Solved: Help! I have infestation of viruses,spybots, and adwares!!

[ORM]

Hiya and boy am I glad to have found you ! Though you may not have been so glad I have

My symptoms are virtually identical to Wasper but I bet it has been driving me more crazy than him. I am semi-computer literate but an intermediate skill may be a tad optimistic !!!

I don't know how much info you need but I have Norton Internet Security 2005, fully up to date with virus definitions and regularly scanned, operating on an ME system on a PC which I performed a full restore about a month back. I have next to nothing on the thing except the net, a photo-imager a CD burner and the usual Windows and Office programs.

I've been tearing my hair out trying to follow the advice of symantec and others.

Should I start by following the advice you offered Wasp on 8th July (ewido and hijack) and posting logs here ?

Many thanks

Tony

PS Am I being really stupid if I ask how these things get through Norton Internet Security when I have high custom level controls ?

PS2 - after 6 unsuccesful hours tonight I am going to bed - I may not be on the PC tomorrow night but I definitely will be on Thursday.

 

[MFDnNC]

Orm your post will be split on its own, do not jump on others threads

Then get HiJack This V1.99.1 http://thespykiller.co.uk/files/hijackthis_sfx.exe - double click the DL file and click unzip letting it extract to its default folder C:\Program FIles\HiJackThis, run it from there, DO NOT fix anything, post the log here.

Ewido does not run on ME

 

[JohnWill]

I've split you into a separate thread, please don't hijack other folks problem threads.

 

[ORM]

I've split you into a separate thread, please don't hijack other folks problem threads.

Apols to everybody, newbie alert ! That'll teach me to panic about the virus rather than concentrate on forum rules.

Now following steps recommended by MFDnSC and will report shortly

 

[ORM]

OK logfile is as follows: If I am not around when you respond please don't think I'm being rude. I'm from the UK, it's been a long day and I have an early start tomorrow.

Editing to post as an attachment !!!!

 

[MFDnNC]

Download CWShredder http://www.intermute.com/products/cwshredder.html

Close all browser windows,
Open cwshredder.exe then click "Fix" and let it run.

Download About:Buster from:
http://www.majorgeeks.com/download4289.html
Double click aboutbuster.exe, click Update, click OK, click Start, then click OK.


Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:


Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your desktop
This will take some time to run!
Post that log and a new HiJack log

 

[ORM]

Dayem that was quick Sir !

Will try all that now and post results as an edit to this message. Just one thing - I thought Ewido wouldn't run with ME ?

 

[MFDnNC]

Oooops you are correct - Do the others and then we'll see where to go

 

[MFDnNC]

Leave the log as a post vs. an attachment

Logfile of HijackThis v1.99.1
Scan saved at 23:19:03, on 20/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\WINDS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\WINDOWS\SYSTEM\HPHMON05.EXE
C:\WINDOWS\SYSTEM\APIVO32.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\smimu.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smimu.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\smimu.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\smimu.dll/sp.html#83556
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smimu.dll/sp.html#83556
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\smimu.dll/sp.html#83556
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {548455C7-8C77-692F-0904-1B35B4C01430} - C:\WINDOWS\ADDRM32.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [APIVO32.EXE] C:\WINDOWS\SYSTEM\APIVO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [WINDS.EXE] C:\WINDOWS\WINDS.EXE /s
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

 

[MFDnNC]

Fix these with HJT – mark them, close IE, click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\smimu.dll/sp.html#83556

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smimu.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\smimu.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\smimu.dll/sp.html#83556

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\smimu.dll/sp.html#83556

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\smimu.dll/sp.html#83556

O2 - BHO: Class - {548455C7-8C77-692F-0904-1B35B4C01430} - C:\WINDOWS\ADDRM32.DLL

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\Run: [APIVO32.EXE] C:\WINDOWS\SYSTEM\APIVO32.EXE

O4 - HKLM\..\RunServices: [WINDS.EXE] C:\WINDOWS\WINDS.EXE /s

DL http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\ADDRM32.DLL
C:\WINDOWS\SYSTEM\APIVO32.EXE
C:\WINDOWS\WINDS.EXE

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin
Boot

Run ActiveScan online virus scan

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan


Please give feedback on what worked/didn’t work and the current status of your system

 

[ORM]

Everything from CWS Shredder comes up as Not Present

About Buster had the following

AboutBuster 5.0 reference file 28
Scan started on [20/07/2005] at [23:47:38]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\plzvx.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 23:47:40

Now working on HJT Fix etc - we'll see how much longer I can go tonight - may have to do this tomorrow night after work

 

[MFDnNC]

Tomorrow is fine, I'll see it - it is very late there and the Pubs are closed!!!!!!!!

 

[ORM]

Nope, I'm sticking with this tonight (or this morning !!!)

Ran, HJT fix, Ran Killbox in safe mode and it let me delete all 3 files. Rebooted and currently running Panda - I assume I'll get a report at the end of it . 2 infected files found so far and counting. Will post results of this and new HJ log shortly

I should add that so far it looks very encouraging. No dodgy IE homepage, no dodgy links added to favourites, no automatic request to connect to IE when I boot up PC and no red dot in bottom right of screen containing dodgy your computer may be infected bubbles.

 

[MFDnNC]

I'll be gone at 1:00 am - my pubs are still open

 

[ORM]

No problem - I've just about had it for the night anyway

Here is the result of ActiveScan

Incident Status Location

Adware:adware/cws.homesearchasisstantNo disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HSA
Adware:adware/searchaid No disinfected HKEY_CLASSES_ROOT\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\jaizlf.txt
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\sdeyz.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\Program Files\HijackThis\backups\backup-20050721-001127-709.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\!Submit\ADDRM32.DLL I'm assuming you now wish me to delete these six files myself. The top two via REGEDIT if I'm not mistaken.

I'll await your response before trying this tonight and then I'll run another HJ scan.

I'm amazed & gobsmacked by all this.

I still would love to know how this managed to infiltrate my system but I'll leave that until the end.

Thanks for now and damn !!! Less than four hours kip for me now but 2-1/2 very valuable hours well spent.