
I Need help!! Removed files before using HJT

I had a feeling that my computer had a virus when certain IE windows would close after I opened them. After doing a little research, I found that my computer had been hit with the worm that's travelling through MSN Messenger.

I downloaded Ad-Aware SE and Spybot and went about removing infected files from my computer. After reading a post in the forum, I think that maybe I should have consulted someone first and downloaded HJT.

I have the log anyway but want to know how to remove the virus's (don't know the correct plural term) and check if my system is still intact without damage. Would really appreciate help. :confused:

Comments

  • edited March 2005
    qtkyle wrote:
    Logfile of HijackThis v1.99.1
    Scan saved at 02:08:46, on 16/03/2005
    Platform: Windows 2003 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\ccmsetup\ccmsetup.exe
    C:\WINNT\System32\svchost.exe
    C:\Apps\Microsoft Firewall Client 2004\FwcAgent.exe
    c:\apps\highpoint technologies, inc\HighPoint Storage Management Software\service\hptsvr.exe
    c:\apps\highpoint technologies, inc\HighPoint Storage Management Software\service\drvinst.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\system32\cba\pds.exe
    C:\Apps\Symantec\SYMANT~1\NSCTOP.EXE
    C:\WINNT\system32\ntfrs.exe
    C:\Apps\Microsoft Virtual Server\vmh.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\system32\ams_ii\hndlrsvc.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\system32\ams_ii\iao.exe
    C:\WINNT\system32\cba\xfr.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\CTHELPER.EXE
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Apps\Microsoft Firewall Client 2004\FwcMgmt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Apps\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardUser.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mtv.com/
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O1 - Hosts: 64.233.167.104 www.symantec.com
    O1 - Hosts: 64.233.167.104 www.sophos.com
    O1 - Hosts: 64.233.167.104 www.mcafee.com
    O1 - Hosts: 64.233.167.104 www.viruslist.com
    O1 - Hosts: 64.233.167.104 www.f-secure.com
    O1 - Hosts: 64.233.167.104 www.avp.com
    O1 - Hosts: 64.233.167.104 www.kaspersky.com
    O1 - Hosts: 64.233.167.104 www.networkassociates.com
    O1 - Hosts: 64.233.167.104 www.ca.com
    O1 - Hosts: 64.233.167.104 www.my-etrust.com
    O1 - Hosts: 64.233.167.104 www.nai.com
    O1 - Hosts: 64.233.167.104 www.trendmicro.com
    O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
    O1 - Hosts: 64.233.167.104 sophos.com
    O1 - Hosts: 64.233.167.104 mcafee.com
    O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
    O1 - Hosts: 64.233.167.104 viruslist.com
    O1 - Hosts: 64.233.167.104 f-secure.com
    O1 - Hosts: 64.233.167.104 kaspersky.com
    O1 - Hosts: 64.233.167.104 kaspersky-labs.com
    O1 - Hosts: 64.233.167.104 avp.com
    O1 - Hosts: 64.233.167.104 networkassociates.com
    O1 - Hosts: 64.233.167.104 ca.com
    O1 - Hosts: 64.233.167.104 mast.mcafee.com
    O1 - Hosts: 64.233.167.104 my-etrust.com
    O1 - Hosts: 64.233.167.104 download.mcafee.com
    O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
    O1 - Hosts: 64.233.167.104 secure.nai.com
    O1 - Hosts: 64.233.167.104 nai.com
    O1 - Hosts: 64.233.167.104 update.symantec.com
    O1 - Hosts: 64.233.167.104 updates.symantec.com
    O1 - Hosts: 64.233.167.104 us.mcafee.com
    O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
    O1 - Hosts: 64.233.167.104 customer.symantec.com
    O1 - Hosts: 64.233.167.104 rads.mcafee.com
    O1 - Hosts: 64.233.167.104 trendmicro.com
    O1 - Hosts: 64.233.167.104 sandbox.norman.no
    O1 - Hosts: 64.233.167.104 www.pandasoftware.com
    O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [vptray] D:\Apps\sav\vptray.exe
    O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Apps\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avnort] C:\WINNT\msmbw.exe
    O4 - HKLM\..\Run: [serpe] C:\WINNT\system32\serbw.exe
    O4 - HKLM\..\Run: [ltwob] C:\WINNT\system32\formatsys.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\RunServices: [avnort] C:\WINNT\msmbw.exe
    O4 - HKLM\..\RunServices: [serpe] C:\WINNT\system32\serbw.exe
    O4 - HKLM\..\RunServices: [ltwob] C:\WINNT\system32\formatsys.exe
    O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
    O4 - Global Startup: Bginfo.exe
    O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Apps\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Apps\MICROS~1\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\apps\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\apps\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\apps\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\apps\microsoft firewall client 2004\fwcwsp.dll
    O10 - Unknown file in Winsock LSP: c:\apps\microsoft firewall client 2004\fwcwsp.dll
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09567f27a877870dca01/netzip/RdxIE601.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rugood4it.net
    O17 - HKLM\Software\..\Telephony: DomainName = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FE7B026-C3BA-40F7-ADDC-4643D3917B58}: Domain = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0FE7B026-C3BA-40F7-ADDC-4643D3917B58}: NameServer = 172.16.100.5,172.16.109.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D1940FE-0184-4A46-9A9C-1EA2B67830DF}: Domain = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1D1940FE-0184-4A46-9A9C-1EA2B67830DF}: NameServer = 172.16.100.5,172.16.109.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5D8CD1BA-0BCC-4502-BB13-0E1F9E83E17C}: Domain = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5D8CD1BA-0BCC-4502-BB13-0E1F9E83E17C}: NameServer = 192.168.0.1,158.43.240.4,158.43.240.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{851A5651-2A45-4236-9DA4-3DBE743C6474}: NameServer = 172.16.100.5,172.16.109.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D16482B4-0A75-4202-AD7C-79A4CDEE4838}: Domain = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D16482B4-0A75-4202-AD7C-79A4CDEE4838}: NameServer = 172.16.100.5,172.16.109.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F439477E-0A0C-48B9-9D1B-25DC56F16787}: Domain = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F439477E-0A0C-48B9-9D1B-25DC56F16787}: NameServer = 172.16.100.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DA08A2-7143-4844-A0E9-7489448D58EF}: Domain = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DA08A2-7143-4844-A0E9-7489448D58EF}: NameServer = 172.16.1.7,172.16.1.37
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rugood4it.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rugood4it.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rugood4it.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rugood4it.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rugood4it.net
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\\NavLogon.dll
    O23 - Service: ccmsetup - Unknown owner - C:\WINNT\system32\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf (file missing)
    O23 - Service: DefWatch - Unknown owner - D:\Apps\sav\DefWatch.exe (file missing)
    O23 - Service: HighPoint Storage Management Service (hptsvr) - Unknown owner - c:\apps\highpoint technologies, inc\HighPoint Storage Management Software\service\hptsvr.exe
    O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
    O23 - Service: Microsoft Exchange Management (MSExchangeMGMT) - Unknown owner - C:\Apps\Exchsrvr\bin\exmgmt.exe (file missing)
    O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Unknown owner - D:\Apps\sav\Rtvscan.exe (file missing)
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Apps\Symantec\SYMANT~1\NSCTOP.EXE
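A small log triage script, added here as an example and not part of the thread or of HijackThis itself, that parses the O1 and O4 lines of a HijackThis log (the embedded excerpt is copied from the log above) and flags the two findings a reviewer would pick out of it: many security-vendor hostnames pinned to a single address in the hosts file, and autostart value names duplicated under both Run and RunServices. The regexes, the threshold and the function names are my assumptions about the log format, not anything HijackThis ships.

```python
import re
from collections import defaultdict

# Excerpt copied from the HijackThis log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 64.233.167.104 www.symantec.com
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKLM\..\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINNT\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINNT\system32\serbw.exe
"""

# Assumed line shapes: "O1 - Hosts: <ip> <host>" and "O4 - <hive>\..\<subkey>: [<name>] <path>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*):\s+\[([^\]]+)\]\s*(.*)$")


def hosts_redirects(lines, min_hosts=3):
    """Group O1 Hosts entries by target address. One non-loopback IP
    absorbing several hostnames (here, antivirus vendor sites) is the
    signature of a hosts-file hijack that blocks signature updates."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and not m.group(1).startswith("127."):
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_hosts}


def run_runservices_twins(lines):
    """Return O4 value names registered under both Run and RunServices,
    the double persistence left behind as avnort/serpe/ltwob in the log above."""
    by_name = defaultdict(dict)           # value name -> {subkey: path}
    for line in lines:
        m = O4_RE.match(line)
        if m:
            _hive, subkey, name, path = m.groups()
            by_name[name][subkey] = path
    return {name: keys["Run"] for name, keys in by_name.items()
            if "Run" in keys and "RunServices" in keys}


def triage(log_text):
    """Run both checks over raw HijackThis log text."""
    lines = log_text.splitlines()
    return {"hosts_hijack": hosts_redirects(lines),
            "run_twins": run_runservices_twins(lines)}
```

Running `triage(SAMPLE_LOG)` reports the single address behind the four vendor hostnames and the two Run/RunServices twins, while the legitimate UpdReg entry is not flagged.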
  • edited March 2005
    Some assistance please. I know everyone's busy, just getting a little worried about the state of my computer.
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    1. Download the attached file and extract it to your desktop.

    2. Disable your system restore.

    3. Disconnect from the Internet.

    4. Run the removal tool, reboot, and run it again.

    5. Post a new hijackthis log.