HijackThis log


nicklieb, Programmer, GB, Oct 17, 2002
I have got some spyware on my home PC that I've been trying to get rid of for the past 3 days.

I have already run quite a few different apps but none of them seem to clear it.

Could you take a look at the latest HijackThis log please and indicate what may still be resident on my system.


Logfile of HijackThis v1.98.2
Scan saved at 18:34:50, on 19/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\winsys.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Microsoft Update] winsys.exe
O4 - HKLM\..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\RunServices: [Microsoft Update] winsys.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B87F7DC-9E54-42AC-B849-A9A16F77B57E}: NameServer = 212.158.192.3 212.158.192.2


I'm getting really fed up with it. I have already deleted some files and reg keys with HijackThis, and it looks fine until I next switch on my PC and it returns...

Please please help! It's driving me bonkers..
 
Turn off your system restore. The problem could be lying in there. I'm assuming you've run a virus scan with up to date definitions.
 
I'm assuming that you've already updated and run Spybot S&D and AdAware.

Proceeding from there, and adding the standard caveat that I am NOT an expert, and if you want to take my advice, it is with that understanding, then the only thing I see is the line:

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

This is listed as a component of Flingstone Bridge spyware.


First disable your system restore.
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

Then back up your registry.

Kill these running processes with Task Manager: "bridge.exe" "bridgew.exe"

Have HiJackThis fix the line:
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

If this works, great. If not, there is a more in depth registry fix from PestPatrol as follows:


Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rundll, delete it and reboot the machine immediately.

Unregister these DLLs with Regsvr32, then reboot:
systemroot+\downloaded program files\conflict.1\bridge.dll
systemroot+\downloaded program files\jao.dll
systemroot+\downloaded program files\rntx.dll
systemroot+\system\bridge.dll
systemroot+\system32\bridge.dll

Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
HKEY_CLASSES_ROOT\typelib\{ddaf2479-6f00-4599-998a-3ed75686c6d0}
HKEY_CLASSES_ROOT\typelib\{ddaf2479-6f00-4599-998a-3ed75686c6d0}\1.0\flags
HKEY_LOCAL_MACHINE\clsid\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
HKEY_LOCAL_MACHINE\software\classes\clsid\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rundll

Remove these files (if present) with Windows Explorer:
bridge.exe
bridgew.exe
systemroot+\downloaded program files\conflict.1\bridge.dll
systemroot+\downloaded program files\jao.dll
systemroot+\downloaded program files\rntx.dll
systemroot+\downloaded program files\rntx.inf
systemroot+\system\bridge.dll
systemroot+\system32\bridge.dll


Best of luck to you.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 
C:\WINDOWS\System32\winsys.exe is a monitoring application; if your PC is in a corporate domain then it could be legitimate as part of a network install/monitoring. If not, terminate it with Task Manager, remove it and all instances of it with HijackThis, run a full AV and spyware check with several checkers, and change all of your passwords just to be on the safe side.

John
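As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that applies the checks the replies above rely on to the O2/O4 lines of the posted log: a BHO whose DLL is "(no file)", autorun values that are bare filenames with no path (as the winsys.exe entries are), use of the RunServices key, and one executable registered in several autorun locations. The sample lines are copied from the log above; the checks are heuristics, so whatever they flag is a lead to verify by hand, not a verdict.

```python
import re
from collections import defaultdict

# Constructed excerpt: O2/O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Microsoft Update] winsys.exe
O4 - HKLM\..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] winsys.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys.exe
O4 - HKCU\..\RunServices: [Microsoft Update] winsys.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def executable(cmd):
    """Pull the program out of an autorun command: a quoted path, or text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def triage(log_text):
    """Return (entry, reason) pairs for lines that deserve a closer look."""
    findings, locations = [], defaultdict(list)
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append((line, "BHO still registered but its DLL is gone (orphaned or half-removed)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable(m.group("cmd"))
        if "\\" not in exe:
            findings.append((line, "bare filename with no path: resolved via the search path, so its real location is unknown"))
        if m.group("key").lower() == "runservices":
            findings.append((line, "RunServices is a Windows 9x/ME key; XP-era software rarely writes it"))
        locations[exe.lower()].append(m.group("hive") + "\\" + m.group("key"))
    for exe, where in locations.items():
        if len(where) > 1:
            findings.append((exe, "registered in several autorun locations: " + ", ".join(where)))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```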
 
OK, I still have this problem.

Terminating winsys.exe from the Task Manager prevents the pop-ups from occurring.

But I still cannot sweep my system clean.

I've tried in safe mode, but nothing gets picked up by Ad-Aware and nothing that I can make out from the HijackThis log.

It's coming to the point where I'm just going to do a reformat and reinstall.... :(
 
Ok,

winsys.exe, when entered into Google, is reported to be down to the RBOT worm, but a search in various anti-virus sites relates it to several trojans also. I would download sysclean and the latest pattern file from Trend Micro and run it in safe mode, ensuring that you have turned off System Restore first....

Following this, run Spybot, Ad-Aware etc. and post the log here...

Hope this is helpful

Kes
 
just to follow up... everything I tried did not work,

so I reformatted and re-installed...

the spy/malware mongers have won again...
 
Having done the reinstall, I'd recommend consideration of an imaging program to image your install and make this process easier the next time it becomes necessary.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 