
Help With Virus Please !!!


Comments

  • Browntoa
    Browntoa Posts: 49,620 Forumite
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} -

    seems to suggest

    Troj/Zlob-JO

    http://www.sophos.com/virusinfo/analyses/trojzlobjo.html

    under advanced tab

    Troj/Zlob-JO is a Trojan for the Windows platform.
    When Troj/Zlob-JO is installed the following files are created:
    <System>\hp[random].tmp
    <System>\simpole.tlb
    <System>\stdole3.tlb
    The file hp[random].tmp is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(b0398eca-0bcd-4645-8261-5e9dc70248d0)
    HKCR\CLSID\(B0398ECA-0BCD-4645-8261-5E9DC70248D0)
    Troj/Zlob-JO changes Start Page and search settings for Microsoft Internet Explorer by modifying values under:
    HKCU\Software\Microsoft\Internet Explorer\Search\
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    Registry entries are set as follows:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(b0398eca-0bcd-4645-8261-5e9dc70248d0)\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(b0398eca-0bcd-4645-8261-5e9dc70248d0)\(default)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
    dcomcfg.exe
    dcomcfg.exe

    Have you run Norton in safe mode yet??
    Ex forum ambassador

    Long term forum member
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    That 017 entry looks OK. I've done a little more investigating. It's from Energis in Leeds, one of the companies linked to wanadoo but routed through RIPE. No need to change anything there but I am surprised wanadoo didn't know and were unable to help you!

    Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

    You are not running HijackThis from a permanent location. Please move the folder to a permanent place on your hard drive such as C:\HJT. This will ensure that any backups made are not lost.


    Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


    I can't see an about:blank infection but, nevertheless, download CWShredder here…..

    http://downloads.subratam.org/CWShredder.exe.

    Run it and instruct it to “fix” anything it finds.


    Download AboutBuster here….. http://www.malwarebytes.org/AboutBuster.zip ... and unzip it to a folder on your Desktop. Do not run it yet.


    Download CleanUp! here….. http://www.cleanup.stevengould.org/ .......

    *WARNING* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have a 64 bit Operating System (unlikely) do NOT run CleanUp! and let me know, as we will use another utility.

    Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.


    Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).


    Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time)..........

    C:\WINDOWS\system32\atmclk.exe

    C:\WINDOWS\system32\dcomcfg.exe



    Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE186.tmp

    O3 - Toolbar: (no name) - !!014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

    O4 - HKLM\..\Run: [gCac] C:\WINDOWS\gcac.exe


    Please remember to close all other windows, including browsers, before clicking “Fix checked”.


    Delete the following Files indicated in bold IF they still exist:

    C:\WINDOWS\system32\atmclk.exe

    C:\WINDOWS\system32\dcomcfg.exe

    C:\WINDOWS\system32\hpE186.tmp

    C:\WINDOWS\gcac.exe

    If you get an error when deleting a file right click on the file and click once on properties.

    Then check to see if the Read Only attribute is checked/ticked. If it is uncheck/untick it and try deleting the file again.


    Run AboutBuster and follow the screen prompts to scan……..

    >Start it and press the OK button.
    This program is updated often so you should always use the built in update feature before you scan.
    >Hit the update button and a new screen will appear.
    >On that screen press the Check for Updates button.
    >If it says it found an update press Download Updates.
    >Otherwise the program will automatically tell you that it could not find an update. It will exit the update screen.

    Press the Start button to scan your machine then press OK. The program should start scanning. When it is done press the exit button and reboot. Once rebooted run AboutBuster one more time.

    Save the logs and post them both in your next post here.


    Reboot your System in normal mode.

    If you have a fast internet connection (Broadband) run online scans here….

    http://www.pandasoftware.com/activescan/

    …and here…..

    http://housecall.trendmicro.com.

    When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

    Once it has finished save the Activescan log. Then post that log in your next post.

    Please run ALL the free scans offered by Housecall.

    Make sure they both perform full system scans.

    If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details back to this thread.

    Please post the following (perhaps in separate posts) .....

    > aboutbuster logs

    > details of anything Panda Activescan or Housecall didn't clean

    > a fresh HijackThis log so that we can check if your system is clean.

    MOST IMPORTANTLY…..

    Please also give us an update on how your system is operating now.
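    The registry locations and file checks in the steps above can be reviewed in one pass before anything is fixed. The following PowerShell script is an added example for this thread, not code from pchelpman or from HijackThis: it lists every Browser Helper Object (resolving the CLSID to its DLL via HKCR\CLSID\{...}\InprocServer32), every Run and Policies\Explorer\Run value, and the IE Start Page, and for each image reports whether the file exists, who the version resource says made it, and whether its Authenticode signature is valid. A .tmp registered as a COM server, a missing file or an unsigned image is marked Suspect, mirroring what the O2/O4 entries above look like. It assumes Windows PowerShell 5.1 or later run elevated on the affected machine, and it only reports; it does not delete or fix anything.

```powershell
# Added example, not code from the thread: a read-only audit of the
# persistence locations the cleanup steps above target (IE Browser Helper
# Objects, Run / Policies\Explorer\Run keys and the IE Start Page).
# Assumptions: Windows PowerShell 5.1 or later, run elevated on the
# affected machine. It reports; it does not delete anything.

function Get-FileTrust {
    # Summarise whether an image file exists, who claims to have made it,
    # and whether its Authenticode signature checks out.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) {
        return 'MISSING'
    }
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $company = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName
    if (-not $company) { $company = '(no company)' }
    return "$($sig.Status) / $company"
}

function Test-SuspectImage {
    # Heuristics drawn from the thread: a .tmp registered as a COM server,
    # a missing file, or an image whose signature is not Valid.
    param([string]$Path, [string]$Trust)
    return ([string]::IsNullOrWhiteSpace($Path) -or
            $Path -match '\.tmp$' -or
            $Trust -notmatch '^Valid')
}

function Get-BhoReport {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            # The BHO key only lists the CLSID; the DLL path is the default
            # value of HKCR\CLSID\{clsid}\InprocServer32.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = ''
            if (Test-Path $server) {
                $dll = [string](Get-ItemProperty -Path $server).'(default)'
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
            }
            $trust = Get-FileTrust $dll
            [pscustomobject]@{
                Source  = 'BHO'
                Name    = $clsid
                Path    = $dll
                Trust   = $trust
                Suspect = Test-SuspectImage $dll $trust
            }
        }
    }
}

function Get-RunKeyReport {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
            $cmd = [string]$p.Value
            # Image path: a quoted path, or the first token before any arguments.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $trust = Get-FileTrust $exe
            [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Path    = $exe
                Trust   = $trust
                Suspect = Test-SuspectImage $exe $trust
            }
        }
    }
}

function Get-IeStartPage {
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (Test-Path $main) { return (Get-ItemProperty -Path $main).'Start Page' }
}

$report = @(Get-BhoReport) + @(Get-RunKeyReport)
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
"IE Start Page: $(Get-IeStartPage)"
```

    Run it once before the fixes and once after; an entry that is still Suspect after the reboot is the one to paste back into the thread. Legitimate but unsigned third-party programs will also show up as Suspect, so the column is a prompt to look closer, not a verdict.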
  • I have done a scan with Norton in safe mode. I am not at all sure how to do some of the things you ask, sorry. Putting HijackThis into a permanent place?? How do I do this? I have downloaded and run the shredder, but the step about 64 bit and deleted files kinda makes me nervous as I am again not sure what that means. I apologise for my ignorance.
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    Don't apologise for anything. We'll do all we can to help.
    I have done a scan with Norton in safe mode.
    Hopefully it went OK, yes?
    Putting HijackThis into a permanent place?? How do I do this?
    Go to where your HJT folder is at the moment ... here ... Desktop\Unzipped files\HijackThis.exe.

    Just left click on the folder and HOLD the mouse button down. Drag the folder over to the C: drive and "drop" it there (i.e. let go the mouse button). That will put the folder on the C: drive and keep it safe.
    I have downloaded and run the shredder, but the step about 64 bit and deleted files kinda makes me nervous as I am again not sure what that means. I apologise for my ignorance.
    Shredder is nothing to do with the "64 bit" issues. They are two separate tasks.

    Run CWShredder first and have it fix all it finds.

    It's CleanUp! that's affected by 64 bit systems but don't worry about this over much.

    Unless you spent over £300 for the processor alone and it was within the last 6 months you are running a 32 bit system. 64 bit systems are rare and expensive at this point in time. Additionally they have limitations. However, if you want to be sure then check your version of Windows in "System Properties". If it doesn't say Windows XP 64 bit edition then you are running 32 bit.

    To sum it up I would guess you are almost definitely running a 32 bit system.

    If there are any other steps you don't know how to run just ask but I have laid out the procedure in (hopefully) an easy-to-follow style. Print it out and work through it steadily and carefully. Take your time. Don't worry ... you will get there in the end.
  • I have followed your steps and am stuck. When I open the HijackThis file in safe mode and open process manager, the files that show are as follows:
    C:\windows\system32\sms.exe 136
    C:\windows\system32\winlogon.exe 208
    C:\windows\system32\explorer.exe 776
    C:\windows\system32\services.exe 252
    C:\windows\system32\isass.exe 264
    C:\windows\system32\svchost.exe 412
    C:\windows\system32\svchost exe 516
    C:\programfiles\microsoftoffice\office\wincard.exe 920
    C:\documentsandsettings\desktop\unzipwizzard\hijackthis.exe 1104

    Which ones do I delete??? As they are not on your thread.
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    Please read my advice carefully.

    I did not say to delete anything with HJT process manager. The process manager is only there to stop processes running (in a special way).

    If the two processes I mention are not in the list then you don't need to "stop" them. Only stop/delete files/folders I mention IF they are present. Booting to safe mode does stop some bad processes running.

    However, you have referred to C:\windows\system32\sms.exe and C:\windows\system32\isass.exe. Did you retype these manually or use "copy & paste"?

    If the files definitely have those exact names then you may need to stop them. The first could be a trojan and the second a virus.

    BUT BEFORE you do anything else please go to each of these files, right click on them and check "Properties". If they are bad they will not say "Microsoft". Let me know what they say and the "creation date" of each.
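    The check pchelpman asks for (publisher, creation date, and whether the name really is the Windows one) can be done for every running process at once rather than file by file. The script below is an added example written for this thread, not code from the poster or from HijackThis. For each process it reads the image's CompanyName, creation time and Authenticode signature status, reports a core Windows name that is running from somewhere other than its expected directory, and flags any process whose name is one character away from a core Windows process name, so that a typed "isass.exe" beside lsass.exe or "sms.exe" beside smss.exe stands out. It assumes Windows PowerShell 5.1 or later run elevated, and it only reports; it stops nothing.

```powershell
# Added example, not code from the thread: check every running process's
# image the way the post above does by hand (publisher, creation date,
# signature, location) and flag names that are one character off a core
# Windows process name. Assumptions: Windows PowerShell 5.1 or later, run
# elevated so process paths are readable. Read-only; it stops nothing.

$KnownSystemImages = @('smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe',
                       'services.exe', 'lsass.exe', 'svchost.exe', 'explorer.exe')

function Get-EditDistance {
    # Levenshtein distance between two strings; 1 means a single character
    # was added, dropped or swapped.
    param([string]$A, [string]$B)
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Get-ImageNotes {
    # Reasons a process image deserves a closer look, as one line of text.
    param([string]$Name, [string]$Path)
    $notes  = @()
    $sys32  = [Environment]::GetFolderPath('System')    # e.g. C:\WINDOWS\system32
    $winDir = [Environment]::GetFolderPath('Windows')
    if ($KnownSystemImages -contains $Name) {
        $expected = if ($Name -eq 'explorer.exe') { $winDir } else { $sys32 }
        if ($Path -and ((Split-Path -Parent $Path) -ne $expected)) {
            $notes += "core Windows name running from outside $expected"
        }
    } else {
        foreach ($k in $KnownSystemImages) {
            if ((Get-EditDistance $Name $k) -eq 1) { $notes += "one character off $k" }
        }
    }
    return ($notes -join '; ')
}

function Get-ProcessImageReport {
    foreach ($p in Get-Process) {
        $name = ($p.ProcessName + '.exe').ToLower()
        $path = $p.Path             # $null for protected/system processes
        $company = ''; $signature = 'n/a'; $created = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $item      = Get-Item -LiteralPath $path
            $company   = $item.VersionInfo.CompanyName
            $created   = $item.CreationTime
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [pscustomobject]@{
            Id        = $p.Id
            Name      = $name
            Path      = $path
            Company   = $company
            Signature = $signature
            Created   = $created
            Notes     = Get-ImageNotes $name $path
        }
    }
}

Get-ProcessImageReport |
    Sort-Object { $_.Notes.Length } -Descending |
    Format-Table Id, Name, Company, Signature, Created, Notes -AutoSize
```

    Rows with a non-empty Notes column float to the top. On 64-bit Windows the 32-bit copies of svchost.exe and friends run from SysWOW64 and will be noted as "outside system32"; that is a prompt to confirm the path, not a finding in itself. A lookalike name with a Microsoft CompanyName and a Valid signature is almost certainly a typo in the list rather than a second binary, which is exactly the question pchelpman is asking.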
  • Lob_Rockster
    Lob_Rockster Posts: 225 Forumite
    pchelpman wrote:
    That address goes back to the RIPE organisation in Holland. As anyone here will tell you I don't like RIPE but there may not be anything wrong with it. It needs to be checked out.

    Who is your ISP? Have you anything to do with RIPE? If not, you should check with your ISP to see if this address means anything to them. Let me know what they say.
    The IP address is actually in a range for MCI Deutschland aka www.verizonbusiness.com/de - as it's been mentioned before, RIPE is not an ISP, it is a European technical party for internet, including address ranges: http://en.wikipedia.org/wiki/RIPE :confused:

    With regards to the cleanup, you seem to be doing ok - but see this as a testament to windows running with administrator rights by default. The HJT log is upsetting me and that's without the malware entries! :eek:
    In the United Kingdom 200,000 people are bitten by dogs every year and some people will die as a result. Of those bitten, 70% are children... So the question has to be asked....... Has the time come to ban children?
  • Sorry pchelpman, I didn't mean delete, I meant kill. I am following your instructions carefully; I am not doing bad for a girl!! Those programs come back as follows.

    smss.exe was created on 31/3/03, modified 04/8/04, copyright Microsoft Corp.
    Its description is Windows NT Session Manager.

    isass.exe was created and modified as above, with the same copyright. Its
    description is LSA SHELL (export version).
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    Fair enough.;) And don't let your gender get in the way. I know plenty of girls much more expert than me in "things IT".

    Don't stop either of those processes at the moment and, as neither of those other two processes were running either, then you don't need to try and "stop" them.


    Please go back to my post 23 and work through the steps but IGNORING this "kill processes" section ....

    Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time)..........

    C:\WINDOWS\system32\atmclk.exe

    C:\WINDOWS\system32\dcomcfg.exe


    Post back results as asked previously.
  • I could not run the AboutBuster scan as it is zipped and I can't unzip it. Will I have to cancel my online activities with e-bay and a poker site? I am worried now that people can see and access my accounts. Here are the results of the Panda scan:
    Incident Status Location

    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\ldE280.tmp
    Adware:adware/emediacodec Not disinfected c:\windows\system32\atmclk.exe
    Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
    Adware:adware/spywarequake Not disinfected c:\windows\system32\1024\ldD166.tmp
    Potentially unwanted tool:application/winantispyware2006 Not disinfected c:\program files\WinAntiSpyware 2006 Scanner
    Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\MySearchToolbar.MyWayPluginNetscapeStartup
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\******\Cookies\**********@as-us.falkag[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\******\Cookies\**********@questionmarket[2].txt
    Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\1024\ldF34C.tmp
    Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\hpE186.tmp
    Adware:Adware/Puper Not disinfected C:\WINDOWS\system32\regperf.exe

    Housecall found and deleted some viruses but couldn't delete the following:
    TROJ_SE.137523
    BHO_SE.122216

    ASP.NET PATH VALIDATION VULNERABILITY(887219)



    ***Boardguide comment***
    Poster's name removed