Neverending!

4 replies to this topic

#1 cenithx (Member / Full Member, 7 posts)

Posted 19 May 2004 - 10:06 AM

I woke up this morning and found AVG sitting open saying it's found 4 viruses. I looked closer and found over 25 programs installed on the PC, lots of them totally blatant ad-ware etc., and lots of hidden stuff in the registry and all throughout the PC.

I've spent the last 3 hours trying to find it all, but there's still stuff I'm not sure of (I'm no expert with this stuff). I just learnt about HijackThis and made a log. Any help would be appreciated.


Logfile of HijackThis v1.97.7
Scan saved at 12:56:50 AM, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nwafg.exe
C:\WINDOWS\System32\wnsintsv.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
D:\cenithx\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [p79Q3sl] nwafg.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Prah] C:\Documents and Settings\cenithx\Application Data\ceor.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.1933564815
O17 - HKLM\System\CCS\Services\Tcpip\..\{6305DD6A-491C-4760-ACEE-79C18ABFB14B}: NameServer = 203.194.27.57 203.194.56.150


#2 Kevin_b_er (Gliding through the clutter; Retired Staff - Helper, 36 posts)

Posted 19 May 2004 - 10:28 AM

Ok, go to your Add/Remove Programs panel in Control Panel, find something called 'twain-tec' and uninstall it.

Next, you're infected with the Cool Web Search hijacker/trojan. Get CWShredder by Merijn, which kills (or rather, shreds) CWS. Run CWS with NO Internet Explorer windows open. Copy the rest of my post into Notepad or something if you have to. Don't have Explorer windows open either (My Computer, any folder contents windows, any drive contents windows, main Control Panel window, file find window).

Reboot

Then checkmark these in hijackthis and 'fix':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [p79Q3sl] nwafg.exe
O4 - HKCU\..\Run: [Prah] C:\Documents and Settings\cenithx\Application Data\ceor.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe

Reboot in safe mode, find these files and delete them:
C:\WINDOWS\System32\wnsintsv.exe
C:\Documents and Settings\cenithx\Application Data\ceor.exe
C:\windows\nwafg.exe or C:\windows\system32\nwafg.exe
C:\Program Files\SysAI\ <-- FOLDER/DIRECTORY
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\msmc.exe
C:\WINDOWS\System32\SearchBar.htm

Restart again, rescan with hijackthis, and reply to this topic with a new log.

#3 cenithx (Member / Full Member, 7 posts)

Posted 19 May 2004 - 11:02 AM

Thanks Kevin_b_er... I did as you said; this is the new log. For some reason msmc.exe is back even though I double-checked that I removed it. Is that possible? I'm thinking I'll just format tomorrow and put 98SE back on. XP has TOOO many openings for this kind of stuff to come in and it's getting really annoying.

Anyway.. the log:

Logfile of HijackThis v1.97.7
Scan saved at 2:03:40 AM, on 20/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
D:\cenithx\My Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38115.1933564815
O17 - HKLM\System\CCS\Services\Tcpip\..\{6305DD6A-491C-4760-ACEE-79C18ABFB14B}: NameServer = 203.194.27.57 203.194.56.150
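
A small script for the kind of before/after comparison the two logs above invite. It is an added example, not part of the thread and not a HijackThis feature: it parses the `R0`/`O2`/`O4`/`O17` entry lines of a HijackThis log, reports which entries of the first scan disappeared after the cleanup and which are still there, and applies a few constructed triage heuristics (bare filenames in Run keys, Run targets under a user profile, unnamed BHOs, start/search pages off Microsoft's domains, registry-set NameServer values). The embedded log excerpts are copied from posts #1 and #3; the known-bad filename list is taken from reply #2.

```python
"""Parse HijackThis-style log entries, diff a before/after pair of scans, and
apply simple triage heuristics. Added example for this thread; the heuristics
and the known-bad list are constructed here, not a HijackThis feature."""
import re
from dataclasses import dataclass

# An entry line is "<section> - <body>", e.g.
#   O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# Body of a registry Run entry: HKLM\..\Run: [Name] target
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # "R0", "O2", "O4", "O17", ...
    body: str      # rest of the line, verbatim


def parse_log(text):
    """Return the R/F/N/O entries; header lines and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def diff_logs(before_text, after_text):
    """(removed, persisted): first-scan entries absent from / still in the second scan."""
    after = set(parse_log(after_text))
    before = parse_log(before_text)
    removed = [e for e in before if e not in after]
    persisted = [e for e in before if e in after]
    return removed, persisted


def triage(entry, known_bad=()):
    """Heuristic reasons to look twice at an entry (empty list = nothing odd)."""
    reasons = []
    low = entry.body.lower()
    if entry.section in ("R0", "R1") and "=" in entry.body:
        # Start/Search page that is a file:// URL or not on microsoft.com / msn.com
        value = entry.body.split("=", 1)[1].strip().lower()
        if not re.search(r"^https?://[^/]*(microsoft\.com|msn\.com)(/|$)", value):
            reasons.append("IE start/search page points somewhere unexpected")
    elif entry.section == "O2" and "(no name)" in low:
        reasons.append("browser helper object with no name")
    elif entry.section == "O4":
        m = RUN_RE.match(entry.body)
        if m:
            target = m.group("target").strip().strip('"')
            if "\\" not in target:
                reasons.append("Run entry is a bare filename, not a full path")
            if "\\application data\\" in target.lower():
                reasons.append("Run entry launches from a user profile folder")
    elif entry.section == "O17":
        reasons.append("NameServer set in the registry; confirm it is the ISP's")
    if any(name.lower() in low for name in known_bad):
        reasons.append("matches a filename the helper listed for removal")
    return reasons


# Constructed excerpts of the two logs posted in this thread (entry lines only).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [p79Q3sl] nwafg.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Prah] C:\Documents and Settings\cenithx\Application Data\ceor.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6305DD6A-491C-4760-ACEE-79C18ABFB14B}: NameServer = 203.194.27.57 203.194.56.150
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6305DD6A-491C-4760-ACEE-79C18ABFB14B}: NameServer = 203.194.27.57 203.194.56.150
"""
# Filenames the helper told the poster to delete (from reply #2).
KNOWN_BAD = ("wnsintsv.exe", "ceor.exe", "nwafg.exe", "dp-him.exe", "msmc.exe",
             "SearchBar.htm", "AproposPlugin.dll")


def report(before_text=LOG_BEFORE, after_text=LOG_AFTER, known_bad=KNOWN_BAD):
    """Summary lines; persisted entries that still trip triage are the ones to chase."""
    removed, persisted = diff_logs(before_text, after_text)
    lines = [f"removed by cleanup: {len(removed)}"]
    for e in removed:
        lines.append(f"  - {e.section} {e.body}")
    lines.append(f"still present: {len(persisted)}")
    for e in persisted:
        flags = triage(e, known_bad)
        mark = "!! " if flags else "   "
        lines.append(f"{mark}{e.section} {e.body}" + (f"  [{'; '.join(flags)}]" if flags else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run on the excerpts, the report shows five entries gone and three still present, with the `msmc.exe` Run key marked because it is on the removal list: exactly the entry the poster noticed coming back, which is the signal that something still running is re-creating it and the next scan should be compared the same way.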


#4 Kevin_b_er (Gliding through the clutter; Retired Staff - Helper, 36 posts)

Posted 19 May 2004 - 11:17 AM

Look in Add/Remove Programs, find mscman.

If not, go to http://safer-networking.org and download SpyBot: Search & Destroy, which will clean it.


Win98 wouldn't offer much more help for you.

Main problem is Internet Explorer, it has too many exploits. Several of your spyware problems were caused by automatically installing through exploits.

Solution to that is to use other browsers, like Mozilla (or FireFox) or Opera. The first two are free; the last has ads or a pay version, but is not spyware.
Those are replacements for IE, and don't use any of IE's buggy and exploitable code.

Also, keeping up with patches is a good idea.

And remember, there are pretty much only two avenues for malware to get on your system:
1. It comes with another program you installed (p2p apps are common).
2. It exploits Internet Explorer to install automatically.

Edited by Kevin_b_er, 19 May 2004 - 11:21 AM.


#5 cenithx (Member / Full Member, 7 posts)

Posted 19 May 2004 - 09:57 PM

Well, I don't install anything off the net. Never use Kazaa or any of that crap. If I can't download it from a legit site, I get it on CD. Safer that way.

As for IE, I knew it had issues but didn't know it was that serious. Will definitely go check out those other browsers right now.

Thanks for all your help :)

SpywareInfo Forum - Member of ASAP and UNITE