.IST Removal HJT Log


19 replies to this topic

#1 mabbutt

    Member

  • Members
  • 22 posts

Posted 04 October 2005 - 05:15 AM

Hi

I have been having trouble with the .IST virus. I have removed it using the Microsoft Spyware Beta 1 program. Each time it says that it has removed it and I reboot. However, it then constantly tries to re-install itself.

Also when I connect to the internet the homepage loads with a porn site. I have changed the default in IE but it still loads this page.

Also an Office 2000 install keeps popping up which I would like to get rid of.

My log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:46, on 04/10/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\steam.exe
C:\dsonic.exe
C:\luxor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\lsevyin.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\180searchassistant\sais.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\System32\updates.pif

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
R3 - Default URLSearchHook is missing
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [steam] steam.exe
O4 - HKLM\..\Run: [REGRUN] C:\dsonic.exe
O4 - HKLM\..\Run: [lux] C:\luxor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [System Updates Service] updates.pif
O4 - HKLM\..\Run: [M7Bhp56G3] C:\WINNT\lsevyin.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [ghkvkd] C:\WINNT\ghkvkd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [steam] steam.exe
O4 - HKLM\..\RunServices: [System Updates Service] updates.pif
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [System Updates Service] updates.pif
O4 - HKCU\..\RunServices: [System Updates Service] updates.pif
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE



Any help is greatly appreciated !!

#2 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 05 October 2005 - 08:44 AM

Hello and welcome to the forum. You have a pretty good mess on this computer and it is going to take some time and effort to clean it up. If you wish to do this then follow my directions in the posted order.

1) Move HJT off the Desktop, I suggest here: C:\HJT\HijackThis.exe. If you need more information then use this link: http://russelltexas....tehjtfolder.htm Please do this before you proceed.

2) Download, update and run Stinger from here: http://vil.nai.com/vil/stinger/ Please post the names of any worms Stinger removes.

3) Read, download and run this removal tool: http://securityrespo...valinstructions

4) Read, download and run this removal tool: http://securityrespo...valinstructions

5) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

6) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

7) Ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

8) MAS will block the HJT fix, do this:
Open Microsoft AntiSpyware Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

9) Look in Add Remove programs and uninstall any of these that are there: SurfAccuracy, 180searchassistant, ISTsvc
Now open your Task Manager and end task on the above three and these if there:

C:\dsonic.exe
C:\luxor.exe
C:\WINNT\lsevyin.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\180searchassistant\sais.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\System32\updates.pif


Some items may no longer be there after the tools were run; just don't miss any.

10) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [steam] steam.exe
O4 - HKLM\..\Run: [REGRUN] C:\dsonic.exe
O4 - HKLM\..\Run: [lux] C:\luxor.exe
O4 - HKLM\..\Run: [System Updates Service] updates.pif
O4 - HKLM\..\Run: [M7Bhp56G3] C:\WINNT\lsevyin.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [ghkvkd] C:\WINNT\ghkvkd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [steam] steam.exe
O4 - HKLM\..\RunServices: [System Updates Service] updates.pif
O4 - HKCU\..\Run: [System Updates Service] updates.pif
O4 - HKCU\..\RunServices: [System Updates Service] updates.pif
(next two, if you don't use the Alexa toolbar, remove these resource wasters)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
(if you don't want this as your Startpage check and remove it)
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

11) SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

steam.exe >>> file (search for and delete this item)

C:\dsonic.exe >>> file

C:\luxor.exe >>> file

C:\Program Files\ISTsvc\ >>> folder

C:\Program Files\Power Scan\ >>> folder

c:\program files\180searchassistant\ >>> folder

C:\Program Files\SurfAccuracy\ >>> folder

C:\WINNT\System32\updates.pif >>> file

C:\WINNT\ghkvkd.exe >>> file

C:\WINNT\lsevyin.exe >>> file

C:\Windows\Prefetch: Locate this folder and delete all of the contents (NOT THE FOLDER). This information will tell you more about Prefetch:
http://www.windowsne...refetch-XP.html


12) Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have. Please include any information I asked for above, and we will see where we are.

Thanks...pskelley
Trusted HJT Advisor
PCPitStop forum
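
The triage pskelley does by hand in post #2 (picking out the RunServices, .pif, drive-root and fix-list autoruns, the dead toolbar, and the untrusted Trusted Zone/DPF hosts) written out as an added Python example; it is not code from the thread or from HijackThis. The sample log lines are constructed from entries quoted above, and the fix-list lookup and host allowlist are assumptions for this example.

```python
"""Triage HijackThis 1.99.1 log entries with the reasoning the helper applied in this thread.

Added example, not code from the thread or from HijackThis. Rules encode the review logic
above: Windows 2000 never reads RunServices keys, .pif autoruns and executables in the drive
root are dropper behaviour, '(file missing)' toolbars and '(no file)' BHOs are dead clutter,
Trusted Zone / DPF hosts outside Microsoft need review, and fix-list filenames are known bad.
"""
import re

# Filenames copied from the fix list in post #2 (constructed lookup, not a real IoC feed).
# steam.exe is left out: the name collides with a legitimate product; Stinger caught it by signature.
KNOWN_BAD_FILES = {
    "dsonic.exe", "luxor.exe", "updates.pif", "lsevyin.exe", "ghkvkd.exe", "powerscan.exe",
    "sais.exe", "istsvc.exe", "sacc.exe", "istbarcm.dll", "saishook.dll",
}
# Assumed allowlist for O15/O16 hosts; extend it for your own environment.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msn.com")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|pif|com|bat|scr|cmd|vbs|dll))\b', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)")

# Constructed sample: entries quoted from the two logs in this thread, plus benign ones.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [REGRUN] C:\dsonic.exe
O4 - HKLM\..\Run: [System Updates Service] updates.pif
O4 - HKLM\..\Run: [M7Bhp56G3] C:\WINNT\lsevyin.exe
O4 - HKLM\..\RunServices: [steam] steam.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
"""

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def executable_of(cmd: str) -> str:
    """First program path in an autorun command, tolerating quotes and unquoted spaces."""
    m = EXE_RE.match(cmd)
    return m["exe"] if m else cmd.split(" ", 1)[0]

def is_trusted_host(text: str) -> bool:
    """True when the first URL in the entry points at an allowlisted host."""
    m = HOST_RE.search(text)
    host = m.group(1).lower() if m else ""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)

def triage_line(line: str) -> list:
    """Reasons an HJT entry deserves attention; an empty list means nothing was flagged."""
    reasons = []
    if line.startswith("O4 - "):
        m = O4_RE.match(line)
        if not m:                      # Global Startup entries are not modelled here
            return reasons
        exe = executable_of(m["cmd"])
        if m["key"].startswith("RunServices"):
            reasons.append("RunServices is a Win9x key that NT/2000 never runs; only malware writes it")
        if exe.lower().endswith(".pif"):
            reasons.append("autorun via .pif shortcut")
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
            reasons.append("executable dropped in drive root")
        if basename(exe) in KNOWN_BAD_FILES:
            reasons.append("filename on the fix list")
    elif line.startswith("O3 - ") and line.endswith("(file missing)"):
        reasons.append("toolbar DLL missing: dead entry left behind by adware")
    elif line.startswith("O2 - ") and line.endswith("(no file)"):
        reasons.append("BHO with no file: clutter, safe to remove")
    elif line.startswith(("O2 - ", "O3 - ")) and basename(line.split(" - ")[-1]) in KNOWN_BAD_FILES:
        reasons.append("browser helper or toolbar DLL on the fix list")
    elif line.startswith(("O15 - ", "O16 - ")) and not is_trusted_host(line):
        reasons.append("Trusted Zone / ActiveX download host is not allowlisted")
    elif line.startswith("R3 - ") and "missing" in line:
        reasons.append("URLSearchHook removed or hijacked")
    return reasons

def triage_log(text: str) -> dict:
    """Map each flagged entry to its reasons, in log order."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

On the constructed sample, ten of the thirteen entries are flagged; the Radio toolbar, tp4mon.exe and internat.exe pass, matching what the helper left alone.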

#3 mabbutt

    Member

  • Members
  • 22 posts

Posted 05 October 2005 - 12:33 PM

Hi, thank you for taking the time to give me this advice. I am going to follow each step and will post a new log once I have completed it. Just wanted to let you know I will post asap when it is all done !!!

#4 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 05 October 2005 - 12:42 PM

OK...as I said there is a lot of bad stuff to remove. This is not something you should rush. Do the steps in order and post questions if you have them. You can also send me a PM at the bottom of the page if you have a question. These steps will remove most if not all of the bad stuff. When you finish I will need two logs:

a new HJT log and the Ewido scan results


Thanks...Phil

#5 mabbutt

    Member

  • Members
  • 22 posts

Posted 06 October 2005 - 05:42 AM

Hi

OK here is what the results of the scans were and the new HJT log.

I will try and keep it as neat as possible.



McAfee AVERT Stinger Version 2.5.6 built on Aug 16 2005

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Aug 16 2005.

Ready to scan for 54 viruses, trojans and variants.



Scan initiated on Wed Oct 05 18:47:12 2005

C:\WINNT\System32\steam.exe

Found the W32/Sdbot.worm.gen.h virus !!!

C:\WINNT\System32\steam.exe could not be repaired.

C:\WINNT\system32\i

Found the W32/Sdbot.worm!ftp virus !!!

C:\WINNT\system32\i has been deleted.

C:\WINNT\system32\steam.exe

Found the W32/Sdbot.worm.gen.h virus !!!

C:\WINNT\system32\steam.exe could not be repaired.

C:\WINNT\system32\TFTP1076

Found the W32/Sdbot.worm.gen.h virus !!!

C:\WINNT\system32\TFTP1076 has been deleted.

C:\WINNT\system32\TFTP2500

Found the W32/Sdbot.worm.gen.h virus !!!

C:\WINNT\system32\TFTP2500 has been deleted.

Number of clean files: 117617

Number of infected files: 5

Number of files deleted: 3

################################################

Symantec Adware.180Search and Adware.NCase Removal Tool 1.0.5

Adware.180Search and Adware.NCase have not been found on your computer.

################################################

Symantec Adware.Istbar / Trojan.ISTsvc Removal Tool 1.1.0


registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Policies\Avenue Media (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media (key deleted)
registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping: {10E42047-DEB9-4535-A118-B3F6EC39B807} (value deleted)
registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Internet Explorer\Main: BandRest (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: BandRest (value deleted)

process: IEXPLORE.EXE (terminated)

C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\istactivex.dll: (deleted)
C:\Program Files\Microsoft AntiSpyware\Quarantine\EF451443-B69A-4016-ABA0-302878\3E6B0D64-1E6A-40BD-AC68-021817: (deleted)
C:\System Volume Information: (not scanned)

registry: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main: Start Page (value set to "about:blank")
registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Internet Explorer\Main: Start Page (value set to "about:blank")
Adware.Istbar has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 27601
The number of deleted files: 2
The number of threat processes terminated: 0
The number of other processes terminated: 1
The number of registry entries fixed: 11

#################################################

Ad-Aware SE Build 1.06r1
Logfile Created on:05 October 2005 21:41:42
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R68 28.09.2005


References detected during the scan:

180Solutions(TAC index:6):2 total references
Alexa(TAC index:5):9 total references
ClickSpring(TAC index:6):4 total references
Hijacker.TopConverting(TAC index:5):1 total references
istbar(TAC index:7):6 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Tracking Cookie(TAC index:3):6 total references
Zango(TAC index:6):4 total references
ZyncosMark(TAC index:3):2 total references


Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R68 28.09.2005
Internal build : 80
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 526954 Bytes
Total size : 1581029 Bytes
Signature data size : 1547745 Bytes
Reference data size : 32772 Bytes
Signatures total : 43961
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 753

###############################################

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:13:39, 06/10/2005
+ Report-Checksum: F3F0BE43

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
[972] C:\luxor.exe -> Backdoor.Agent.jo : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\4gNZcv.exe -> TrojanDownloader.IstBar.kp : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Del8.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\installer.exe -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\res9.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4VSFO5AX\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPAJOTER\0006_regular[1].cab/istactivex.dll -> TrojanDownloader.IstBar : Error during cleaning
C:\mt-uninstaller.exe -> Spyware.PurityScan.u : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\27B5CEB8-8C7E-4D8C-B0A8-4B345F -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\69198BE1-A055-4FF5-A5C2-DF161E -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\ABF7EC96-E142-49E3-9195-F0AB54 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\DBDEC2DA-D008-47CE-B956-D41898 -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\WINNT\system32\TFTP1056 -> Backdoor.Codbot.at : Cleaned with backup


::Report End


###################################

Logfile of HijackThis v1.99.1
Scan saved at 11:31:06, on 06/10/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\internat.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE


Well thats all of it. I hope that it all makes sense. I followed each step as you listed it and did not encounter any problems that I was aware of.

Thank you again for taking the time to help me !!

#6 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 06 October 2005 - 06:41 AM

I first want to say that you did an excellent job of following and executing what were complex instructions :geezer: These worms sometimes cause changes on your computer that need to be repaired and the links may give you insight into how they got to you. Here are the ones you had, with the name Sophos calls them (others like McAfee may call them something else).
http://www.sophos.co...w32rbotajt.html
http://www.trendmicr...ROJ_LOWZONES.BW or
http://www.trendmicr...e=TROJ_AGENT.RD
http://www.sophos.co...w32rbotama.html The others were either adware installed by the trojans or would not identify. I hope this information helps you.

Here: C:\Program Files\Microsoft AntiSpyware\Quarantine\ check MAS to make sure the quarantine area is empty, delete anything in there.

C:\Documents and Settings\Administrator\Local Settings\Temp\ Don't forget bad cookies can hide here, you can delete anything in that TEMP folder (not the folder)

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPAJOTER\0006_regular[1].cab/istactivex.dll -> TrojanDownloader.IstBar : Error during cleaning. Check those TIF files and make sure nothing is in that folder.

Logfile of HijackThis v1.99.1 Scan saved at 11:31:06, on 06/10/2005

The first five lines that are R1/R0...any you don't use you can remove with HJT; not bad, just clutter.
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) is an old SpywareDoctor line that is also clutter and doing nothing. Remove with HJT.

Log is clean :woot: here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.net-in...?showtopic=3051
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Once again, great job and you should be running well. If you still have any malware issues, let me know; otherwise make sure you review the info from the experts about how to prevent this from happening again.

Cheers...Phil :)

Thanks...pskelley
Trusted HJT Advisor
PCPitStop forum
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

#7 mabbutt

    Member

  • Members
  • 22 posts

Posted 06 October 2005 - 10:51 AM

Hi, I have just done the little clear up from your last post and all seems to be fine !! Thank you so much Phil. I really really appreciate the time and effort that you have put in for me. I will read the information using the links you provided and hope to keep clean and free of any bugs !!! Thank you !!!!

#8 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 06 October 2005 - 10:56 AM

Sounds good, I'll leave your post open for a day or so in case you have a question. Safe surfing to you...Phil :woot:

#9 mabbutt

    Member

  • Members
  • 22 posts

Posted 06 October 2005 - 01:55 PM

Hi, I am not sure if this is related but since making all the changes I can no longer log in to Hotmail using this computer. From any other machine I can. I simply get re-directed to the log-in screen. I was wondering if it might be one of the programs I downloaded ??

#10 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 06 October 2005 - 02:20 PM

Hi mabbutt, nothing you downloaded would affect Hotmail, but you did have two sign-in links that should have been just clutter. I said this:

The first five lines that are R1/R0...any you don't use you can remove with HJT; not bad, just clutter.

and you said this:

I have just done the little clear up from your last post and all seems to be fine !!

So we will return those lines to the log to see if it makes a difference, but I also have Hotmail and you should be able to sign in at hotmail.com. When I enter that (hotmail.com) into Google and search, it takes me right to the Hotmail account or to the sign-in page if I am not signed in. Here is how to return those lines to your log.

Open HJT > Click on View the list of backups > put a check in these boxes, and let's return all four in case one of the others is needed. Later you can try taking them out one or two at a time if you wish or just leave them there, they are not malware, just clutter:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/

Then click on restore, be careful not to return any of the bad stuff. Later, after a few weeks when you are sure all is well, you can return to here and delete the balance of those backups. Let me know if this takes care of the problem.

Thanks...Phil

#11 mabbutt

    Member

  • Members
  • 22 posts

Posted 06 October 2005 - 03:22 PM

Hi Phil, I restored those files but it has not fixed it. Hotmail redirects 4 times and ends back at the sign-in page.

#12 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 06 October 2005 - 03:27 PM

Got me on this one. I'll look for information, but nothing we did would have affected Hotmail. If I find anything I will post a PM to you. Thanks...Phil

#13 mabbutt

    Member

  • Members
  • 22 posts

Posted 06 October 2005 - 03:30 PM

OK, Thank you again. I really appreciate the help.

#14 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 06 October 2005 - 04:02 PM

OK, let's chat just a moment. I want you to know that this was a badly infected computer. I posted as much information as I could about what the trojan worms could have done to your computer. If you have not reviewed that information yet, you should do so and it is very possible this problem could have been caused by changes made by these worms. Here is some more information about how to troubleshoot hotmail sign in problems, but prior to viewing this information I would look closely at that information about the trojans. If they did damage to your firewall, that could be what is stopping you from being able to sign in.

http://support.micro...om/?kbid=316659
http://ask-leo.com/h...n_problems.html
http://www.handypass...-problems.shtml
http://businessknowl...ems_011678.html
http://www.geekstogo...ems-t66633.html

If you cannot find the answer to your problem through Help, e-mail for support at the following e-mail address:
support@hotmail.com (mailto:support@hotmail.com)

Edited by pskelley, 06 October 2005 - 04:02 PM.


#15 pacman123

    Supervised HJT Helper

  • Malware Classroom Trainee
  • 1,522 posts
  • Location:Sheffield.uk


Posted 06 October 2005 - 04:05 PM

Sorry to butt in Phil, but what about a re-install of MSN? Might this not solve the problem.....

#16 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 06 October 2005 - 04:07 PM

I would have to defer to Microsoft about that question. :)

#17 pacman123

    Supervised HJT Helper

  • Malware Classroom Trainee
  • 1,522 posts
  • Location:Sheffield.uk


Posted 06 October 2005 - 04:09 PM

ok just a thought........

#18 mabbutt

    Member

  • Members
  • 22 posts

Posted 07 October 2005 - 04:48 AM

Hi guys, I have re-installed MSN and now all is working fine. Thank you both very much and keep up the good work !!! Phil you are a legend !!!

#19 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 07 October 2005 - 04:56 AM

Glad to hear you have it worked out. Hotmail is so easy, I use it myself via MSN email but it can be a pain when it gets corrupted. Cheers...Phil

#20 pskelley

    In Remembrance ..Rest in Peace Phil

  • Trusted Malware Techs
  • 1,767 posts
  • Location:Clearwater, Florida


Posted 08 October 2005 - 07:45 AM

This issue is resolved :)

Thanks...pskelley
Trusted HJT Advisor
PCPitStop forum
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.



