Need Help here - Virus/Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by crushspyware, Feb 4, 2005.

  1. crushspyware

    crushspyware Private E-2

    HI,

    Following was done. Booted to Safe mode.

    Programs run

    Ad-Aware with VX2
    Spybot with DSO
    CCleaner
    CWShredder
    Trend Micro
    AVERT

    This was all done in SAFE MODE along with show hidden files and unchecked hide file extensions...

    Well here is my HJT log in normal mode.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:41:12 PM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



    Hope we can crush the enemy....
    BTW this is one of many attempts on my own. Now I need professional help

    Mark
     

    Attached Files:

    • LOG.txt (3.5 KB)
    Last edited by a moderator: Feb 4, 2005
  2. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    You didn't say what problems you were having. . . . . .

    These lines were the only ones to jump out at me:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xhatyjlbjakyweblfqnsmrya...10pwyJZrApF.asp

    O4 - HKCU\..\Run: [THIS SETTINGS] C:\DOCUME~1\Owner\APPLIC~1\BLEHSIGN\sizespamseek.exe --> Doubt this is something you want, need, or even know about! Suggest you DELETE this folder and fix the two lines in HJT. ---> BLEHSIGN

    Please attach further logs via the "Manage Attachments" tool when you post.

    PP :)
     
  3. crushspyware

    crushspyware Private E-2

    Sorry PP,

    My problem is with search2000 from what I can see..

    Go Eagles !!
     
  4. PhilliePhan

    PhilliePhan Guest

    I imagine if you fix those 2 lines in HJT and delete that folder, that will do the trick!

    PP :)
     
  5. crushspyware

    crushspyware Private E-2

    Looks good so far. I still get a pop up when I start IE...
    Also, how do I take a fresh backup with System Restore? Won't that help
    in case of re-infection?
     
  6. TheOldThug

    TheOldThug First Sergeant

    If you're still getting a popup, send another HJT log. Don't turn System Restore back on until PP gets you to 100% cured, then turn it on. If you're still getting a popup you may still have a problem. Is this a new popup or one that you were getting before?
     
  7. crushspyware

    crushspyware Private E-2

    Looks like same popup z1adsaver. Also noticed my IE favorites have changed.
    Here is the new log..

    Logfile of HijackThis v1.99.0
    Scan saved at 8:57:55 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     
    Last edited by a moderator: Feb 5, 2005
  8. TheOldThug

    TheOldThug First Sergeant

    When we ask you for an HJT log it must not be inline but rather as a .log or .txt attachment. Please make sure all browsers are closed, including IE.
     
  9. TheOldThug

    TheOldThug First Sergeant

    You still have:
    O4 - HKCU\..\Run: [THIS SETTINGS] C:\DOCUME~1\Owner\APPLIC~1\BLEHSIGN\sizespamseek.exe
    PP asked you to fix this; did you, and it came back?

    I believe PP would ask you to do the following. Feel free to wait for his advice; he is much more knowledgeable than me.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    sizespamseek.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hngchernhjremhalgvaswzxc...0pwyJZrApF.html
    O4 - HKCU\..\Run: [THIS SETTINGS] C:\DOCUME~1\Owner\APPLIC~1\BLEHSIGN\sizespamseek.exe
    O8 - Extra context menu item: RemindU - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm <---This one I'm not absolutely sure about, but I don't like it; there is an adware TOPMOXIE

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\DOCUME~1\Owner\APPLIC~1\BLEHSIGN <---Delete this folder
    C:\Program Files\topMoxie <---Delete this folder (once again, not completely sure)

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
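The checklist above boils down to reading three kinds of HijackThis lines (R1 Search Bar, O4 Run entries, O8 context-menu items) and deciding which ones deserve a second look. The script below is an added example, not code from anyone in this thread or from the HijackThis project: it parses lines in that format and applies the same reasoning the helpers used (a Run entry launching from the user's Application Data or temp folder, a Search Bar pointing at a random-looking hostname, a context-menu item backed by a local script file). The sample lines are constructed; the two file paths are the ones quoted in the thread, but the Search Bar hostname is made up because the thread's URLs are truncated, and the consonant-run threshold of 5 is an assumed heuristic, not a rule HijackThis itself applies.

```python
"""Triage helper for HijackThis-style log lines (R1 / O4 / O8 entries)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample log. The O4 and O8 lines reproduce the two paths quoted
# in the thread; the Search Bar hostname is made up (the thread's URLs are
# truncated); the last two lines are benign controls that must NOT be flagged.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qkzrvtmxbwplgh.example/search.asp",
    r"O4 - HKCU\..\Run: [THIS SETTINGS] C:\DOCUME~1\Owner\APPLIC~1\BLEHSIGN\sizespamseek.exe",
    r"O8 - Extra context menu item: RemindU - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
])


@dataclass
class Entry:
    kind: str    # HJT section code: R1, O4 or O8
    name: str    # registry value name / key path, or menu item caption
    target: str  # URL, command line, or script path
    raw: str     # the original log line


R1_RE = re.compile(r"^R1 - (?P<key>.+?) = (?P<url>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<name>.+?) - (?P<target>.+)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line; returns None for sections this helper ignores."""
    line = line.strip()
    if m := R1_RE.match(line):
        return Entry("R1", m["key"], m["url"], line)
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], m["cmd"], line)
    if m := O8_RE.match(line):
        return Entry("O8", m["name"], m["target"], line)
    return None


# Directories a legitimate Run entry rarely launches from: the user-profile
# data dir or a temp dir, in both the 8.3 short form HJT prints and long form.
USER_DATA_MARKERS = ("\\APPLIC~1\\", "\\APPLICATION DATA\\",
                     "\\LOCALS~1\\TEMP\\", "\\LOCAL SETTINGS\\TEMP\\")

CONSONANT_RUN_LIMIT = 5  # assumed heuristic threshold; real hostnames rarely exceed 4


def longest_consonant_run(host: str) -> int:
    """Longest run of consonant letters in a hostname; dots and digits break runs.
    Machine-generated hostnames like the ones quoted in the thread have long runs."""
    run = best = 0
    for ch in host.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def assess(entry: Entry) -> Optional[str]:
    """Return a reason string if the entry deserves a second look, else None."""
    if entry.kind == "R1" and "Search Bar" in entry.name:
        host = urlparse(entry.target).hostname or ""
        if longest_consonant_run(host) >= CONSONANT_RUN_LIMIT:
            return f"Search Bar points at a machine-generated-looking host {host!r}"
    if entry.kind == "O4":
        if any(marker in entry.target.upper() for marker in USER_DATA_MARKERS):
            return "Run entry launches from a user-profile data or temp directory"
    if entry.kind == "O8" and entry.target.lower().startswith("file://"):
        return "context-menu item runs a local script file"
    return None


def triage(log_text: str) -> List[Tuple[Entry, str]]:
    """Parse every line and return (entry, reason) pairs for suspicious ones, in log order."""
    flagged: List[Tuple[Entry, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = assess(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{entry.kind}] {reason}\n    {entry.raw}")
```

Run it on the sample and the three lines from the thread are flagged while the two benign controls pass; paste a real HJT log into `SAMPLE_LOG` (or read it from the attached .txt) to triage it the same way. The heuristics are deliberately narrow, so an entry that is not flagged is not thereby cleared; they only reproduce the three judgement calls made in this thread.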
  10. PhilliePhan

    PhilliePhan Guest

    Agree with Thug's post above. Try that and see how things run.

    Also, how many active User Accounts on this machine?

    PP :)
     
  11. crushspyware

    crushspyware Private E-2

    Hey Guys,

    Did what Thug suggested below. Looks to be OK now but here
    is my txt file for you to check out. PP I have multiple
    users on the computer should the tools/tutorial be done for
    each one ?? When I was in safe mode I used the Admin login.
    Any suggestions on keeping clean ??

    Thanks for all your help,
    Mark
     


  12. TheOldThug

    TheOldThug First Sergeant

  13. TheOldThug

    TheOldThug First Sergeant

    There may be some things in the HJT log, hopefully PP will get a look at it.

    Are you running "All-In-One_SPY stealth monitoring software" or some other key logger software? Do you have "Smooth-Surfer"?

    You can fix this now and resubmit HJT log.

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ydovholqlysrjnsrbrqepcm....nQJHDJ/qPb9Hte4A/FMi5Si/jwo8_5l0pwyJZrApF.cgi

    Again, make sure All Browser Windows are Closed when you Click FIX.
     
  14. PhilliePhan

    PhilliePhan Guest

    It is a good idea to run through the Cleanup Tutorial for each user account and then submit HJT logs from Normal Windows boot for each user account.
    TheOldThug or I will check back as time permits.

    PP :)
     
