Solved: Severely infected XP - Please help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

HansOle

Thread Starter
Joined
Jun 29, 2005
Messages
11
Hello

My Windows XP machine recently came down with a serious virus attack despite the fact that I run an anti-virus (F-Secure). The virus was Virus.Win32.Nsag.a and the initial problem was that somebody had overwritten my wininet.dll with an infected version.

I replaced this with the authorised version and tried to clean up manually by editing the reg-db. I managed to remove most of the annoying spy- and adware but I was not completely successful. Currently my browser is still hijacked by "oneclicksearches". And maybe there are more.

So I found this forum and decided to try "hijackthis". I would be most thankful if you could help decipher this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:07, on 29-06-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\Program\fspex.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = gsp-xp;<local>;localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDEBD.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BOOKcase 4.0.lnk = C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\AUTHENTIC\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: TDC Kabel TV Sikkerhedspakke (BackWeb Client - 7791805) - Unknown owner - C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)
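The entries the helper's reply singles out from this log (the R0/R1 start and search pages forced to about:blank, the F2 Shell line that starts a second program alongside Explorer, the O2 BHO with an all-F CLSID loading from a .tmp file, and the O23 services whose binaries are gone) can be picked out mechanically. The script below is an added example, not part of the thread and not HijackThis's own logic: the sample log is an excerpt constructed from lines quoted above, and the rules are the editor's heuristics for what the fix list targets, not a complete malware signature set.

```python
"""Triage of a HijackThis 1.99.1 log for the hijack patterns in this thread.

Added example: not from the thread and not HijackThis's own logic. The
sample below is an excerpt constructed from lines the first post quotes;
the rules are the editor's heuristics for what the helper's fix list
targets.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the log posted above (paths and CLSIDs as quoted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDEBD.tmp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SHELL_RE = re.compile(r"Shell=(?P<shells>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high": remove; "review": confirm with the machine's owner
    reason: str
    line: str


def parse(log_text):
    """Yield (section, body, full line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage(log_text):
    findings = []
    for section, body, line in parse(log_text):
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if "Internet Explorer" in key and value.strip().lower() == "about:blank":
                findings.append(Finding(section, "high",
                    "IE start/search page forced to about:blank (the hijack fixed in this thread)", line))
            elif "ProxyServer" in key:
                findings.append(Finding(section, "review",
                    f"browser proxy set to {value.strip()}; confirm it is your own gateway", line))
        elif section == "F2":
            # F2 Shell= is the Winlogon shell; anything besides Explorer.exe is started at logon.
            m = SHELL_RE.search(body)
            if m:
                shells = [s.strip() for s in m.group("shells").split(",") if s.strip()]
                extra = [s for s in shells if s.lower() != "explorer.exe"]
                if extra:
                    findings.append(Finding(section, "high",
                        "Winlogon Shell starts extra program(s) with Explorer: " + ", ".join(extra), line))
        elif section == "O2":
            m = BHO_RE.match(body)
            if m:
                reasons = []
                hexdigits = m.group("clsid").replace("-", "").upper()
                if len(set(hexdigits)) <= 3:  # {FFFF...FFFA} is hand-made, not a generated GUID
                    reasons.append("CLSID is not a generated GUID")
                if m.group("path").lower().endswith(".tmp"):
                    reasons.append("BHO loads from a .tmp file")
                if reasons:
                    findings.append(Finding(section, "high", "; ".join(reasons), line))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append(Finding(section, "review",
                "service registered but its binary is gone; leftover of an uninstall, remove the entry", line))
    return findings


def report(log_text):
    """Human-readable lines, most urgent first (stable sort keeps log order within a level)."""
    order = {"high": 0, "review": 1}
    return [f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}"
            for f in sorted(triage(log_text), key=lambda f: order[f.severity])]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log, the script flags exactly the R0/R1, F2 and O2 lines the helper asks HijackThis to fix, leaves the F-Secure, QuickTime and IBM DB2 entries alone, and lists the three orphaned Norton services and the LAN proxy for the owner to confirm rather than auto-remove.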
 
Joined
Feb 15, 2004
Messages
12,302
Hi, welcome to TSG.


Please read these instructions carefully and print them out! Be sure to
follow ALL instructions!



Click here to download smitfraudfix.zip.

http://metallica.geekstogo.com/smitfraud.reg

or here below if not working


Download this file: http://www.bleepingcomputer.com/files/reg/smitfraud.reg



Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php




Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard


Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES


How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=



Do a Ctrl/Alt/Del and in Task Manager stop these processes if running.



C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\msole32.exe




IMPORTANT!: If you forget to run the smitfraud.reg file you may not be able
to boot your computer normally. DO NOT forget this step. Locate smitfraud.reg
on your desktop and doubleclick on it. When asked if you want to merge with
the registry click YES. After you receive the prompt "merged successfully",
follow the rest of instructions below.



Doubleclick smitfraud.reg and confirm you want to merge it with the registry.





Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDEBD.tmp


Now boot to safe mode, carry out all these procedures in safe mode..



How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the "Paste Full Path of File to Delete"
box.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINDOWS\Golden Palace Casino Setup.exe
C:\wp.exe
C:\wp.bmp
C:\bws.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\hookdump.exe
C:\WINDOWS\System32\winnook.exe
C:\WINDOWS\System32\oleadm.dll
C:\WINDOWS\system32\oleadm32.dll
C:\WINDOWS\System32\hpDEBD.tmp

Exit the Killbox.




Make sure you can view hidden files.


How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=



Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
C:\Program Files\PSGuard\PSGuard.exe
C:\WINDOWS\System32\Services



Reboot into normal mode.

1.) Download the Hoster from: http://members.aol.com/toadbee/hoster.zip (or from www.funkytoad.com/download/hoster.zip). Unzip
the file and press "Restore Original Hosts" and press "OK". Exit the program.

2.) Download: DelDomains.inf

http://www.mvps.org/winhelp2002/DelDomains.inf

Should the link above display the text instead of downloading the file, then copy & paste the text into Notepad and save the file as DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) download and run ccleaner.

http://www.ccleaner.com/



Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



Post back with a new Hijack This log when you are done and the active scan log.
 

HansOle

Thread Starter
Joined
Jun 29, 2005
Messages
11
Hi khazars

Thank you so much for your recipe which I found extremely lucid and easy to follow.
The reason it took me some time was the penultimate step: Panda ActiveScan.
My machine turned out to have some 3.5 million files so it took a while.

I'm grateful that there are people like you out there to offset all the vandals who are trying to destroy our PCs. Now I hope you can declare my machine out of danger. Perhaps I should then install the XP updates which I have been neglecting.

Here are the logs from ActiveScan and HijackThis:


Incident Status Location

Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:Adware/Popuper No disinfected C:\!Submit\hhk.dll
Adware:Adware/Popuper No disinfected C:\!Submit\intmon.exe
Virus:Trj/Clicker.GF Disinfected C:\!Submit\msole32.exe
Adware:Adware/Popuper No disinfected C:\!Submit\shnlog.exe
Virus:W32/Disemboweler Disinfected Personal Folders\Inbox\FW: Warning: No addresses survived parsing process!\based upon the \CFGWIZ32.EXE
Virus:W32/Lentin.E Disinfected Personal Folders\Inbox\Fw: Curriculum Vitae01JB\Curriculum Vitae01JB.bmp.scr
Virus:W32/Lentin.E Disinfected Personal Folders\Inbox\Fw: Ur My Best Friend !!\truefriends.scr
Virus:Exploit/iFrame Disinfected Personal Folders\Inbox\[poseidon-forum] RE: datasheet or meranie a regulacia or yack or problem HW\MSG_RTF.TXT
Virus:Exploit/iFrame Disinfected Personal Folders\Inbox\Hello,your password\MSG_RTF.TXT
Virus:W32/Disemboweler Disinfected Personal Folders\Inbox\FW: Warning: No addresses survived parsing process!\based upon the \CFGWIZ32.EXE
Virus:W32/Lentin.E Disinfected Personal Folders\Inbox\Fw: Curriculum Vitae01JB\Curriculum Vitae01JB.bmp.scr
Virus:W32/Lentin.E Disinfected Personal Folders\Inbox\Fw: Ur My Best Friend !!\truefriends.scr
Adware:Adware/Popuper No disinfected C:\WINDOWS\popuper.old
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
Virus:Trj/Downloader.DGT Disinfected C:\WINDOWS\system32\MSMSGS.0XE
Adware:Adware/Startpage.ACK No disinfected C:\WINDOWS\system32\OLE32VBS.0XE
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\SHNLOG.0XE
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\UNINSTIU.0XE
-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:14:16, on 30-06-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\Program\fspex.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = gsp-xp;<local>;localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BOOKcase 4.0.lnk = C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\AUTHENTIC\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: TDC Kabel TV Sikkerhedspakke (BackWeb Client - 7791805) - Unknown owner - C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)

------------------
 
Joined
Feb 15, 2004
Messages
12,302
Your log looks clean. How's your computer running now, any better?


Use the killbox on these below, I think they have all been deleted, but just do so to make sure!


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the "Paste Full Path of File to Delete"
box.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINDOWS\System32\wp.bmp
C:\WINDOWS\screen.html
C:\WINDOWS\popuper.old
C:\WINDOWS\system32\MSMSGS.0XE
C:\WINDOWS\system32\OLE32VBS.0XE
C:\WINDOWS\system32\SHNLOG.0XE
C:\WINDOWS\UNINSTIU.0XE


Have you stopped using Norton? Have HijackThis fix these entries.


O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: NAV Alert - Unknown owner - C:\PROGRA~1\Navnt\alertsvc.exe (file missing)
O23 - Service: NAV Auto-Protect - Unknown owner - C:\PROGRA~1\Navnt\navapsvc.exe (file missing)
O23 - Service: Norton Program Scheduler - Unknown owner - C:\PROGRA~1\Navnt\npssvc.exe (file missing)



Post another log.
 

HansOle

Thread Starter
Joined
Jun 29, 2005
Messages
11
Hi again

Yes, my computer seems to be completely virus-free. I have not been using it much yet, because I wanted to be sure it was safe - and I wanted to install XP updates.

Only one problem now: now and again I get the message:
db2jds.exe encountered a problem and needs to close
(send/don't send to Microsoft)
I have been selecting don't send.

I assume this will correct itself if I update XP?

I have a tray icon that says "Stay current with automatic updates" which I (stupidly) have not used. I assume that I can doubleclick on this and be guided through the update?

Also I have disabled "System Restore" (at My Computer/Properties) because somebody advised me that it would help keep the viruses in check. Is it time to enable that again? Before or after updating XP?

So many questions. Anyway here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:26:36, on 30-06-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\Program\fspex.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\FSGK32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMB32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fssm32.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FCH32.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FAMEH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsav32.exe
C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\fsguiexe.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = gsp-xp;<local>;localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\WebSpeed Sikkerhedspakke\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\WebSpeed Sikkerhedspakke\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BOOKcase 4.0.lnk = C:\Program Files\TEXTware\BOOKcase40\BC40CASE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\AUTHENTIC\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\AUTHENTIC\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: TDC Kabel TV Sikkerhedspakke (BackWeb Client - 7791805) - Unknown owner - C:\PROGRA~1\WEBSPE~1\backweb\7791805\Program\SERVIC~1.EXE
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: DB2 Remote Command Server (DB2REMOTECMD) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WebSpeed Sikkerhedspakke\backweb\7791805\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\WebSpeed Sikkerhedspakke\Common\FSMA32.EXE
 
Joined
Feb 15, 2004
Messages
12,302
Clean log.



you should now turn off system restore to flush out the bad restore points and
then re-enable it and make a new clean restore point.


How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




you can turn on windows automatic updates by

Click Start > Run > and type in:

services.msc

Click OK.


Scroll down to Automatic Updates and click Start, then right-click it, choose Properties and change it to Automatic.

db2jds.exe: this has something to do with IBM.


http://castlecops.com/o23list-657.html

Ah, read this, it's been linked to a DNS threat by Microsoft, so there should be a patch for it seeing as it was reported in 2001.

http://xforce.iss.net/xforce/xfdb/6833



Yes, you really need to get all patches asap. That might fix the error you're getting.
This link is for XP SP1; you would then need to get all the XP SP2 patches if you don't want to get SP2.


However, it's advised to make sure your system is clean and stable before installing SP2 just in case; some advise to install SP2 only after a clean install of the XP operating system. However, you can always make a restore point before trying to install XP SP2.


You need to get XP SP1 asap and all other patches, you are open to
multiple threats!

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

http://search.microsoft.com/search/results.aspx?st=b&na=90&View=en-us&qu=Service+Pack+2



Here are some free tools to keep you from getting infected in the future.


To stop reinfection get these two tools, SpywareGuard and SpywareBlaster,
from

www.javacoolsoftware.com


Get the hosts file from here.

Put it into:


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

http://www.mvps.org/winhelp2002/hosts.htm


IE-SpyAd. Puts over 5000 sites in your Restricted zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm



http://www.winpatrol.com/winpatrol.html


Prevx: it stops spyware

http://www.prevx.com/prevxhome.asp


Use Spybot's Immunize button and use SpywareBlaster's Enable
Protection once you update it. You can put Spybot's hosts file into
your own and lock it. Plus you can also turn on Spybot's TeaTimer
for added protection against pests.

I would also suggest switching to Mozilla's Firefox browser, it's safer, has a built-in pop-up blocker, blocks cookies and ads.

http://www.mozilla.org/


Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html


A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm
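Two steps in this thread touch the hosts file: the Hoster "Restore Original Hosts" step in the first reply, and the advice above to install the MVPS hosts list. Those two uses look alike on disk (both are lines mapping hostnames to addresses) but mean opposite things: a blocklist sends ad and malware hostnames to a sink address (loopback or 0.0.0.0) so they never resolve, while a hijack sends search engines, AV vendors and update servers to a real address the attacker controls. The script below is an added example, not the thread's own tool and not Hoster or the MVPS list; it audits a hosts file with that distinction and returns the default contents to write back. SAMPLE_HOSTS is constructed: the 192.0.2.10 lines are made-up hijacks using a documentation address, and the default body assumes the Microsoft comment header has been dropped.

```python
"""Audit a Windows hosts file for redirect hijacks and rebuild the default.

Added example, not from the thread and not the Hoster tool or the MVPS
list. SAMPLE_HOSTS is constructed: the blocking entries imitate the
blocklist convention (hostname sent to loopback or 0.0.0.0) and the
192.0.2.10 lines are made-up hijacks using a documentation address.
"""
import ipaddress

# What a fresh XP hosts file resolves (assumption: Microsoft's comment header omitted).
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Constructed sample: two blocklist-style lines, two hijacks, IPv6 loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net       # blocklist-style entry
0.0.0.0         banners.example.net      # blocklist-style entry
192.0.2.10      www.google.com           # constructed hijack
192.0.2.10      liveupdate.symantec.com  # constructed hijack
::1             localhost
"""


def parse_hosts(text):
    """Yield (line number, address, [hostnames]) ignoring comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def classify(address):
    """'sink' for loopback or 0.0.0.0 (a blocking entry), 'redirect' for any other address."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    return "sink" if addr.is_loopback or addr.is_unspecified else "redirect"


def audit(text):
    """Return (severity, line number, address, hostname, reason) tuples."""
    findings = []
    for lineno, address, hostnames in parse_hosts(text):
        kind = classify(address)
        for host in hostnames:
            if host.lower() == "localhost":
                # localhost must stay on loopback; anything else breaks local services.
                if kind != "sink":
                    findings.append(("high", lineno, address, host,
                                     "localhost pointed away from loopback"))
            elif kind == "sink":
                findings.append(("info", lineno, address, host, "blocking entry"))
            elif kind == "redirect":
                findings.append(("high", lineno, address, host,
                                 "hostname redirected to a real address "
                                 "(search, AV and update sites are the usual targets)"))
            else:
                findings.append(("review", lineno, address, host, "unparseable address"))
    return findings


def hijacked_hostnames(text):
    """Just the hostnames an attacker has redirected."""
    return [f[3] for f in audit(text) if f[0] == "high"]


def restore_default():
    """The 'Restore Original Hosts' step: contents to write back to the hosts
    file under system32/drivers/etc once the bad lines are confirmed."""
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for sev, lineno, address, host, why in audit(SAMPLE_HOSTS):
        print(f"[{sev}] line {lineno}: {address} {host}: {why}")
```

On a machine cleaned the way this thread describes, run the audit before and after installing the MVPS list: the list should add only "info" entries, and any "high" line that appears at any point is a reason to go back to the malware removal steps rather than to the hosts file alone.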
 