need help in removing malware

hi,

My PC got affected by a virus: too many popups, and Explorer closes automatically saying some error occurred.

I ran a HijackThis scan. Here is the log.
Please help me fix it.

Logfile of HijackThis v1.98.2
Scan saved at 1:33:38 PM, on 12/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\notes\ntmulti.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\SUSS.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\system32\bxofsu.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Lotus\Sametime Client\activmon.srv
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\notes\NLNOTES.EXE
C:\notes\ntaskldr.EXE
C:\apps\Pfe32.exe
C:\oracle\ora92\bin\sqlplusw.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
T:\FS800\bin\client\winx86\PSIDE.EXE
T:\FS800\bin\client\winx86\PSDBGBRKR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\MDM.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.Begin2Search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.Begin2Search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://frontier.uhc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://frontier.uhc.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Begin2Search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Begin2Search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UNITEDHealth Group
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cww.uhc.com/proxy.pac
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\system32\dsktrf.dll
O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\SYSTEM32\winb2s32.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM..\Run: [ADInfo] C:\Program Files\PowerCensus\ADInfo.exe /l "C:\Program Files\PowerCensus" /d "C:\Program Files\PowerCensus"
O4 - HKLM..\Run: [qnbxvsraxz] C:\WINNT\system32\bxofsu.exe
O4 - HKLM..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://frontier.uhc.com/
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\authware\awswaxf.cab
O16 - DPF: {3C8141FB-4BEA-48E6-AFBF-EEA658EA4F12} (InvCheck.ucInvCheck) - http://aps00079/CADPUHG/cab/InvCheck.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://aps80014/tdbin/Spider.ocx
O17 - HKLM\System\CCS\Services\Tcpip..{2C4FA34E-C7B4-482D-9913-ED2B4E991B18}: Domain = uhc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uhc.com
O17 - HKLM\System\CS1\Services\Tcpip..{2C4FA34E-C7B4-482D-9913-ED2B4E991B18}: Domain = uhc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = uhc.com
O17 - HKLM\System\CS2\Services\Tcpip..{2C4FA34E-C7B4-482D-9913-ED2B4E991B18}: Domain = uhc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uhc.com

thanks
-katakam

Some good places to start: Advice & Tools for virus/trojan/malware Removal & Prevention, and Eddy’s Website (click the “HiJackThis Section”; also see the “Malware removal instructions and applications” section).

There is a later version of HiJackThis just released, and you could run your HijackThis log through Eddy’s Analyser; or, if you want to try an on-line scan of your HijackThis log file, try here: http://hijackthis.de/index.php

The latest version of my analyzer not only has updates for the databases, but also has the latest HJT version.

This is the result of my HJT analyzer:


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using a old version of Hijackthis, please update.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\winnt\system32\bxofsu.exe
r1 - hkcu\software\microsoft\internet explorer,searchurl = http://www.begin2search.com/search.html
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.begin2search.com/search.html
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://www.begin2search.com/search.html
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://www.begin2search.com/search.html
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://www.begin2search.com/search.html
r3 - default urlsearchhook is missing
o1 - hosts: 216.130.185.143 websearch.com
o1 - hosts: 216.130.185.143 www.adwave.com
o1 - hosts: 216.130.185.143 adwave.com
o1 - hosts: 216.130.185.143 www.xzoomy.com
o1 - hosts: 216.130.185.143 xzoomy.com
o1 - hosts: 216.130.185.143 www.advnt01.com
o1 - hosts: 216.130.185.143 advnt01.com
o1 - hosts: 216.130.185.143 websearch.com
o1 - hosts: 216.130.185.143 www.adwave.com
o1 - hosts: 216.130.185.143 adwave.com
o1 - hosts: 216.130.185.143 www.xzoomy.com
o1 - hosts: 216.130.185.143 xzoomy.com
o1 - hosts: 216.130.185.143 www.advnt01.com
o1 - hosts: 216.130.185.143 advnt01.com
o1 - hosts: 216.130.185.143 websearch.com
o1 - hosts: 216.130.185.143 websearch.com
o1 - hosts: 216.130.185.143 www.adwave.com
o1 - hosts: 216.130.185.143 www.adwave.com
o1 - hosts: 216.130.185.143 adwave.com
o1 - hosts: 216.130.185.143 adwave.com
o1 - hosts: 216.130.185.143 www.xzoomy.com
o1 - hosts: 216.130.185.143 www.xzoomy.com
o1 - hosts: 216.130.185.143 xzoomy.com
o1 - hosts: 216.130.185.143 xzoomy.com
o1 - hosts: 216.130.185.143 www.advnt01.com
o1 - hosts: 216.130.185.143 www.advnt01.com
o1 - hosts: 216.130.185.143 advnt01.com
o1 - hosts: 216.130.185.143 advnt01.com
o2 - bho: multimppobj class - {002eb272-2590-4693-b166-fbd5d9b6fea6} - c:\winnt\multimpp.dll
o2 - bho: ohb - {4d568f0f-8ac9-40ab-88b7-415134c78777} - c:\winnt\system32\winb2s32.dll
o2 - bho: xbrowse class - {83dc91db-7896-43e3-b34d-a7d043f16bb1} - c:\documents and settings\all users\application data\rdsa\rdsa.dll
o2 - bho: ohb - {cb5b2bc6-f957-4d8a-be67-83f3ec58ba01} - c:\winnt\system32\dsktrf.dll
o2 - bho: xbrowse class - {ce7ef827-47cc-48eb-b570-c367f1e1277e} - c:\documents and settings\all users\application data\x1ff\x1ff.dll
o3 - toolbar: begin2search.com bar - {52fe5233-367c-4efb-bdd7-0be4d212c107} - c:\winnt\system32\winb2s32.dll
o4 - hklm..\run: [qnbxvsraxz] c:\winnt\system32\bxofsu.exe
o4 - hklm..\run: [win server updt] c:\winnt\wupdt.exe
o9 - extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
o9 - extra button: (no name) - {6685509e-b47b-4f47-8e16-9a5f3a62f683} - file://c:\program files\ebates_moemoneymaker\sy350\tp350\scri350a.htm (file missing) (hkcu)
o16 - dpf: {15b782af-55d8-11d1-b477-006097098764} (macromedia authorware web player control) - file://d:\authware\awswaxf.cab
o16 - dpf: {3c8141fb-4bea-48e6-afbf-eea658ea4f12} (invcheck.ucinvcheck) - http://aps00079/cadpuhg/cab/invcheck.cab
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
o16 - dpf: {cdbd9968-7bf1-11d4-9d36-0001029debeb} (loader class) - http://aps80014/tdbin/spider.ocx