BHOs/trojans help... HijackThis log posted


iinfi

mekalodu
Yesterday I downloaded something funny and got trojans on my PC.
I could remove some with Avast and my anti-spyware, but some still remain on my system.
I get occasional pop-ups when I surf the net.

This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:29 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Go!Zilla Downloads\hijack this\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{97E32D08-80C1-429E-8911-22192C847086}: NameServer = 202.54.1.18,203.197.12.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BB7DC7-2428-456B-84ED-C3FDA03FB0E3}: NameServer = 203.197.12.30 202.54.1.18
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Could you help me, guys?
Also, I'm thinking of going in for a paid anti-virus.
Should I go for NOD32, Kaspersky, McAfee or Quick Heal??
The best solution would be to stick with Avast and not download anything funny, I know!! :)

thanks
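A log like the one above can be triaged mechanically before anyone eyeballs it line by line. The script below is an added example for this thread, not code from the original post and not part of HijackThis. It parses the v1.99 log layout (the "Running processes" list, then `Oxx - ...` entries) and applies a few first-pass checks a responder would make: O4 autoruns given as a bare file name (which the search path resolves, so the log does not tell you which binary actually runs), entries marked "(file missing)", O23 services with no publisher, O17 name servers outside a set you trust, and processes running from outside the usual system folders. The sample log is a constructed excerpt shaped like the poster's; the heuristics, the `EXPECTED_PREFIXES` list and the "trusted" resolver set are this example's assumptions, not HijackThis rules.

```python
"""Triage a HijackThis v1.99 log: parse it and list the entries a responder
checks first.  Added example, not part of the thread and not HijackThis code.
The sample log is a constructed excerpt shaped like the poster's log."""
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the poster's log (most lines omitted).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
G:\Go!Zilla Downloads\hijack this\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{97E32D08-80C1-429E-8911-22192C847086}: NameServer = 202.54.1.18,203.197.12.30
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
NS_RE = re.compile(r"NameServer = (.*)$")
# Where autostarting binaries on a clean XP box normally live (assumption).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_log(text):
    """Split a log into the 'Running processes' list and a {section: [body]} map."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)


def review(text, trusted_nameservers):
    """Return the findings a responder looks at first (heuristics are this
    example's own, not HijackThis rules):
      bare_autorun   O4 commands with no path: resolved via the search path
      file_missing   entries pointing at a file that is no longer there
      unknown_owner  O23 services with no publisher string
      foreign_dns    O17 name servers outside the trusted set (DNS hijack check)
      odd_location   running processes outside the usual system/program folders
    """
    processes, entries = parse_log(text)
    findings = {k: [] for k in ("bare_autorun", "file_missing", "unknown_owner",
                                "foreign_dns", "odd_location")}
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if m and "\\" not in m.group(3):
            findings["bare_autorun"].append(m.group(2))
    for section, bodies in entries.items():
        findings["file_missing"] += [f"{section}: {b}" for b in bodies if "(file missing)" in b]
    for body in entries.get("O23", []):
        m = SERVICE_RE.match(body)
        if m and m.group(2) == "Unknown owner":
            findings["unknown_owner"].append(m.group(1))
    for body in entries.get("O17", []):
        m = NS_RE.search(body)
        if m:
            # HijackThis prints resolvers separated by commas or spaces.
            for ns in re.split(r"[,\s]+", m.group(1).strip()):
                if ns and ns not in trusted_nameservers and ns not in findings["foreign_dns"]:
                    findings["foreign_dns"].append(ns)
    findings["odd_location"] = [p for p in processes if not p.lower().startswith(EXPECTED_PREFIXES)]
    return findings


if __name__ == "__main__":
    # The two addresses are the ones in the poster's O17 lines; whether they are
    # really the ISP's resolvers is something to confirm with the ISP, not assume.
    print(json.dumps(review(SAMPLE_LOG, {"202.54.1.18", "203.197.12.30"}), indent=2))
```

On the poster's full log this flags `RTHDCPL` and `Alcmtr` as bare autoruns (both Realtek audio components, but the log alone cannot prove which `ALCMTR.EXE` on the path is running), the dangling `xpnetdiag.exe` button, the "ATI Smart" service with no publisher, and HijackThis itself running from `G:\`, which is expected here. None of that is an infection by itself; the point is to turn a 90-line log into the half-dozen lines worth checking by hand.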

Kiran.dks

Technomancer
The report has no sign of infections. The pop-ups may be the browser missed pop-up manager.

Regarding antivirus, I would rather suggest AOL Active Virus Shield, which uses the Kaspersky engine and hourly updates. Moreover, it's completely free for personal use. :)

iinfi (OP)

mekalodu
Thanks for your reply... I didn't get what's meant by
"The pop-ups may be the browser missed pop-up manager."
By the way, when I was on THIS page,
suddenly THIS page opened up in a new Firefox tab.
Is this not spyware at work?
I will download AOL AV now.

Kiran.dks

Technomancer
My pleasure. :)

Sorry for the grammatical error. What I meant was that the pop-ups may be due to the browser's inefficiency at blocking them.

But the link you have given should not open the other malicious link. h**p://www.winantiviruspro.com/ is a malicious website. Now that it has opened, there is always a chance of the browser being infected.

In Firefox, go to Tools > Clear Private Data and close Firefox.

Now download CCleaner and clean, including the browser options, as shown in the pic below:

*www.MyOnlineImages.com/serveFile.aspx?af=11574

Now start Firefox and open the same link you have given.

iinfi (OP)

mekalodu
These are the two windows which keep popping up:
*img530.imageshack.us/img530/7703/popuphb3.th.jpg

and after I click on OK, the one below pops up:

*img201.imageshack.us/img201/5502/popup1bp3.th.jpg

Is it legal to register for AOL? Or is it only for US residents? I have registered, though.

Kiran.dks

Technomancer
This is surely a browser hijack. h**p://www.systemdoctor.com/ is another malicious website. Did you do what I said above?

There is no problem with registration. Use this link: *www.activevirusshield.com/antivirus/freeav/index.adp?

rakeshishere

HELP AND SUPPORT
SystemDoctor 2006 is a rogue anti-spyware application that gets installed by Spyware/malware without asking for permission. This infection can also be accompanied by other malware that changes your desktop background to a fake warning or by Trojans that issue fake taskbar security alerts. These are all used as a scare tactic to have you purchase their commercial software. A screenshot of this program can be seen below.
It indicates that it's spyware which is affecting your PC. Reboot your computer into SAFE MODE. Clean your PC junk with CCleaner, then use Spybot and scan your PC to remove it completely. ;)

iinfi (OP)

mekalodu
Thanks for all your replies...
The problem is I've already done the above troubleshooting steps before posting here.
:)
Only then did I post the HijackThis log. I always use CCleaner... Let me try again...

anandk

Distinguished Member
Use Rogue Remover to clean it up; shouldn't be a problem.

But once cleared, do this... your browser won't get hijacked again!

Download a 'good' Hosts file from *www.mvps.org/winhelp2002/hosts.htm and replace your original hosts file, situated in C:\Windows\System32\drivers\etc, with this one, and then lock it or make it a read-only file. HostsMan is a good freeware hosts manager: *hostsman.abelhadigital.com/

Also use the ZonedOut utility from *www.funkytoad.com/content/view/15/33/ to add, delete, import, export, build a black/whitelist and do more. It now includes Restricted, Trusted and Intranet Zones. It is an excellent tool, just 185 KB. Then download IE-SpyAd for ZonedOut: *www.spywarewarrior.com/uiuc/resource.htm . It is a simple registry patch that adds a long list of known porn sites, crack sites, advertisers, marketers, and malware pushers to the Restricted Sites zone of IE. Using ZonedOut you can add this list easily.
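The hosts-file advice above is worth doing with a little care, because the same file that blocks ad and malware domains is also a favourite place for malware to redirect antivirus update sites. The script below is an added example, not code from the post, from the MVPS list or from HostsMan. It parses hosts-file lines, merges a blocklist written in the MVPS `0.0.0.0 hostname` form into the existing file while validating that every blocklist line really is a sinkhole entry, writes the result read-only, and, going one step beyond the post, flags existing entries that send a hostname to a real address. Both inputs are constructed (the hijack address is the 192.0.2.0/24 documentation range; the two blocked sites are the ones named earlier in the thread), and the `SINKHOLES` set and `HOST_RE` pattern are this example's assumptions.

```python
"""Check and harden a Windows hosts file the way the post recommends.
Added example: not from the thread, not code from the MVPS list or HostsMan.
It merges an MVPS-style blocklist into the current hosts file, flags entries
that redirect a hostname to a real address, and writes the result read-only.
Both inputs below are constructed."""
import os
import re
import stat

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}      # addresses that block rather than redirect
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")         # conservative hostname syntax (assumption)

# Constructed: a hosts file after an infection.  192.0.2.10 is a documentation
# address standing in for a made-up attacker host.
CURRENT_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.avast.com        # update site redirected away from the vendor
127.0.0.1       ad.doubleclick.net
"""

# Constructed excerpt in the MVPS format; the two sites are the ones named in the thread.
BLOCKLIST = """\
# blocklist excerpt
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.winantiviruspro.com
0.0.0.0 www.systemdoctor.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, raw_line) for every mapping; comments and blanks are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:             # one line may carry several aliases
            yield fields[0], name.lower(), raw


def hijack_entries(text):
    """Lines that send a hostname to a real address instead of a sinkhole."""
    seen, out = set(), []
    for ip, _, raw in parse_hosts(text):
        if ip not in SINKHOLES and raw not in seen:
            seen.add(raw)
            out.append(raw)
    return out


def merge_blocklist(current, blocklist):
    """Build the new file: keep sinkhole entries from the current file (hijacks are
    dropped), then add each blocklist name once.  Blocklist lines are validated so a
    tampered list cannot smuggle a redirect in."""
    out, seen = [], set()
    for ip, name, _ in parse_hosts(current):
        if ip in SINKHOLES and (ip, name) not in seen:
            seen.add((ip, name))
            out.append(f"{ip} {name}")
    names = {name for _, name in seen}
    for ip, name, raw in parse_hosts(blocklist):
        if ip not in SINKHOLES:
            raise ValueError(f"blocklist line is not a sinkhole entry: {raw!r}")
        if not HOST_RE.match(name):
            raise ValueError(f"malformed hostname in blocklist: {raw!r}")
        if name not in names:
            names.add(name)
            out.append(f"0.0.0.0 {name}")
    return "\n".join(out) + "\n"


def write_locked(path, content):
    """Write the file and mark it read-only.  On Windows, os.chmod with S_IREAD sets
    the read-only attribute the post talks about; an administrator (or malware running
    as one) can clear it again, so treat this as a speed bump, not a control."""
    with open(path, "w", newline="\n") as fh:
        fh.write(content)
    os.chmod(path, stat.S_IREAD)


if __name__ == "__main__":
    for line in hijack_entries(CURRENT_HOSTS):
        print("hijack:", line)
    merged = merge_blocklist(CURRENT_HOSTS, BLOCKLIST)
    print(merged, end="")
    # write_locked(r"C:\Windows\System32\drivers\etc\hosts", merged)  # run as Administrator
```

Run it once before replacing the file: if `hijack_entries` reports anything, the machine still has something that edited the hosts file, and a read-only flag will not stop it from doing so again.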

iinfi (OP)

mekalodu
Thanks, dude...
RR did not find any threats.
I put another hosts file in the location C:\WINDOWS\SYSTEM32\DRIVERS\ETC

and made it read-only...
Hmmm... now what?? Install AVShield??
In fact, I've got myself to blame for this mess... drat!!! Downloaded a crappy piece of software from the net to create PDFs...

Kiran.dks

Technomancer
Is it happening only with Firefox or with all browsers? If with Firefox only, then first uninstall it, run CCleaner in Safe Mode and reinstall Firefox. That might solve the problem.

iinfi (OP)

mekalodu
Running anti-spyware in Safe Mode helped finally... thanks all.

No pop-ups now. I've installed Active Virus Shield and removed Avast... hope it's better than Avast.
Thanks everyone again...