

Redirection of IE but no obvious spyware installed!


10 replies to this topic

#1 Phil B

    Newbie

  • Members
  • 5 posts

Posted 12 March 2006 - 01:51 PM

Hi all

I have recently started getting redirection from IE (but not in Firefox) as follows:

1. Run a Google search and get the results
2. Click on the required result and get redirected
3. Go back to results page and click the same result and get redirected (sometimes to the same page and sometimes to another page)
4. Go back to the results page and click on the same result and go to the correct result page
5. Every other result then goes to the correct page after that until....
6. Click on the 'Next Page' of Google results and the problem starts again as per note 2. above

The results happen with other search engines as well

I have run Spybot, Ad-Aware and then followed the actions shown on http://forum.ccleane...?showtopic=3505 by rridgley. I have also installed and run Microsoft Defender (Beta) v1.1.1051.0 all of which have found a couple of trojans and cookies and the (self installed) InternetSpy software and all have now been cleaned. I have also run HijackThis and cleaned off anything not required but still the problem persists. Can you advise please? I have posted my latest HijackThis log below.

Thanks


Logfile of HijackThis v1.99.1
Scan saved at 13:46:41, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kana Reminder\Reminder.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: IEWatch Spy 0.8.0 - {85DDD882-701E-401B-8A7D-D51227048214} - C:\Program Files\Internet Spy\iewatcher.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternetSpy] C:\Program Files\Internet Spy\InternetSpy.exe
O4 - HKCU\..\Run: [Kana Reminder] C:\Program Files\Kana Reminder\Reminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102776193078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photobox....on/uploader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
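
As an added example (not code from this thread, nor part of the HijackThis tool), here is a small Python triage script for the log format shown above: it keeps only the numbered R/O entries, flags BHO registrations whose DLL is already gone, pulls the executable path out of every O4 autorun, and diffs two scans so that "what disappeared / what appeared" is explicit rather than read by eye. The two logs embedded in it are constructed excerpts of the logs posted in this thread; the parsing rules (the `On - ` prefix, the `(file missing)` marker, the `[Name] command` form of Run entries and the `Global Startup: X.lnk = path` form) are taken from the format as it appears here.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the two HijackThis v1.99.1 logs posted in this thread
# (a handful of entries each, not the complete logs).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 13:46:41, on 12/03/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: IEWatch Spy 0.8.0 - {85DDD882-701E-401B-8A7D-D51227048214} - C:\Program Files\Internet Spy\iewatcher.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [InternetSpy] C:\Program Files\Internet Spy\InternetSpy.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 15:21:02, on 19/03/2006

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A numbered entry: "O4 - <body>", "R0 - <body>", ...  Header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|lnk))"?', re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Entry:
    section: str   # "O2", "O4", "O23", ...
    body: str      # everything after the "O4 - " prefix


def parse_hjt(text):
    """Return the numbered entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def missing_file_bhos(entries):
    """O2 BHOs whose DLL no longer exists: a leftover registration to remove."""
    return [e for e in entries if e.section == "O2" and e.body.endswith("(file missing)")]


def autorun_paths(entries):
    """(name, path) for each O4 autorun, in both the Run-key and Global Startup forms."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = re.search(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$", e.body)
        if m:                                   # HKLM\..\Run: [Name] command
            name, cmd = m["name"], m["cmd"]
        else:                                   # Global Startup: Foo.lnk = C:\path\foo.exe
            name, _, cmd = e.body.partition(": ")[2].partition(" = ")
        pm = PATH_RE.search(cmd)
        out.append((name, pm["path"] if pm else cmd))
    return out


def diff_logs(before, after):
    """Entries that vanished and entries that appeared between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    first = parse_hjt(BEFORE_LOG)
    print("BHOs with missing DLL:", [e.body for e in missing_file_bhos(first)])
    print("Autoruns:", autorun_paths(first))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed:", [e.body for e in removed])
    print("Added:", [e.body for e in added])
```

The diff is the useful part when a helper says "looking good": it shows the IEWatch Spy BHO and the InternetSpy Run entry gone, and only the Spybot SDHelper/TeaTimer entries and the R1 window-title line new.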

#2 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 13 March 2006 - 02:09 AM

Hi Phil, Welcome To The Forum :)

Can you post details on what Windows Defender has removed? I do not have it installed so cannot give exact instructions, but you should find the information on the History tab. I suspect it's connected to Trojan.Wareout but there are no signs of that in your current log.

Let's run some scanners and remove the remaining entries from your log and we can take it from there.

If you haven't removed InternetSpy from the Add/Remove screen, then go to Start Menu > Control Panel > Add or Remove Programs and remove InternetSpy.

Run Hijack This and choose Do a system scan then place a check next to these entries:

O2 - BHO: IEWatch Spy 0.8.0 - {85DDD882-701E-401B-8A7D-D51227048214} - C:\Program Files\Internet Spy\iewatcher.dll (file missing)

O4 - HKLM\..\Run: [InternetSpy] C:\Program Files\Internet Spy\InternetSpy.exe


Close all open browser and other windows except Hijack This then press the Fix Checked button.

Delete the Internet Spy folder if it still exists:

C:\Program Files\Internet Spy

  • Download Blacklight from Here and save it to your desktop: Double-click blbeta.exe, accept statement > click next then scan.
    You may see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx will be the date and time of the scan). Copy and paste this log in your next reply. Don't choose the rename option yet because legitimate items can also be present there, such as "wbemtest.exe"


  • Run Ewido and update the definitions, then from the main menu click on 'scanner' and click 'Complete System Scan'. If ewido finds something, it will pop up a notification. Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" then click on OK. When the scan finishes, click on "Save Report" and save it to your desktop or C: drive and post the results back.


  • Finally run Panda Activescan from Here.

    Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan
    (Note: It may take a couple of minutes)
    - When the download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Hopefully with those logs it will make it a bit clearer what's causing the problem.

Regards

Andy

#3 Phil B

Posted 18 March 2006 - 12:11 PM

AndyManchesta, on Mar 13 2006, 02:09 AM, said: [post #2 above, quoted in full]

Andy, thanks for the help

I have added the Windows Defender History as a file with screenshots in, as it does not seem to have a text file log.

I have removed InternetSpy and cleaned it up with HijackThis

Blacklight results were

03/18/06 10:36:10 [Info]: BlackLight Engine 1.0.33 initialized
03/18/06 10:36:10 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/18/06 10:36:10 [Note]: 7019 4
03/18/06 10:36:10 [Note]: 7005 0
03/18/06 10:36:26 [Note]: 7006 0
03/18/06 10:36:26 [Note]: 7011 384
03/18/06 10:36:26 [Note]: FSRAW library version 1.7.1015
03/18/06 10:36:53 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
03/18/06 10:36:53 [Note]: 10002 1
03/18/06 10:36:57 [Info]: Hidden file: C:\WINDOWS\system32\dmdlv.exe
03/18/06 10:36:57 [Note]: 7002 32
03/18/06 10:36:57 [Note]: 7003 1
03/18/06 10:36:57 [Note]: 10002 1
03/18/06 10:36:58 [Info]: Hidden file: C:\WINDOWS\system32\filesafer23.exe
03/18/06 10:36:58 [Note]: 10002 1
03/18/06 10:36:59 [Info]: Hidden file: C:\WINDOWS\system32\csjjt.exe
03/18/06 10:36:59 [Note]: 7002 32
03/18/06 10:36:59 [Note]: 7003 1
03/18/06 10:36:59 [Note]: 10002 1
03/18/06 11:05:19 [Note]: 7007 0


ewido results were

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:14:59, 18/03/2006
+ Report-Checksum: D74E854D

+ Scan result:

HKLM\SOFTWARE\KMiNT21 -> Adware.DesktopSpyAgent : Cleaned with backup
[540] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[564] VM_00C70000 -> Downloader.Agent.uj : Error during cleaning
[384] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
[1144] VM_00BA0000 -> Downloader.Agent.uj : Error during cleaning
[1168] VM_00910000 -> Downloader.Agent.uj : Error during cleaning
[1220] VM_00960000 -> Downloader.Agent.uj : Error during cleaning
[1364] VM_008D0000 -> Downloader.Agent.uj : Error during cleaning
[1424] VM_008A0000 -> Downloader.Agent.uj : Error during cleaning
[1632] VM_00AF0000 -> Downloader.Agent.uj : Error during cleaning
[1704] VM_008A0000 -> Downloader.Agent.uj : Error during cleaning
[584] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning
[2820] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning
[3692] VM_00860000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\Jo\Cookies\jo@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Phil\Cookies\phil@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Phil\Cookies\phil@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Phil\Cookies\phil@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Phil\Cookies\phil@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP364\A0035266.EXE/btwebcontrol.dll -> Dialer.BT.b : Error during cleaning
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP364\A0035266.EXE/btwebcontrol.dll -> Dialer.BT.b : Error during cleaning
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP364\A0035267.dll -> Not-A-Virus.Monitor.Win32.HomeKeyLogger.170 : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP364\A0035268.dll -> Not-A-Virus.Monitor.Win32.GoldenKeylogger.130 : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP365\A0035287.dll -> Not-A-Virus.Monitor.Win32.IESpy.120 : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP365\A0035288.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP365\A0035317.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP366\A0035350.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP366\A0035364.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP366\A0036364.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP366\A0036372.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP366\A0036393.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP366\A0036412.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP367\A0036464.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP371\A0036503.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP371\A0036522.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP371\A0036539.exe -> Not-A-Virus.Monitor.Win32.IESpy.120 : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP371\A0036551.dll -> Not-A-Virus.Monitor.Win32.IESpy.120 : Cleaned with backup
C:\System Volume Information\_restore{7228313D-2C9E-40EE-8D4B-74DB05134CB0}\RP371\A0036552.exe -> Downloader.Agent.uj : Cleaned with backup


::Report End

and finally the Panda report was


Incident Status Location
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Phil\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4430eec2-3595b594.zip[Dummy.class]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Phil\Cookies\phil@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Phil\Cookies\phil@atwola[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Phil\Cookies\phil@did-it[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Phil\Cookies\phil@realmedia[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Phil\Cookies\phil@xmts[1].txt
Virus:Trj/Agent.BNZ Not disinfected C:\Documents and Settings\Phil\Local Settings\Temp\6258688\AutoSvr.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\Documents and Settings\Phil\Local Settings\Temp\pskill.exe
Adware:adware/winprotect Not disinfected C:\WINDOWS\Help\SPAlert.chm
Adware:adware/sbsoft Not disinfected C:\WINDOWS\rdt.ini

Hopefully you can help from this.

Regards, Phil

#4 AndyManchesta

Posted 18 March 2006 - 07:33 PM

Hi Phil

I can see it's Trojan Wareout causing the problems. I'm a bit busy now but will check through the results when I get home in a couple of hours and see what else needs removing. I didn't notice the file with the Windows Defender screenshots but it's probably not needed now I can see what the infection is.

It's clear it's Wareout because it uses rootkit features to hide itself from view and from malware scanners. This is why Blacklight is finding some of the files and Ewido is showing 'Downloader.Agent.uj : Error during cleaning': it's detecting it running in memory and detecting the files in System Restore, but it's not able to detect the active malware files that are running.

Please download FixWareout from one of these sites:

FixWareout Link 1
FixWareout Link 2

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

I'll repost a bit later when I have time to check the logs in detail.

Thanks Andy

#5 AndyManchesta

Posted 19 March 2006 - 01:51 AM

Hi Again,

There are 5 or 6 files that need removing, but I will wait to see the Wareout report and a new Hijack This log as it's likely it will show itself and possibly some more files after running the Fixwareout tool.

Cheers

Andy

#6 Phil B

Posted 19 March 2006 - 03:22 PM

AndyManchesta, on Mar 19 2006, 01:51 AM, said:

Hi Again,

There's 5 or 6 files that need removing but I will wait to see the Wareout report and a new Hijack This log as its likely it will show itself and possibly some more files after running the Fixwareout tool.

Cheers

Andy

Hi Andy

Fixwareout came up with the report as follows:

Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vldmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmdlv.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSJJT.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool


and HijackThis came up with:

Logfile of HijackThis v1.99.1
Scan saved at 15:21:02, on 19/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kana Reminder\Reminder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Kana Reminder] C:\Program Files\Kana Reminder\Reminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102776193078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.photobox....on/uploader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Regards, Phil
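
An added example, not part of Phil's post and not code from the FixWareout or Blacklight tools: the deleted key names in the FixWareout report can be checked against the hidden files Blacklight listed earlier. Two of them are those file names spelled backwards (vldmd / dmdlv.exe, 32refaselif / filesafer23.exe), which you can verify by eye from the two reports above. The script below does that correlation over constructed excerpts of the reports, notes which Run entry FixWareout removed, and lists which hidden files have no registry trace at all; the point for a defender is that deleting keys does not delete the files themselves, so every non-legitimate hidden file still needs handling (as the batch file in the next reply does). The "known legitimate" set holds only wbemtest.exe, which the earlier reply names as legitimate; treating every other hidden file as suspect is this script's assumption.

```python
import re

# Constructed excerpts of the Blacklight log and the FixWareout report posted above.
BLACKLIGHT_LOG = r"""
03/18/06 10:36:53 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
03/18/06 10:36:53 [Note]: 10002 1
03/18/06 10:36:57 [Info]: Hidden file: C:\WINDOWS\system32\dmdlv.exe
03/18/06 10:36:58 [Info]: Hidden file: C:\WINDOWS\system32\filesafer23.exe
03/18/06 10:36:59 [Info]: Hidden file: C:\WINDOWS\system32\csjjt.exe
"""

FIXWAREOUT_REPORT = r"""
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vldmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Random Runs removed from HKLM
"dmdlv.exe"=-
...
"""

# The one hidden file the helper in post #2 names as legitimate (assumption: nothing else is).
KNOWN_LEGIT = {"wbemtest.exe"}

HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (?P<path>.+)$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')   # the "name"=- lines FixWareout prints


def basename(path):
    return path.rsplit("\\", 1)[-1]


def hidden_files(log):
    """Full paths of every 'Hidden file' line in a Blacklight log."""
    out = []
    for line in log.splitlines():
        m = HIDDEN_RE.search(line)
        if m:
            out.append(m["path"])
    return out


def deleted_key_leaves(report):
    """Last path component of every deleted HKEY_... key."""
    return [basename(line) for line in report.splitlines() if line.startswith("HKEY_")]


def removed_runs(report):
    """Run-value names FixWareout removed (the '"name"=-' lines)."""
    out = []
    for line in report.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append(m["name"])
    return out


def correlate(hidden, leaves):
    """Map hidden file -> deleted key whose name is the file's stem spelled backwards."""
    by_reversed = {leaf[::-1].lower(): leaf for leaf in leaves}
    linked = {}
    for path in hidden:
        name = basename(path)
        stem = name.rsplit(".", 1)[0].lower()
        if stem in by_reversed:
            linked[name] = by_reversed[stem]
    return linked


def triage(log=BLACKLIGHT_LOG, report=FIXWAREOUT_REPORT):
    hidden = hidden_files(log)
    linked = correlate(hidden, deleted_key_leaves(report))
    runs = removed_runs(report)
    suspect = [basename(p) for p in hidden if basename(p).lower() not in KNOWN_LEGIT]
    # Hidden, not known-good, and with no registry trace at all: needs a closer look.
    uncorrelated = [n for n in suspect if n not in linked and n not in runs]
    return {
        "linked_keys": linked,          # file -> reversed-name key
        "run_entries_removed": runs,    # autorun removed, file itself still on disk
        "hidden_not_legit": suspect,    # every file that still has to go
        "uncorrelated": uncorrelated,
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```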

#7 AndyManchesta

Posted 19 March 2006 - 03:37 PM

Hi Phil (To reply without quoting my post use the Add Reply button rather than Reply)

Looking good

Can you open Notepad (Start Menu > run > type notepad and press OK)

Then copy and paste the contents of the code box into Notepad:

@echo off
REM Removes the files Panda and Blacklight reported. Each file first has its
REM read-only, hidden and system attributes cleared so that del can remove it.
cd %systemroot%\Help

attrib -r -h -s SPAlert.chm
del /q SPAlert.chm

cls
cd %systemroot%

attrib -r -h -s rdt.ini
del /q rdt.ini

cls
cd %systemroot%\System32

attrib -r -h -s dmdlv.exe
attrib -r -h -s csjjt.exe
attrib -r -h -s filesafer23.exe
del /q dmdlv.exe
del /q csjjt.exe
del /q filesafer23.exe

EXIT

Go to File on the top bar of Notepad and choose Save As. On the Save As Type change it to All Files, name it fix.bat and save it to your desktop.

Double click fix.bat; you will just notice a cmd screen open and close, and it's then finished and has removed the files.

Next open control panel and double click Java to open the Java control panel, On the Temporary Internet Files area, click Delete Files, place a check next to all three options Downloaded Applets, Downloaded Applications and Other Files then click OK and click OK again on the Java control panel to close the options screen.

Finally clear your system restore points:

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Run Ccleaner and then press the Run Cleaner button to remove any remaining temp files.

Once the above steps are complete, scan your system again with Ewido and Panda just to confirm there are no remaining problems, and post back the results if they detect any malware.

Thanks

Andy

#8 Phil B

Posted 21 March 2006 - 02:15 PM

Andy, thanks again

I only got one alert from ewido as follows, which I think is cookie related and was removed:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:11:30, 21/03/2006
+ Report-Checksum: 5BA2643F

+ Scan result:

C:\Documents and Settings\Jo\Cookies\jo@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup


::Report End


Panda scan was clean!


Seems everything is OK now.


How do I stop the Wareout Trojan infecting again?

Phil

#9 AndyManchesta

Posted 21 March 2006 - 02:58 PM

Hi Phil

I cannot give exact instructions on how to prevent Wareout as I'm really not sure what sites are infecting people with it, I will add some standard prevention steps below which should reduce the chances of you getting infected again.

Install Spywareblaster
SpywareBlaster doesn`t scan and clean spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via webpages.
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust, as a lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is excellent; it is much more secure than Internet Explorer & immune to almost all known browser hijackers. If you are interested, Firefox may be downloaded from HERE

More information on how to prevent malware and to explain how you got infected can be found Here (By Tony Klein) and Here

All The Best

Andy

#10 Phil B

Posted 21 March 2006 - 05:55 PM

Andy thanks for the info

I appreciate the help!

Regards, Phil

#11 AndyManchesta

Posted 21 March 2006 - 06:07 PM

You're welcome Phil,

Happy Surfing :)

All The Best

Andy