Hacktool.Rootkit virus, round 2!

Hi all. I came to this forum having the same problem. norton is continuosly displaying virus alert in system32\msdirectx.sys file with the hacktool virus. a then downloaded avg antivirus. it detected the virus and i thought that it removed it as when i rebooted the norton alert was off and avg scan was clean (that was yesterday). then today i downloaded adware and spybot s&D and they removed many undesirable items and after i thought that i conquered the virus, i found its back again and avg nor norton can quarantine, or delete it. what can i do apart from reinstalling windows XP

Hi sshohdi,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Thanks for understanding.

MadDave123- welcome to you also. :)

Components of infections are evident in your HijackThis log. Please do the following:

You will want to print out these directions, as you will need to close all instances of your web browser while performing the fixes

1. Disable XP's System Restore feature. As explantion of how to do that (and why) can be found here.

2. Run HijackThis again, put a check in the boxes to the left of the following entries, and then clicck the "Fix checked" button:

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate and delete the following files:
sysmon32.exe
pingppac.exe
wuampkd.exe
C:\WINDOWS\System32\vbsys2.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Run a full scan with Norton.

- Reboot normally.

4. Run hijackThis again, post a new log, and tell us if Norton was able to find and/or fix anything when you ran it in Safe Mode.

Right. Firstly, thankyou very much for the warm welcome and more so for the help. ;)

I did as per the instructions and all was going well and good. I finished removing everything and ran Norton in safe mode. It found 4 viruses at the end of the scan (none of which were the Hacktool.rootkit fortunately). It successfully fixed 2 of those and wanted to quarrantine the remaining 2.
I located the offending files, deleted them and ran Norton once again. It finished and showed no problems! Huzzahhh! :D

Alas, I rebooted normally and after about 5 minutes Norton starts spamming the PC with Virus messages again (again, none of which were the Hacktool.rootkit fortunately). :mad: The info Norton gave on the virus was this:

File: C:\WINDOWNS\SYSTEM32\ESMXE.DLL
Virus: Trojan.StartPage

and a malicious script warning with the following info:

Object: File System Object
Activity: Create text file
File: C:\Windows\System32\-Embedding

I checked for the virus (ESMXE.DLL) but couldn't find it anywhere. As for the malicious script I have no idea what to do, I tried locating the file but again had no luck.

I did run HJT again but I had no way of saving the file so I could post it on the forums (as I'm now using a work PC). I didn't want to access the internet on the infected PC incase I opened the floodgates for more problems.

So, thanks very much for helping get rid of the Hacktool.Rootkit, but now can you help deal with the 2 remaining atrocities?

As always, any and all help is much appreciated. :)

Cheers,

Dave.

In terms of posting a HijackThis log:

I definitely agree that leaving the infected computer offline is a good idea; some of these nasties will "phone home" to redownload themselves if they aren't entirely removed from your system. To get around this, you can save the HJT log as a text file in Notepad, copy it to a floppy/CD/whatever, take it to another computer, and post it from there. Please do that when you can; the log might give us some info on the new infection(s) you have.

If you haven't installed Microsoft's AntiSpyware beta yet, you might want to do so; it's a good compliment to SpyBot, ewido, Ad Aware, etc. If you don't want to download it directly onto the infected computer, download it elsewhere, burn it to CD, and install it on the infected comupter that way.

Right, apologies for taking ages to reply. Work has been hectic as always and overtime has just started up again so I've not had a chance to visit my dad's PC for some time.

Until now, that is...

So, here's the HJT log after I did all the cleaning detailed in my previous post:-

Logfile of HijackThis v1.99.1
Scan saved at 21:05:02, on 10/07/2005
Platform: Windows XP SP1, v.1050 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1037)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R3 - URLSearchHook: (no name) - {D1AB6420-E125-3AA9-47D7-DE8FB557B8D0} - MsNetHelper.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\snzug.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Internet Explorer Hot Fix - {58D90D72-A99E-4D42-8307-62F86E1F8EDE} - C:\WINDOWS\System32\esmxe.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\snzug.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [qwe] slamm.exe
O4 - HKLM\..\Run: [zantu] avpmondll.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [zantu] sysconf16.exe
O4 - HKCU\..\Run: [msag] trycrt.exe
O4 - HKCU\..\Run: [pizda] ms-its.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/ri32XjLzTeAxSXVDcpU.chm::/on-line.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110/5/s1//q.chm::/file.exe
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DCA6142-D558-4473-8C00-5F8B53B3821C}: NameServer = 69.50.184.84 195.225.176.37
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Any and all help is much appreciated. :)

Dave.

No problem concerning the time lag; we all have "real life" happenings that can keep us away from here.

1. Uninstall the WareOut program through your Add/Remove Programs control panel. WareOut is a bogus program; you can read more about it, and other disreputable "anti-spyware" programs at this site.

2. Run HJT and have it fix:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
R3 - URLSearchHook: (no name) - {D1AB6420-E125-3AA9-47D7-DE8FB557B8D0} - MsNetHelper.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\snzug.dll
O2 - BHO: Internet Explorer Hot Fix - {58D90D72-A99E-4D42-8307-62F86E1F8EDE} - C:\WINDOWS\System32\esmxe.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\snzug.dll
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [qwe] slamm.exe
O4 - HKLM\..\Run: [zantu] avpmondll.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [zantu] sysconf16.exe
O4 - HKCU\..\Run: [msag] trycrt.exe
O4 - HKCU\..\Run: [pizda] ms-its.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/ri32XjLzTeAxSX...m::/on-line.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110/5/s1//q.chm::/file.exe
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DCA6142-D558-4473-8C00-5F8B53B3821C}: NameServer = 69.50.184.84 195.225.176.37

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate and delete the following files:

C:\WINDOWS\System32\snzug.dll
C:\WINDOWS\System32\esmxe.dll
iau.exe
stisvsq.exe
svshost.exe <- !! Note that there is a valid Windows system file named svchost.exe. Do not delete that file; only delete the file named svshost.exe!
msqdevl.exe
lssas.exe <- !! Note that there is a valid Windows system file named lsass.exe. Do not delete that file; only delete the file named lssas.exe!
mservice.exe
C:\WINDOWS\System32\msmsgs.exe
slamm.exe
avpmondll.exe
sysconf16.exe
trycrt.exe
ms-its.exe
C:\foo.mht!
C:tsk.mht!

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

3. Run HJT again and post a new log. If you were unable to find or delete any of the infected files I listed above, tell us the names of those files.

Excellent. Thanks for the help.

I shall post all relevant info as soon as I've been round my dads again.

Cheers.

Post whenever you can; we're not going anywhere... :mrgreen:

Well, you dared me, so I did it. It's only gone and taken me a month and a half to get back here :cool:

Lets start with the good news shall we. It seems that everything has finally been obliterated. :mrgreen: No more messages from Norton or anything.
There were a few viruses needless to say but norton sorted them out in safe mode.
Also, quite a few of the files you told me to delete directly weren't there at all anyway. I don't know if this is because HJT did a thorough job or because the files are too well hidden (I'm quite proficient at finding evil files on PC's so I'm hoping it's the former explanation).
I'll post the final HJT log at the end of this reply for those that want to check it over :)

So, overall, thanks very much (again) for all the help people. My dad is now safely tucked away in Italy enjoying cold beers and football so his mind is very much off of anything to do with PC's...

However, (and here is the bad news) there is still one problem occurring on the PC that has me dumbfounded. I don't know whether this is the correct place to ask about it but since it may be related to the previous problems I'll ask and let you have the honour of either providing the solution or redirecting me to another thread area.

Here goes. Basically, I.E. doesn't work. You can type in all the addresses under the sun but they all either just sit there loading for a century, or it shows an error 404 straight away.
Unfortunately it's not as simple as not having the net plugged in (if only)! - this is the weird part - If after a bazillion attempts a page finally does load, you can set it as the home page. After doing this the page will load everytime when a new I.E. window is opened. It also increases the chances of I.E. loading new pages via links from the now current homepage.

I hope this is all making sense? :rolleyes:

Anyways, that's about it. Internet no work -> unless a page is set to homepage -> then it works a little more often.

Any thoughts?

Well, as always mucho gracias for the help so far. Here's the HJT log I promised y'all.

Cheers,

Dave...

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:07:24, on 10/08/2005
Platform: Windows XP SP1, v.1050 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1037)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

P.S. Man, I do seem to waffle a bit in my posts. Oh well... :p

Well, you dared me...

Yeah; I'm just a sucker for a good challenge. :cheesy:

OK-

There are still a couple of unwanted entries in your HJT log. Please do the following:

1. Run a HJT scan and have it fix the following two entries:

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types". Locate and delete the c:\eied_s7.cab file, and then empty your Recycle Bin.

3. Download and run the free trial version of the ewido Security Suite utility; it should detect and clean up any hidden loose ends left behind by the infections you had. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run a full system scan and save the scan report it generates.

4. Reboot after ewido finishes its scan, run HJT again, and post the new HJT log as well as the scan report log that ewido generated.

5. For the IE browsing problems:

* Download and run the IEFix utility. I've seen it fix more IE problems than those explicitly described on the program's download site, so it might help.

* Let's see if this a possible DNS issue:

Open IE, type the following in the address/location bar, and then hit Enter:

http://66.102.7.147

That should take you to Google.com; let us know if it does or doesn't.

Well, after my dad returned from Italy the other day I finally got a chance to test my new found knowledge on his PC (thanks to you guys) ;)

So, I ran HJT, had it fix the 2 items and then tried to locate the file
c:\eied_s7.cab . Unfortunately I couldn't locate it. Ewido did however find and delete a file called c:\ex.cab because there was malware embedded within it.

Initially Ewido wouldn't update (probably due to the internet problem), it just wouldn't connect to the update server; so I ran IEfix and tried Ewido again. Still nothing. I restarted and hey presto, Ewido was now able to update

correctly. After that I did a full scan with Ewido and it successfully fixed 20 problems.

Hopefully that's the last of the virus / spyware problems. Although there is still the case of pop-up system messages. I.E. as soon as the pc connects to the net a generic system message pop-up will appear about once every few mins.

Looking a bit like this:

Messenger Service
-----------------
Message from SECURITY to ALERT on 31/08/2005
Warning (blah blah, about corrupt files and spyware)
Click OK to download this uber program that can fix your PC
etc

Other than that. The PC is running fine, no virus pop-ups, norton warnings or stupid adverts etc. :D

The new HJT / Ewido logs are at the end of this post.

Now we get to the fun part. The internet itself...

I ran IEfix (as I said earlier) and am afraid it's a no go. The web pages still won't load up. They won't even load after setting the home page to specific sites either. One thing I have noticed is the current addres info on the bottom left panel of the IE window will display lots of names like it's searching for alternates.
E.G If i type www.hotmail.com in, the botom panel will wizz through www.hotmail.co.uk, www.hotmail.org, www.hotmail.edu etc etc. After that I get the normal Page 404 error and sometimes an error window which says: "The search page could not be found".

I also tried http://66.102.7.147, but no luck there either.

sigh :(

So, without further delay, I present the logs:

HJT:


Logfile of HijackThis v1.99.1
Scan saved at 23:28:36, on 31/08/2005
Platform: Windows XP SP1, v.1050 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1037)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\oipxkxke.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Telnet24] oipxkxke.exe
O4 - HKLM\..\RunServices: [Telnet24] oipxkxke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Ewido:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           23:14:49, 31/08/2005
+ Report-Checksum:      F0DABA17


+ Scan result:


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-776561741-152049171-854245398-1003\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-776561741-152049171-854245398-1003\Software\WareOut\FirstRun -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-776561741-152049171-854245398-1003\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-776561741-152049171-854245398-1003\Software\WareOut\Registration -> TrojanDownloader.Wareout : Cleaned with backup
C:\ex.cab/epl.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\csrss.dll -> Trojan.Liewar.p : Cleaned with backup
C:\WINDOWS\lssas.exe -> Trojan.Liewar.p : Cleaned with backup
C:\WINDOWS\msiau.dll -> TrojanProxy.Symbab.ar : Cleaned with backup
C:\WINDOWS\msqdevl.exe -> Trojan.Liewar.p : Cleaned with backup
C:\WINDOWS\smssa.dll -> Trojan.Liewar.p : Cleaned with backup
C:\WINDOWS\system32\atixvdm.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\drv2cltr.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\system32\eid.exe -> TrojanDownloader.Mediket.au : Cleaned with backup
C:\WINDOWS\system32\hybsys32.dll -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\msgame32.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\TFTP3088 -> Backdoor.Codbot.ae : Cleaned with backup
C:\WINDOWS\taskmgr.dll -> Trojan.Liewar.p : Cleaned with backup
C:\WINDOWS\uvchost.dll -> Trojan.Liewar.p : Cleaned with backup
C:\WINDOWS\winlogon.dll -> Trojan.Liewar.p : Cleaned with backup



::Report End

Cheers,

Dave.

Bumpity bump....

Just incase this got overlooked. ;)