HijackThis Log Attached


This topic is locked
17 replies to this topic

#1 spengelly (New Member, 7 posts)

Posted 23 November 2005 - 01:50 PM

Hi,

I would be very grateful if you could help me with the following problem.

Having only recently connected to broadband I now find myself infected with the following virus.

Trojan Horse/IRC BackDoor.SDBot.MYX

It is picked up with AVG on boot-up; I heal it but it always reappears!... I have also run Spybot and Ad-Aware but am unable to lose it.
I have done some searching on this but not tried any remedies until I get some expert advice from my log file, however, I also find that I am unable to run regedit. Is this related?

Here is my HijackThis log, hope you guide me into removing this scum!
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 19:30:33, on 23/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD11D8CA-6523-4CE4-BA78-BF8F360C3A18}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



Edited by LDTate, 23 November 2005 - 04:17 PM.


#2 mschroe919 (basic; Visiting Fellow, 2,825 posts)

Posted 23 November 2005 - 02:38 PM

Hi spengelly, Welcome to the tomCoyote Forums. My name is mschroe919 and I will be reading your log and get back to you. Please wait.

#3 LDTate (Grand Poobah; Root Admin, 57,211 posts)

Posted 24 November 2005 - 05:48 AM

Hello spengelly, welcome to the forum.

The infection you have, IRC BackDoor.SDBot.MYX, can be a real pain to remove.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner, run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


#4 spengelly (New Member, 7 posts)

Posted 24 November 2005 - 01:13 PM

Hi....Ran Ewido as suggested.

Here are the log files created. Followed by a new HijackThis report.

Regards,

Steve

---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 19:08:23, 24/11/2005
+ Report-Checksum: B0229769

Reg\HKLM\Run Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
Reg\HKLM\Run REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
Reg\HKLM\Run Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
Reg\HKLM\Run SpeedTouch USB Diagnostics "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
Reg\HKLM\Run AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Reg\HKLM\Run TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Reg\HKLM\Run MsMovies C:\Program Files\MsMovies\MsMovies.exe /auto
Reg\HKLM\Run FLMK08KB C:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
Reg\HKLM\Run FLMBROWSEMOUSE C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
Reg\HKLM\Run DataLayer C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
Reg\HKCU\Run ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 19:11:49, 24/11/2005
+ Report-Checksum: 5A6F5385

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 88.105.178.217:139 0.0.0.0:0 LISTENING
TCP 88.105.178.217:1132 67.19.38.167:80 TIME_WAIT
UDP 0.0.0.0:135
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1026
UDP 0.0.0.0:1033
UDP 0.0.0.0:1043
UDP 88.105.178.217:123
UDP 88.105.178.217:137
UDP 88.105.178.217:138
UDP 88.105.178.217:1900
UDP 127.0.0.1:123
UDP 127.0.0.1:1028
UDP 127.0.0.1:1900

---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 19:12:12, 24/11/2005
+ Report-Checksum: 11F87056

0: System Process
4: System Process
216: C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
444: C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
480: \SystemRoot\System32\smss.exe
528: \??\C:\WINDOWS\system32\csrss.exe
552: \??\C:\WINDOWS\system32\winlogon.exe
596: C:\WINDOWS\system32\services.exe
608: C:\WINDOWS\system32\lsass.exe
776: C:\WINDOWS\system32\svchost.exe
800: C:\WINDOWS\System32\svchost.exe
916: C:\WINDOWS\System32\svchost.exe
952: C:\WINDOWS\System32\svchost.exe
1024: C:\WINDOWS\system32\spoolsv.exe
1128: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
1140: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
1184: C:\Program Files\ewido\security suite\ewidoctrl.exe
1216: C:\Program Files\ewido\security suite\ewidoguard.exe
1344: C:\WINDOWS\System32\wdfmgr.exe
1376: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1404: C:\Program Files\RealVNC\VNC4\WinVNC4.exe
1532: C:\WINDOWS\System32\ctfmon.exe
1576: C:\Program Files\Internet Explorer\IEXPLORE.EXE
1624: C:\WINDOWS\Explorer.EXE
1804: C:\WINDOWS\System32\RunDll32.exe
1824: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
1852: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
1860: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
1872: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
1912: C:\Program Files\MsMovies\MsMovies.exe
1944: C:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
1972: C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
2336: C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
2752: C:\Program Files\Real\RealOne Player\RealPlay.exe
3008: C:\Program Files\ewido\security suite\SecuritySuite.exe
3104: C:\WINDOWS\system32\NOTEPAD.EXE

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 19:09:13, on 24/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Documents and Settings\Steve\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132776756515
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD11D8CA-6523-4CE4-BA78-BF8F360C3A18}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
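The Connection report in this post is a netstat-style listing, and the interesting question for a PC plugged straight into a broadband line is which of those sockets are reachable from the network rather than loopback-only. The following script is an added example (not part of the thread or of ewido) that parses such a report and labels the reachable listeners; the port-to-service labels are an assumption about what normally listens on those ports on Windows XP SP1 with WinVNC4 installed, and the sample report is an excerpt copied from the post above.

```python
"""Exposure check over an ewido "Connection report" (a netstat-style listing).

Added example; it is not part of the thread or of ewido. The sample report
is an excerpt of the one posted above. The port-to-service labels are an
assumption about what normally listens there on Windows XP SP1 with WinVNC4.
"""
import re
from dataclasses import dataclass

SOCKET_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>[\d.]+):(?P<lport>\d+)"
    r"(?:\s+(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\w+))?$"
)

# Listeners a host firewall has to cover when the PC sits directly on the
# broadband line; anything else that is reachable is reported as "unknown".
KNOWN_PORTS = {
    ("TCP", 135): "MSRPC endpoint mapper",
    ("TCP", 139): "NetBIOS session (file sharing)",
    ("TCP", 445): "SMB (file sharing)",
    ("TCP", 5000): "UPnP device host",
    ("TCP", 5800): "VNC web client (WinVNC4)",
    ("TCP", 5900): "VNC viewer (WinVNC4)",
    ("UDP", 135): "MSRPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
    ("UDP", 1900): "SSDP discovery",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    label: str  # KNOWN_PORTS label or "unknown"


def parse_report(text: str) -> list[Listener]:
    """Return listening sockets: TCP rows in LISTENING state and every UDP row."""
    found = []
    for raw in text.splitlines():
        m = SOCKET_RE.match(raw.strip())
        if not m:
            continue
        proto = m.group("proto")
        if proto == "TCP" and m.group("state") != "LISTENING":
            continue  # TIME_WAIT and friends are finished connections, not services
        port = int(m.group("lport"))
        found.append(Listener(proto, m.group("laddr"), port,
                              KNOWN_PORTS.get((proto, port), "unknown")))
    return found


def reachable_from_network(listeners: list[Listener]) -> list[Listener]:
    """Drop loopback-only sockets; 0.0.0.0 and the interface address are
    reachable from the wire unless the host firewall blocks them."""
    return [s for s in listeners if not s.addr.startswith("127.")]


def summarize(text: str) -> dict[str, str]:
    """Map 'PROTO/port' to its label for every network-reachable listener."""
    return {f"{s.proto}/{s.port}": s.label
            for s in reachable_from_network(parse_report(text))}


# Excerpt of the Connection report posted above (copied from the thread).
CONNECTION_REPORT = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 88.105.178.217:139 0.0.0.0:0 LISTENING
TCP 88.105.178.217:1132 67.19.38.167:80 TIME_WAIT
UDP 0.0.0.0:135
UDP 88.105.178.217:137
UDP 88.105.178.217:1900
UDP 127.0.0.1:123
UDP 127.0.0.1:1900
"""

if __name__ == "__main__":
    for sock, label in sorted(summarize(CONNECTION_REPORT).items()):
        print(f"{sock:10} {label}")
```

The two VNC ports and the file-sharing ports it lists are bound to all interfaces, so whether they are actually exposed depends entirely on the TrueVector (ZoneAlarm) service shown in the same log doing its job.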

#5 miekiemoes (MalwareBytes; Visiting Fellow, 514 posts)

Posted 24 November 2005 - 04:05 PM

Hello,

Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/p2pnetwork.bfu

Click Ok
Then click execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Post back to this topic using the add reply button with a fresh HijackThis log.

In case you get an error that you can't download the script: http://metallica.gee.../p2pnetwork.bfu, please use this url instead to copy and paste in BFU.exe:
http://home01.wxs.nl.../p2pnetwork.bfu

Edited by miekiemoes, 24 November 2005 - 04:12 PM.


#6 spengelly (New Member, 7 posts)

Posted 25 November 2005 - 05:12 AM

Hi, Thanks for your response. I am away this weekend but hope to try your suggestion on Sunday night. Regards, Steve

#7 miekiemoes (MalwareBytes; Visiting Fellow, 514 posts)

Posted 25 November 2005 - 05:21 AM

Ok; no problem. I'll read you Sunday. :)

#8 spengelly (New Member, 7 posts)

Posted 27 November 2005 - 12:15 PM

Hi,

Followed your instructions, and here is the new Hijackthis log.

Regards,

Steve

Logfile of HijackThis v1.99.1
Scan saved at 18:13:45, on 27/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Documents and Settings\Steve\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132776756515
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD11D8CA-6523-4CE4-BA78-BF8F360C3A18}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#9 miekiemoes (MalwareBytes; Visiting Fellow, 514 posts)

Posted 27 November 2005 - 12:40 PM

Ok, that one is also gone. :)

But we're not finished yet, because this infection leaves a lot of traces everywhere. We'll find out afterwards.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Perform an online scan with Kaspersky Online Scanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log
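The three R1 entries listed for fixing above are exactly the ones a first pass over a HijackThis log should pull out: IE start and search settings whose host is neither the ISP nor an installed toolbar. The following added example (not part of the thread or of HijackThis) does that pass over the log lines posted in this thread, also flags the O23 service whose file is missing, and shows the removed/added entries between the 23 and 24 November logs; the list of hosts that legitimately belong in this machine's IE settings is an assumption.

```python
"""Triage helpers for HijackThis v1.99 log lines.

Added example; it is not part of the thread, of HijackThis or of any tool
named in it. The sample lines are copied from the thread's logs, with the
URLs truncated exactly as the forum rendered them.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

# Assumption for this machine: a Freeserve/Wanadoo account plus the Yahoo!
# Companion toolbar, so only these hosts belong in IE's start/search settings.
EXPECTED_HOSTS = {"www.freeserve.com", "www.wanadoo.co.uk", "www.yahoo.com"}


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, O4, O23, ...
    body: str     # everything after "Rn - " or "On - "


def parse_log(text: str) -> list[Entry]:
    """Return the Rn/On entries of a log, skipping the header and process list."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Bucket the entries a helper reads first, keyed by the reason."""
    findings: dict[str, list[str]] = {
        "browser_setting_unexpected_host": [],
        "service_file_missing": [],
        "autostart": [],
        "dns_servers": [],
    }
    for e in entries:
        if e.section in ("R0", "R1"):
            m = URL_HOST_RE.search(e.body)
            # A start/search page pointing anywhere other than the ISP or the
            # installed toolbar is the classic browser-hijack indicator.
            if m and m.group(1).lower() not in EXPECTED_HOSTS:
                findings["browser_setting_unexpected_host"].append(e.body)
        elif e.section == "O23" and "(file missing)" in e.body:
            # A registered service whose binary is gone: a stale uninstall or
            # something a cleaner already deleted; either way it needs a look.
            findings["service_file_missing"].append(e.body)
        elif e.section == "O4":
            findings["autostart"].append(e.body)
        elif e.section == "O17":
            findings["dns_servers"].append(e.body)
    return findings


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[set[str], set[str]]:
    """(removed, added) entries between two scans of the same machine."""
    b = {f"{e.section} - {e.body}" for e in before}
    a = {f"{e.section} - {e.body}" for e in after}
    return b - a, a - b


# Excerpts of the 23 and 24 November logs posted in this thread.
LOG_23_NOV = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD11D8CA-6523-4CE4-BA78-BF8F360C3A18}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

LOG_24_NOV = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD11D8CA-6523-4CE4-BA78-BF8F360C3A18}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

if __name__ == "__main__":
    for reason, lines in triage(parse_log(LOG_23_NOV)).items():
        print(reason, len(lines))
    print(diff_logs(parse_log(LOG_23_NOV), parse_log(LOG_24_NOV)))
```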

#10 spengelly (New Member, 7 posts)

Posted 27 November 2005 - 02:45 PM

Hi,

Done as instructed.

I can't believe what that has found!!!... Looks like I have been hijacked by some porn site!!

This would explain the desktop picture that appeared last week!... replacing my normal one with a couple of lesbians!

Thanks for your time on this, we are obviously getting somewhere close to nailing this virus.

Regards,

Steve

Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 27, 2005 20:40:17
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/11/2005
Kaspersky Anti-Virus database records: 152049
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 30541
Number of viruses found: 2
Number of infected objects: 98
Number of suspicious objects: 0
Duration of the scan process: 1716 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Steve\Complete\Babe Gets Boobs Tortured By Bdsm Mistress.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Babe Gets Boobs Tortured By Bdsm Mistress.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Boobs Tortured Hardcore.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Boobs Tortured Hardcore.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets ###### Clamps & Tied Up.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets ###### Clamps & Tied Up.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets ###### Tortured At Home.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets ###### Tortured At Home.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Spanked On rear At Home.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Spanked On rear At Home.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Spanked On Tight rear.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Spanked On Tight rear.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Tied Up & Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Tied Up & Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Wax Tortured Hardcore.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Gets Wax Tortured Hardcore.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Shows Tiny Tits & Tight rear.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Shows Tiny Tits & Tight rear.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Tied Up Gets Tortured Hardcore.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Tied Up Gets Tortured Hardcore.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Tied Up Shows Shaved Cunt.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Babe Tied Up Shows Shaved Cunt.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Movies.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Movies.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Slave Blows Her Master.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Bdsm Slave Blows Her Master.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets Boobs Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets Boobs Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets ###### Clamps.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets ###### Clamps.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets ###### Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets ###### Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets Tied Up At Home.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets Tied Up At Home.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets Toes Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Busty Bdsm Babe Gets Toes Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Boobs Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Boobs Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Nipples Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Nipples Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets ###### Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets ###### Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Spanked On Tight rear.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Spanked On Tight rear.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Wheel Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Gets Wheel Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Nude At Home Shows Tits.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Bdsm Babe Nude At Home Shows Tits.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Blond Bdsm Babe Gets Tits Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Cute Blond Bdsm Babe Gets Tits Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Group Of Bdsm Lovers With A Hard Outdoor Bondage.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Group Of Bdsm Lovers With A Hard Outdoor Bondage.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Hard Lesbian Bdsm.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Hard Lesbian Bdsm.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Gets Nipples Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Gets Nipples Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Gets ###### Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Gets ###### Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Gets Tortured At Home.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Gets Tortured At Home.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Nude Gets Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Babe Nude Gets Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Teen Gets Cunt Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Teen Gets Cunt Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Teen Gets Nipples Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Teen Gets Nipples Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Teen Gets ###### Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Innocent Bdsm Teen Gets ###### Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Intense Bdsm With Cute Babe.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Intense Bdsm With Cute Babe.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Kimberly Restrained For Fun.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Kimberly Restrained For Fun.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Latina Babe Bdsm #######.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Latina Babe Bdsm #######.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Lesbian Lesson In Bdsm.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Lesbian Lesson In Bdsm.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Ouch That Really Stings Me.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Ouch That Really Stings Me.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Queen Of Bdsm.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Queen Of Bdsm.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Rough Bdsm Style #######.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Rough Bdsm Style #######.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Something Solid Goes Deep Into Vagina Of Bdsm Lover.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Something Solid Goes Deep Into Vagina Of Bdsm Lover.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Taylor Must Obey Her Master.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Taylor Must Obey Her Master.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets Boobs Tortured.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets Boobs Tortured.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets ###### Clamps.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets ###### Clamps.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets Tortured At Home.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets Tortured At Home.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets Tortured Hardcore.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Gets Tortured Hardcore.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Shows Bald ######.zip/Video.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\Documents and Settings\Steve\Complete\Tied Up Bdsm Babe Shows Bald ######.zip Infected: Trojan-Dropper.Win32.WinAD.h
C:\System Volume Information\_restore{E6925715-6979-4395-B6B6-4FDBEB15B56D}\RP3\A0002297.exe Infected: Trojan-Dropper.Win32.WinAD.h
C:\WINDOWS\system32\TFTP3800 Infected: Backdoor.Win32.Rbot.ul

Scan process completed.

And now the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 20:44:12, on 27/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
C:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132776756515
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD11D8CA-6523-4CE4-BA78-BF8F360C3A18}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



#11 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • 514 posts

Posted 27 November 2005 - 03:30 PM

Hello,

Well, this is caused by this infection. The infection is responsible for downloading infected files to your C:\Documents and Settings\Steve\Complete folder and sends them further when connected with a P2P program. Could it be possible you have/had Limewire present on your system?

Anyway, delete that folder: C:\Documents and Settings\Steve\Complete

Also delete the next file: C:\WINDOWS\system32\TFTP3800

Your HijackThis log looks clean, but I see you used msconfig. Did you disable some programs in there in the startup option?
Let's find out without re-enabling them. Let's see if there are still some bad entries present that need to get deleted instead of disabled, so perform the next steps:

Open Notepad and copy and paste the following text into it:

rem Export the two MSConfig keys that hold the startup items you disabled
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
rem Join both exports into startup.txt and remove the temporary files
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
rem Open the result so it can be copied into the reply
start notepad startup.txt


Save this as look.bat, choose to save as *All Files*, and place it on your desktop.
This is how the batch must look after you created it: (screenshot)
Double-click on look.bat and post the contents of it in your next reply.
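As an added example (not the forum's or the helper's own code), a small Python parser for the startup.txt that look.bat produces: it copes with the second header and stray BOM that `type ... >>` leaves mid-file, and lists whatever MSConfig has parked under startupreg. The sample export is constructed, and the value names (command, item, hkey, key) are assumed from XP's startupreg layout.

```python
"""List the startup entries MSConfig has disabled, parsed from the startup.txt
that look.bat writes (hypothetical helper, not the forum's own code)."""
import re

# Constructed sample: two regedit /e exports appended with `type ... >>`, so a
# second header and a second BOM land mid-file.  The entry is a placeholder.
_EXPORT_1 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msmsgs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
"""
_EXPORT_2 = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
"""
SAMPLE_STARTUP_TXT = "\ufeff" + _EXPORT_1 + "\ufeff" + _EXPORT_2

MSCONFIG_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # .reg string escapes: \\ -> \ and \" -> "
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a regedit /e export."""
    text = text.replace("\ufeff", "")  # BOMs may appear mid-file after `type >>`
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue  # blank lines and (repeated) export headers
        if (m := _SECTION.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VALUE.match(line)) and current is not None:
            name, raw = _unescape(m.group(1)), m.group(2)
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = _unescape(raw[1:-1])  # string value; dword:/hex: stay raw
            keys[current][name] = raw
    return keys

def disabled_startup_items(text):
    """(item, hive\\key, command) for each Run entry MSConfig has disabled."""
    prefix = MSCONFIG_ROOT + r"\startupreg" + "\\"
    items = []
    for path, values in parse_reg_export(text).items():
        if path.startswith(prefix) and "command" in values:
            items.append((values.get("item", path[len(prefix):]),
                          values.get("hkey", "?") + "\\" + values.get("key", "?"),
                          values["command"]))
    return items  # empty list: nothing disabled, as in the export posted here
```

Each tuple is what a reviewer compares against the O4 lines of the HijackThis log, since a disabled entry never shows up there.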

#12 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • 514 posts

Posted 27 November 2005 - 03:33 PM

By the way, now your regedit and Task Manager must work again. :)

#13 spengelly

spengelly

    New Member

  • New Member
  • 7 posts

Posted 27 November 2005 - 04:19 PM

Hi, Folder and file deleted as instructed. Wow!......this is going great!....Yes you are correct. I had disabled some of the startup programs in msconfig as there were so many programs running at startup......and yes I have had Limewire on my system......I uninstalled it about a week ago. Would you suggest that it is not a good idea to have this on my system then?....... I was using it for the odd MP3 file download now and then....... Anyway, here are the contents of the startup.txt file created from the batch file you had me run. Is this the information you require?

Steve

P.S. Yes - Regedit does now run! :)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

#14 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • 514 posts

Posted 27 November 2005 - 04:55 PM

Hmm, according to the registry export, nothing is disabled for the moment. :)

Anyway, your problem must be fixed now.
About P2P Programs, read here which are infected and which are safe to use:
http://www.spywarein...m/articles/p2p/

Also, keep in mind, BE CAREFUL what you download via P2P. It's not always what it looks like it is... that's how you got infected. Always scan the file before you open it! And it is a bad idea to let a P2P program start up with Windows. :)

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2!

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

You can also find more info on how to prevent malware here (by Tony Klein)

Happy surfing again! :)

#15 spengelly

spengelly

    New Member

  • New Member
  • 7 posts

Posted 28 November 2005 - 02:05 AM

miekiemoes, Thank you very much for all your help with this problem!!.......All seems to be fine now. I am currently at work but when I get home tonight I will carry out the suggested updates. Well, I really hope I don't get into this situation again so will take your advice to try and avoid this. In the UK I would be offering to 'buy you a pint' for all your help......however, I will be leaving a donation on this website as it has proved very worthwhile! I have recommended this forum to friends who are having similar problems and I will know where to look if I have a problem again! Thanks once again....All the best! Steve
