HijackThis log

Comments

  • Yes, you got it right that time.

    We've had a closer look at the files and you have a file infecting virus which has infected thousands of legitimate files on your machine. At present there are only a few anti-virus programs which detect this exploit and even fewer which can actually "disinfect" the files. The programs which cannot disinfect will delete the files altogether, leaving you with a lot of damaged programs. As such we need to be careful how we deal with it. Luckily, Kaspersky AV is one of the few which WILL disinfect the files (I have Kaspersky myself and have tested it). Once disinfected, the files you uploaded come out clean when rescanned on VirusTotal.com.

    So we need to install the trial version of Kaspersky Anti-Virus 7.0 to deal with this problem. Before you do though you MUST uninstall Avast AV or conflicts will arise. You also need to uninstall Comodo Firewall as that program isn't compatible with Kaspersky.

    Reboot after uninstalling the above.


    Copy the next set of instructions to notepad or print them out for easy reference.

    Download the Trial version of Kaspersky Anti-Virus 7.0.1.325 to your desktop.

    Double-click the Kaspersky installation file on your desktop. Accept the license agreement and select the Express Installation when prompted.

    Once installed, the setup wizard will prompt you to "Activate" the program.

    Please select "Activate Trial Version" and click Next and Next again once activated.

    Click Finish to complete installation and restart the machine.

    Upon restart, Kaspersky will prompt you to update the definitions, please do so.

    Once updated, double-click the Kaspersky icon near your clock to open the General User Interface (GUI).

    Click the green Scan bar on the left and place a check in My Documents, Mailboxes and all available drives.

    Now click Settings under the "Start scan" section to configure Kaspersky. This is important as we need to configure Kaspersky to disinfect rather than delete the infected files.

    In the middle of the configuration window, select "Do not prompt for action" and remove the check from "Delete if disinfection fails" (leaving "Disinfect" checked). Click Apply then OK.

    Now click "Start scan" and the scan will begin.

    Please be patient as it may take a long time depending on the size of your hard drive.

    When the scan is finished, return to the General User Interface and click the green "Reports and data files" bar.

    Then click Reports, highlight the last scan results and click the Details button.

    Now click the Action button and select "Save as" from the context menu which appears.

    Save the report to your desktop with a suitable name and email the results as before.

    Post a fresh HJT log when done and an update on the machine's performance.
  • Hi.
    Scan completed, but the report is large, too big to email to you. In brief: scanned 261676, detected 2317, untreated 64.
    "Imagination is more Important than knowledge"
  • New HJT log.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:13:28, on 29/02/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\Gizmo5\mDNSResponder.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\gearsec.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\Tablet.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Magitime\magitime.exe
    C:\Program Files\Comodo\VEngine\VEngine.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Software by Design\Calendar.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\explorer.exe
    C:\unzipped\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: ESigil Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [Magitime] C:\Program Files\Magitime\magitime.exe
    O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [SplitCam] C:\Program Files\SplitCam\SplitCam.exe /play
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: GetMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINNT\system32\shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo5\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

    --
    End of file - 8480 bytes
    "Imagination is more Important than knowledge"
  • Open HijackThis and place a check before the following entries:

    O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)

    Close any open browsers and click Fix Checked on HJT.

    I need to see those scan results. Can you zip the txt file up and send it to me via a chat program such as Windows Live Messenger if I pm you my address?

    EDIT: Please upload the results here and give me the link:

    http://rapidshare.com/
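The reasoning the helper applies to the log above can be partly mechanised. The following is an added example, not code from this thread, from HijackThis or from any of the products named in it: a small Python parser for the O4 (autorun) and O23 (service) lines of an HJT log. It flags the two properties that make the perfmons entry stand out, a service whose binary is missing from disk and whose owner is unknown, and additionally flags autorun values that name a bare executable rather than a drive-qualified path. The sample input is an excerpt of the posted log, embedded inline so the script runs offline; the regular expressions, the `Finding` class and the "bare filename" heuristic are this example's own assumptions about the log format, not documented HJT behaviour. The leftover Comodo entry the helper also ticked is a context judgement (the firewall had just been uninstalled) that a parser cannot make.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the HijackThis log posted in this thread (O4 autorun and
# O23 service lines only); the remaining sections are ignored by this parser.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
"""

# Assumed shape of a registry-based O4 line:
#   O4 - <hive>\..\Run: [<value name>] <command> (User '<user>')
# Startup-folder O4 lines ("O4 - Startup: ...") have a different shape and are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Assumed shape of an O23 line:
#   O23 - Service: <display name> (<short name>) - <company> - <binary path> (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - "
    r"(?P<company>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A drive-qualified path to an executable image, optionally wrapped in quotes.
ABS_PATH_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd|ocx))"?(?=\s|,|$)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str    # "O4" or "O23"
    name: str    # autorun value name or service display name
    target: str  # command line or service binary path
    reason: str


def autorun_finding(m: re.Match) -> Optional[Finding]:
    """Flag autorun commands that give no drive-qualified path: Windows then
    resolves the bare name through its search order instead of a fixed file."""
    cmd = m.group("cmd")
    if ABS_PATH_RE.match(cmd):
        return None
    return Finding("O4", m.group("name"), cmd,
                   "command has no drive-qualified path; resolved via the search order at logon")


def service_finding(m: re.Match) -> Optional[Finding]:
    """Flag services whose binary is gone and/or whose publisher is unknown."""
    reasons = []
    if m.group("missing"):
        reasons.append("service binary is missing from disk")
    if m.group("company").strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the service")
    if not reasons:
        return None
    return Finding("O23", m.group("display"), m.group("path"), "; ".join(reasons))


def analyse(log_text: str) -> List[Finding]:
    """Return the O4/O23 entries of an HJT log worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            f = autorun_finding(m)
        else:
            m = O23_RE.match(line)
            f = service_finding(m) if m else None
        if f:
            findings.append(f)
    return findings


def flagged_names(log_text: str) -> List[str]:
    return [f.name for f in analyse(log_text)]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.target}\n    -> {f.reason}")
```

Run against the excerpt, the script reports perfmons (missing binary, unknown owner) and three bare-filename autoruns (mobsync.exe, Logi_MwX.Exe, internat.exe); the Kaspersky, Comodo and Wacom entries pass because they are drive-qualified and, for the services, have a named publisher and a present binary. The bare-filename flag is a prompt for a closer look, not a verdict: mobsync.exe and internat.exe are ordinary Windows components, which is exactly why a human still reads the list.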
  • letsbehonest
    Hi.
    Not having a lot of luck: Rapidshare loads the file but does not send a URL.
    I have zipped the file (1.7 meg) but it will not email (?). I do not have Live Messenger; O/S Win 2K.
    "Imagination is more Important than knowledge"
  • Try uploading the text file (unzipped). It works for me.
  • letsbehonest
    Again, many thanks for your help, but in the light of the infections you mentioned I have decided on a clean install; this will (should) solve the problems.
    "Imagination is more Important than knowledge"
  • letsbehonest
    Could you tell me what the virus was that infected all those files?
    regards
    "Imagination is more Important than knowledge"
    Sometimes a reinstallation is the quickest way forward, especially in light of the problems we were having posting the various log files. To be honest, if my machine was that infected I'd have formatted myself. Considering this beastie was new with little 3rd party anti-virus detection, who knows what other damage had been done. The trojan itself was infecting various file extensions such as htm, html and asp. The reason for such widespread infection is at the moment unknown to me, but I'm sure someone will pull apart the files which you uploaded and get to the bottom of it. One thing's for sure, the samples you uploaded have been distributed to a myriad of anti-virus vendors and will help protect others from the same fate as you were ultimately destined for, so although it's of little consolation, you have helped others in the future.

    I'm glad to see you've opted for Kaspersky anti-virus. A program like this is a must especially for those who dabble in a little file sharing. You have to be so careful these days and in the main, free anti-virus software just doesn't afford the same protection and detection as programs like Kaspersky and NOD32 from Eset. For what it's worth, I occasionally scan with SUPERantispyware, Malwarebytes' Anti-Malware and have SpywareBlaster in the background blocking malicious activeX and cookies.

    Stay safe my friend.

    AS
  • letsbehonest
    Alfonso.
    Again, my thanks for the additional info (I have learned).
    live long and prosper.
    regards
    "Imagination is more Important than knowledge"