0

I've been trying to destroy this for quite a while and thought that I had succeeded. I know little about computers, but I gave it my best shot.
I've tried my antivirus, online ones spybot, spyware scanner and bazooka scanner. my explore usually doesn't work anymore but coolsearch tries to load up even though the page can't be dsiplayed. Sometimes about 30 windows open up in only what I can describe as an agreessive manner in reaction to my meddling. :cheesy:.
my computer is often unstable and I keep getting reports of the same virus in system volume information? I think this is whare my restore points are stored.
Svchost.exe keeps trying to access the internet, i'm pretty sure that this is the virus.. colud be windows update though.
Also very lately I keep geting messages about being unable to install my mouse and keyboard etc... I don't know what that's about..

Anyway I don't know what else I can do without any advice, so I would be happy if you could help please.
heres the log.


Logfile of HijackThis v1.97.7
Scan saved at 16:26:33, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Omar\Desktop\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Omar\Desktop\moo\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {98C4149B-4E13-41B1-8079-9E8965E3AD8A} - C:\WINDOWS\System32\jnp.dll (file missing)
O2 - BHO: (no name) - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

4
Contributors
10
Replies
11
Views
13 Years
Discussion Span
Last Post by DMR
0

You are running an older version of HijackThis; please download the latest version (1.98.2), run it, and post the log here.

I keep getting reports of the same virus in system volume information? I think this is whare my restore points are stored.

That's correct. The Restore folder is a protected system folder, which is why your anti-virus program can't delete the infected files there. To erase the contents of the Restore folder you need to turn off the System Restore function:

1. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

2. In the System Properties window, click on the System Restore tab and then put a check in the box next to the "Turn off System Restore" option and hit the "Apply" button.

3. Click "Yes" in the resulting confirmation box and then click "OK" in the main Properties window.

0

It's a little worrying that there are viruses in the restore points too!
Heres the log for the latest version.

Logfile of HijackThis v1.98.2
Scan saved at 19:39:42, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Omar\Desktop\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\Q811630_WXP_SP2_EN.exe
c:\a4e06e5516ec0fd526f6948f33\xpsp1hfm.exe
c:\a4e06e5516ec0fd526f6948f33\sp2\update\update.exe
C:\Documents and Settings\Omar\Desktop\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {98C4149B-4E13-41B1-8079-9E8965E3AD8A} - C:\WINDOWS\System32\jnp.dll (file missing)
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O18 - Filter: text/html - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll
O18 - Filter: text/plain - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll

0

That is still the older version of hijackthis....the new version is 1.98.2. And be sure to save it to its own permanent folder, not in a temp one of your desktop. :)

0

Ok I did that, but i'm still uinable to go through my system restore files even though I disabled restore. My antivirus was still denied permission.


Here's the log after I put it in a proper folder and closed down all windows etc.


Logfile of HijackThis v1.98.2
Scan saved at 20:28:39, on 29/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Omar\Desktop\TeaTimer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Omar\Desktop\My Documents\utilities\HijackThis19802\HijackThis19802.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Omar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {98C4149B-4E13-41B1-8079-9E8965E3AD8A} - C:\WINDOWS\System32\jnp.dll (file missing)
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O18 - Filter: text/html - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll
O18 - Filter: text/plain - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll

hmmm.. I... nope.. can't make much sense from it :cheesy:

0

Ok I did that, but i'm still uinable to go through my system restore files even though I disabled restore. My antivirus was still denied permission.

Yes, the AV program will still not have permission to modify the restore area, but disabling the restore function should have purged the files there. Are you saying that the AV program still finds virus-infected files there?

It's a little worrying that there are viruses in the restore points too!

What happens is this: system restore works by making scheduled backups of critical windows components, including the registry. That way, if your system becomes corrupted you can (ideally) "roll back" to a previous, working configuration. Unfortunately, if your system is already infected at the time when Windows takes a restore "snapshot", the infected files get backed up along with everything else. Thank Microsoft for not having the forethought to check the intergrity of the files before backing them up, but that's another story....


As for your log:

1. Have HijackThis fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Omar\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {98C4149B-4E13-41B1-8079-9E8965E3AD8A} - C:\WINDOWS\System32\jnp.dll (file missing)
O2 - BHO: BHO Class - {CBEFB350-ED5B-4115-B846-C1041676B377} - C:\WINDOWS\System32\CustomIE32.dll
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O18 - Filter: text/html - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll
O18 - Filter: text/plain - {148ACC67-F1C4-47D0-9158-5B5003B10170} - C:\WINDOWS\System32\jnp.dll


2. Immediately after HJT completes the fixes:

Reboot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

(If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.)

- Empty your Recycle Bin.

- Reboot normally.

- Run HijackThis again and post a new log.

0

There haven't been any further triggers of trojans recently.
However evertime I deny access to svchost I get a constant string of device install errors.

I followed your advice.
Strangely under one of the accounts there was no content.IE5 folder, the files were just in the temporary internet files folder for some reason.
Also under the main user account in the cookies folder I was unable to delete the index dat file because it was in use..

Well here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 01:12:37, on 30/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Omar\Desktop\My Documents\utilities\HijackThis19802\HijackThis19802.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

0

There haven't been any further triggers of trojans recently.

This is a Good Thing. :)

However evertime I deny access to svchost I get a constant string of device install errors.

svchost.exe is a normal windows process which loads/handles other services, most of which are valid. You can read more about it here:
http://support.microsoft.com/?kbid=314056

Unfortunately, malicious programs can and do "attach" themselves to svchost in such a way that svchost will load them in the way that Windows loads valid services.

Given the above, if you try to restrict the actions of svchost in general you're bound to have problems such as you describe.

Strangely under one of the accounts there was no content.IE5 folder, the files were just in the temporary internet files folder for some reason.

If it was one of the built-in Windows accounts, that could be normal. Which account name was it?

Also under the main user account in the cookies folder I was unable to delete the index dat file because it was in use

Normal for the index.dat or desktop.ini files in the main folders under which I asked you to delete content. The subfolders also have their own versions of those files; it was the those I was refering to.

Well here is the log.

Actually, you log looks clean.

0

The dat file was under the administrators.

Thankyou very much, it is indeed clean, the explorer is working perfectly, I never thought that I would get rid of that pesky thing"

Also,
I'd like to learn how to use the hijackthis program properly, to understand all the log entrys completely and to know what to do myself, so do you know what steps I could take to gain a better understanding of hijack this and viruses in general? How could I teach myself?

Thanks for all your help!

1

You can find more hijackthis tutorials...

Here: ;)

http://hjt.wizardsofwebsites.com/
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
http://www.angeltowns.com/members/zupe/lsps.html
http://www.help2go.com/article153.html
http://www.fbeej.dk/NewHJTEntries.htm


In terms of viruses and the like, Norton, Sophos, Trend Micro, and other AV companies have areas on their support sites where you can find detailed info on thousands of known malicious programs.

One very helpful thing is to become quite familiar with what files and folders should exist on Windows systems; that will help you more quickly spot possible suspects when you're weeding out an infected computer.

Votes + Comments
Good advice -- dlh
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.