Help please - Trojan Downloader.agent.br problem

Discussion in 'adware, spyware & hijack cleaning' started by shahinian, Jul 3, 2004.

Thread Status:
Not open for further replies.
  1. shahinian

    shahinian Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    My pc has been infected by a virus called trojan downloader.agent.br.

    I have already tried:
    1) disable system restore
    2) reboot under save mode - tried to run AVG - failed
    3) reboot under normal mode
    4) rerun AVG - cleaned all virus
    5) reset homepage to www.yahoo.co.uk
    5) reboot again
    6) connect to internet
    7) VIRUS ALERTS APPEAR AGAIN FROM AVG

    It seems that either (a) the virus was not totally cleaned or (b) MS I.E is an open floodgate that hackers can just come in and out without permission. I was told to submit a hijackthis log file (see below). any help will be greatly appreciated:
    p.s. will be nice to know which website is the culprit
    **************************
    My Hijacklog file is as follow:
    ***************************
    Logfile of HijackThis v1.97.7
    Scan saved at 01:16:28, on 04/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
    C:\EPDOA\OAHotkey.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Documents and Settings\CHEN LIM\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qzwdo.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qzwdo.dll/index.html#27063
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qzwdo.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qzwdo.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qzwdo.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qzwdo.dll/sp.html#27063
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0B3E8744-11C9-4484-C99F-819E5E8818C9} - C:\WINDOWS\apiho32.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\JCCATCH.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [javage.exe] C:\WINDOWS\system32\javage.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: OAhotkey.lnk = C:\EPDOA\OAHotkey.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37579.2776041667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. CalamityJane

    CalamityJane Registered Member

    Joined:
    Sep 29, 2002
    Posts:
    126
    Location:
    Central Florida
    Hi shahinian,

    This is a new Coolwebsearch hijacker and AVG doesn't handle it very well.

    First, Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

    1. Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

    Unzip it to your desktop but don't run it yet.

    2. If you already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R326 01.07.2004 or higher listed. If you do not have Adaware installed, do that now:

    Download Adaware (get the free edition)
    http://www.lavasoft.de/software/adaware/
    (choose download from the lefthand menu)

    Go to: Select Full Install and choose the download location of your choice (1.7mb)
    Choose Download from
    http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

    Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

    Also download and install the Vx2 Cleaner Plugin. Download it here:
    http://www.lavasoft.de/software/plugins/vx2cleaner.shtml

    After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R326 01.07.2004 or higher listed.

    In Ad-aware click the Gear icon to go to the Settings area.

    The following items should be on a green check, not on a red X.

    Under the Scanning button:

    Scan within archives

    Under Memory & Registry, Check EVERYTHING

    In Check Drives & Folders, make sure all of your hard drives are selected

    Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

    Under the Tweak button...

    Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

    In Scanning Engine:

    Unload recognized processes during scanning


    Include info about ignored objects in logfile, if detected in scan

    Include basic Ad-aware settings in logfile

    Include additional Ad-aware settings in logfile

    Include used command line parameters in logfile

    In Cleaning Engine:

    XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

    Let Windows remove files in use at next reboot

    UNCHECK: Automatically try to unregister objects prior to deletion

    Click Proceed to save these settings.

    Again, don't scan yet as we will do that in SAFE MODE later in these steps.

    3. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

    4. Make sure your PC is configured to show hidden files

    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    6. Reboot to Safe Mode
    How to start the computer in Safe mode
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    7. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qzwdo.dll/sp.html#27063

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qzwdo.dll/index.html#27063

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qzwdo.dll/index.html#27063

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qzwdo.dll/sp.html#27063

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qzwdo.dll/index.html#27063

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qzwdo.dll/sp.html#27063

    O2 - BHO: (no name) - {0B3E8744-11C9-4484-C99F-819E5E8818C9} - C:\WINDOWS\apiho32.dll

    O4 - HKLM\..\Run: [javage.exe] C:\WINDOWS\system32\javage.exe

    and delete the following files if present.

    C:\WINDOWS\system32\qzwdo.dll

    C:\WINDOWS\apiho32.dll

    C:\WINDOWS\system32\javage.exe

    8. Stay in SAFE MODE. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report and post a copy back here when you are done with all the steps.

    9. Scan with Adaware (Press Scan and then put a dot in *custom mode* and press *next*. Let it remove any bad files found.

    10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin

    11. Reboot to normal mode, scan again with Hijack This and post a new log here.

    12. NOTE: Two, possibly 3, files were also deleted from your computer and need to be replaced.

    Control.exe
    hosts (with no extension)
    SDHelper.dll (if you are using Spybot Search & Destroy)

    If control. exe is missing
    Go here: http://www.spywareinfoforum.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

    Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
    Press 'Restore Original Hosts' and press 'OK'
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    URL=http://www.spywareinfoforum.com/~merijn/winfiles.html#sdhelper]http://www.spywareinfoforum.com/~merijn/winfiles.html#sdhelper[/URL] and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
    ........................................................
    13. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

    14. Finally, do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-cillin) - Free on-line Scan
    http://housecall.antivirus.com

    Post a fresh HijackThis log and the AboutBuster report back here please.
     
  3. shahinian

    shahinian Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    thanks for your help.

    I have not tried your method yet in case I cannot replace the files that you mentioned was going to be deleted:

    the following web-link (on your point 12) does not work, is there another link where I can download control.exe?
    ***** your original message************
    If control. exe is missing
    Go here: http://www.spywareinfoforum.com/~merijn/...es.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    ********************************
    also what is a hosts file? how do I know mine is of a custom nature?

    cheers once again for your help.

    shahinian
    p.s. I am using window xp
     
  4. shahinian

    shahinian Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    5
    Dear CalamityJane:

    You are a genius! I tried your method and managed to clean my pc. So far (10 minutes online) AVG has not flagged up any CWS virus warning... Let's hope it continues this way....

    Here's my log files from AboutBuster and Hijackthis:
    ________________________________
    Buster Version 1.24
    Removed! : C:\WINDOWS\apiho32.dll
    Removed! : C:\WINDOWS\mfcqk32.exe
    Removed! : C:\WINDOWS\netaa.exe
    Removed! : C:\WINDOWS\netdw.exe
    Removed! : C:\WINDOWS\appal.exe
    Removed! : C:\WINDOWS\d3zi32.exe
    Removed! : C:\WINDOWS\System32\odymr.dat
    Removed! : C:\WINDOWS\System32\pomgb.dat
    Removed! : C:\WINDOWS\System32\atlbx.exe
    Attempted Clean Of Temp folder.
    Removed LEGACY___NS_Service_3 Key
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!
    -----------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 22:35:21, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
    C:\EPDOA\OAHotkey.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\JCCATCH.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: OAhotkey.lnk = C:\EPDOA\OAHotkey.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37579.2776041667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    --------------------------------------------------------------------

    I still have some questions which you may know the answer:

    1) during clean-up, i skipped the bit on "network security service" in your instruction because i could not find it on my services window. does it matter?

    2) you said i was going to lose the control.exe and hosts files, but so far my pc did not ask me for them during start-up, shall I just do what you said?

    3) i keep my system restore disabled during clean-up. can i switch it on now?

    4) lastly, what's the best way to keep my pc clean from future CWS /virus attack? I have installed Sygate personal firewall, will this help? or should i need something else.

    Once again, thank you for your help. You are a real genius!
    shahinian
     
  5. CalamityJane

    CalamityJane Registered Member

    Joined:
    Sep 29, 2002
    Posts:
    126
    Location:
    Central Florida
    Hi shahinian,

    My apologies for the delay in a response. I rely on automatic email notifications from the board that a reply has been posted to the thread here and my ISP had a backlog of email I only just now got.

    First, your log looks clean :)

    Now to answer your questions:

    That's ok - a prior cleaning step may have fixed it. I can see that it was taken care of in the AboutBuster log.

    It is possible files were deleted by the hijacker, however, not all PCs have had this problem. Do a seach on your computer for: control.exe If it is there, you do not need to worry about replacing it.

    Yes, this would be a good time to do that so you have a good restore point created.

    Glad you asked! ;) We have some recommendations right here:'
    Why did I get infected in the first place
    https://www.wilderssecurity.com/showthread.php?t=27971

    I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

    MBSA Version 1.2 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
    Microsoft Baseline Security Analyzer
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx

    You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online AV scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to setup, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.

    Firefox
    http://www.mozilla.org/products/firefox/
     
Thread Status:
Not open for further replies.