion".
Then click "proceed" to save your settings.
Now to scan, just click the "Next" button.
When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop down menu), then press Next and say yes to the prompt "do you want to remove all these entries".
See if you have a VX2 Infection
How to use Lavasoft’s VX2 Cleaner plug-in
Close Ad-Aware 6 build 181 and Ad-Watch (if running)
Download the free VX2 Cleaner here
Install the VX2 Cleaner
Start Ad-Aware 6 build 181
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close”.
If your computer is infected
Select “Clean system”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer
Then,
Download SPYBOT Search and Destroy here if it is not already installed on your computer
Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the Check is over All problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.
Then Disable system restore: Instructions here.
Reboot
Finally, do an online scan using Trend Micro's HouseCall. It is available here. Clean or delete everything it finds.
Enable system restore.
Post a fresh HijackThis log please.
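As an added example (not part of this thread or of HijackThis itself), a small Python parser for the O4 Run entries in a HijackThis log like the one posted above. It also checks which lines of Yellowhammer's fix list are still present in a fresh log, and flags Run entries that launch from a Windows subfolder other than System32, as the vbsys.exe entry does. The sample log excerpt is constructed from lines in this thread.

```python
import re
from typing import List, NamedTuple, Optional

class Autorun(NamedTuple):
    hive: str   # HKLM or HKCU
    key: str    # registry key name shown after "..\", e.g. Run
    name: str   # value name shown in [brackets]
    path: str   # executable path with quotes and arguments stripped
    raw: str    # the original log line

# O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /args
_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')

def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one HijackThis O4 registry Run line; other sections give None."""
    m = _O4.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        # Unquoted command: cut at the first " /" or " -" switch (e.g. " /Startup").
        path = re.split(r'\s+[/-]', cmd, maxsplit=1)[0]
    return Autorun(hive, key, name, path, line.strip())

def parse_log(text: str) -> List[Autorun]:
    return [a for a in map(parse_o4, text.splitlines()) if a]

# Heuristic from the thread: autoruns normally live in Program Files or
# System32; one launching from another Windows subfolder deserves a look.
_EXPECTED = re.compile(r'^C:\\WINDOWS\\(SYSTEM32|SYSTEM)\\[^\\]+$', re.I)

def odd_windows_autoruns(entries: List[Autorun]) -> List[Autorun]:
    return [a for a in entries
            if a.path.upper().startswith('C:\\WINDOWS\\') and not _EXPECTED.match(a.path)]

def still_listed(text: str, fix_list: List[str]) -> List[str]:
    """Return fix-list lines that still appear verbatim in a fresh log."""
    present = {l.strip() for l in text.splitlines()}
    return [l for l in fix_list if l.strip() in present]

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [vbsys] C:\WINDOWS\Config\vbsys.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""
# The three entries Yellowhammer asked HijackThis to fix.
FIX_LIST = [l for l in SAMPLE_LOG.splitlines() if 'INCFIN' in l or 'eanth' in l or 'vbsys' in l]
```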
Author: diagonalorange, Location: Canada
Posted: Mon Jul 05, 2004 8:36 pm Post subject: Thanks
Thanks for your help. Unfortunately I could not fix my computer because it would no longer run Windows...even in safe mode, so I had to reinstall Windows and all other programs. Hopefully partitioning my hard drive and using ad-aware, spybot and cwshredder regularly will help minimize further infection.
Author: Yellowhammer,
Posted: Mon Jul 05, 2004 8:55 pm Post subject:
Sorry you had to go that way.
Some other ideas to protect it from happening again.
How to Protect Yourself:
1. Keep Windows Updated via the windows update site. Better yet, set it up to automatically update. Instructions here
2. Keep a good antivirus system updated and running at all times. I use NOD32 available here.
3. Keep a firewall running at all times. I recommend Sygate Personal Available here.
4. Set up your internet explorer security properly. See instructions here.
5. Use Adaware and Spybot S&D weekly after updating.
6. Use SpywareBlaster, SpywareGuard, IE-Spyad. Links to all of these on my site here.
I am going to lock this topic since the issue has been resolved.