#1
HijackThis Log
Working on a PC for a friend, has some sort of virus that disables antivirus, task manager, regedit, and msconfig. Kinda stuck at the moment. Tried scanning over a network, but found out XP Home won't let you share the Windows folder or Program Files.
Logfile of HijackThis v1.98.2
Scan saved at 9:36:52 PM, on 11/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\msiexec16.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\HNQZOFJN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MSlti32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\YahooMsgr.exe
C:\Documents and Settings\Mary\Application Data\amee.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\KAZAALITE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\m?iexec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\windows\system32\msiexec16.exe
F1 - win.ini: run=C:\windows\system32\msiexec16.exe
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60DF647C-B247-2690-8623-6D557BFB2F1D} - C:\WINDOWS\System32\vpxz.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [Yahoo Instant Messengar] YahooMsgr.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [GLSetIT32] C:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\Run: [Kazaa Lite] KAZAALITE.EXE
O4 - HKLM\..\Run: [AOL Messenger] HNQZOFJN.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKLM\..\RunServices: [GLSetIT32] C:\windows\system32\msiexec16.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Mary\Application Data\amee.exe
O4 - HKCU\..\Run: [Jfwkww] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [L03ERTYtQ] telmlnka.exe
O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKCU\..\RunOnce: [AOL Messenger] HNQZOFJN.EXE
O4 - HKCU\..\RunOnce: [Kazaa Lite] KAZAALITE.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87FB4181-2016-4915-88AD-5B8F98E762F3}: NameServer = 192.168.0.1
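As an added example (not part of the original thread or of HijackThis itself), the script below applies the kind of first-pass triage a reader does on a log like this by eye: a system.ini Shell= line that launches anything besides Explorer.exe, a non-empty win.ini run= line, BHO/toolbar entries pointing at "(no file)", autoruns that are bare filenames resolved through the PATH, core Windows process names running from outside System32, and executables launched from a user's Application Data folder. The sample lines are copied from the log above; the finding names, the process-name list and the profile-folder markers are my own assumptions, not HijackThis rules.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example, not part of the original thread. The heuristics are
assumptions about what usually deserves a second look, not HijackThis rules.
"""
import re
from typing import List, Tuple

# Constructed sample: a subset of the entries from the log posted above,
# plus clean entries (winlogon.exe, NAV Agent, MSMSGS) for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Mary\Application Data\amee.exe
F0 - system.ini: Shell=Explorer.exe C:\windows\system32\msiexec16.exe
F1 - win.ini: run=C:\windows\system32\msiexec16.exe
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AOL Messenger] HNQZOFJN.EXE
O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Mary\Application Data\amee.exe
"""

# Core Windows process names that legitimately live only under System32 on XP
# (explorer.exe lives in C:\WINDOWS itself, so it is deliberately left out).
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"
# Assumed markers of user-writable profile locations (XP layout).
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def target_path(command: str) -> str:
    """Extract the executable from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token.
    match = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def classify_path(path: str) -> str:
    """Return a finding tag for an executable path, or '' if nothing stands out."""
    low = path.lower()
    if "\\" not in low:
        return "unqualified-path"          # found via PATH search, easy to shadow
    exe = low.rsplit("\\", 1)[-1]
    if exe in SYSTEM_PROCESSES and not low.startswith(SYSTEM_DIR):
        return "system-name-wrong-dir"     # e.g. C:\WINDOWS\Csrss.exe
    if any(marker in low for marker in PROFILE_MARKERS):
        return "runs-from-profile"         # user-writable location
    return ""


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Scan log lines and return (finding, line) pairs in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F0 - system.ini: Shell="):
            parts = [p.lower() for p in line.split("Shell=", 1)[1].split()]
            if parts != ["explorer.exe"]:
                findings.append(("shell-hijack", line))
        elif line.startswith("F1 - win.ini: run="):
            if line.split("run=", 1)[1].strip():
                findings.append(("legacy-autorun", line))
        elif line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append(("orphaned-entry", line))
        elif ABS_PATH_RE.match(line):                  # "Running processes" entry
            tag = classify_path(line)
            if tag:
                findings.append(("process-" + tag, line))
        else:
            match = O4_RE.match(line)
            if match:
                tag = classify_path(target_path(match.group(4)))
                if tag:
                    findings.append(("autorun-" + tag, line))
    return findings


if __name__ == "__main__":
    for tag, line in analyze(SAMPLE_LOG):
        print(f"{tag:30} {line}")
```

Run against the constructed sample it reports seven findings and stays quiet on the three clean entries; on a full log the same function can be fed the whole text, since blank lines and unrecognised sections are skipped. The tags are only a prioritisation aid: an entry with no tag is not cleared, it just does not match any of these patterns.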
#2
At first glance, I see the computer is infected with the OPTIX PRO series of viruses.
Let's start here:

Download Stinger. Save it to your Desktop. Double-click it to start it. Make sure all of your drives are listed in the "Directories to scan" box (C:\ D:\ E:\, etc.). Click the Scan Now button and let it remove anything it finds.
http://vil.nai.com/vil/stinger/

Next...

Perform an online virus scan from this site: Trend Micro Housecall - Again, select all of your drives to be scanned. Please check "Auto clean" before scanning.
http://housecall.trendmicro.com/

If you can, copy and paste the report logs from the scans into your next post.

Next....

Let's do some more cleaning up:

Download Ad-Aware SE Personal Edition version 1.05 from:
http://www.lavasoft.de/support/download/
Run Adaware, click the "Check for Updates now" link. Install the latest reference file. Perform a "Full system scan" with Adaware. Remove all checked items.

Then...

Download, install and UPDATE Spybot Search and Destroy 1.3. Scan and fix all items checked in RED.
http://www.safer-networking.org/en/download/index.html

Reboot and post a fresh HijackThis log.

Tom
__________________
HijackThis
Ad-aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#3
I also see the KazaaLite "virus"
#4
I think it's an epidemic!

Tom
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > HijackThis Log