HJT :] (mostly for mercifull :P)

[Futurama]

msn virus...

 

friend clicked the link.

 

arrgh.

 

cheers in advance :)

 

 

 

 

 

Logfile of HijackThis v1.99.1

 

Scan saved at 07:57:39, on 01/10/2006

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

MSIE: Unable to get Internet Explorer version!

 

 

 

Running processes:

 

E:\WINDOWS\System32\smss[Caution: Executable File]

 

E:\WINDOWS\system32\winlogon[Caution: Executable File]

 

E:\WINDOWS\system32\services[Caution: Executable File]

 

E:\WINDOWS\system32\lsass[Caution: Executable File]

 

E:\WINDOWS\system32\svchost[Caution: Executable File]

 

E:\WINDOWS\System32\svchost[Caution: Executable File]

 

E:\WINDOWS\system32\spoolsv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]

 

E:\WINDOWS\IE9DVUs\command[Caution: Executable File]

 

E:\WINDOWS\System32\CTsvcCDA[Caution: Executable File]

 

E:\WINDOWS\System32\gearsec[Caution: Executable File]

 

E:\WINDOWS\System32\svchost[Caution: Executable File]

 

E:\WINDOWS\System32\MsPMSPSv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]

 

E:\WINDOWS\Explorer[Caution: Executable File]

 

E:\WINDOWS\system32\CTHELPER[Caution: Executable File]

 

E:\WINDOWS\system32\rundll32[Caution: Executable File]

 

E:\Program Files\Java\jre1.5.0_06\bin\jusched[Caution: Executable File]

 

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]

 

E:\Program Files\Common Files\Real\Update_OB\realsched[Caution: Executable File]

 

E:\Program Files\QuickTime\qttask[Caution: Executable File]

 

E:\PROGRA~1\PRINTV~1\pvmodule[Caution: Executable File]

 

E:\Program Files\Winamp\winampa[Caution: Executable File]

 

E:\Documents and Settings\OCUK\Yinstall[Caution: Executable File]

 

E:\WINDOWS\system32\ctfmon[Caution: Executable File]

 

E:\WINDOWS\system32\crunner\cproc[Caution: Executable File]

 

E:\Program Files\Winamp\winamp[Caution: Executable File]

 

E:\Program Files\MSN Messenger\msnmsgr[Caution: Executable File]

 

E:\Program Files\Messenger\msmsgs[Caution: Executable File]

 

E:\WINDOWS\system32\svchost[Caution: Executable File]

 

E:\Program Files\MSN Messenger\msnmsgr[Caution: Executable File]

 

E:\Program Files\MSN Messenger\msgs[Caution: Executable File]

 

E:\Documents and Settings\OCUK\Desktop\HijackThis[Caution: Executable File]

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xgmlzlavcxrhjiiqjnkovah.com/ ... LgfFyo.asp

 

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)

 

R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

 

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - E:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

 

O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck[Caution: Executable File]

 

O4 - HKLM\..\Run: [updReg] E:\WINDOWS\UpdReg[Caution: Executable File]

 

O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet[Caution: Executable File]"

 

O4 - HKLM\..\Run: [CTHelper] CTHELPER[Caution: Executable File]

 

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32[Caution: Executable File] bthprops.cpl,,BluetoothAuthenticationAgent

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched[Caution: Executable File]

 

O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking[Caution: Executable File]

 

O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]

 

O4 - HKLM\..\Run: [siSUSBRG] E:\WINDOWS\SiSUSBrg[Caution: Executable File]

 

O4 - HKLM\..\Run: [siS KHooker] E:\WINDOWS\system32\khooker[Caution: Executable File]

 

O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched[Caution: Executable File]" -osboot

 

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck[Caution: Executable File]

 

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime

 

O4 - HKLM\..\Run: [PVModule] E:\PROGRA~1\PRINTV~1\pvmodule[Caution: Executable File]

 

O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa[Caution: Executable File]

 

O4 - HKLM\..\Run: [explorer] E:\Documents and Settings\OCUK\Yinstall[Caution: Executable File]

 

O4 - HKLM\..\Run: [newname] c:\\nwnmff_e19[Caution: Executable File]

 

O4 - HKLM\..\Run: [defender] c:\\dfndrff_e19[Caution: Executable File]

 

O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e19[Caution: Executable File]

 

O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking[Caution: Executable File]

 

O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] E:\WINDOWS\system32\ctfmon[Caution: Executable File]

 

O4 - HKCU\..\Run: [mapiball] E:\DOCUME~1\OCUK\APPLIC~1\IDOLHE~1\Eq Bolt Soft[Caution: Executable File]

 

O4 - HKCU\..\Run: [cprocsvc] E:\WINDOWS\system32\crunner\cproc[Caution: Executable File]

 

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: Executable File]

 

O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9[Caution: Executable File]

 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs[Caution: Executable File]

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs[Caution: Executable File]

 

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab

 

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll

 

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab

 

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL

 

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL

 

O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll

 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]

 

O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]

 

O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]" /service (file missing)

 

O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]" /service (file missing)

 

O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\IE9DVUs\command[Caution: Executable File] (file missing)

 

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA[Caution: Executable File]

 

O23 - Service: gearsec - GEAR Software - E:\WINDOWS\System32\gearsec[Caution: Executable File]

 

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT[Caution: Executable File]

 

O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing[Caution: Executable File]

[Mercifull]

Ctrl+Alt+Del the following, shut them down

 

 

 

E:\WINDOWS\IE9DVUs\command[Caution: Executable File]

 

E:\Documents and Settings\OCUK\Yinstall[Caution: Executable File]

 

E:\WINDOWS\system32\crunner\cproc[Caution: Executable File]

 

E:\Program Files\MSN Messenger\msgs[Caution: Executable File]

 

 

 

Fix the following

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xgmlzlavcxrhjiiqjnk.....LgfFyo.asp

 

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)

 

O4 - HKLM\..\Run: [explorer] E:\Documents and Settings\OCUK\Yinstall[Caution: Executable File]

 

O4 - HKLM\..\Run: [newname] c:\\nwnmff_e19[Caution: Executable File]

 

O4 - HKLM\..\Run: [defender] c:\\dfndrff_e19[Caution: Executable File]

 

O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e19[Caution: Executable File]

 

O4 - HKCU\..\Run: [mapiball] E:\DOCUME~1\OCUK\APPLIC~1\IDOLHE~1\Eq Bolt Soft[Caution: Executable File]

 

O4 - HKCU\..\Run: [cprocsvc] E:\WINDOWS\system32\crunner\cproc[Caution: Executable File]

 

O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\IE9DVUs\command[Caution: Executable File] (file missing)

 

 

 

Try that, then restart. Post a fresh log. ty :D

[Futurama]

Cheers mate havn't had anything come up yet and startup seems to be faster!

 

Here's an updated log.

 

 

 

Logfile of HijackThis v1.99.1

 

Scan saved at 08:18:54, on 01/10/2006

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

MSIE: Unable to get Internet Explorer version!

 

 

 

Running processes:

 

E:\WINDOWS\System32\smss[Caution: Executable File]

 

E:\WINDOWS\system32\winlogon[Caution: Executable File]

 

E:\WINDOWS\system32\services[Caution: Executable File]

 

E:\WINDOWS\system32\lsass[Caution: Executable File]

 

E:\WINDOWS\system32\svchost[Caution: Executable File]

 

E:\WINDOWS\System32\svchost[Caution: Executable File]

 

E:\WINDOWS\system32\spoolsv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]

 

E:\WINDOWS\System32\CTsvcCDA[Caution: Executable File]

 

E:\WINDOWS\System32\gearsec[Caution: Executable File]

 

E:\WINDOWS\System32\svchost[Caution: Executable File]

 

E:\WINDOWS\System32\MsPMSPSv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]

 

E:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]

 

E:\WINDOWS\system32\wuauclt[Caution: Executable File]

 

E:\WINDOWS\Explorer[Caution: Executable File]

 

E:\WINDOWS\system32\CTHELPER[Caution: Executable File]

 

E:\WINDOWS\system32\rundll32[Caution: Executable File]

 

E:\Program Files\Java\jre1.5.0_06\bin\jusched[Caution: Executable File]

 

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]

 

E:\Program Files\Common Files\Real\Update_OB\realsched[Caution: Executable File]

 

E:\Program Files\QuickTime\qttask[Caution: Executable File]

 

E:\PROGRA~1\PRINTV~1\pvmodule[Caution: Executable File]

 

E:\Program Files\Winamp\winampa[Caution: Executable File]

 

E:\WINDOWS\system32\ctfmon[Caution: Executable File]

 

E:\Program Files\Opera\Opera[Caution: Executable File]

 

E:\Program Files\Winamp\winamp[Caution: Executable File]

 

E:\Documents and Settings\OCUK\Desktop\HijackThis[Caution: Executable File]

 

 

 

R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

 

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - E:\PROGRA~1\PRINTV~1\PRINTH~1.DLL

 

O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck[Caution: Executable File]

 

O4 - HKLM\..\Run: [updReg] E:\WINDOWS\UpdReg[Caution: Executable File]

 

O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet[Caution: Executable File]"

 

O4 - HKLM\..\Run: [CTHelper] CTHELPER[Caution: Executable File]

 

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32[Caution: Executable File] bthprops.cpl,,BluetoothAuthenticationAgent

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched[Caution: Executable File]

 

O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking[Caution: Executable File]

 

O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]

 

O4 - HKLM\..\Run: [siSUSBRG] E:\WINDOWS\SiSUSBrg[Caution: Executable File]

 

O4 - HKLM\..\Run: [siS KHooker] E:\WINDOWS\system32\khooker[Caution: Executable File]

 

O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched[Caution: Executable File]" -osboot

 

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck[Caution: Executable File]

 

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime

 

O4 - HKLM\..\Run: [PVModule] E:\PROGRA~1\PRINTV~1\pvmodule[Caution: Executable File]

 

O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa[Caution: Executable File]

 

O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking[Caution: Executable File]

 

O4 - HKCU\..\Run: [ctfmon[Caution: Executable File]] E:\WINDOWS\system32\ctfmon[Caution: Executable File]

 

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: Executable File]

 

O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9[Caution: Executable File]

 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs[Caution: Executable File]

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs[Caution: Executable File]

 

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab

 

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll

 

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab

 

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL

 

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL

 

O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll

 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]

 

O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]

 

O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]" /service (file missing)

 

O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]" /service (file missing)

 

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA[Caution: Executable File]

 

O23 - Service: gearsec - GEAR Software - E:\WINDOWS\System32\gearsec[Caution: Executable File]

 

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT[Caution: Executable File]

 

O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing[Caution: Executable File]

[Mercifull]

Seems alright to me, now delete those nasty exe files but keep em in recycle bin for a few days just incase. ^_^

[Futurama]

Looks like i'm gonna have to format my computer mate

 

i can't wait around because i need this computer for just about everything...

 

gonna stick everything on disks and get going!

[Mercifull]

:( Stupid MSN viruses. Watch what you click on, and add the url to your HOSTS list incase you accidently click again.

[T-Roach]

gsus

 

i have the same thing :((

 

 

 

first i was gonna kill my friend for this but when i found out it wasnt by him on purpose (i think) woot! \

 

 

 

but still, trying to fix this with spybot and ad-aware :/

[coltm4carbine]

Ad-aware and spybot might not work.

 

 

 

Try Ewido. ALthough it's a free trial it removes most of the virus.

 

 

 

First download ewido anti-spyware from HERE and save that file to your desktop.

 

This is a 30 day trial of the program

1. 
    
   [*:ea1ly24x]Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    
   [*:ea1ly24x]Once the setup is complete you will need run ewido and update the definition files.
    
   [*:ea1ly24x]On the main screen select the icon "Update" then select the "Update now" link.

• 
   
  [*:ea1ly24x]Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

 

[*:ea1ly24x]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

 

[*:ea1ly24x]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

 

[*:ea1ly24x] Do a full system scan with it

[Mercifull]

afaik, Rob already scanned with anti-virus, spybot S&D and ad-aware.

[Futurama]

yeah my anti virus catches everything that comes through and wont bugger off til it's gone...lol

 

and yea i used S&D and AdAware anyway to no avail.

 

i'm just gonna reformat anyway now :)

 

thanks tho

[Stephen9o3]

http://looce.dyndns.org/trojan-advisory.php