daveyz (Member, Monaca, PA):

HJT, can't get rid of trojan

I have a trojan that is called Backdoor.Beasty.Family. It gets quarantined, but every time I right-click to execute something it comes back, 201 times for each right-click.
I went through all the suggested things to do before posting a HJT log, so here is my log:

Logfile of HijackThis v1.98.2
Scan saved at 1:03:47 AM, on 12/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\DAVE\Local Settings\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.0.0.0.0
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Mats (Premium Member):

Can you not update your Norton AV? NAV has had this in its databases for over a year and a half.

Removal instructions are on this page:

»securityresponse.symante ··· ily.html
daveyz (Member, Monaca, PA):

Done all that; it comes back every time I right-click something.

Cudni (MVM, Someshire):

While in Safe Mode, run HJT and remove:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = »minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = »minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = »minisearch.startnow.com/

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -

Edit, to clarify: delete the contents of your temp and TIF folders.

Cudni
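The triage Cudni does by eye above can be scripted. This is an added example, not code from the thread or from HijackThis: it parses HJT 1.98 entries, flags the R0/R1 search and start-page values that point at a foreign domain, the O16 DPF entry with no source URL, and marks Trusted Zone entries and unnamed BHOs for a human look. The sample lines are copied from the first log in the thread; the list of IE default domains is an assumption made here for illustration.

```python
# Added example (not from the thread or from HijackThis): triage an HJT 1.98
# log the way the replies do, flagging the R0/R1 search/start-page hijacks,
# the O16 DPF entry with no source URL, and entries worth a second look.
# SAMPLE_LOG is copied from the first log in the thread; DEFAULT_DOMAINS is
# an assumption made here for illustration.
import re

SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.0.0.0.0
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
"""

# Domains IE 6 points its start/search pages at out of the box (assumption).
DEFAULT_DOMAINS = ("microsoft.com", "msn.com")

# R0/R1: "<type> - <hive>\<key>,<value name> = <url>"
R_RE = re.compile(r"^(R[01]) - (HKLM|HKCU)\\(.+?),(.+?) =\s*(.*)$")
# O2: BHO name, CLSID and the DLL that IE loads into every browser process.
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O15: a pattern added to IE's Trusted Sites zone.
O15_RE = re.compile(r"^O15 - Trusted Zone: (.+)$")
# O16: a Downloaded Program File (ActiveX control) and the URL it came from.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) -\s*(.*)$")


def url_domain(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def is_default_domain(url):
    d = url_domain(url)
    return any(d == dom or d.endswith("." + dom) for dom in DEFAULT_DOMAINS)


def triage(log_text):
    """Return (verdict, line) pairs: 'remove' for entries the thread tells the
    poster to delete, 'review' for ones that need a human decision."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_RE.match(line)
        if m:
            url = m.group(5)
            # Empty values (Local Page) are harmless; a foreign domain is a hijack.
            if url and not is_default_domain(url):
                findings.append(("remove", line))
            continue
        m = O16_RE.match(line)
        if m:
            if not m.group(2):
                # A DPF entry with no source URL is an orphaned ActiveX install.
                findings.append(("remove", line))
            continue
        if O15_RE.match(line):
            # The thread's later advice: never add any site to Trusted Sites.
            findings.append(("review", line))
            continue
        m = O2_RE.match(line)
        if m and m.group(1) == "(no name)":
            # Unnamed BHOs need the path checked: SDHelper.dll here is Spybot's own.
            findings.append(("review", line))
    return findings


def remove_count(log_text):
    return sum(1 for verdict, _ in triage(log_text) if verdict == "remove")


if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG):
        print(f"{verdict:7} {line}")
```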

John2g to daveyz (Premium Member, England):
Not sure if this is the same trojan, but it might be worth a read.

»Re: help getting rid of beast

illukka to daveyz (Premium Member, Finland):
If it's detected as Beasty it's the same thing, probably a different version. But tataye's removal instructions are still the ones to go for. After all, HE is the Beast expert!
daveyz (Member, Monaca, PA):

Here is my problem. I can't find any file associated with this beast. The only way I can tell it is here is that it gets quarantined when I right-click stuff on my desktop or in folders. The question I have is: where the hell is the file that tries to execute when I right-click? It can't be found anywhere on my machine.

Name Game to daveyz (Premium Member, Grand Rapids, MI):
If it gets quarantined I am assuming you are talking about Norton, and if so, does it give you a log to tell us the file or the path?
If so please post that info.. and if you open up that quarantine folder... what do you find in it.. any names, etc.?

Then also try this.

It is recommended that you do a couple of things after a serious infection.

Just to be sure.

Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel >
Internet Options. Under the General tab click the Delete temporary internet files,
choose to delete all Offline content. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all ->
File > delete.

Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one.

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

This will result in your having to re-enter passwords at forums, banks, and the like.

A small price to pay if it gets rid of any bad guys.

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained here:
»service1.symantec.com/SU ··· 12274039

Also, if you have Sun Java installed, its cache should be cleared too.
Control Panel > Java Plug-in > Cache tab > hit Clear!
And make sure you have the latest version if you have Sun Java.

Adjust your security settings for ActiveX:
a. Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set/click the options as follows:
Download signed ActiveX controls > prompt
Download unsigned ActiveX controls > disable
Initialize and Script ActiveX controls not marked as safe > disable
b. In your Restricted Sites Zone set everything that can be to "disable". Set anything that cannot be disabled to "prompt".
c. Never add any site to your Trusted Sites Zone.
daveyz (Member, Monaca, PA):

Here is what Norton has logged for the last episode of this beast trying to initialize itself:

Source: C:\WINDOWS\msmqinst.log:
Source: C:\WINDOWS\Cache:
Source: C:\WINDOWS\Cache:
Source: C:\WINDOWS\Q817606.log:
Source: C:\WINDOWS\setuperr.log:
Source: C:\WINDOWS\winhlp32.exe:
Source: C:\WINDOWS\winhlp32.exe:
Source: C:\WINDOWS\$NtUninstallKB837001$:
Source: C:\WINDOWS\KB840374.log:
Source: C:\WINDOWS\KB840374.log:
Source: C:\WINDOWS\$NtUninstallQ817606$:
Source: C:\WINDOWS\$NtUninstallQ817606$:
Source: C:\WINDOWS\Prefetch:
Source: C:\WINDOWS\PATCH.EXE:
Source: C:\WINDOWS\$NtUninstallQ324380$:
Source: C:\WINDOWS\Q319580.log:
Source: C:\WINDOWS\xpsp1hfm.log:
Source: C:\WINDOWS\xpsp1hfm.log:
Source: C:\WINDOWS\$NtUninstallQ317277$:
Source: C:\WINDOWS\Q311967.log:
Source: C:\WINDOWS\SoftwareDistribution:
Source: C:\WINDOWS\dcstds3.dll:
Source: C:\WINDOWS\AppPatch:
Source: C:\WINDOWS\Q328310.log:
Source: C:\WINDOWS\Setup1.exe:
Source: C:\WINDOWS\PIF:
Source: C:\WINDOWS\Q329115.log:
Source: C:\WINDOWS\twunk_32.exe:
Source: C:\WINDOWS\tsoc.log:
Source: C:\WINDOWS\$NtUninstallQ313450$:
Source: C:\WINDOWS\msdownld.tmp:
Source: C:\WINDOWS\Q323172.log:
Source: C:\WINDOWS\VerizonOnline:
Source: C:\WINDOWS\DHCPUPG.LOG:
Source: C:\WINDOWS\MedCtrOC.log:
Source: C:\WINDOWS\MedCtrOC.log:
Source: C:\WINDOWS\rtpmsi32.dll:
Source: C:\WINDOWS\mozver.dat:
Source: C:\WINDOWS\twunk_32.exe:
Source: C:\WINDOWS\AU_Temp:
Source: C:\WINDOWS\Config:
Source: C:\WINDOWS\msagent:
Source: C:\WINDOWS\LPT$VPN.218:
Source: C:\WINDOWS\unvise32.exe:
Source: C:\WINDOWS\VPTNFILE.218:
Source: C:\WINDOWS\$NtUninstallKB823182$:
Threat category: AdwareSource: atpart~1.dll,Description: The compressed file atpart~1.dll within C:\Program Files\PestPatrol\Quarantine\20041203011206234.zip is a Adware threat.
Source: C:\WINDOWS\ServicePackFiles:
Source: C:\WINDOWS\security:
Source: C:\WINDOWS\netfxocm.log:
Source: C:\WINDOWS\mui:
Source: C:\WINDOWS\PATCH.EXE:
Source: C:\WINDOWS\Installer:
Source: C:\WINDOWS\$xpsp1hfm$:
Source: C:\WINDOWS\$xpsp1hfm$:
Source: C:\WINDOWS\Config:
Source: C:\WINDOWS\Config:
Source: C:\WINDOWS\mini motoring course racing gam.exe:
Source: C:\WINDOWS\KB840315.log:
Source: C:\WINDOWS\setdebug.exe:
Source: C:\WINDOWS\Gone Fishing.bmp:
Source: C:\WINDOWS\bootstat.dat:
Source: C:\WINDOWS\Q319580.log:
Source: C:\WINDOWS\Q819696.log:
Source: C:\WINDOWS\Tasks:
Source: C:\WINDOWS\DHCPUPG.LOG:
Source: C:\WINDOWS\Internet Logs:
Source: C:\WINDOWS\$NtUninstallQ319580$:
Source: C:\WINDOWS\iis6.log:
Source: C:\WINDOWS\rtpmsi32.dll:
Source: C:\WINDOWS\TMUPDATE.DLL:
Source: C:\WINDOWS\AU_Temp:
Source: C:\WINDOWS\$NtUninstallKB873376$:
Source: C:\WINDOWS\Q329834.log:
Source: C:\WINDOWS\LPT$VPN.218:
Source: C:\WINDOWS\eReg.dat:
Source: C:\WINDOWS\control.ini:
Source: C:\WINDOWS\mini motoring course racing gam.exe:
Source: C:\WINDOWS\VPTNFILE.218:
Source: C:\WINDOWS\$NtUninstallKB841533_RTM$:
Source: C:\WINDOWS\KB810217.log:
Source: C:\WINDOWS\msdfmap.ini:
Source: C:\WINDOWS\Prefetch:
Source: C:\WINDOWS\$NtUninstallKB835732$:
Source: C:\WINDOWS\imsins.log:
Source: C:\WINDOWS\rtpmsi32.dll:
Source: C:\WINDOWS\$NtUninstallQ311889$:
Source: C:\WINDOWS\setuperr.log:
Source: C:\WINDOWS\jautoexp.dat:
Source: C:\WINDOWS\SoftwareDistribution:
Source: C:\WINDOWS\$NtUninstallQ329048$:
Source: C:\WINDOWS\WMSysPr9.prx:
Source: C:\WINDOWS\$NtUninstallKB885884$:
Source: C:\WINDOWS\Q329834.log:
Source: C:\WINDOWS\VPTNFILE.218:
Source: C:\WINDOWS\srchasst:
Source: C:\WINDOWS\AU_Temp:
Source: C:\WINDOWS\Blue Lace 16.bmp:
Source: C:\WINDOWS\ime:
Source: C:\WINDOWS\KB810217.log:
Source: C:\WINDOWS\ocmsn.log:
Source: C:\WINDOWS\Q329115.log:
Source: C:\WINDOWS\Q323172.log:
Source: C:\WINDOWS\Q329048.log:
Source: C:\WINDOWS\MININU.LOG:
Source: C:\WINDOWS\wmsetup.log:
Source: C:\WINDOWS\regopt.log:
Source: C:\WINDOWS\mini motoring course racing gam.exe:
Source: C:\WINDOWS\Q315403.log:
Source: C:\WINDOWS\KB835732.log:
Source: C:\WINDOWS\eMusicSetup.exe:
Source: C:\WINDOWS\KB823182.log:
Source: C:\WINDOWS\Q330994.exe:
Source: C:\WINDOWS\Q323172.log:
Source: C:\WINDOWS\wmsetup.log:
Source: C:\WINDOWS\Q810833.log:
Source: C:\WINDOWS\$NtUninstallKB842773$:
Source: C:\WINDOWS\LPT$VPN.218:
Source: C:\WINDOWS\_default.pif:
Source: C:\WINDOWS\Internet Logs:
Source: C:\WINDOWS\msgsocm.log:
Source: C:\WINDOWS\Q817606.log:
Source: C:\WINDOWS\Registration:
Source: C:\WINDOWS\0.log:
Source: C:\WINDOWS\IsUninst.exe:
Source: C:\WINDOWS\Greenstone.bmp:
Source: C:\WINDOWS\eMusicSetup.exe:
Source: C:\WINDOWS\unvise32.exe:
Source: C:\WINDOWS\unvise32.exe:
Source: C:\WINDOWS\Prairie Wind.bmp:
Source: C:\WINDOWS\nero.INI:
Source: C:\WINDOWS\KB824105.log:
Source: C:\WINDOWS\KB824105.log:
Source: C:\WINDOWS\$NtUninstallKB840315_RTM$:
Source: C:\WINDOWS\KB841533.log:
Source: C:\WINDOWS\system.ini:
Source: C:\WINDOWS\system.ini:
Source: C:\WINDOWS\$NtUninstallQ311967$:
Source: C:\WINDOWS\$NtUninstallQ311967$:
Source: C:\WINDOWS\Active Setup Log.BAK:
Source: C:\WINDOWS\Q331953.log:
Source: C:\WINDOWS\RegisteredPackages:
Source: C:\WINDOWS\UninstallFirefox.exe:
Source: C:\WINDOWS\Tasks:
Source: C:\WINDOWS\setupapi.log:
Source: C:\WINDOWS\setupact.log:
Source: C:\WINDOWS\ocgen.log:
Source: C:\WINDOWS\Zapotec.bmp:
Source: C:\WINDOWS\$NtUninstallKB823182$:
Source: C:\WINDOWS\KB828028.log:
Source: C:\WINDOWS\$NtUninstallQ817606$:
Source: C:\WINDOWS\$NtUninstallQ315403$:
Source: C:\WINDOWS\imsins.log:
Source: C:\WINDOWS\Q810565.log:
Source: C:\WINDOWS\VPTNFILE.218:
Source: C:\WINDOWS\KB841356.log:
Source: C:\WINDOWS\twunk_32.exe:
Source: C:\WINDOWS\$NtUninstallKB840315_RTM$:
Source: C:\WINDOWS\Resources:
Source: C:\WINDOWS\PIF:
Source: C:\WINDOWS\$NtUninstallKB840315_RTM$:
Source: C:\WINDOWS\msnavpklog.txt:
Source: C:\WINDOWS\Prefetch:
Source: C:\WINDOWS\Internet Logs:
Source: C:\WINDOWS\Internet Logs:
Source: C:\WINDOWS\$NtUninstallKB833987$:
Source: C:\WINDOWS\twain_32:
Source: C:\WINDOWS\Q318138.log:
Source: C:\WINDOWS\Q810833.log:
Source: C:\WINDOWS\$NtUninstallKB841873_RTM$:
Source: C:\WINDOWS\$NtUninstallKB841873_RTM$:
Source: C:\WINDOWS\Q329834.log:
Source: C:\WINDOWS\Q329834.log:
Source: C:\WINDOWS\hh.exe:
Source: C:\WINDOWS\Q315000.log:
Source: C:\WINDOWS\Q329048.log:
Source: C:\WINDOWS\SETUP32.INI:
Source: C:\WINDOWS\KB873376.log:
Source: C:\WINDOWS\$NtUninstallKB833987_RTM$:
Source: C:\WINDOWS\$NtUninstallKB833987_RTM$:
Source: C:\WINDOWS\vb.ini:
Source: C:\WINDOWS\peernet:
Source: C:\WINDOWS\srchasst:
Source: C:\WINDOWS\nsreg.dat:
Source: C:\WINDOWS\0.log:
Source: C:\WINDOWS\WMSysPrx.prx:
Source: C:\WINDOWS\java:
Source: C:\WINDOWS\Q313450.log:
Source: C:\WINDOWS\The Cleaner.bmp:
Source: C:\WINDOWS\tsc.exe:
Source: C:\WINDOWS\system32:
Source: C:\WINDOWS\Q814033.log:
Source: C:\WINDOWS\VPTNFILE.218:
Threat category: AdwareSource: C:\WINDOWS\system32\ATPartners.dll,Description: The file C:\WINDOWS\system32\ATPartners.dll is a Adware threat.

John2g to daveyz (Premium Member, England):
If you really have the Beast trojan, I would invest in BOClean. It will remove all variations completely, as well as giving you the best possible protection from any other trojan, now, or in the future.

Name Game to illukka (Premium Member, Grand Rapids, MI):
said by illukka:

if its detected as beasty its the same thing, probably a different version. but tatayes removal instructions are still the ones to go for. after all HE is the beast expert !
The Beast you are talking about does not have a right-click function to install like this. Beast doesn't activate on right-click.
Name Game to daveyz (Premium Member):
One glaring symptom of being compromised by this adware Trojan is the constant barrage of pop-ups and ads that come from seemingly nowhere. This Trojan exists on a system in the form of a .DLL named "ATPartners.dll" and may be 96,256 bytes in size. It is probable that a data file also exists, of variable size, named "IM64.dll".

Threat Analysis
This adware Trojan is installed under suspicious circumstances and most often through the use of exploits. The Trojan is found on malicious websites within a Cabinet file such as "ATPartners.cab". Within the .CAB file are two files - ATPartners.inf and ATPartners.dll. Once the Trojan is installed from a web page, it will load as an Internet Explorer Browser Helper Object [BHO].

BHO files are not inherently dangerous; however, Trojans, spyware and adware should be treated with high prejudice.

When Internet Explorer loads, all BHO components will also load, running in memory. The ATPartners BHO connects with a hard-coded website to identify specifics about what additional components it should download. The additional components are considered by the Trojan to be "partners" in ad delivery, thus the name "ATPartners".

"Addictive Technologies" coded ATPartners. The ATPartners BHO will "phone home" and connect with its website at 'www.f1organizer.com' to update and download link information related to current adware partners. The Trojan will interpret the link information, and retrieve the related adware.

It is not uncommon for a system to have more than one adware component installed after becoming compromised by ATPartners. In fact, it is likely at least five or more adware threats are installed.
»www.fortinet.com/VirusEn ··· fid=1788

see also

»www.spynet.com/spyware/s ··· ers.aspx

»www.spynet.com/spyware/s ··· mes.aspx

John2g (Premium Member, England):

Gee, you are a smart fella John
John2g to daveyz (Premium Member):
Just a thought. I notice that you have XP installed. Have you thought of using System Restore to rectify the situation?

Name Game to John2g (Premium Member, Grand Rapids, MI):
said by John2g:

Gee, you are a smart fella John
It must have been that..

Source: C:\WINDOWS\Prairie Wind.bmp:

»www.google.com/search?cl ··· mp%3A%20

That made me such a fart smeller.

Getting cold here even in MB.. hope you have better weather.
daveyz (Member, Monaca, PA):

Ran KAV and it found a lot of stuff NAV didn't. I just kept deleting and now I have the use of my right-click function without the beast being detected. Thanks everyone for your suggestions.

larsfum to daveyz (Premium Member, Saint Petersburg, FL):
I am by far not an expert, but have you thought about turning off System Restore, then quarantining it? Restart, delete the quarantined file. Restart again and turn System Restore back on. I don't know if it will work, but that may be what keeps bringing it back.

Name Game to daveyz (Premium Member, Grand Rapids, MI):
said by daveyz:

Ran KAV and it found a lot of stuff NAV didn't. I just kept deleting and now I have the use of my right-click function without the beast being detected. Thanks everyone for your suggestions.
Good, Davey.. cause it really looked messed up.. and you are going to need more than you are running to keep out of that junk. Firefox was a good step.. but still you should now do all the rest of this and clean out that System Restore again also.

It is recommended that you do a couple of things after a serious infection.

Just to be sure.

Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel >
Internet Options. Under the General tab click the Delete temporary internet files,
choose to delete all Offline content. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all ->
File > delete.

Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one.

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

This will result in your having to re-enter passwords at forums, banks, and the like.

A small price to pay if it gets rid of any bad guys.

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained here:
»service1.symantec.com/SU ··· 12274039

Also, if you have Sun Java installed, its cache should be cleared too.
Control Panel > Java Plug-in > Cache tab > hit Clear!
And make sure you have the latest version if you have Sun Java.

Adjust your security settings for ActiveX:
a. Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set/click the options as follows:
Download signed ActiveX controls > prompt
Download unsigned ActiveX controls > disable
Initialize and Script ActiveX controls not marked as safe > disable
b. In your Restricted Sites Zone set everything that can be to "disable". Set anything that cannot be disabled to "prompt".
c. Never add any site to your Trusted Sites Zone.

I would also recommend, in your own self-defense and to reduce the potential for spyware infection in the future, installing both SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

More info and download is available at:
SpywareBlaster: »www.majorgeeks.com/downl ··· det=2859
SpywareGuard: »www.majorgeeks.com/downl ··· det=3045

Maybe consider this as well:
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit
innocent-looking sites that aren't really innocent at all.
»netfiles.uiuc.edu/ehowes ··· urce.htm
Also some info on that page to tighten your IE security.

Be sure to also keep up with Windows and IE updates.

Windows security and critical updates.
»v4.windowsupdate.microso ··· ault.asp

Internet Explorer security and critical updates.
»www.microsoft.com/window ··· ault.asp

Keep all of these programs updated; it's free.
Name Game to daveyz (Premium Member):
And here is another good free tool.. just let it scan to clean the registry on your whole drive for all the CLSIDs and other junk that might be left.. take a look at each, but I am sure you will find none are needed any more.. then just select all.. then right-click on the whole group you find in the mini window and delete them..

This tool also has many other features you will find come in handy.

RegSeeker Copyright 2002-2003 Hover Inc.
Thibaud DJIAN
Russ SCHWENKLER

RegSeeker website : »www.hoverdesk.net/freeware.htm
Hover Inc. website : »www.hoverdesk.net

RegSeeker is the perfect companion for your Windows registry!
RegSeeker includes a powerful registry cleaner and can display various information like your startup entries, several histories (even index.dat files), installed applications and much more! With RegSeeker you can search for any item inside your registry, export/delete the results, and open them in the registry. RegSeeker also includes a tweaks panel to optimize your OS!
daveyz (Member, Monaca, PA):

I don't keep System Restore on. I have done everything that has been posted here and in other posts.

Name Game (Premium Member, Grand Rapids, MI):

said by daveyz:

I don't keep System Restore on. I have done everything that has been posted here and in other posts.
Good, smart move on that System Restore.. do you want to now post another HijackThis log and let us see if it is clean now.. and are you having any other problems you think have occurred because of some of those infections?
daveyz (Member, Monaca, PA):

Here is the new HJT log; the fuc@#$ is back. It is in the windows/ime file. When I go to delete it, it tells me it is write-protected. I ran scans on each folder in the ime folder and nothing is detected. When I scan the whole ime folder it detects it. I'm getting jacked.

Logfile of HijackThis v1.98.2
Scan saved at 4:05:27 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DAVE\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.0.0.0.0
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
daveyz (Member):

Any input would be great.

John2g to daveyz (Premium Member, England):
I'm not sure what scans you are referring to, but have you thought to scan in Safe Mode?
daveyz (Member, Monaca, PA):

I have scanned in Safe Mode. That's how I found out it returned.

John2g (Premium Member, England):

I can only repeat my previous advice: Buy BOClean. In the unlikely event it does not remove your trojan, their support will help you until it is finally eradicated.