Logfile of HijackThis v1.99.1
Scan saved at 11:29:16 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Welcome to DAL, you are extremely infected. Bear with us and we will do our best to get you cleaned up. We will start on the Vundo Trojan first and a few cws files and go from there.
Go here to learn how to show hidden files/folders:
Go to start >run and type: services.msc and click OK
Scroll down in that list and look if the following services are present:
Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service
Please make sure it is exactly the same written as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.
Doubleclick on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to disabled.
Click apply and OK and close all open windows.
Next:
Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Remote Procedure Call (RPC) Helper and press OK. OK any prompts, close HijackThis, and restart your computer.
Do the same for the other two services if listed
Please print these instructions out for use in Safe Mode.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Nothing open but hijackthis and click "fix checked"
After you have fixed these items, close Hijackthis.
Press enter to exit the program then manually reboot your computer.
Once your machine reboots please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
__________________ Stalking and killing Spyware
Have we helped you? Please consider a donation to help keep D-A-L free.Click on donate below
Okay, I did everything you suggested, and I found most of the items I was told to delete, however Ive noticed some of the items I've deleted have reapeared on the HijackThis log. Such as the O20 items.
PS: I would just like to thank you for all the assistance, it is very appreciated!
Logfile of HijackThis v1.99.1
Scan saved at 5:13:16 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Spyware:spyware/cydoor Not disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Adware:adware/searchaid Not disinfected C:\WINDOWS\SYSTEM32\sdkhs32.exe
Adware:adware/delfinmedia Not disinfected C:\keys.ini
Adware:adware/antivirus-gold Not disinfected C:\WINDOWS\desktop.html
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Brian\Favorites\1111
Spyware:spyware/virtumonde Not disinfected Windows Registry
Possible Virus. Not disinfected C:\asdf.exe
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-37504352-675cbc42.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-37504352-675cbc42.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-37504352-675cbc42.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-37504352-675cbc42.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-6c1459c8-29f04557.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-6c1459c8-29f04557.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-6c1459c8-29f04557.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc hive.jar-6c1459c8-29f04557.zip[Beyond.class]
Virus:Bck/Obot.C Not disinfected C:\Documents and Settings\Brian\Desktop\backups\backup-20051229-153849-943.dll
Virus:Trj/ShellHook.E Not disinfected C:\WINDOWS\SYSTEM32\pmkjg.dll
Don't run any of the below tools yet just update and exit if updates available
Please read the complete post first, you should copy and paste this post to a new text Document or print it.
Download and install http://www.ccleaner.com/ccdownload.php
Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Adaware. You will need it later
Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates then exit, we will use it later.
Unzip it to its own DESKTOP folder, right click open area on the desktop, click new, the new folder, name the folder Aboutbuster . It is VITAL that it be unzipped.
Please open/run the program and check for updates. After you update it exit.
Do not run the actual scan/fix until instructed.
Now go get firefox and make it your default browser, download those tools above and post a new hijackthis log and we can procede.
__________________ Stalking and killing Spyware
Have we helped you? Please consider a donation to help keep D-A-L free.Click on donate below
Did everything you suggested. Heres my results with HijackThis.
Thanks alot!
Logfile of HijackThis v1.99.1
Scan saved at 901 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
If the weatherbug program you have is the free version please remove it thru add/remove program
Did you run the about:buster fix?
Did you run the CWShredder fix?
Did you run the fixagentB fix?
I am not seeing part of your troubles. Don't be surprised if those infections come back but may not but best results are when those tools are run from safe mode.
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)---only if the free version
Nothing open but hijackthis and click "fix checked"
Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.
Hunt for and delete if present:
C:\WINDOWS\mfcxg32.exe < file
C:\DOCUME~1\Brian\LOCALS~1\Temp\3F.tmp.exe < file
C:\DOCUME~1\Brian\LOCALS~1\Temp\40.tmp.exe < file
C:\WINDOWS\mssy.exe < file
C:\Program Files\AWS < folder---only if the free version gebya.dll pmkhg.dll
C:\WINDOWS\system32\pmnlk.dll < file
Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter at the prompts.
Then:
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
Reboot and post a new hijackthis log please. Thanks.
__________________ Stalking and killing Spyware
Have we helped you? Please consider a donation to help keep D-A-L free.Click on donate below
I did everything suggested and it does look alot smaller now!
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 2:33:48 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
If you are no longer having any more trouble here is some preventative measures for you.
Here are some preventive measures you can take to keep your computer from getting infected again. also keep all these and Ad-awareSE and SpybotS&D updated.
To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:
1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser. http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!. AVG:http://free.grisoft.com/doc/1
5. Consider using an alternate free browser for general web surfing but you must use IE for windows update. Mozilla Firefox: www.mozilla.org/products/firefox/
6. Consider increasing your browser security by using these programs: SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:
If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free
__________________ Stalking and killing Spyware
Have we helped you? Please consider a donation to help keep D-A-L free.Click on donate below
01 PM, on 12/29/2005
