Need Help Removing Agent.2.BM and Agent.2.BO Trojans

BullGuard Antivirus Forum > Virus Removal > Removal Help > Need Help Removing Agent.2.BM and Agent.2.BO Trojans

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

Graushwein
New Member

Date Joined Nov 2004
Total Posts : 7

Posted 11-13-2004 6:10 (GMT +1)

My Hijackthis Log

Logfile of HijackThis v1.97.7
Scan saved at 12:05:22 PM, on 11/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Graushwein\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbpv.dll/sp.html#28129
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkfi32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\GRAUSH~1\LOCALS~1\Temp\mwavscan.com" /s
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=fab19f64c271dfd5b772fcfb344ed4d5f8217f7b03e9b7145eeb15c7b73869070b857bc819ac1ca41787ff055d83fcb743482bfaec:0a002003c3f6d5950937c6314a45eb37
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094609265750
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{561E428B-49A6-41D7-B785-04E8BFCBA978}: NameServer = 4.2.2.2,4.2.2.1

I have downloaded Escan, aboutbuster, and CCleaner.

I can't find the shortcut for Escan though even though I downloaded and installed it.

I appreciate any help on this very pesky matter.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14350

Posted 11-13-2004 7:06 (GMT +1)

Hey

Infections change all the time, so do disinfection methods ;-)

Please download AboutBuster: http://tools.zerosrealm.com/AboutBuster.zip

Just unzip to Desktop.

Adware http://www.lavasoftusa.com/support/download/

Download this scanner – mwav exe: http://home9.inet.tele.dk/le01/Sikkerhed.htm
http://www.spywareinfo.dk/download/mwav.exe

Leave the programs.

Show hidden files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

Disable System Restore

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Please print out the remainder of these directions, as you'll have to proceed in Safe Mode. Now, disconnect to the net.

Reboot into Safe Mode (hit F8 key until menu shows up).

Start-run, type:regedit
Find- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
check for a key called-HOMEOldsp, if present- delete it.
And if you have some files in searchpage/searchbar which end with …\sp delete them
Go to Edit in registry and type - HOMEOldsp. Click-Find Next, delete it-if present.
Use F3 for search more, if you find more- delete them.
Same procedure with-About:blank
Close Registry.

Double click the AboutBuster.exe file. Click OK, then click Start, then click OK.

This will scan your computer for the bad files and delete them. Save the report it creates (copy and paste it into notepad and save as a .txt file).

Run Adware

we need to configure Ad-aware SE for a full scan. Some of them should be enabled by default, while others you will need to set yourself (see below).

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
Automatically save logfile
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)
Click on the Scanning button on the left and select :
Scan within archives
Scan active processes
Scan registry
-Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file
Under Select drives & folders to scan, choose:
Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
Include additional object information
Include negligible objects information
Include environment information
Click the Tweak button and select:
Under the Scanning Engine:

2. Unload recognized processes & modules during scan
Under the Cleaning Engine:Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose:
Use custom scanning options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next).

Now run the Scanner, you downloaded from Microworld.
Activate all in settings

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <<<This will delete your files in your internet cache--including cookies.
C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
Empty your "Recycle Bin"

There are usally a couple of files that you will not be able to delete..this is normal.

Reboot, this should be your first reboot! Please update Hijackthis, or download a new version: http://danborg.org/spy/HJT/hijackthis.exe

If you need updates: : http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en

post new log, with AboutBuster log

Touch

Member of - Alliance of Security Analysis Professionals

Graushwein
New Member

Date Joined Nov 2004
Total Posts : 7

Posted 11-14-2004 3:02 (GMT +1)

eScan says it will not get rid of the viruses unless I buy escan? there a way around this? Says it is like 50 bucks!

Graushwein
New Member

Date Joined Nov 2004
Total Posts : 7

Posted 11-14-2004 5:53 (GMT +1)

Ok, I have 2 computers, I am on the non-infected one.

When I first logged onto the forums I though I might just be able to get rid of it like you told someone else to,

so I did this:

Reboot to Safe Mode - F8

I know this was really stupid of me but I was very impatient at that time. I am sorry now though.

After I rebooted to go into safe mode there was a problem. I got to the Welcome/ login screen where you

choose what user you want to login as. Then when I tried to log in as any of them I was immediately and

and automatically logged out. I noticed that for some reason my computer was checking my floppy drive when it did this, I don't think that this was happening before. I Tried logging in every way that F8 allowed but the same thing constantly

happened. I then got out the Windows CD and ran the Repair sequence. ONce it finished I chose to hook

the comp back up to the net so that I could register Windows again. After I did that it let me back into

windows, and I did the stuff for the log I posted above. I logged out and back in just to see if I could, it

worked. Did not try rebooting though because I was about to log back in to safe mode anyways.

(All this happened before I posted the log above.)

I did all of what you said above and was allowed to log back onto my comp into safe mode like you said, although there was no "R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank"

I did all of what you said in safe mode. The only thing I am not sure about was eScan. It told me that

it found viruses but would not get rid of them unless I bought the program. I didn't. I proceeded to delete

all of the files and folders inside of the ones you told me. There were a couple I could not delete of course.

I just rebooted my comp and now I am back at the point where I can't login from the welcome screen,

it just logs me back out before I can do anything. I am going to Repair with the windows CD agains

so that I can get back into my comp and see if I can get you the about buster log.

The only thing I can thing that I did before the whole "not being able to log back in" thing started was

delete all of the "About:blank" files I could find in regedit with the F3 command.

If you have any suggestions so that I can log back in normally without having to take the hour for

the windows CD to repair my comp and allow me to get in and out of my computer normally I would be

very grateful.

(Also I just realized that I didn't have the same version of ad-aware that you specified. I had the regulare version 6, not the SE version. It still found like 110 things though.)

Post Edited (Graushwein) : 11/14/2004 5:08:56 AM GMT

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14350

Posted 11-14-2004 10:40 (GMT +1)

I can´t see other ways than a repair cry

It is one of the worst infections you have . It can remove legal files from your system, which seems to, it have done.

Let me know when you are back online, we will use another fix

If you use one of these links:
http://home9.inet.tele.dk/le01/Sikkerhed.htm
http://www.spywareinfo.dk/download/mwav.exe

You don´t have to pay

Touch

Member of - Alliance of Security Analysis Professionals

Graushwein
New Member

Date Joined Nov 2004
Total Posts : 7

Posted 11-14-2004 3:26 (GMT +1)

Ok I am back up now. One thing that I immediately notice is this:

The System Configuration Utility window has automatically come up and states:

You have used the system configuration utility to make changes to the way windows starts.

The system configuration utility is currently in diagnostic or selective startup mode,

causing thhis message to be displayed and the utility to run every time windows starts.

Choose the normal startup mode on the general tab to start windows normally and undo the

changes you made using the system configuration utility.

You told me to give you an about buster log before so I did that.

First I did a new Hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:12:17 AM, on 11/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkfi32.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\GRAUSH~1\LOCALS~1\Temp\mwavscan.com" /s
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=fab19f64c271dfd5b772fcfb344ed4d5f8217f7b03e9b7145eeb15c7b73869070b857bc819ac1ca41787ff055d83fcb743482bfaec:0a002003c3f6d5950937c6314a45eb37
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094609265750
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{561E428B-49A6-41D7-B785-04E8BFCBA978}: NameServer = 4.2.2.2,4.2.2.1

Here is the aboutbuster log:Scanned at: 7:29:04 PM on: 11/13/2004

-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 9:21:37 AM on: 11/14/2004

-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 17

No ADS found on system
Removed! : C:\WINDOWS\d3ng32.exe
Removed! : C:\WINDOWS\iejy32.exe
Removed! : C:\WINDOWS\netqz.exe
Removed! : C:\WINDOWS\ntzi.exe
Removed! : C:\WINDOWS\orbpv.dll
Removed! : C:\WINDOWS\System32\atlde.exe
Removed! : C:\WINDOWS\System32\msug32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 17

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

I am currently leaving my comp the way it is without rebooting for fear of having to repair again.

Post Edited (Graushwein) : 11/14/2004 2:28:32 PM GMT

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14350

Posted 11-14-2004 5:33 (GMT +1)

Download this scanner – mwav exe: http://home9.inet.tele.dk/le01/Sikkerhed.htm
http://www.spywareinfo.dk/download/mwav.exe

Cwshredder: Cwshredder: http://www.spywareinfo.com/~merijn/downloads.html
Or: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

Unzip to own folder,check for updates.

http://www.spywareinfo.com/~merijn/winfiles.html#control
Download them all to a folder where you can fins them again. I suggest you write down where they shall be installed

Leave the programs.

Disable System Restore

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Please print out the remainder of these directions, as you'll have to proceed in Safe Mode. Now, disconnect to the net.

Reboot into Safe Mode (hit F8 key until menu shows up). If you can´t/won´t – Do it from normal mode

Start-Run, type/copy: regsvr32 /u msbe.dll “OK”

Scan with HijackThis , close all other windows and browsers, and place a checkmark next to these items, and fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbpv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkfi32.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\GRAUSH~1\LOCALS~1\Temp\mwavscan.com" /s
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=fab19f64c271dfd5b772fcfb344ed4d5f8217f7b03e9b7145eeb15c7b73869070b857bc819ac1ca41787ff055d83fcb743482bfaec:0a002003c3f6d5950937c6314a45eb37

Find and delete:
C:\WINDOWS\orbpv.dll
C:\WINDOWS\system32\sdkfi32.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\web\related.htm
C:\Program Files\BullsEye Network\bin\bargains.exe <<<If you don’t use it

Double click the AboutBuster.exe file. Click OK, then click Start, then click OK.

This will scan your computer for the bad files and delete them. Save the report it creates (copy and paste it into notepad and save as a .txt file).

Run Adware

Now run the mwav scanner.
Activate all in settings

Run Cwshredder, close all other windows-Fix

Install the files from spywareinfo, if needed

Reboot, this should be your first reboot! If you need updates: : http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en

post new log, with AboutBuster log

Touch

Member of - Alliance of Security Analysis Professionals

Graushwein
New Member

Date Joined Nov 2004
Total Posts : 7

Posted 11-14-2004 11:14 (GMT +1)

I did all you recomended and have to say THANK YOU!

I forgot to log my About Buster log, but it got rid of 6 viruses / trojans.

Here is my new HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 4:16:30 PM, on 11/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ghoulgamers.com/viewforum.php?f=40
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094609265750
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{561E428B-49A6-41D7-B785-04E8BFCBA978}: NameServer = 4.2.2.2,4.2.2.1

How does that look?

I have questions on how to keep my computer adware, spyware, and virus free. Currently I have AVG, Norton AV (Symantec), Spybot S&D, Spyware Blaster, Ad-Aware SE, CWShredder, CCleaner, Hijackthis, AboutBuster and I just uninstalled Stopzilla.

Are there any programs that I should have?

What programs can I get rid of or not use?

Also I am an avid internet gamer (Planetside) and am constantly trying to balance my computer programs to optimize for best performance. I guess I am wondering if there are programs that won't bring down my performance when I am not browsing the internet? Before this virus incident I had ,a week prior, disabled all programs from starting up with windows in an effort to help with my framerate and possible bandwidth issues (DSL). What safety programs, if any, should I leave enabled for startup?

I hope I am in the clear now. But I have to just say that you rock man! Seriously, do you accept donations because I'd like to express my appreciation?

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14350

Posted 11-15-2004 9:35 (GMT +1)

Hey

You can get rid of-Hijackthis, AboutBuster
And one Antivirus program is enough. I prefer AVG.

Spywareblaster (update once in a week) and
http://www.javacoolsoftware.com/spywareguard.html Update when downloaded
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Will protect you on bad sites, they simpli block for spyware, tracking cookies etc.

If you run and update Adware, Spybot once a day, it´ll be fine

Run Ccleaner when you shut down your comp.

About Startup, you´ll have to try, what´s needed

Slow net performance! Try this:
Speed up Browsing in Internet Explorer -
Start/Run/Regedit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace
In the right pane find: {D6277990-4C6A-11CF-8D87-00AA0060F5BF} Value and delete it.

A site with many Performance tips: http://www.windowsxpatoz.com/cgi-bin/network/index.cgi

Yes, you have a clean log smilewinkgrin

Hide your system files and enable system restore again

Thanks for your offer. "I'd like to express my appreciation" these words are enough for me, besides- i have beaten a Hijacker ;-)

Touch

Member of - Alliance of Security Analysis Professionals

Forum Information

Currently it is Saturday, January 10, 2009 12:01 AM (GMT +1)
There are a total of 66.009 posts in 16.187 threads.
In the last 3 days there were 18 new threads and 108 reply posts. View Active Threads