
I'm having problems with viruses and don't know what to do.

Logfile of HijackThis v1.99.1

Scan saved at 8:23:32 PM, on 1/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\toshiba\ivp\ism\pinger.exe

C:\toshiba\sysstability\tsyssmon.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\mfcod32.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe

C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe

C:\WINDOWS\system32\TPWRTRAY.EXE

C:\WINDOWS\system32\TFNF5.exe

C:\WINDOWS\system32\s3hotkey.exe

C:\WINDOWS\system32\paytime.exe

C:\WINDOWS\System32\00THotkey.exe

C:\Program Files\Messenger\msmsgs.exe

C:\winstall.exe

C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\sysxi32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R3 - Default URLSearchHook is missing

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll

O2 - BHO: Class - {2F9B49D5-798A-2D7C-7B1B-AC149C906ABC} - C:\WINDOWS\system32\addom.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [mfcod32.exe] C:\WINDOWS\mfcod32.exe

O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe

O4 - HKLM\..\Run: [bC.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe

O4 - HKLM\..\Run: [bB.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe

O4 - HKLM\..\Run: [bC.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe

O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysxi32.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

First off, please put HijackThis in its own, permanent folder. It's needed for backups.

Help with unzipping files is HERE

Download AboutBuster 6.0:

http://www.besttechie.net/tools/AboutBuster.zip

http://www.malwarebytes.org/AboutBuster.zip

Once downloaded, unzip it, and put the folder on your desktop

Don't run it yet; we'll do it later in safe mode.

You may have previously run some of the following programs. Please run through the fix and run all programs listed, in order, and make sure to update all of them.

Please download Ewido Security Suite, it is a free version of the program.

  • Install ewido security suite
  • When installing the program, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido: there should now be an icon on your desktop; double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
  • Close Ewido Security Suite.

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

Next, please reboot your computer in SafeMode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to the following items

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll

O2 - BHO: Class - {2F9B49D5-798A-2D7C-7B1B-AC149C906ABC} - C:\WINDOWS\system32\addom.dll

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O4 - HKLM\..\Run: [mfcod32.exe] C:\WINDOWS\mfcod32.exe

O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe

O4 - HKLM\..\Run: [bC.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe

O4 - HKLM\..\Run: [bB.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe

O4 - HKLM\..\Run: [bC.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Close all other windows and browsers and click FIX CHECKED

Close HiJackThis.

Open the folder where you put AboutBuster. Double click on the AboutBuster icon > Click Begin Removal > Click YES > when it's done running, click OK to close it.

Run Ewido:

  • Click on scanner
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite

Reboot back into Windows and scan your system with Ad-aware:

Ad-aware SE - Download - Home Page

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.

Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Once the definitions have been updated:

Reconfigure Ad-Aware for Full Scan as per the following instructions:

  • Launch the program, and click on the Gear at the top of the start screen.
  • Under General Settings the following boxes should all be checked: (Checked is indicated by a green circle with a check mark in it; Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
    • "Automatically save logfile"
    • "Automatically quarantine objects prior to removal"
    • "Safe Mode (always request confirmation)"
    • "Prompt to update outdated definitions" - Change to 7 days.
  • Click the "Scanning" button (on the left side).
  • Under Drives & Folders, select "Scan within Archives".
  • Click "Click here to select Drives + folders" and select your installed hard drives.
  • Under Memory & Registry, select all options.
  • Click the "Advanced" button (on the left hand side).
  • Under "Shell Integration", select "Move deleted files to Recycle Bin".
  • Under "Log-file detail", select all options.
  • Click on the "Defaults" button on the left.
  • Type in the full URL of what you want as your default homepage and searchpage, e.g. http://www.google.com.
  • Click the "Tweak" button (again, on the left hand side).
  • Expand "Scanning Engine" by clicking on the "+" (plus) symbol and select the following:
    • "Unload recognized processes during scanning"
    • "Obtain command line of scanned processes"
    • "Scan registry for all users instead of current user only"
  • Under "Cleaning Engine", select the following:
    • "Automatically try to unregister objects prior to deletion"
    • "During removal, unload explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot"
    • "Delete quarantined objects after restoring"
  • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)".
  • Click on "Proceed" to save these Preferences.
  • Click on the "Scan Now" button on the left.
  • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".

Close all programs except ad-aware.

Click on "Next" in the bottom right corner to start the scan.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.

After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Then run this online virus scan: ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

Post the following in a reply to this thread:

  • the contents of the Panda scan report
  • a new HijackThis log
  • the log from AboutBuster
  • the Ewido log

Edited by jwbirdsong
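The reply above picks the entries to tick by reading the log: start and search pages pointed at a local file or a res:// resource inside a DLL, BHOs registered with no descriptive name, and Run entries launching from Temp, the drive root or the Windows directory root. The script below is an added example written for this page (not code from the thread or from HijackThis) that parses HijackThis 1.99 log lines and applies those heuristics. The sample lines are copied from the log posted above; the triage rules are the editor's own; and the expansion of HKLM\..\Run to Software\Microsoft\Windows\CurrentVersion\Run is the abbreviation HijackThis uses for the standard Run key. Note what the heuristics miss: paytime.exe sits in system32 and the bare-name Toshiba entries resolve through PATH, so the helper's own knowledge was still needed for those; treat the output as a first pass, not a verdict.

```python
"""Triage a HijackThis 1.99 log the way a helper does by hand.

Added example, not part of the original thread or of HijackThis. Heuristics
are the editor's own; the Run-key expansion is HijackThis' abbreviation.
"""
import re

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# HijackThis writes HKLM\..\Run for the full CurrentVersion\Run key.
RUN_KEYS = {"Run": r"Software\Microsoft\Windows\CurrentVersion\Run",
            "RunOnce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce"}


def parse_hjt(text):
    """Split a log into dicts with kind (R0, O4, ...) and the parsed fields."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # process list, headers, blanks
        kind, body = m.groups()
        e = {"kind": kind, "raw": raw.strip(), "body": body}
        if kind in ("R0", "R1"):           # "<key>,<value name> = <data>"
            loc, _, data = body.partition(" = ")
            key, _, name = loc.rpartition(",")
            e.update(key=key, name=name, data=data)
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b:
                e.update(name=b.group(1), clsid=b.group(2), path=b.group(3))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                e.update(hive=r.group(1), subkey=r.group(2),
                         name=r.group(3), path=r.group(4))
        entries.append(e)
    return entries


def suspicious(e):
    """Editor's heuristics: return why an entry looks hijacked, or None."""
    kind = e["kind"]
    if kind in ("R0", "R1"):
        data = e["data"].lower()
        if data.startswith("res://"):      # page served out of a local DLL
            return "search page served from a local DLL resource"
        if re.match(r"^[a-z]:\\", data):   # legitimate pages are http(s)://
            return "start page set to a local file"
    elif kind == "R3" and "missing" in e["body"].lower():
        return "default URLSearchHook removed"
    elif kind == "O2" and e.get("name", "").strip().lower() == "class":
        return "BHO with no descriptive name"
    elif kind == "O4":
        path = e.get("path", "").strip('"').lower()
        if re.search(r"\\temp\\", path):
            return "autorun from a Temp directory"
        if re.match(r"^[a-z]:\\[^\\]+$", path):
            return "autorun from the drive root"
        if re.match(r"^[a-z]:\\windows\\[^\\]+$", path):
            return "autorun from the Windows directory root"
    return None


def registry_target(e):
    """Where the entry lives, so the fix can be verified with regedit/reg.exe."""
    if e["kind"] in ("R0", "R1"):
        return f'{e["key"]} -> value "{e["name"]}"'
    if e["kind"] == "O4" and "hive" in e:
        key = RUN_KEYS.get(e["subkey"], e["subkey"])
        return f'{e["hive"]}\\{key} -> value "{e["name"]}"'
    return None


def triage(text):
    """Return (raw line, reason, registry target) for every flagged entry."""
    out = []
    for e in parse_hjt(text):
        why = suspicious(e)
        if why:
            out.append((e["raw"], why, registry_target(e)))
    return out


if __name__ == "__main__":
    for raw, why, where in triage(SAMPLE_LOG):
        print(f"{why}\n    {raw}\n    {where or '(no registry mapping)'}")
```

On a real log, feed the whole saved hijackthis.log to triage() and compare its list with the items HijackThis is asked to fix; the registry target tells you which key to inspect after the reboot to confirm the value did not come back, which is how a re-infecting dropper such as the Temp-directory executables above shows itself.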