Numerous Virus Problems

Guest

Dear whoever can help,

I recently inherited an enormous number of problems when researching for my
business studies homework! I have got rid of what I can but it still doesn't
seem as it was beforehand. I'm still getting a lot of pop-ups and a lot of
programs installing themselves without permission like online dating, cheap
holiday travel, free online music etc. If it helps, here's my HijackThis
log. Can anyone help?

Logfile of HijackThis v1.99.0
Scan saved at 13:16:34, on 12/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\System32\vuoowk.exe
C:\windows\system32\otlfjb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Steven\Application Data\pooi.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\windows\system32\calc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\installer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steven\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [otlfjb] c:\windows\system32\otlfjb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mtea] C:\Documents and Settings\Steven\Application Data\pooi.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks

Steve
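As an added illustration (not part of the thread, and not code from the HijackThis project), here is a small Python triage script that reads the kind of log posted above and picks out the entry types a reviewer would look at first: hosts-file lines that redirect well-known hostnames to some other IP (the O1 lines), Winsock LSP DLLs HijackThis does not recognise (O10), sites and IP ranges added to the IE Trusted Zone (O15), MIME filters (O18), and Run entries (O4) whose executable lives in an unusual place such as the Windows directory root, a subfolder below System32, or a user profile. The sample input is constructed from lines in the log above plus one made-up 127.0.0.1 hosts line; the location rules are the author's own heuristics, not anything HijackThis itself does.

```python
# Added triage helper for a HijackThis log (example code, not from this thread
# or the HijackThis project): parse the numbered sections and flag entry types.
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O1"
    reason: str   # why the entry deserves a closer look
    line: str     # the log line as written


# Constructed sample input: entries copied from the log above (joined where the
# forum wrapped them) plus a constructed 127.0.0.1 hosts entry, so a
# blocklist-style line is shown not being flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [otlfjb] c:\windows\system32\otlfjb.exe
O4 - HKCU\..\Run: [Mtea] C:\Documents and Settings\Steven\Application Data\pooi.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# Run entry: hive, [label], then an optionally quoted path ending in .exe
RUN_RE = re.compile(
    r'^HK\w+\\\.\.\\Run: \[[^\]]+\]\s*"?(?P<path>[^"]+?\.exe)', re.IGNORECASE
)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts entries that block, not redirect


def suspicious_launch_path(path: str) -> Optional[str]:
    """Location heuristic for an autorun target; None means nothing stood out."""
    p = path.lower()
    if "\\documents and settings\\" in p:
        return "autorun launches from a user profile"
    m = re.match(r"^[a-z]:\\windows\\(.+)$", p)
    if m:
        parts = m.group(1).split("\\")
        if len(parts) == 1:
            return "autorun launches from the Windows directory root"
        if parts[0] == "system32" and len(parts) > 2:
            return "autorun launches from a subfolder below System32"
        if parts[0] != "system32":
            return "autorun launches from a non-standard Windows subfolder"
    return None  # Program Files, or a file sitting directly in System32


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per distinct log line a reviewer should examine."""
    findings: List[Finding] = []
    seen = set()  # HijackThis repeats the same LSP line once per chain entry
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason: Optional[str] = None
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOOPBACK:
                reason = f"hosts file redirects {h.group('host')} to {h.group('ip')}"
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                reason = suspicious_launch_path(r.group("path"))
        elif sec == "O10":
            reason = "Winsock LSP DLL that HijackThis does not recognise"
        elif sec == "O15":
            reason = "site or IP range added to the IE Trusted Zone"
        elif sec == "O18":
            reason = "MIME filter sees every page of that type; verify the DLL"
        if reason and line not in seen:
            seen.add(line)
            findings.append(Finding(sec, reason, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample this yields ten findings (three O1, three O4, one O10, two O15, one O18). Note what the location heuristic misses: otlfjb.exe sits directly in System32, so it is not flagged, and the realsched.exe entry under Program Files is correctly left alone. That is the point of the O4 rule: it is a first pass that orders the list for a human reader, not a verdict, which is why the regulars in this thread keep steering HijackThis logs to people who read them every day.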
 
David H. Lipman

From: "Steve Box" <Steve (e-mail address removed)>

| Dear whoever can help,
|
| I recently inherited an enormous number of problems when researching for my
| business studies homework! I have got rid of what I can but it still doesn't
| seem as it was beforehand. I'm still getting a lot of pop-ups and a lot of
| programs installing themselves without permission like online dating, cheap
| holiday travel, free online music etc. If it helps, here's my HijackThis
| log. Can anyone help?
|
| Logfile of HijackThis v1.99.0

< HJT Log snipped >

| Steve




Steve:


There are anti-virus newsgroups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

/ * This is the WRONG place to post HJT logs as well ! */



Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt488.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

2) Update Ad-aware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode [F8 key during boot]
and shutdown as many applications as possible.
5) Using Trend Sysclean, Stinger and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

* * Please report your results ! * *
 
Guest

Oops OK, didn't see the anti-virus groups! Do you want me to post the log file
here once I'm done or not?

Thanks
 
David H. Lipman

From: "Steve Box" <[email protected]>

| Oops OK, didn't see the anti-virus groups! Do you want me to post the log file
| here once I'm done or not?
|
| Thanks

Which log, HiJackThis ? No.

You are already in this News Group so we'll continue the support here.
Realize for future posts that a query should be geared towards the place that can *best*
answer that query.

Please perform the Stinger, Ad-aware and TrendMicro Sysclean scans and, based upon those
results, we can continue from there.
 
MoiMeme

For HijackThis logs go here
http://www.hijackthis.de/forum/forumdisplay.php?f=10&guestlanguageid=4
That's an expert group dedicated to it.
Also: disconnect your PC from the network while cleaning (after having
downloaded the programs suggested, of course): that will prevent viruses
downloading other blends while you try to clean. Only reconnect to the web once
everything seems OK.
Also add to what you should get CWShredder
(http://www.intermute.com/products/cwshredder.html): only download the free
separate CWShredder; it is specialised in the removal of CoolWebSearch items
that parasitise Internet Explorer. Do a "fix" run with the internet closed (no IE
windows open).

Good luck.
Phil
 
Guest

Ok I've run those 3 twice now. Adaware found 73 the first time, Stinger nothing,
and Sysclean about 10. The second time, the only one to find anything was Adaware
with 11. I've run CWShredder and it got rid of 1 thing. I've also had a couple
of blue screen of death crashes recently; the error was Stop: c0000021a
0xc0000005 0x00000000.

Whatever I've got seems to have done something to my security settings,
because I can no longer play Battlefield 1942 online, as it says I have
"inadequate O/S privileges."

If I keep having problems would it be worth me trying a windows repair
install? Any other suggestions?
 
MoiMeme

I would do an image of the boot partition (for security if needed), then do a
repair install.
Phil
 
G

Guest

Would this likely sort out the problems? How do I do the image of the boot
partition?
 
MoiMeme

Commercial ones are:
Norton Ghost ( ww.symantec.com ),
Acronis TrueImage ( www.acronis.com , evaluation version available),
BootIt Ng ( eval version available
http://www.terabyteunlimited.com/bootitng.html ) or Image for Windows
Free:
http://www.download.com/Drive-Snapshot/3640-2250_4-10208492.html

That way if something goes wrong during repair you at least recover your
"not perfectly good system", but don't lose anything.
If you do not have much software installed, the best option is a total reinstall on the same
partition (with reformatting when asked to do so; be sure to select the
correct drive and partition). Also, if your data are on the same partition, move
them elsewhere (CD/DVD, other drive, ...) including your contacts (.wab
file), favorites, ...

Good luck !
 
Simon Brown

Steve said:
Dear whoever can help,

I recently inherited an enormous number of problems when researching for my
business studies homework! I have got rid of what I can but it still doesn't
seem as it was beforehand. I'm still getting a lot of pop-ups and a lot of
programs installing themselves without permission like online dating, cheap
holiday travel, free online music etc. If it helps, here's my HijackThis
log. Can anyone help?
SNIP

Thanks

Steve

pop along to http://www.bleepingcomputer.com/forums/forum22.html (the
HJT Forum) and post your HJT Log there.
There are people there who are best placed to help.

HTH
Sim
 
cquirke (MVP Windows shell/user)

From: "Steve Box" <Steve (e-mail address removed)>
| I recently inherited an enormous number of problems when researching for my
| business studies homework! I have got rid of what I can but it still doesn't
| seem as it was beforehand. I'm still getting a lot of pop-ups and a lot of
| programs installing themselves without permission like online dating, cheap
| holiday travel, free online music etc. If it helps, here's my HijackThis
| log. Can anyone help?

I'd isolate the PC from all networks, then work in layers.

First, exclude or log what traditional malware (viruses, worms,
trojans) are on the system. The best way to do that is to formally
scan the whole HD, e.g. Trend SysClean from bart's PE CDR boot, F-Prot
for DOS from DOS mode diskette boot (FATxx only), or hosting the sick
HD in another PC and cautiously scanning from there.

If you cannot scan formally, and are forced to use "Safe Mode" etc.
(Safe Mode Cmd Only is safer, but still not malware-safe) then you'd
want to start by excluding rootkits. "Rootkit" is the fancy name
given to the functionality of malware to hide itself by modifying the
system to do so. As at March 2005, this functionality is expected to
reside in one of a small number of stand-alone rootkit malware, and
thus be amenable to tools designed specifically to look for these.

Having excluded or logged traditional malware, swot up any caveats
involved for these, and clean them accordingly. Log everything you
do; what files are affected, etc.

Once that's done, move on to commercial malware, starting with AdAware
and Spybot scans, then on to manual tools such as HiJackThis, BHO
Lister, Shell Extension Viewer and ADS Spy. As usual, log all
changes, and repeat the scans and cleanups in each user account (this
is where multiple accounts starts to look like a bad idea; more work).


Once the system is clean, purge temp files and all web caches in all
user accounts, and while in each account, reduce the size of the web
caches to something sane (say, 20M) for better overall performance.
If the system is running well, clear all existing System Restore
points (to get rid of hidden infected material) and create a new
baseline restore point. This is a good time to defrag.


Now, build the system's defences. Review the malware you found, and
determine how this got into the system.

Patch the OS, IE, Firefox (1.0.1 is out, and fixes several holes) and
Sun's Java JRE (make sure you uninstall all older Java JREs!).

Apply your own risk management; tighter web safety settings (block
BHOs and Install on demand in IE, block software installs in Firefox),
better email management, etc.

Most email apps hide attachments where av cannot find them; import
mail into Eudora, which will break these out as files that you can
scan and kill. I'd stay with Eudora after that, but if you'd rather
go back to the snake that bit you, then at least turn off message
preview, find all messages that correspond to the malware attachments
Eudora revealed, delete those messages from mailboxes and trash, and
then compact the mailboxes.

One of the core things to determine, is whether there are signs that
humans have paid personal attention to your malware'd PC. If the
pattern of malware, or other real-world things like strange credit
card payments etc., suggest this is so, then you may have a lot of
real-world work to do - changing credit cards and passwords, moving
data to different paths on the system, perhaps changing ISPs, etc.


Only when all this is done, reconnect to the Internet. If on a LAN,
the whole business has to be repeated for each PC before those PCs are
allowed to reconnect to the LAN.

Wiping the system isn't a shortcut to this; in fact, it can make
things far more difficult in the "big picture". Your PC falls to
as-shipped (unpatched, no risk management) vulnerability, you have no
idea who or how you were attacked, etc. and if you find problems
continue and you need to know these things after all, it's too late.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
