0

I cant get rid of Shopping wizard, home search assistent, and The ABI network- A divioson of direct revenue. I was told to start a new topic and post a log from hijackthis so here goes. Any help is much appreashiated. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 11:41:38 AM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\jjqdpr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\aaron\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

2
Contributors
11
Replies
12
Views
12 Years
Discussion Span
Last Post by DMR
0

You have a couple of different infections there, including the rather nasty Aurora/Nail.exe infection. Please do the following:

(you should print out these directions, as you will need to stay disconnected from the Internet during the course of the fixes)

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

0

ok i didn't know that i had to click clean for each file ewido found so i had to stay up a few hours last night while it finished. Here are the two logs that i got.

HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:59:26 AM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\aaron\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

And the Ewido.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:53:15 AM, 6/2/2005
+ Report-Checksum: 52FD7F70

+ Date of database: 6/2/2005
+ Version of scan engine: v3.0

+ Duration: 816 min
+ Scanned Files: 12780
+ Speed: 0.26 Files/Second
+ Infected files: 53
+ Removed files: 53
+ Files put in quarantine: 53
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\tbaa.dll -> TrojanDownloader.Small -> Cleaned with backup
C:\WINDOWS\system32\winlo.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\system32\apptb.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\system32\nettg.txt -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\system32\sdksd32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\apiom32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\afgqobk.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\afgqobkndw30103lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\rirndw30104lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\system32\jjqdpr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\tozozb.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\vxgfgx.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\whmzqa.dat -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\qluhio.txt -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\sqcwhk.dat -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\lqnbbn.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\jnexqh.log -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\bnfzxb.log -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\jzxwlu.log -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\javamz.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\ltbqpw.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\nwlncd.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\zbezzd.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\fxdiun.log -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\cqjijlrbsy.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\xpichk.dat -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\wxiuwr.dat -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\oxbzqb.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\Documents and Settings\aaron\Local Settings\Temporary Internet Files\Content.IE5\FPCW4BFF\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\aaron\Local Settings\Temporary Internet Files\Content.IE5\3210TJFV\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Documents and Settings\aaron\Local Settings\Temporary Internet Files\Content.IE5\3210TJFV\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\aaron\Local Settings\Temporary Internet Files\Content.IE5\96VTT2CE\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@targetnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\aaron\Cookies\aaron@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP49\A0006915.exe -> Spyware.SurfSide -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP53\A0007926.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP53\A0007927.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP53\A0007928.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP53\A0007929.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP54\A0007944.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP54\A0007945.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{62A5F5BC-96B8-4457-B02C-782EBC8F8701}\RP54\A0007946.dll -> Trojan.Agent.db -> Cleaned with backup


::Report End

Thanks for the help, really. I just hate getting this stuff when i dont even use my computer... its other people who come in my room and use it.Grr.

0

Ok- ewido cleaned up quite a bit; let's finish:

1. Close all Internet Explorer and Windows Explorer windows, run HijackThis again, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Delete the following file:
C:\WINDOWS\System32\rir.exe

- Delete the following folder entirely:
C:\Program Files\AWS

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


3. Run HJT again and post the new log. Also: when you paste logs into a post, please do not use the "CODE" or "QUOTE" tags. Just paste the text of the log into the body of the post; it makes things more readable that way.

0

Hers the new log. Sorry about the code before. Oh and, my home page changed to about:blank, but thats because i deleated thoes things on HJT right?

Logfile of HijackThis v1.99.1
Scan saved at 2:42:48 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\aaron\Desktop\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

I really appreashiate your help. Thank you!

0

You should be able to reset your homepage to something other than about:blank once we're done cleaning your system; that probably was just a side effect of our fixes.

Were you able to find and delete the C:\WINDOWS\System32\rir.exe file? It's still listed in your log, and if you did delete it once already, that probably means that there's a hidden malicious file which is recreating it. If so, we'll need to find that file by running another scanning utility.

Please do the following:


Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Run HijackThis and have it fix:

O4 - HKLM\..\Run: [rir] C:\WINDOWS\System32\rir.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)

Once HJT completes the fixes:

- Click on the "Config" button in the lower right corner of HJT's main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Paste the following in the box and click OK (omit the qoutes, and note that there is a blank space before the first "1"):

" 11Fßä#·ºÄÖ`I"

- Again in the "Misc Tools" window, click on "Delete a file on reboot". In the Explorer windows that opens, navigate to C:\WINDOWS\System32\rir.exe and double-click on it. Click "NO" when when the system asks you if you want to reboot now.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient. rkfiles will save the results of its scan to the file "C:\log.txt".
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply, along with a new HijackThis log.

0

ok it was wierd... I ran HJT and i removed the 2 items you told me to remove. Then i went into the deleate a nt service and pasted the thing in the box. When i tried to deleate it it said it is a vital process which was running and it said that you could stop it by using HTJ or something else. I tried ending it a few times and i kept getting the error. Finally like 6 times later (i dont know why i tried that many times) i get this. These are my steps in picture form.
[IMG]http://i6.photobucket.com/albums/y221/gctbob/stinkin%20virus%20stuff/1.jpg[/IMG]
[IMG]http://i6.photobucket.com/albums/y221/gctbob/stinkin%20virus%20stuff/2.jpg[/IMG]
[IMG]http://i6.photobucket.com/albums/y221/gctbob/stinkin%20virus%20stuff/3.jpg[/IMG]

Then i tried removing the rir.exe file and it could not be located in the file.
[IMG]http://i6.photobucket.com/albums/y221/gctbob/stinkin%20virus%20stuff/itshouldbearoundhere.jpg[/IMG]


Log.txt

C:\Documents and Settings\aaron\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\epx30104.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


HTJ Log

Logfile of HijackThis v1.99.1
Scan saved at 2:48:38 PM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\aaron\Desktop\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing) came back...


Oh, another thing... what is this? O15 - Trusted Zone: http://www.neededware.com

0

The gibberish characters in the service's filename may very well be confusing HijackThis, but it also looks like you were leaving out the first character of the filename (the blank space) when you entered the name into HJT's "delete an NT service" box.

Try this:

- Open the Services utility in your Administrative Tools control panel.

- Locate the service named "Workstation NetLogon Service" or " 11Fßä#·ºÄÖ`I" and double-click on it to check its status. If the service is not reported as both "Stopped" and "Disabled", stop the service and set its startup type to "Disabled". Close the Services utility after that.

- Run HJT again and retry the service deletion process.


If that does not work, try deleting the service manually through the Windows Registry Editor:

- Click on the "Run..." option under your Start menu, type the following command in the resulting "Open:" box, and hit Enter:

regedit

- At the top of the Registry Editor window, click on File, and then Export. In the Export range panel, click All, give the file a name, then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

- Navigate through the folder tree to the following locations and look for a sub-folder named either "Workstation NetLogon Service" or " 11Fßä#·ºÄÖ`I". Delete the folders if found:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services

(Note that not all of the "ControlSet00X" folders listed above may exist on your particular system)

- Close the Registry Editor and reboot. Run HJT again and see if the O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdksd32.exe (file missing) entry still exists.

what is this? O15 - Trusted Zone: http://www.neededware.com

A crapware vendor's site. Sorry, I missed that before; have HJT fix that entry as well, and then post a new log for us to review.

0

ok i did that and i stopped and disabled it. i ran hjt to see if it were still on the list and it was gone so i went ahead and deleated the other thing, crap ware or whatever. Ok, so i figured since we not only stopped it, but also disabled it i went ahead and ran the deleate nts server thing and deleated it and ran hjt to make sure everything was ok. i then restarted my computer and ran hjt and got this log. It seems all is in order, but i may be wrong. Thank you verry much for your help. If it indeed is gone i have some extra questions if you wouldnt mind answering.

Logfile of HijackThis v1.99.1
Scan saved at 9:22:15 PM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\aaron\Desktop\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

0

If it indeed is gone i have some extra questions if you wouldnt mind answering.

Good work. :)

The infections do indeed seem to be gone; there's only one loose end left to take care of. Run HJT again and have it fix:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)


Other than that, your log is now clean, and of course we'll course we'll try to answer any further questions you have; just ask.

0

well first and foremost i would like to sincerly thank you very much! THANK YOU!!! thank you, thank! I don't see why people have to do stuff like make programs to harm other people's computers. :'(. THANK YOU!!!


ok, im not that good with computers but im not as bad as my mom. Infact by your standards im probalby horrifically ignorant. I usually ask my friend computer questions because he has never failed to know. ok so i was wondering, cus he doesnt know. There is a process that is always running called svchost.exe... infact there are alot of them. what exactly are they?

Oh wait. i frogot to look at my add/ remove list... And the icons are still there. We got rid of the infections (or rather you did all the work) but how do i get rid of the icons?

oh yeah and, im going to put all the folder option settings back to default if its ok.

just remembered this too. I want to keep all this stuff we did in a folder incase this ever happens again... which i wont let it, but i dont want the program files like security suites to be in my start up thing when i turn on my computer. how do i remove it from the atrt up list? infact i dont even want it to active unless i start the program if possiable.

While on the topic of not letting it happen again; what can I do to assure this doesnt happen again taking into consideration i only have 96 mgs of ram, and pentitum 2 processor with 918 megs of space free on the HD... (dont ask i got the computer for free :mrgreen: )

0

You're welcome; glad we could help. :)

To answer some of your questions:

1. svchost.exe is a core Windows process which manages DLLs and Windows services. Because svchost is reponsible for handling a variety of tasks, you'll almost always see multiple instances of it running on your computer. Each of those individual instances of svchost is managing a certain type/group of sevices (networking-related tasks, for example).

2. To keep the utility programs from running automatically when Windows starts up, go into each programs properties/preferences settings and disable their "auto start" features.

3. Removing items that get "stuck" in your Add/Remove Programs control panel involves editing a key in your Registry. Instructions are here:
http://www.winguides.com/registry/display.php/110/

4. Yes, you can put the folder settings back to their defaults now.


And finally, here are some general suggestions that can help minimize your chances of getting reinfected:

1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

8. More suggestions can be found in this thread:
http://www.daniweb.com/techtalkforums/thread5690.html

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.