Porn icons keep appearing on my desktop



#1 Shepherdmed
Member (Full Member, 5 posts)
Posted 13 June 2004 - 04:35 AM

I have already read the FAQ.

Hi. I think I have been hijacked. I am running Windows XP. I'm semi computer-illiterate but I've already tried getting rid of the problem with Spybot Search & Destroy, Ad-Aware, McAfee, CWShredder and advice from other threads. My anti-spyware programs keep catching things and I keep deleting them, but they just won't die. It's like something out of a horror movie. Can someone please help?

Whenever I log onto the internet (and sometimes at random while I am online) 2 IE windows pop up. One of them says "connector object", the other says "///C:/WINDOWS/dl.html". Then sometimes I am booted offline, and also sometimes an icon that says "sex" appears on my desktop and start menu. I delete these icons but they continue to re-appear. Also, right after I am booted offline, I hear a dial tone coming from my computer.

I looked in the history and the only things there were 3 files under "My Computer". They were "file:///C:/WINDOWS/dl.html", "tibs://connect", and "tibs://start". I don't recognize any of these 3 files. I'm guessing they are from the spyware/trojan/virus/whatever it is. Also, the properties of the porn icon are ""C:\Program Files\WebSiteViewer\123794.exe" /ac:123794 /sk: /lc: /ul". I can delete the icons (though they keep coming back), but when I search my computer for 123794.exe it won't let me delete the actual program that comes up.

I don't know if this is of relevance, but at the same time this started my IE homepage was hijacked. It was changed to a bunch of numbers and then .php. I plugged that address into a search engine and I found instructions on how to get rid of it - I had to delete 2 files, "system32.dll" and "system.exe". After that the homepage went back to normal, but these pop up and porn icon problems have remained.

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:44:29 AM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wintime.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\OOZELOGONAME\Wipe Load.exe
C:\WINDOWS\mstasks2.exe
C:\Documents and Settings\Hamed Ahmadzai\Application Data\ttuh.exe
C:\Program Files\America Online 8.0c\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\WebSiteViewer\123794.dlr
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\America Online 8.0c\aol.exe
C:\Program Files\America Online 8.0c\waol.exe
C:\Program Files\America Online 8.0c\aolwbspd.exe
C:\Documents and Settings\Hamed Ahmadzai\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotf...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotf...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.co...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Ford Cake] C:\PROGRA~1\OOZELOGONAME\Wipe Load.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Hamed Ahmadzai\Application Data\ttuh.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintit.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0c\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flings...TInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - http://www.talkingbu...uddyinstall.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68AE3827-E572-4C29-B07C-874BCF5E0E85}: NameServer = 198.81.16.4

I hope you good people can help me out. Any help at all would be much appreciated. Thank you.

#2 NonSuch
Spyware Eradicator! (Trusted Advisor, 1,369 posts)
Posted 13 June 2004 - 03:13 PM

Hello,

You have a CoolWebSearch infection. Please be patient, because I will be asking you to repeat some of the things that you have done previously. They do need to be done again:

We need to make sure that you are running the latest version of CWShredder as the program is frequently updated and/or revised. Please click here to download CWShredder by Merijn Bellekom. Boot into safe mode and then run the program, with all other windows closed, hitting 'fix' as opposed to 'scan only.' Then reboot and run the program a second time. Reboot when finished.

Verify that you have the latest version of Spybot Search & Destroy, v1.3. If you have the latest version, update it, scan and fix all RED items it finds. If you do not have v1.3, click here to download v1.3 Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Perform a customized scan with Ad-aware:

Verify that you have the latest version of Ad-aware 6, build 6.181, then update and install the latest reference file from June 13, 2004. If you do not have the latest version of Ad-aware, click here to download Ad-Aware and install.

Before scanning, always click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives," "Scan active processes," "Scan registry," "Deep scan registry," "Scan my IE Favorites for banned sites" and "Scan my Hosts file."

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

Next, perform an online virus scan at Trend Micro and an online Trojan scan at Sygate. (Links are in my signature below). Allow these programs to delete anything they may find. Reboot after each scan.

When finished, rescan with HijackThis and post a fresh log to this same thread.

#3 Shepherdmed
Member (Full Member, 5 posts)
Posted 15 June 2004 - 02:09 AM

This is ridiculous. I followed your directions for CWShredder, Spybot, and Ad-Aware - and they detect and delete things, but as soon as I get on the internet everything comes right back.

And I can't complete a scan using Trend Micro or Sygate, because I keep getting booted offline halfway through. I'm gonna keep trying though.

Also, now there's a new thing on my desktop, covering my entire wallpaper at all times. It says "Warning! you're in danger!" And it has some text about every internet action logged and saved on my computer. When I right-click and view its properties, it says it's an AOL HTML document and its address is "file://C:\WINDOWS\Web\desktop.html".

Here is the current HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:06:07 AM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wintime.exe
C:\PROGRA~1\OOZELOGONAME\Wipe Load.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wnsintit.exe
C:\Documents and Settings\Hamed Ahmadzai\Application Data\ttuh.exe
C:\Program Files\America Online 8.0c\aoltray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\WebSiteViewer\123918.dlr
C:\Program Files\America Online 8.0c\aol.exe
C:\Program Files\America Online 8.0c\waol.exe
C:\Program Files\America Online 8.0c\aolwbspd.exe
C:\Documents and Settings\Hamed Ahmadzai\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Ford Cake] C:\PROGRA~1\OOZELOGONAME\Wipe Load.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintit.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Hamed Ahmadzai\Application Data\ttuh.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0c\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68AE3827-E572-4C29-B07C-874BCF5E0E85}: NameServer = 198.81.19.134

#4 NonSuch
Spyware Eradicator! (Trusted Advisor, 1,369 posts)
Posted 15 June 2004 - 05:16 AM

Hello,

Let's try a slightly different approach...

First, are your virus definitions up to date, and your antivirus program as well? Are you using a firewall other than the one that is native to Windows XP? If not, please download and install one of the free antivirus programs and one of the free firewall programs in my signature below. Be sure to uninstall any old antivirus or firewall program after downloading the new ones and before installing them.

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Reboot into safe mode, this way:

Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

While in safe mode, open CWShredder. Click on the FIX button at the bottom of the right side of the panel. It will show a screen reminding you to CLOSE ALL WINDOWS AND BROWSERS. Be sure only the Shredder window is open, then click "OK." It will analyze your system and tell you what it has found. Let it FIX everything it finds. Reboot (in safe mode again). Then, to be safe, run CWShredder AGAIN and do the same if it finds anything further. Reboot (safe mode again).

Right now, you have HijackThis in a temporary folder. Please create a new folder on the C: drive and name it C:\HJT or something similar. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT.

Unzip HijackThis into the new folder. When you run HijackThis from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy of HJT please.

Please run HijackThis and place a check mark next to the following items (some of these may not remain after the above procedure) then, WITH ALL OTHER WINDOWS CLOSED, select "fix checked."

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe

F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe

O1 - Hosts: 38.115.131.131 sk2.slsk.org

O1 - Hosts: 38.115.131.131 www.slsk.org

O1 - Hosts: 38.115.131.131 mail.slsk.org

O1 - Hosts: 38.115.131.131 server.slsk.org

O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [Ford Cake] C:\PROGRA~1\OOZELOGONAME\Wipe Load.exe

O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintit.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Hamed Ahmadzai\Application Data\ttuh.exe


If you placed these restrictions (indicated by the following two O6 items) with a program such as Spybot Search & Destroy, or something similar, in an attempt to secure your homepage, leave these two O6 items. If you did not do this, fix them with HijackThis:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Reboot into safe mode

Also, enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found, (some files may not be present after previous steps) the following:


C:\WINDOWS\system32\wintime.exe < file

C:\PROGRA~1\OOZELOGONAME\ < folder

C:\WINDOWS\system32\config\services.exe < file

C:\WINDOWS\System32\wnsintit.exe < file

C:\Documents and Settings\Hamed Ahmadzai\Application Data\ttuh.exe < file


Reboot.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\ (Win 98 and ME don't have this)

Also delete your Temporary Internet Files, be sure to also select "delete all offline content." Delete history and cookies as well.

Reboot into safe mode, and perform the customized scan with Ad-aware as previously directed, removing all that the program finds. Reboot, again in safe mode, and scan with Spybot Search & Destroy and remove all Red items.

Reboot.

Now, go back online and perform the online virus scan and online Trojan scan.

Reboot, scan with HijackThis and post a fresh log into this same thread.

#5 Shepherdmed
Member (Full Member, 5 posts)
Posted 22 June 2004 - 12:43 AM

Hi Nonsuch.

First off, I want to say thank you. You've been a huge help.

I followed your instructions completely except for the Sygate scan, which wasn't working for some reason. Almost everything is back to normal now. There were just a couple things that couldn't be deleted.

The only one still bothering me is the HTML document on my desktop. I searched for the file "file://C:\WINDOWS\Web\desktop.html" and I deleted it, but it was still there on top of my wallpaper. So I right-clicked and went to refresh, thinking that would make it go away. The original message - about every internet action logged and saved on my computer - that went away, but the actual HTML document is still there. Now it's a white screen that occasionally flashes beige.

Also, a bunch of new things have appeared. There's an icon on my desktop that says "desktop" and the icon is a picture of a notepad and a gear. There are lots of new things on my C drive, among them folders that say RECYCLER and System volume information, and programs like AUTOEXEC and NTDETECT. Should I just leave these, or delete them?

Here is the latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 10:34:36 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 8.0c\aoltray.exe
C:\Program Files\America Online 8.0c\aol.exe
C:\Program Files\America Online 8.0c\waol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 8.0c\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0c\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68AE3827-E572-4C29-B07C-874BCF5E0E85}: NameServer = 198.81.16.4

#6 NonSuch
Spyware Eradicator! (Trusted Advisor, 1,369 posts)
Posted 22 June 2004 - 02:08 AM

Hello,

You're very welcome. :D

Hopefully, if you can rid your system of the virus or Trojan that's causing your problems, your Desktop problems will also resolve. In the meantime, do not remove anything that you are not sure should be removed.

The F0 and F2 items below are indicative of a virus or a Trojan. Therefore, please complete online virus scans at both Panda and Trend Micro. (See links below). Also do an online virus scan here: http://www.ravantivirus.com/scan/ Allow these programs to remove all that they may find. Reboot after each scan.

Since you had difficulty with Sygate's online Trojan scan, download a free trial of TrojanHunter here: http://www.misec.net/ Update the definitions manually, and then scan. Allow this program to delete all that it may find. Reboot after the scan.

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Please run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select "fix checked."

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe Virus or Trojan!

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe Virus or Trojan!

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

C:\WINDOWS\System\user32.exe < file

C:\WINDOWS\questmod-1.dll < file

Reboot.

Now, scan with Spybot S&D, and also do a customized scan with Ad-aware. (Follow the instructions in my post above). Be sure you update each program before scanning. Remove all the RED items Spybot S&D finds, and everything that Ad-aware finds. Reboot after each scan.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Reboot.

If you do not have a firewall, other than XP's native firewall, please download and install one of the excellent free ones in my signature below.

Next, go to the Windows Update site (link below) to download and install ALL critical updates. Reboot when finished.

Scan with HijackThis and post a fresh log into this same thread.



