.IST Removal HJT Log

mabbutt   

Hi

 

I have been having trouble with the .IST virus. I have removed it using the Microsoft Spyware Beta 1 program. Each time it says that it has removed it and I reboot. However it then constantly tries to re-install itself.

 

Also when I connect to the internet the homepage loads with a porn site. I have changed the default in IE but it still loads this page.

 

Also an Office 2000 install keeps popping up which I would like to get rid of.

 

My log is as follows:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:07:46, on 04/10/2005

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

C:\WINNT\MWW32\MANAGER\MWSSW32.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\tp4mon.exe

C:\WINNT\System32\steam.exe

C:\dsonic.exe

C:\luxor.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINNT\System32\internat.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINNT\lsevyin.exe

C:\Program Files\SurfAccuracy\SAcc.exe

C:\Program Files\180searchassistant\sais.exe

C:\Program Files\ISTsvc\istsvc.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

C:\WINNT\System32\updates.pif

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access

R3 - Default URLSearchHook is missing

O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)

O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [steam] steam.exe

O4 - HKLM\..\Run: [REGRUN] C:\dsonic.exe

O4 - HKLM\..\Run: [lux] C:\luxor.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [system Updates Service] updates.pif

O4 - HKLM\..\Run: [M7Bhp56G3] C:\WINNT\lsevyin.exe

O4 - HKLM\..\Run: [surfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe

O4 - HKLM\..\Run: [ghkvkd] C:\WINNT\ghkvkd.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\RunServices: [steam] steam.exe

O4 - HKLM\..\RunServices: [system Updates Service] updates.pif

O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [system Updates Service] updates.pif

O4 - HKCU\..\RunServices: [system Updates Service] updates.pif

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

 

 

 

Any help is greatly appreciated !!

pskelley   

Hello and welcome to the forum. You have a pretty good mess on this computer and it is going to take some time and effort to clean it up. If you wish to do this then follow my directions in the posted order.

 

1) Move HJT off the Desktop, I suggest here: C:\HJT\HijackThis.exe. If you need more information then use this link: http://russelltexas.com/malware/createhjtfolder.htm Please do this before you proceed.

 

2) Download, update and run Stinger from here: http://vil.nai.com/vil/stinger/ Please post the names of any worms Stinger removes.

 

3) Read, download and run this removal tool: http://securityresponse.symantec.com/avcen...valinstructions

 

4) Read, download and run this removal tool: http://securityresponse.symantec.com/avcen...valinstructions

 

5) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

 

6) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php

The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

 

7) Ewido scan:

Please download Ewido Security Suite; it is a trial version of the program.

  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido.

Ewido manual updates

 

Once the updates are installed do the following:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

 

8) MAS will block the HJT fix, do this:

Open Microsoft AntiSpyware. Click on Tools, Settings.

In the left pane, click on Real-time Protection.

Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).

Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).

After you uncheck these, click on the Save button and close Microsoft AntiSpyware.

Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

 

9) Look in Add Remove programs and uninstall any of these that are there: SurfAccuracy, 180searchassistant, ISTsvc

Now open your Task Manager and end task on the above three and these if there:

 

C:\dsonic.exe

C:\luxor.exe

C:\WINNT\lsevyin.exe

C:\Program Files\SurfAccuracy\SAcc.exe

C:\Program Files\180searchassistant\sais.exe

C:\Program Files\ISTsvc\istsvc.exe

C:\WINNT\System32\updates.pif

 

 

Some items may no longer be there after the tools were run, just don't miss any.

 

10) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R3 - Default URLSearchHook is missing

O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll

O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)

O4 - HKLM\..\Run: [steam] steam.exe

O4 - HKLM\..\Run: [REGRUN] C:\dsonic.exe

O4 - HKLM\..\Run: [lux] C:\luxor.exe

O4 - HKLM\..\Run: [system Updates Service] updates.pif

O4 - HKLM\..\Run: [M7Bhp56G3] C:\WINNT\lsevyin.exe

O4 - HKLM\..\Run: [surfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe

O4 - HKLM\..\Run: [ghkvkd] C:\WINNT\ghkvkd.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\RunServices: [steam] steam.exe

O4 - HKLM\..\RunServices: [system Updates Service] updates.pif

O4 - HKCU\..\Run: [system Updates Service] updates.pif

O4 - HKCU\..\RunServices: [system Updates Service] updates.pif

(next two, if you don't use the Alexa toolbar, remove these resource wasters)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

(if you don't want this as your Startpage check and remove it)

O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

 

Close all programs but HJT and all browser windows, then click on "Fix Checked"

 

11) SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.

You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

RIGHT Click on Start then click on Explore. Locate and delete these items:

 

steam.exe >>> file (search for and delete this item)

 

C:\dsonic.exe >>> file

 

C:\luxor.exe >>> file

 

C:\Program Files\ISTsvc\ >>> folder

 

C:\Program Files\Power Scan\ >>> folder

 

c:\program files\180searchassistant\ >>> folder

 

C:\Program Files\SurfAccuracy\ >>> folder

 

C:\WINNT\System32\updates.pif >>> file

 

C:\WINNT\ghkvkd.exe >>> file

 

C:\WINNT\lsevyin.exe >>> file

 

C:\Windows\Prefetch: Locate this folder and delete all of the contents (NOT THE FOLDER). This information will tell you more about Prefetch:

http://www.windowsnetworking.com/articles_...refetch-XP.html

 

 

12) Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have. Please include any information I asked for above, and we will see where we are.

 

Thanks...pskelley

Trusted HJT Advisor

PCPitStop forum
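Added example (not part of the thread, and not code from HijackThis or from any of the tools named above): a small Python script that applies heuristics of the kind pskelley applies by eye to the running-process list and the R3/O3/O4/O15/O16 lines. The log text inside it is constructed from a handful of lines in the same shape as the log posted above. The heuristics (executables in the drive root, .pif autoruns, bare filenames resolved through the search path, RunServices keys on an NT-family host, TFTPnnnn files in System32, references to missing files, Trusted Zone and DPF entries) are this author's choice and flag lines for review rather than deliver verdicts: a legitimate driver launcher such as tp4mon.exe trips the bare-filename check just as steam.exe does.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example: the heuristics are this author's, not HijackThis logic, and the
sample log below is constructed, not copied from a real machine.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of an HJT v1.99 log (a few lines of each kind).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\dsonic.exe
C:\WINNT\System32\updates.pif
C:\WINNT\system32\TFTP1076

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R3 - Default URLSearchHook is missing
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [system Updates Service] updates.pif
O4 - HKLM\..\RunServices: [steam] steam.exe
O4 - HKLM\..\Run: [REGRUN] C:\dsonic.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
"""

# O4 - HKLM\..\Run: [name] command       (hive, run key, value name, command line)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable token of a command line, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|pif|com|scr|bat|cmd))"?(?:\s|$)', re.IGNORECASE)
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")          # C:\something.exe
TFTP_RE = re.compile(r"\\system32\\TFTP\d+$", re.IGNORECASE)  # C:\WINNT\system32\TFTP1076
ODD_EXTENSIONS = {".pif", ".scr", ".com", ".bat", ".cmd"}


@dataclass
class Finding:
    line: str
    reasons: List[str]


def first_executable(cmd: str) -> str:
    """Return the program path from an autorun command line, stripping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().split(" ")[0].strip('"')


def path_reasons(path: str) -> List[str]:
    """Indicators about a single process or autorun target path (heuristics, not verdicts)."""
    reasons = []
    ext = ntpath.splitext(path)[1].lower()
    if ext in ODD_EXTENSIONS:
        reasons.append(f"target uses a {ext} extension rather than .exe")
    if ROOT_FILE_RE.match(path):
        reasons.append("executable placed directly in the drive root")
    if TFTP_RE.search(path):
        reasons.append("TFTPnnnn artefact in System32, a pattern left by tftp-based worm propagation")
    if "\\" not in path and ":" not in path:
        reasons.append("bare filename resolved through the search path (review: some legitimate entries do this too)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT-style log and collect every line with at least one indicator."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        reasons: List[str] = []
        o4 = O4_RE.match(line)
        if in_processes:
            reasons = path_reasons(line)
        elif o4:
            reasons = path_reasons(first_executable(o4.group("cmd")))
            if o4.group("key").lower().startswith("runservices"):
                reasons.append("RunServices key is only processed by Win9x; on an NT-family host it is "
                               "usually written by malware aiming for portability")
        elif line.startswith("R3 - Default URLSearchHook is missing"):
            reasons.append("default URLSearchHook removed, a common side effect of a search hijacker")
        elif line.startswith("O15 - Trusted Zone:"):
            reasons.append("site added to the IE Trusted Zone, which relaxes security settings for it")
        elif line.startswith("O16 - DPF:"):
            reasons.append("ActiveX control downloaded from a URL; confirm the vendor is one you want")
        if "(file missing)" in line:
            reasons.append("orphaned reference: the target file no longer exists")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def reasons_for(findings: List[Finding], needle: str) -> List[str]:
    """Reasons recorded for the first finding whose line contains `needle` ([] if none)."""
    for f in findings:
        if needle in f.line:
            return f.reasons
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run it as-is to see the constructed sample triaged, or feed it a saved HJT log with `triage(open("hijackthis.log").read())`. Lines with no indicators (smss.exe, the quoted gcasServ.exe entry, the R1 default page) produce no finding, which is the point: the output is a shortlist for a human to confirm, in the same way the advisor above confirms each line before asking for it to be fixed.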

mabbutt   

Hi

 

Thank you for taking the time to give me this advice. I am going to follow each step and will post a new log once I have completed it.

 

Just wanted to let you know I will post asap when it is all done !!!

pskelley   

OK...as I said there is a lot of bad stuff to remove. This is not something you should rush. Do the steps in order and post questions if you have them. You can also send me a PM at the bottom of the page if you have a question. These steps will remove most if not all of the bad stuff. When you finish I will need two logs:

 

a new HJT log and the Ewido scan results

 

 

Thanks...Phil

mabbutt   

Hi

 

OK here is what the results of the scans were and the new HJT log.

 

I will try and keep it as neat as possible.

 

 

 

McAfee AVERT Stinger Version 2.5.6 built on Aug 16 2005

 

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

 

Virus data file v1000 created on Aug 16 2005.

 

Ready to scan for 54 viruses, trojans and variants.

 

 

 

Scan initiated on Wed Oct 05 18:47:12 2005

 

C:\WINNT\System32\steam.exe

 

Found the W32/Sdbot.worm.gen.h virus !!!

 

C:\WINNT\System32\steam.exe could not be repaired.

 

C:\WINNT\system32\i

 

Found the W32/Sdbot.worm!ftp virus !!!

 

C:\WINNT\system32\i has been deleted.

 

C:\WINNT\system32\steam.exe

 

Found the W32/Sdbot.worm.gen.h virus !!!

 

C:\WINNT\system32\steam.exe could not be repaired.

 

C:\WINNT\system32\TFTP1076

 

Found the W32/Sdbot.worm.gen.h virus !!!

 

C:\WINNT\system32\TFTP1076 has been deleted.

 

C:\WINNT\system32\TFTP2500

 

Found the W32/Sdbot.worm.gen.h virus !!!

 

C:\WINNT\system32\TFTP2500 has been deleted.

 

Number of clean files: 117617

 

Number of infected files: 5

 

Number of files deleted: 3

 

################################################

 

Symantec Adware.180Search and Adware.NCase Removal Tool 1.0.5

 

Adware.180Search and Adware.NCase have not been found on your computer.

 

################################################

 

Symantec Adware.Istbar / Trojan.ISTsvc Removal Tool 1.1.0

 

 

registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Policies\Avenue Media (key deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} (key deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} (key deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} (key deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} (key deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media (key deleted)

registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping: {10E42047-DEB9-4535-A118-B3F6EC39B807} (value deleted)

registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Internet Explorer\Main: BandRest (value deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: BandRest (value deleted)

 

process: IEXPLORE.EXE (terminated)

 

C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\istactivex.dll: (deleted)

C:\Program Files\Microsoft AntiSpyware\Quarantine\EF451443-B69A-4016-ABA0-302878\3E6B0D64-1E6A-40BD-AC68-021817: (deleted)

C:\System Volume Information: (not scanned)

 

registry: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main: Start Page (value set to "about:blank")

registry: HKEY_USERS\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Internet Explorer\Main: Start Page (value set to "about:blank")

Adware.Istbar has been successfully removed from your computer!

 

Here is the report:

 

The total number of the scanned files: 27601

The number of deleted files: 2

The number of threat processes terminated: 0

The number of other processes terminated: 1

The number of registry entries fixed: 11

 

#################################################

 

Ad-Aware SE Build 1.06r1

Logfile Created on:05 October 2005 21:41:42

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R68 28.09.2005

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions(TAC index:6):2 total references

Alexa(TAC index:5):9 total references

ClickSpring(TAC index:6):4 total references

Hijacker.TopConverting(TAC index:5):1 total references

istbar(TAC index:7):6 total references

Possible Browser Hijack attempt(TAC index:3):2 total references

Tracking Cookie(TAC index:3):6 total references

Zango(TAC index:6):4 total references

ZyncosMark(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Definition File:

=========================

Definitions File Loaded:

Reference Number : SE1R68 28.09.2005

Internal build : 80

File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref

File size : 526954 Bytes

Total size : 1581029 Bytes

Signature data size : 1547745 Bytes

Reference data size : 32772 Bytes

Signatures total : 43961

CSI Fingerprints total : 1047

CSI data size : 37307 Bytes

Target categories : 15

Target families : 753

 

###############################################

 

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

 

+ Created on: 10:13:39, 06/10/2005

+ Report-Checksum: F3F0BE43

 

+ Scan result:

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup

HKU\S-1-5-21-854245398-1708537768-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup

[972] C:\luxor.exe -> Backdoor.Agent.jo : Cleaned with backup

C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup

C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Administrator\Local Settings\Temp\4gNZcv.exe -> TrojanDownloader.IstBar.kp : Cleaned with backup

C:\Documents and Settings\Administrator\Local Settings\Temp\Del8.tmp -> TrojanDownloader.Small.asf : Cleaned with backup

C:\Documents and Settings\Administrator\Local Settings\Temp\installer.exe -> Spyware.PurityScan : Cleaned with backup

C:\Documents and Settings\Administrator\Local Settings\Temp\res9.tmp -> Spyware.180Solutions : Cleaned with backup

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4VSFO5AX\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPAJOTER\0006_regular[1].cab/istactivex.dll -> TrojanDownloader.IstBar : Error during cleaning

C:\mt-uninstaller.exe -> Spyware.PurityScan.u : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\27B5CEB8-8C7E-4D8C-B0A8-4B345F -> Spyware.SideFind : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\69198BE1-A055-4FF5-A5C2-DF161E -> TrojanDownloader.IstBar.jm : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\ABF7EC96-E142-49E3-9195-F0AB54 -> Spyware.SideFind : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\Quarantine\D4B92E46-382A-4DA0-B9E8-0847E3\DBDEC2DA-D008-47CE-B956-D41898 -> TrojanDownloader.IstBar.jm : Cleaned with backup

C:\WINNT\system32\TFTP1056 -> Backdoor.Codbot.at : Cleaned with backup

 

 

::Report End

 

 

###################################

 

Logfile of HijackThis v1.99.1

Scan saved at 11:31:06, on 06/10/2005

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

C:\WINNT\MWW32\MANAGER\MWSSW32.EXE

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\tp4mon.exe

C:\WINNT\System32\internat.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

 

 

Well that's all of it. I hope that it all makes sense. I followed each step as you listed it and did not encounter any problems that I was aware of.

 

Thank you again for taking the time to help me !!

pskelley   

I first want to say that you did an excellent job of following and executing what were complex instructions :geezer: These worms sometimes cause changes on your computer that need to be repaired, and the links may give you insight into how they got to you. Here are the ones you had, with the name Sophos calls them (others like McAfee may call them something else):

http://www.sophos.com/virusinfo/analyses/w32rbotajt.html

http://www.trendmicro.com/vinfo/virusencyc...ROJ_LOWZONES.BW or

http://www.trendmicro.com/vinfo/virusencyc...e=TROJ_AGENT.RD

http://www.sophos.com/virusinfo/analyses/w32rbotama.html The others were either adware installed by the trojans or would not identify. I hope this information helps you.

 

Here: C:\Program Files\Microsoft AntiSpyware\Quarantine\ check MAS to make sure the quarantine area is empty, delete anything in there.

 

C:\Documents and Settings\Administrator\Local Settings\Temp\ Don't forget bad cookies can hide here; you can delete anything in that TEMP folder (not the folder).

 

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KPAJOTER\0006_regular[1].cab/istactivex.dll -> TrojanDownloader.IstBar : Error during cleaning. Check those TIF files and make sure nothing is in that folder.

 

Logfile of HijackThis v1.99.1 Scan saved at 11:31:06, on 06/10/2005

 

The first five lines that are R1/R0...any you don't use you can remove with HJT; not bad, just clutter.

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) is an old SpywareDoctor line that is also clutter and doing nothing. Remove with HJT.

 

Log is clean :woot: here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:

http://forums.net-integration.net/index.php?showtopic=3051

http://russelltexas.com/malware/allclear.htm

http://forum.malwareremoval.com/viewtopic.php?t=14

http://www.bleepingcomputer.com/forums/topict2520.html

 

Once again, great job and you should be running well. If you still have any malware issues, let me know; otherwise make sure you review the info from the experts about how to prevent this from happening again.

 

Cheers...Phil :)

 

Thanks...pskelley

Trusted HJT Advisor

PCPitStop forum

If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

mabbutt   

Hi

 

I have just done the little clear up from your last post and all seems to be fine !!

 

Thank you so much Phil. I really really appreciate the time and effort that you have put in for me.

 

I will read the information using the links you provided and hope to keep clean and free of any bugs !!!

 

Thank you !!!!

pskelley   

Sounds good, I'll leave your post open for a day or so in case you have a question. Safe surfing to you...Phil :woot:

mabbutt   

Hi

 

I am not sure if this is related but since making all the changes I can no longer log-in to Hotmail using this computer.

 

From any other machine I can.

 

I simply get re-directed to the log-in screen.

 

I was wondering if it might be one of the programs I downloaded ??

pskelley   

Hi mabbutt, nothing you downloaded would affect hotmail, but you did have two sign-in links that should have been just clutter. I said this:

The first five lines that are R1/R0...any you don't use you can remove with HJT not bad, just clutter.

and you said this:

I have just done the little clear up from your last post and all seems to be fine !!

So we will return those lines to the log to see if it makes a difference, but I also have hotmail and you should be able to sign in at hotmail.com. When I enter that (hotmail.com) into google and search, it takes me right to the hotmail account or to the sign-in page if I am not signed in. Here is how to return those lines to your log.

 

Open HJT > Click on View the list of backups > put a check in these boxes, and let's return all four in case one of the others is needed. Later you can try taking them out one or two at a time if you wish or just leave them there, they are not malware, just clutter:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/

 

Then click on restore, be careful not to return any of the bad stuff. Later, after a few weeks when you are sure all is well, you can return to here and delete the balance of those backups. Let me know if this takes care of the problem.

 

Thanks...Phil

pskelley   

Got me on this one, I'll look for information but nothing we did would have affected hotmail. If I find anything I will post a PM to you.

 

Thanks...Phil

pskelley   

OK, let's chat just a moment. I want you to know that this was a badly infected computer. I posted as much information as I could about what the trojan worms could have done to your computer. If you have not reviewed that information yet, you should do so and it is very possible this problem could have been caused by changes made by these worms. Here is some more information about how to troubleshoot hotmail sign in problems, but prior to viewing this information I would look closely at that information about the trojans. If they did damage to your firewall, that could be what is stopping you from being able to sign in.

 

http://support.microsoft.com/?kbid=316659

http://ask-leo.com/how_do_i_resolve_my_msn...n_problems.html

http://www.handypassword.com/personal-comp...-problems.shtml

http://businessknowledgesource.com/technol...ems_011678.html

http://www.geekstogo.com/forum/MSN_Hotmail...ems-t66633.html

 

If you cannot find the answer to your problem through Help, e-mail for support at the following e-mail address:

support@hotmail.com (mailto:support@hotmail.com)

pskelley   

Glad to hear you have it worked out. Hotmail is so easy, I use it myself via MSN email but it can be a pain when it gets corrupted.

 

Cheers...Phil

pskelley   

This issue is resolved :)

 

Thanks...pskelley

Trusted HJT Advisor

PCPitStop forum

If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
