Okay...well, a lot of things happening since your post, my friend. I was able, using the HackThis data, to basically kill the active infections shortly after I posted last....but, I went ahead and tried to follow your directions. Here are (some) of the results....
First, I copied your post, and edited the text as I progressed. Here is that text. Following that are, in order, the HackThis log, and the smitRem.txt, which were the only files I was able to obtain. The edited message has more.
-- the SASS Man
=====================================================================
Using this file to verify your instructions...
I should note that before I received your mail, I evaluated my existing HackThis! log, and from the information I found there, I rebooted into "Safe Mode With Command Prompt." I then took the following steps:
1. I renamed "mssearchnet.exe" to "mssearchnet.deadexe".
2. I renamed "nvctrl.exe" to "nvctrl.deadexe".
3. I created a text file to replace each of the above .EXE files containing three characters:
"ZZZ" (then Ctrl-Z to close)
4. I located a folder named "windows\windows32\W?nSxS" (but I was unable to modify it).
5. I located a file in that folder named "w?auboot.exe" (but was unable to modify it from DOS).
6. I returned to Windows and was able to rename the file (now called "wυauboot.exe") to "wυauboot.deadexe".
However, I was still unable to manipulate "system32\W?nSxS" (now called WinSxS").
7. Finally, I started the computer with SpyBot S&D running at startup, and this found and destroyed the following items:
"SpyFalcon",
"Smith-C" (or something like that), and about four others.
8. This removed each problem from my memory! By the time I received your post, everything APPEARED to be clean.
Later, as I started this procedure, and entered Safe Mode, I was finally able to rename and move that directory. I moved all of the .deadexe files into it, and renamed it "!Quarrentine". It sits in my Virus folder, and I can archive and send it to you, if you'd like. Also, the file indicated below has been renamed to ".deaddll" and added to the "!Quarenteen" folder.
"-Hi the SASS Man:
Yes, looks like it regenerated and some others were added, for good measure."
Please download Look2Me-Destroyer.exe to your desktop.
(done)
* Close all windows and browsers, before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
(done)
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
(When I ran this and checked the box, the program never reappeared...)
(Update! This thing ran the next day! --and apparently found nothing.)
...
Next:
Download smitRem.exe and save the file to your desktop.
(it's there)
Double click on the file to extract it to its own folder on the desktop.
(It sits in a "Virus" folder along with all this other stuff)
Please do not run it yet.
Please download, install, and update the free version of Ewido Security Suite:
(unable to launch link from WordPad)
(Opened link from the site the next day)
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
(Done.)
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
(This warning did not appear!)
From the main Ewido screen, click on update in the left menu, then click the Start update button.
(When I did this, the program errored out with a hard memory error!)
After the update finishes, the status bar at the bottom will display "Update successful"
Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also, be sure to check for updates:
Ad-Aware SE Setup
(unable to launch link from wordpad)
(Opened the link from the site the next day)
Again, do NOT run a scan yet.
(I did go ahead and run a "Fast Memory Scan" the next day, after performing all of the instructions I could. I was in normal mode, although there were still no apparent active infections. I removed several questionable items. The program faulted when I went to save a log file, and the log info was lost!)
Next:
Please set your system to show all files; please see here if you're unsure how to do this.
(This is the only setting I use)
Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable TeaTimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts
Restart your computer.
After all of the fixes are complete it is very important that you enable TeaTimer again.
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
(done)
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - D:\WINDOWS\System32\hp744A.tmp
(not found)
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
(not found)
O20 - Winlogon Notify: winxzq32 - D:\WINDOWS\SYSTEM32\winxzq32.dll
(done)
Click on Fix Checked when finished and exit HijackThis.
While remaining in SAFE MODE:
Using Windows Explorer, locate the following files/folders shown DARK and delete them:
D:\WINDOWS\System32\hp744A.tmp
(not found)
D:\WINDOWS\SYSTEM32\winxzq32.dll
(done, and see above)
Exit Explorer, but DO NOT REBOOT and remain in SAFE MODE.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
(done)
Next, run Ad-aware and perform a full scan. Remove everything found.
Now open Ewido Security Suite
Click on Scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.
Restart your computer in normal mode.
Run the Panda online virus scan at
http://www.pandasoft.../activescan.htm
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan, the contents of C:\Look2Me-Destroyer.txt and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.
HijackThis.log: Present
Ewido Log: Lost due to program failure!
Look2Me-Destroyer.txt: Nonexistent
smitRem.txt: Present
To post, please use the Add Reply feature, so I will be notified.
I am (obviously) including this file so you can see what went right and/or wrong when I tried to perform these steps.
Murphy's law has the final say in a lot of areas, no?
-- the SASS Man, Thursday, March 23, 2006, 10:14:52 PM
=====================================================================
Logfile of HijackThis v1.99.1
Scan saved at 10:21:29 PM, on 3/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\snmp.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
D:\ApacheGroup\Apache2\bin\Apache.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Henry Sasser\Desktop\Virus Repair\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\K-Share\D-Drive Contents\Program Files\Spybot - Search & Destroy 1.1\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "D:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Monitor Apache Servers.lnk = D:\ApacheGroup\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.s...rl/SymAData.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Apache2 - Unknown owner - D:\ApacheGroup\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=====================================================================
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/22/2006
The current time is: 22:30:10.21
Running from
D:\Documents and Settings\Henry Sasser\Desktop\Virus Repair\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
ld****.tmp
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1672 'explorer.exe'
Killing PID 1672 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
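As an added example (not part of the original post, HijackThis or smitRem), here is a small Python triage helper for HijackThis-style log lines like the ones posted above: it splits entries by section code and flags the kinds of lines a helper would ask to have checked, such as dangling "(file missing)" or "(no file)" references, Run entries that name a bare executable with no path, Winlogon Notify DLLs, and services with no vendor information. The sample lines are a subset copied from the log in this post; the flag wording is the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis 1.99.1 lines from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: winxzq32 - D:\WINDOWS\SYSTEM32\winxzq32.dll
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""

# "O23 - <body>": a section code, " - ", then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 Run/RunOnce bodies: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Split a HijackThis log into (section code, body) records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries

def first_token(cmd):
    """Executable part of a Run-key command: a quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def triage(entries):
    """Attach review flags and return only the entries that received at least one."""
    for e in entries:
        if "(file missing)" in e.body or "(no file)" in e.body:
            e.flags.append("dangling: registry points at a file that no longer exists")
        if e.code == "O4":
            m = RUN_RE.match(e.body)
            exe = first_token(m["cmd"]) if m else ""
            if exe and "\\" not in exe:
                e.flags.append("unqualified path: resolved by search order, verify which copy runs")
        if e.code == "O20":
            e.flags.append("Winlogon Notify DLL: loaded at every logon, confirm publisher")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("service without vendor information, confirm origin")
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.code, e.body, "->", "; ".join(e.flags))
```

The rules are deliberately conservative: a flag means "look at this line", not "this line is malicious", and the ccApp and NVSvc lines pass because they carry a full path and a vendor name.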