Browser hijacked
Comments
-
here is my Panda scan details:
Incident Status Location
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/igetnet Not disinfected C:\WINDOWS\SYSTEM\rules.dat
Adware:adware/secure32 Not disinfected C:\WINDOWS\country.exe
Adware:adware/isearch Not disinfected C:\WINDOWS\tool2.exe
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Anne1\Cookies\anne1@com[2].txt
Adware:Adware/Lop Not disinfected C:\Program Files\free one junk\STARTBASH.exe
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer24.zip[anne1@realmedia[1].txt]
Spyware:Cookie/Xmts Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer24.zip[anne1@xmts[1].txt]
Spyware:Cookie/go Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer27.zip[anne1@go[1].txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer27.zip[anne1@realmedia[1].txt]
Virus:Trj/DNSChanger.ED Disinfected C:\WINDOWS\system32\hgqhp.exe
Couldn't get rid of these on Housecall:
MS01-028 - RTF Document linked to template can run macros without warning
MS00-034 Office 200 UA Control Vulnerability
Not sure if I've run all the free scans on Housecall, could only seem to find one.
New HJT log
Logfile of HijackThis v1.99.1
Scan saved at 17:03:04, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anne1\Desktop\DO NOT DELETE\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedibb.co.uk
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136714814380
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A59F2033-0BE0-405F-983A-EFA1E725720C}: NameServer = 85.255.113.148,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F8263C-E238-4394-973D-F59D47C84F7C}: NameServer = 85.255.113.148,85.255.112.20
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Can see Panda is still showing Startbash but I can't seem to find it to get rid of it.
The PC is running soooooooo much better thank you and am so grateful for all your help. Is there still other stuff I can get rid of as well though?
Edited to add: no idea how there are smilies in the middle of some of the text, as I haven't inserted them.
-
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/isearch Not disinfected C:\WINDOWS\tool2.exe
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Virus:Trj/DNSChanger.ED Disinfected C:\WINDOWS\system32\hgqhp.exe
are all things that still need sorting, but I'll leave it to PChelpman to sort you out as he's the expert on these.
Ex forum ambassador
Long term forum member
-
Have realised that some of the things are showing in Spybot Search and Destroy 1.1, but I use 1.4 now, so am I right in thinking I need to uninstall all of the 1.1 version, if I can?
-
wait for PCHelpman....
but like you say
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer24.zip[anne1@realmedia[1].txt]
Spyware:Cookie/Xmts Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer24.zip[anne1@xmts[1].txt]
Spyware:Cookie/go Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer27.zip[anne1@go[1].txt]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer27.zip[anne1@realmedia[1].txt]
can go, so I would delete Spybot 1.1 (it should be in "Add/Remove Programs" under "Control Panel"). If there is only one listing then uninstall the one that's there and, if need be, manually delete those folders above, then reinstall Spybot if it's gone totally.
I also missed this "LOP" infection
Adware:Adware/Lop Not disinfected C:\Program Files\free one junk\STARTBASH.exe
Ex forum ambassador
Long term forum member
-
Excellent LOP removal instructions here
Just noticed you have Messenger Plus which is the usual source of infection for LOP.
Just uninstall Messenger Plus in the normal way (Add/Remove Programs) then re-install. Read the install options very carefully. It will ask you whether or not you want to install the Adware. Click on 'NO'
Paytime removal here.
Also download and run CWS Shredder
TOG604!
-
Doh.... forgot to mention that one, saw it and meant to add it to the post.
Me stupid.
Ex forum ambassador
Long term forum member
-
Glad things are improving for you. That HJT log is clean.
However, the other scans have revealed malware that may not be effective any longer, but we should try and remove as much of it as possible.
In your travels around the online scans I hope you found the CoolWebShredder scan/remover. That was one of the main scans I needed you to run as it helps remove the LOP infection you had.
If you didn't manage to run CWShredder let me know.
Print this out so it is easier to follow the recommendations.
Before you do anything else go to this file...
C:\WINDOWS\tool2.exe
....and delete it IMMEDIATELY. Then empty your recycle bin.
This is the "Paymite-B Trojan". It lets attackers access your computer, steal passwords, internet banking and personal data.
Next .... check with all your online financial institutions by phone (not online) to ensure your money is safe.
CHANGE ALL SECURITY DETAILS, PASSWORDS ETC. IMMEDIATELY
Now at this point delete/purge all previous system restore points and create a new one. Just in case you need something to fall back on if it all goes awry again.
Update all MS from Windows Update……
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
Update your Spybot S&D. Scan with it and get it to fix any problems it finds.
Download Ad-aware SE here…
http://www.lavasoftusa.com/
Install it if you don't have it already. Make sure it's the newest version and check for any updates before running it.
……. & VX2 Cleaner…….
Go here… http://www.lavasoftusa.com/ to get the plug-in for fixing VX2 variants. To run this tool choose Software > Add-ons (left navigation bar) then select VX2 Cleaner.
Follow the instructions to run it. If your system is clean it will say “Status System Clean”. Otherwise, you will have to click on the Clean button to remove the VX2 infection.
Also make sure to customize the settings in Ad-aware for better scan results by reading the article here… http://www.greyknight17.com/spyware.htm#adware
Run the scan and fix everything that it finds.
This one...
C:\WINDOWS\SYSTEM32\ot.ico
....is related to the SpyAxe intruder.
Go here....
http://www.bleepingcomputer.com/forums/topic36868.html
…and run the initial short SpyAxe fix NOT the full Smitfraud fix.
IF still present go to these 4 files and carefully delete them (clean out your recycle bin after this list)...
C:\WINDOWS\SYSTEM32\paytime.exe
C:\WINDOWS\SYSTEM\rules.dat
C:\WINDOWS\country.exe
C:\WINDOWS\system32\hgqhp.exe
Try again to delete this folder now we have its full name (it's related to the LOP infection)...
C:\Program Files\free one junk
Go to Add/Remove Programs and see if it's still there. If so then uninstall it.
Clean out cookies by going to this folder....
C:\Documents and Settings\Anne1\Cookies\
...and deleting all the contents
Housecall detections:
Both relate to much older versions of MS Office programs. Are you using any? Check out these articles and install patches as necessary.
MS01-028 - RTF Document linked to template can run macros without warning
http://www.microsoft.com/technet/security/bulletin/MS01-028.mspx
MS00-034 Office 200 UA Control Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-034.mspx
Again, run both Panda Activescan and TM's Housecall scans again. Post the results of the scans AND a new HJT log.
ALSO ... as always ... please update us on how your PC is behaving now.
EDIT Forgot one thing. Please go here….
http://virusscan.jotti.org/
....click the "browse" button and browse to……
C:\WINDOWS\notepad.exe
….then click the "submit" button to upload the file.
Post back the results to this thread.
-
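As an added example (not code from this thread or from HijackThis itself), a small Python script that parses HijackThis item lines and reports two things a defender checks first in a log like the one posted above: O17 NameServer entries that point at resolvers outside an expected set, and O18/O20 hooks marked "(file missing)". The sample log is constructed in the v1.99 line format, reusing the resolver addresses from the posted log; EXPECTED_RESOLVERS is a hypothetical allow-list that a user would replace with their own ISP's or router's addresses.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in HijackThis v1.99 line format; the O17 resolver
# addresses are the ones that appear in the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thedibb.co.uk
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{A59F2033-0BE0-405F-983A-EFA1E725720C}: NameServer = 85.255.113.148,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F8263C-E238-4394-973D-F59D47C84F7C}: NameServer = 85.255.113.148,85.255.112.20
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Hypothetical allow-list: the resolvers this network is expected to hand out
# (the router, or the ISP's published servers). Anything else is reported.
EXPECTED_RESOLVERS = [ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")

def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HJT item line."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("section"), m.group("body")))
    return items

def unexpected_nameservers(items, allowed=EXPECTED_RESOLVERS):
    """Resolver IPs from O17 entries that fall outside the allow-list."""
    bad = set()
    for section, body in items:
        m = O17_RE.search(body) if section == "O17" else None
        if not m:
            continue
        for addr in m.group("servers").split(","):
            ip = ip_address(addr)
            if not any(ip in net for net in allowed):
                bad.add(addr)
    return sorted(bad)

def missing_file_entries(items):
    """Hooks whose target file no longer exists: orphan entries safe to clean."""
    return [(s, b) for s, b in items if b.endswith("(file missing)")]
```

Every NameServer reported by unexpected_nameservers should be compared with what the ISP or router actually hands out before anything is changed.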
use windows explorer to navigate to the file and delete it manually
if it will not let you then download Killbox
http://www.softpedia.com/get/Security/Secure-cleaning/Pocket-Killbox.shtml
and copy the path into Killbox and let it deal with it.
Ex forum ambassador
Long term forum member
-
I manually found toolbar.exe and tool1.exe through to tool5.exe, all installed on the same date. Have put all in the recycle bin but wanted to check before deleting.