
[Closed] I think i have a trojan


  • This topic is locked
8 replies to this topic

#1 h1gg1 (Authentic Member, 123 posts)

Posted 07 December 2007 - 12:22 PM

Pop-ups from life safety center and security online are causing me havoc - have run the free version of avg and spybot but this will not go - my pc is so frustratingly slow and I was prevented from getting in contact with you guys yesterday - I am soon to be working from home and this would lose me thousands - why do these programs inflict such unnecessary misery??

My log as follows.

Logfile of HijackThis v1.99.1
Scan saved at 06:22:20, on 07/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\igihoc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lycos.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\urlpcnpu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [07d104b4] rundll32.exe "C:\WINDOWS\System32\jbbwvniy.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Norotn Anti Virus] igihoc.exe
O4 - HKLM\..\RunServices: [Microsoft Norotn Anti Virus] igihoc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f007.mail.lyc...ileUploader.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c00965A6.dat
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\xftuqoni.exe (file missing)
O23 - Service: Error Monitor Service - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\System32\ZoneLabs\vsmon.exe
Stephen.M.Higgins



#2 h1gg1 (Authentic Member, 123 posts)

Posted 08 December 2007 - 08:10 AM

boing
Stephen.M.Higgins

#3 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 08 December 2007 - 08:15 AM

Hi,

I'm afraid I have unpleasant news for you. You have been infected by W32/Rbot-GRO. This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. If that's the case, you could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

The decision whether to reformat or not should be based on what you use the computer for. If the computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs) or executable files (.dll, .exe, .scr, .bat, .cmd, .vbs, .sys). Those should be reinstalled from the original CD's or websites.
  • If you have used this computer for shopping, banking, or any transactions relating to your financial well being, call all of your banks, credit card companies and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords - for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
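The log in the first post is what the diagnosis above was read from. As an added illustration (not part of this thread and not HijackThis's own code), the Python script below turns several of the tells visible in that log into checks and runs them over a constructed subset of its lines: a process name one letter off a Windows binary (svshost.exe), a Run value with a hex-looking name that loads a DLL through rundll32 with a one-letter export, a vendor-sounding entry that launches an unqualified file, an entry under the Win9x-era RunServices key, an AppInit_DLLs value, and services with no publisher or a missing file. The allowlists (SYSTEM_BINARIES, BARE_NAME_ALLOW) and the heuristics are assumptions made for illustration; they are triage aids for a reader of such logs, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines. Added example for this thread,
not forum or HijackThis code; allowlists and heuristics are illustrative
assumptions, so a hit means "review this line", not a verdict."""
import re

# XP system binaries that malware imitates with a one-letter change
# (svshost.exe vs svchost.exe in the posted log). Assumed list, not exhaustive.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "systray.exe"}
BARE_NAME_ALLOW = {"systray.exe"}   # legitimately launched without a path on XP (assumed)

def edit_distance_one(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def basename(path):
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()

def lookalike(name):
    """Name of the system binary that `name` impersonates, or None."""
    return next((s for s in sorted(SYSTEM_BINARIES) if edit_distance_one(name, s)), None)

def _o4(body):
    km = re.match(r'HK\w+\\\.\.\\(\w+):\s+\[([^\]]*)\]\s*(.*)$', body)
    if not km:                       # Global Startup entries are not checked here
        return []
    key, value_name, cmd = km.groups()
    out = []
    if key.lower() == "runservices":
        out.append(f"[{value_name}] sits in RunServices, a Win9x-era key XP itself does not use")
    if re.fullmatch(r"[0-9a-f]{6,}", value_name.lower()):
        out.append(f"value name [{value_name}] looks randomly generated")
    rm = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,(\w+)', cmd, re.I)
    if rm and len(rm.group(2)) <= 2:
        out.append(f"rundll32 loads {basename(rm.group(1))} via one-letter export '{rm.group(2)}'")
    target = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    if not rm and "\\" not in target and target.lower() not in BARE_NAME_ALLOW:
        out.append(f"[{value_name}] launches unqualified binary {target} (resolved via PATH)")
    twin = lookalike(basename(target))
    if twin:
        out.append(f"[{value_name}] runs {basename(target)}, a lookalike of {twin}")
    return out

def _o20(body):
    if not body.lower().startswith("appinit_dlls:"):
        return []
    path = body.split(":", 1)[1].strip()
    note = "" if path.lower().endswith(".dll") else " (non-.dll extension)"
    return [f"AppInit_DLLs loads {basename(path)} into every user32-linked process{note}"]

def _o23(body):
    sm = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
    if not sm:
        return []
    name, owner, path = sm.groups()
    out = []
    if owner.lower() == "unknown owner":
        out.append(f"service '{name}' has no recognised publisher")
    if "(file missing)" in path:
        out.append(f"service '{name}' points at a binary no longer on disk")
    exe = basename(path.replace("(file missing)", ""))
    twin = lookalike(exe)
    if twin:
        out.append(f"service '{name}' runs {exe}, a lookalike of {twin}")
    return out

HANDLERS = {"O4": _o4, "O20": _o20, "O23": _o23}

def triage_line(line):
    """Findings for one HJT log line (empty list when nothing fired)."""
    line = line.strip()
    if re.match(r"^[A-Za-z]:\\", line):          # running-process list entry
        twin = lookalike(basename(line))
        return [f"process {basename(line)} is a lookalike of {twin}"] if twin else []
    m = re.match(r"^(O\d+|R\d+)\s+-\s+(.*)$", line)
    return HANDLERS.get(m.group(1), lambda b: [])(m.group(2)) if m else []

def triage(log_text):
    """[(line, findings)] for every line that produced at least one finding."""
    rows = [(l.strip(), triage_line(l)) for l in log_text.splitlines()]
    return [(l, f) for l, f in rows if f]

# Sample lines copied from the log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svshost.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [07d104b4] rundll32.exe "C:\WINDOWS\System32\jbbwvniy.dll",b
O4 - HKLM\..\Run: [Microsoft Norotn Anti Virus] igihoc.exe
O4 - HKLM\..\RunServices: [Microsoft Norotn Anti Virus] igihoc.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c00965A6.dat
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\xftuqoni.exe (file missing)
O23 - Service: Error Monitor Service - Unknown owner - C:\WINDOWS\system32\svshost.exe
"""
```

Calling triage(SAMPLE_LOG) flags seven of the ten sample lines with eleven findings between them; the clean entries (the real svchost.exe, SystemTray, AVG's own guard service) pass untouched. That second half is the check worth keeping: rules like these earn their keep as much by what they leave alone as by what they flag, and any allowlist you extend them with should be written down as an assumption, as it is here.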

#4 h1gg1 (Authentic Member, 123 posts)

Posted 11 December 2007 - 04:32 PM

I have faith in you as the badboys who can destroy this ###### - can you please help me - if it is not successful then maybe I will have to reformat after all, or throw the PC away for an upgrade I can't afford!!
Stephen.M.Higgins

#5 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 11 December 2007 - 04:39 PM

Hi :)

Let's get to work then :D

Step 1

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 2

Please download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows directory, typically C:\SDFix)

  • Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.
  • Please reboot into Safe Mode. To do this, go to Start>Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking)

Once in Safe Mode, do the following:

  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot; press any key and it will restart the PC.
  • When the PC restarts SDFix will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to clipboard ready for posting back on the forum).

Step 3

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Note: Combofix will disconnect your computer from the internet, to prevent fresh malware from coming in. The connection shall be restored once Combofix has finished; in the event you are unable to connect to the internet after Combofix has finished, you can restore it by doing the following:

  • Go to Control Panel > Network Connections.
  • Right-click on the network icons and select Repair.


  • Alternately, if the network icon appears in the notification area in the lower right corner of your desktop, right-click it, and then click Repair from the shortcut menu.


Step 4

Please download and install CCleaner.

  • Open CCleaner. In the Left Pane, click Tools.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save.
  • Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

Step 5

In your next reply, please post:

  • the SDFix log (C:\SDFix\Report.txt)
  • the Combofix log (C:\Combofix.txt)
  • the CCleaner Uninstall List (install.txt)
  • a new HijackThis log


#6 h1gg1 (Authentic Member, 123 posts)

Posted 11 December 2007 - 04:54 PM

This may take a while as the PC is at a snail's pace. Remind me on safe mode - is that F8 on start-up again?
Stephen.M.Higgins

#7 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 12 December 2007 - 02:58 AM

Yes - could be F5 too, depends on what BIOS you have. Usually F8 works, though ;)

#8 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 16 December 2007 - 06:44 AM

Are you still with me?

#9 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 19 December 2007 - 09:04 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
