
Thread: User's Computer infected

  1. #1
    Senior Member Zorolord's Avatar
    Join Date
    Sep 2001
    Posts
    142

    User's Computer infected

    Can somebody shed any light on a major problem I have? I have a Windows XP machine with SP1 installed. The problem is some idiot had been looking at a porn site and somehow managed to infect the machine with two viruses and a load of spyware (the user hadn't locked his PC). One virus is called Win32: Startpage -006. I have tried cleaning the machine with the following programs.

    Old version of Sophos Anti-Virus was installed I removed this.
    Webroot Spy Sweeper
    Avast Cleaner 1.0.3 and Avast 4 Home Edition
    Lavasoft Ad-aware 6
    and below HJT

    The problem I have is that I thought I had eradicated all the crap, i.e. the viruses and spyware. I performed a virus cleanup and spy sweep through safe mode and I thought everything was clean. However, once I rebooted the computer the registry was infected again and the programs and pop-ups came flooding back. I have disconnected the computer from the internet to prevent further infection or remote control.

    There seems to be a program called Winad that keeps reappearing. I was told to check the registry and find 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \' and any keys that exist within this structure I should delete. The CLSID folder does not exist. I have been deleting all entries that I find suspicious, however once I reboot or run HJT again they have regenerated.

    I would appreciate any advice that may help remove this crap. Could anyone identify the correct name of the virus I mentioned, as this would help me remove it? Alternatively, does anyone know what registry keys I need to remove or should check?

    Further info: I tried connecting to the internet once and it must still be infected, as loads of hc porn popups appeared and Windows Update failed.

    Thanks in adv

    Logfile of HijackThis v1.98.2
    Scan saved at 16:15:35, on 16/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\mnmsrvc.exe
    C:\WINDOWS\winxe32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\WINDOWS\System32\twink64.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\d3ro.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iyudb.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iyudb.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://***********:8080/vcproxy.pac (I have blanked this info on purpose.)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A66A7703-9E5D-D32F-B86A-2B0EE436B436} - C:\WINDOWS\msvn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
    O4 - HKLM\..\Run: [d3ro.exe] C:\WINDOWS\d3ro.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095324986234

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    First: Get Adaware SE and get it updated.
    Also Spybot S&D 1.3 and get it updated as well..

    Run each in turn.. clear the crap from each..
    then re-scan with HJT.. check the following to see if they are still there..(list at end of post..)

    Post back the new log before you remove anything else

    Cheers

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iyudb.dll

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iy

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe

    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.d
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.blazefind.com
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
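    Post #2 picks the suspicious R1/R3/O4/O15 lines out of the log by eye. As an added example, not code from this thread, from HijackThis or from any of the posters, the Python script below applies the same kind of rules mechanically to the log lines posted above (copied into SAMPLE_LOG as constructed sample input) and states why each line is flagged. The rule set, the Finding class and every function name are my own; the "rundll32-style argument" rule is a heuristic I added to catch entries like the twink64 line, which the structural rules alone would miss.

    ```python
    import re
    from dataclasses import dataclass
    from typing import List, Optional

    # Constructed sample input: a subset of the HijackThis 1.98 log posted in this thread.
    SAMPLE_LOG = r"""
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iyudb.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iyudb.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A66A7703-9E5D-D32F-B86A-2B0EE436B436} - C:\WINDOWS\msvn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
    O4 - HKLM\..\Run: [d3ro.exe] C:\WINDOWS\d3ro.exe
    O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    """


    @dataclass
    class Finding:
        section: str   # HijackThis section code (R1, O4, ...)
        line: str      # the log line as posted
        reason: str    # why the rule flagged it


    # Names Windows keeps in System32; the same file name anywhere else is a common
    # disguise (the golumm\services.exe entries in the thread are an instance).
    SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "winlogon.exe",
                           "lsass.exe", "csrss.exe", "smss.exe"}
    WINDIR = r"c:\windows"
    SYSTEM32 = r"c:\windows\system32"

    RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
    # Heuristic (my own): a "name.dll,Export" argument is rundll32 syntax; handed to
    # anything other than rundll32.exe it deserves a look.
    DLL_EXPORT_ARG_RE = re.compile(r"\b\w+\.dll,\w+", re.IGNORECASE)


    def split_command(command: str):
        """Return (executable, arguments) for a Run value, honouring a quoted path."""
        command = command.strip()
        if command.startswith('"'):
            end = command.find('"', 1)
            return command[1:end], command[end + 1:].strip()
        head, _, tail = command.partition(" ")
        return head, tail


    def check_run(command: str) -> Optional[str]:
        """Apply the O4 rules to one Run command; None means nothing stood out."""
        exe, args = split_command(command)
        parent, _, base = exe.lower().rpartition("\\")
        if base in SYSTEM_BINARY_NAMES and parent != SYSTEM32:
            return f"{base} launched from {parent or 'an unspecified directory'} instead of System32"
        if parent == WINDIR:
            return "executable dropped directly in the Windows directory"
        if DLL_EXPORT_ARG_RE.search(args) and base != "rundll32.exe":
            return "rundll32-style 'dll,Export' argument handed to an unknown executable (heuristic)"
        return None


    def check_line(line: str) -> Optional[Finding]:
        line = line.strip()
        if not line:
            return None
        section = line.split(" ", 1)[0]
        if section == "R1" and "res://" in line and ".dll" in line.lower():
            return Finding(section, line, "IE search/start page served from a local DLL resource")
        if section == "R3" and "URLSearchHook is missing" in line:
            return Finding(section, line, "default URLSearchHook removed")
        if section == "O2":
            dll = line.rsplit(" - ", 1)[-1].lower()
            if "(no name)" in line or dll.rpartition("\\")[0] == WINDIR:
                return Finding(section, line, "unnamed BHO, or BHO DLL living in the Windows directory")
        if section == "O15":
            return Finding(section, line, "site added to the IE Trusted zone (the default list is empty)")
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            reason = check_run(command)
            if reason:
                return Finding(section, line, f"{hive} Run entry [{name}]: {reason}")
        return None


    def triage(log_text: str) -> List[Finding]:
        """Run every rule over a HijackThis log and return the flagged lines in order."""
        return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


    def flagged_run_names(log_text: str) -> set:
        """Names of the O4 Run entries the rules flag, for comparison with a reviewer's list."""
        names = set()
        for f in triage(log_text):
            m = RUN_RE.match(f.line)
            if m:
                names.add(m.group(2))
        return names


    if __name__ == "__main__":
        for f in triage(SAMPLE_LOG):
            print(f"{f.section}: {f.reason}\n    {f.line}")
    ```

    Run against the sample it flags the same entries post #2 lists (the two res:// R1 lines, the missing URLSearchHook, twink64, both golumm services.exe entries and every O15 Trusted Zone addition) plus the d3ro.exe and unnamed-BHO lines, while leaving the IgfxTray, avast and SpySweeper entries alone. A bare name such as SOUNDMAN.EXE carries no directory information, so the rules say nothing about it; the script is a triage aid that orders a reviewer's attention, not a verdict on any line.
    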

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I think that you're infected with a CoolWebSearch variant that is particularly nasty:

    If you follow the advice given by Groovicus on the link below you should be able to manually rid yourself of this pest. I don't know whether the latest Adaware that undertaker has linked you to can effectively deal with the problem; I know that the previous version couldn't. If you are still having problems after running Adaware SE go here and follow the instructions to the letter.
    http://www.antionline.com/showthread...374#post781374
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Yep, that's definitely the nasty CWS. That link will help you clean it up. As for the WinAd - go to Add/Remove Programs and uninstall it. Then fix it with HijackThis. After, go delete the file if it's still about. Although, I don't see it in this log.......

    Also, delete this folder as well: C:\WINDOWS\System32\golumm

    But, in order of importance, I would deal with the CWS before trying to kill anything else.

    Good luck!

  5. #5
    my points don't count so I'll just publicly clap jinxy on the back for being first to recognise..

    undies started out good but left us hanging.. <grin>

  6. #6
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    mine do, just not too much yet. Good job Jinxy.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Wot get it right on the first go...Me???? never!!!..

    Give all the info first time... never..

    But how is zorolord getting on?

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Senior Member Zorolord's Avatar
    Join Date
    Sep 2001
    Posts
    142
    I know that it has taken a long time for me to return to this forum, but I would like to thank you all for your help. I managed to get rid of this CWS spyware virus demon last Friday. I tried some new tools that Und3ertak3r and jinxy suggested (Thx a lot). I basically ran the computer in safe mode, ran Search and Destroy, Webroot Spy Sweeper and ran the virus check again. Checked Windows XP in normal mode and ran scanners again to confirm that the machine was clean. Also found some new entries in the registry referring to WinAD and Golumn service.exe.

    Once again I apologise for not letting you guys know what was happening. Cheers

  9. #9
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    You came back to let us know.. That we are grateful for

    jinxy identified the family of the pest..

    And you're now "el Geeko Supremo" to your friend.. that is best (oh and I hope he greased the palm of your hand with a red back or two (that is aussie speak.. for 20 bills )


    Cheers..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
