Damm Spyware

Redler · #1 (**permalink**) 11-01-2005, 05:49 PM

Hello,
I, like a lot of other people, seem to be dammed with recent variants of Spyware. I seem to have tried everything and now I turning to the so-called experts to help me out. Here's a summary of my issues plus my Hijackthis log which by the way throws up a virus alarm from my nortan antivirus evertime I try to save Hijacthis log. I have to disable the real time protection to save the log! That's just minor compared to what I seem to be picking up.
I continuously get infected by B-S SPY. I've disabled System restore, booted up on safe mode ran the virus protection etc. etc. to no avail. I keep getting re-infected. My Desktop Wallpaper has changed to a black background and I can't get it back. My Task manager is disabled and everytime I enable it via regedit it keeps getting disabled when I log out and log back in again.

Any help would be much appreciated!

Logfile of HijackThis v1.99.0
Scan saved at 16:38:14, on 11/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet\ICC\icc2000.exe
C:\Program Files\Intelligent ISDN Utilities\ccmon.exe
C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\kernels32.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\data\downloads\Nav Updates\virusfixes\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Iusage] C:\PROGRA~1\INTERN~1.7\netdet.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICC2000] C:\Program Files\Internet\ICC\icc2000.exe
O4 - Global Startup: CAPI Tray.lnk = C:\Program Files\Intelligent ISDN Utilities\ccmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://anytime2.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...my_car_pop.jsp
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C

ne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104704582356
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AA2F31F-640B-4D69-B478-9FDEA4EEC9E5}: NameServer = 195.218.116.2 194.46.8.57
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RVS CommCenter - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
O23 - Service: RvscomSv - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
O23 - Service: RVS Installer - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE

spud · #2 (**permalink**) 11-01-2005, 07:11 PM

please be patient with us "so-called experts" we will get you out of trouble asap

thanks

Redler · #3 (**permalink**) 11-01-2005, 08:28 PM

Dear Spud,

Any idea how long I'll h ave to wait? :-)

spud · #4 (**permalink**) 11-01-2005, 10:19 PM

hi there owen is the expert on hijack this logs and he will do it as soon as poss but it seems at the mo that he is not on line he is usually doing the answers with in 2-3 hours please be patient he will do it i promise

Redler · #5 (**permalink**) 12-01-2005, 11:18 PM

..... any idea how long more I'll have to wait??

spud · #6 (**permalink**) 12-01-2005, 11:41 PM

i have just asked owen to have a look at it

please bear with him as you can see he has a lot to catch up with tonight

thanks

Redler · #7 (**permalink**) 12-01-2005, 11:58 PM

owen · #8 (**permalink**) 13-01-2005, 09:48 PM

Hello, in future be patient. What we do is voluntary and we have a lot to do and sometimes it piles up and takes hours to get through. PMing spud won't really help you get a faster response.

Please download the attached DelDomains.zip. Unzip it and right click the file DelDomains.inf and from the drop down menu, click Install. It will perform a silent process.

Warning: This will delete all sites in the IE Trusted and Restricted Zones! If you have made immunizations with software such as SpywareBlaster and Spybot, you will need to perform them again after this procedure.

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels32.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
C:\WINDOWS\system32\kernels32.exe

Reboot and post a fresh log

D-A-L · #9 (**permalink**) 14-01-2005, 10:03 AM

Quote:

so-called experts

I'm suprised you actually got help after that comment Redler, your pushing your luck!

spud · #10 (**permalink**) 14-01-2005, 07:48 PM

has the advice fixed your problems redler if so could you please let us know so we can close the thraed if not we will help you further

thanks