Author Topic: Internet Explorer 6 problem after Malaware/Spyware !  (Read 19697 times)

Broni


    Mastermind
  • Kraków my love :)
  • Thanked: 614
    • Computer Help Forum
  • Computer: Specs
  • Experience: Experienced
  • OS: Windows 8
Re: Internet Explorer 6 problem after Malaware/Spyware !
« Reply #15 on: February 14, 2008, 07:09:29 PM »
No problem. Judging from HJT log, a lot of crap was removed by SAS.

maxmix

    Topic Starter


    Rookie

    Re: Internet Explorer 6 problem after Malaware/Spyware !
    « Reply #16 on: February 15, 2008, 02:54:29 PM »
    Hi Guys....

    Have left this latest full scan running over night.... Another long one etc....

    Will post log and new Hijack log tomorrow....

    Still Cannot display web page, gave it a quick try with the modem plugged in.... Before starting scan etc....

    Do you think I will get this connecting again ?

    maxmix

    Broni


    Re: Internet Explorer 6 problem after Malaware/Spyware !
    « Reply #17 on: February 15, 2008, 06:34:44 PM »
    It's hard to say before HJT log is posted, and we can see what's there.

    maxmix


      Re: Internet Explorer 6 problem after Malaware/Spyware !
      « Reply #18 on: February 16, 2008, 07:31:38 AM »
      Still a load of crap found.... Thank goodness for my little Asus EEE :)

      OK Next 3 logs posted.... And still won't connect :(

      BTW I remember the file now (I see it in one of the logs) that triggered/caused all this grief last Saturday.....

      17PHolmes572.exe (I remember seeing it in a flash then it bypassed my AV SW and killed my connection)

      maxmix

      [file cleanup - saving space - attachment deleted by admin]

      maxmix


        Re: Internet Explorer 6 problem after Malaware/Spyware !
        « Reply #19 on: February 16, 2008, 07:33:31 AM »
        New Hijackthis log.....

        Thanks

        maxmix

        [file cleanup - saving space - attachment deleted by admin]

        Broni


        Re: Internet Explorer 6 problem after Malaware/Spyware !
        « Reply #20 on: February 16, 2008, 10:24:58 AM »
        Both logs are not readable.
        How did you save them?

        maxmix


          Re: Internet Explorer 6 problem after Malaware/Spyware !
          « Reply #21 on: February 18, 2008, 07:13:03 AM »
          Just as txt, But here we go.....

          Malwarebytes' Anti-Malware 1.03
          Database version: 337

          Scan type: Full Scan (C:\|D:\|E:\|F:\|)
          Objects scanned: 731782
          Time elapsed: 3 hour(s), 18 minute(s), 44 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 17
          Registry Values Infected: 4
          Registry Data Items Infected: 0
          Folders Infected: 2
          Files Infected: 18

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CLASSES_ROOT\CLSID\{e180f496-8a4b-44e2-9fe0-0364e345db7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e180f496-8a4b-44e2-9fe0-0364e345db7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-100005000004} (Rogue.Installer) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e180f496-8a4b-44e2-9fe0-0364e345db7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{6780a29e-6a18-0c70-1dff-1610dde00108} (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          D:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

          Files Infected:
          C:\msgid_2513758_Norton_Anti_Virus_2007_(Vista)\Norton Anti Virus 2007 (Vista)\Keygen.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{7F83E266-DCC3-4172-A8B1-12821784669D}\RP5\A0000873.exe (Adware.Zango) -> Quarantined and deleted successfully.
          C:\System Volume Information\_restore{7F83E266-DCC3-4172-A8B1-12821784669D}\RP5\A0000874.exe (Adware.Zango) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(2)(3).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(4)(2).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(3)(2).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(2)(2).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(3)(3).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(4)(3).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(3)(4).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\wsnpoem\audio(2)(4).dll (Trojan.Agent) -> Quarantined and deleted successfully.
          D:\WINDOWS\17PHolmes572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\1_exception.nls (Malware.Trace) -> Quarantined and deleted successfully.
          D:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.
          D:\Documents and Settings\Microsoft User.MICROSOF-D1AB79\~tmp74.exe (Heuristic.Malware) -> Quarantined and deleted successfully.

          maxmix

          maxmix


            Re: Internet Explorer 6 problem after Malaware/Spyware !
            « Reply #22 on: February 18, 2008, 07:16:11 AM »
            and.... Log of Trend Micro HijackThis

            Too big to copy and paste....

            maxmix

            PS Still can't connect :(

            [file cleanup - saving space - attachment deleted by admin]

            Broni


            Re: Internet Explorer 6 problem after Malaware/Spyware !
            « Reply #23 on: February 18, 2008, 09:40:45 AM »
            Quote
            Still can't connect
            We'll worry about it when your computer is clean.
            I'm also concerned about the SP3 you installed. It's still in beta. Where did you get it from?

            1. Print this post out, since you won't have access to it at some point.

            2. Close all windows, except for HijackThis.

            3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

            - F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\ntos.exe,
            - O2 - BHO: (no name) - {3E8F7140-F3D1-42B9-BD02-420E662CABD3} - (no file)
            - *O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
            - *O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
            - *O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
            - O4 - HKCU\..\Run: [userinit] D:\WINDOWS\system32\ntos.exe
            - *O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            - O4 - HKUS\S-1-5-18\..\Run: [userinit] D:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
            - O20 - Winlogon Notify: bqxztdsw - bqxztdsw.dll (file missing)
            - O20 - Winlogon Notify: p2k32reg - D:\Documents and Settings\All Users.WINDOWS\Documents\Settings\p2k32.dll (file missing)
            - O20 - Winlogon Notify: xxyayay - xxyayay.dll (file missing)
            - O23 - Service: COM+ Messages - Unknown owner - -e,mc-110-12-0000272, (file missing)


            4. Click on "Fix checked" button.

            5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

            6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

            7. Delete following files/folders (if present):

            - ntos.exe file from D:\WINDOWS\system32

            8. Turn off System Restore:

            - Windows XP:
               1. Click Start.
               2. Right-click the My Computer icon, and then click Properties.
               3. Click the System Restore tab.
               4. Check "Turn off System Restore".
               5. Click Apply.
               6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
               7. Click OK.
            - Windows Vista:
               1. Click Start.
               2. Right-click the Computer icon, and then click Properties.
               3. Click on System Protection under the Tasks column on the left side
               4. Click on Continue on the "User Account Control" window that pops up
               5. Under the System Protection tab, find Available Disks
               6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
               7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
               8. Click OK

            9. Restart in Normal Mode.

            10. Turn System Restore on.

            11. Post new HijackThis log.
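
An added example, not part of the original post or of HijackThis itself: a small Python triage of the kind of entries listed in Reply #23. It flags a Userinit value with a second program chained on (Winlogon launches every comma-separated entry at logon), other autostarts that point at the same binary, and entries whose file is missing. The function names and finding categories are assumptions made for this illustration; the sample lines are copied from the post.

```python
import ntpath
import re

# Entries copied from the HijackThis list in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {3E8F7140-F3D1-42B9-BD02-420E662CABD3} - (no file)
*O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [userinit] D:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] D:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O20 - Winlogon Notify: xxyayay - xxyayay.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - -e,mc-110-12-0000272, (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def parse(log):
    """Return [(section_code, body)] for each HijackThis entry line."""
    entries = []
    for raw in log.splitlines():
        # Drop list bullets and the post's "*" marker before matching.
        m = ENTRY_RE.match(raw.strip().lstrip("*- "))
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def userinit_extras(body):
    """Programs chained onto the Userinit value besides userinit.exe."""
    if "userinit=" not in body.lower():
        return []
    paths = [p.strip() for p in body.split("=", 1)[1].split(",")]
    return [p for p in paths if p and ntpath.basename(p).lower() != "userinit.exe"]


def triage(log):
    """Group section codes by finding type (hypothetical category names)."""
    entries = parse(log)
    extras = [p.lower() for c, b in entries if c == "F2" for p in userinit_extras(b)]
    found = {"userinit_hijack": [], "same_binary_elsewhere": [], "orphaned": []}
    for code, body in entries:
        low = body.lower()
        if code == "F2" and userinit_extras(body):
            found["userinit_hijack"].append(code)        # extra program at logon
        elif any(p in low for p in extras):
            found["same_binary_elsewhere"].append(code)  # other autostarts, same file
        elif low.endswith(("(file missing)", "(no file)")):
            found["orphaned"].append(code)               # registry entry, no file on disk
    return found


if __name__ == "__main__":
    for finding, codes in triage(SAMPLE_LOG).items():
        print(f"{finding}: {codes}")
```
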

            maxmix


              Re: Internet Explorer 6 problem after Malaware/Spyware !
              « Reply #24 on: February 18, 2008, 06:55:48 PM »
              Thanks Broni :)

              Here we go....

              Got to stage 7 NP.... (No ntos.exe file or folder) closest in the System32 Dir was a Kernel file (ntoskrnl @ 2.09MB)

              Got to stage 11 NP.... Log attached now.... (Tried a quick connect still nothing) Fair enough....

              **** Update... While I was connected to my ISP at 7.6MB in the Systray etc (Bottom right) I tried clicking on home (www.yahoo.com) etc.... The error is displayed for a millisecond down the bottom left of IE

              I tried clicking as fast as I could for a bit and managed eventually to write down the error that IE briefly displays before 404 not found etc....

              ''d:\Windows\System32\xpsp3res.dll\dnserror.htm (I wonder if this is to do with the Beta SP3 I downloaded to try and update my settings before I came to you guys for help....)

              Anyway.... At the ready tomorrow :)

              maxmix

              [file cleanup - saving space - attachment deleted by admin]

              Broni


              Re: Internet Explorer 6 problem after Malaware/Spyware !
              « Reply #25 on: February 18, 2008, 08:19:09 PM »
              OK. The log is clean. We still have a long way to go.

              What do you mean by:
              Quote
              While I was connected to my ISP
              Were you able to connect briefly?

              xpsp3res.dll is Service Pack 3 Messages service.
              That said, I want you to completely uninstall SP3, and we'll go from there.

              maxmix


                Re: Internet Explorer 6 problem after Malaware/Spyware !
                « Reply #26 on: February 18, 2008, 08:40:53 PM »
                My USB Voyager (ADSL) Modem has always connected from the start and still will if I plug it in....

                But IE Cannot open any pages (From the start) I tried IE7 SP3 Reinstall XP everything but no www can be displayed....

                I will try and uninstall SP3 tomorrow and LYK how I get on.... Any tips about this....

                I used an XP Pro CD (Hmmm) with SP3 integrated (All I could lay my hands on at the time)

                I may have to install XP again (I have since found my original XP Pro CD) with SP1 or 2 (Original etc)

                maxmix

                PS Late one tonight.... 3:30am here lol (NN)

                patio

                • Moderator


                • Genius
                • Maud' Dib
                • Thanked: 1769
                  • Yes
                • Experience: Beginner
                • OS: Windows 7
                Re: Internet Explorer 6 problem after Malaware/Spyware !
                « Reply #27 on: February 18, 2008, 08:46:21 PM »
                If you have an XPPro CD with SP3 integrated then it is a bootleg and all bets are off...
                " Anyone who goes to a psychiatrist should have his head examined. "

                Broni


                Re: Internet Explorer 6 problem after Malaware/Spyware !
                « Reply #28 on: February 18, 2008, 08:46:57 PM »
                Quote
                I will try and uninstall SP3 tomorrow and LYK how I get on.... Any tips about this....
                I have no clue, since I didn't play with it.

                maxmix


                  Re: Internet Explorer 6 problem after Malaware/Spyware !
                  « Reply #29 on: February 19, 2008, 02:53:58 PM »
                  Right new news.... I could not remove SP3 manually so I installed the XP Pro CD again (Sorry it's SP2 integrated) SP3 came from here 330MB I downloaded (Full version)

                  So Installed a fresh XP this time into my d:\windows folder all went well obviously I have had to reinstall all my drivers and progs again etc (Still at that) but I have net access again....

                  But getting a lot of .dll errors popping up.... and a new 'Windows Messenger' spyware box that I can't get rid of...

                  Once I have all my progs installed again, what AV and Spyware should I reinstall and run.... I'll post up logs as before and then re run Hijack this etc....

                  Thanks

                  maxmix