HijackThis log - Spyware/virus

woody

New Member
So this is on my friend's Packard Bell. I followed all the instructions on Byteman's Basic Spyware/Virus Removal post except I couldn't get the Panda online scan to work. But still there are loads of annoying pop-ups and performance is not great. Here's the log. I'm pretty new to this stuff so be gentle. Let me know if there's any more info needed.

Logfile of HijackThis v1.99.1
Scan saved at 17:02:16, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F3 - REG:win.ini: run=C:\WINDOWS\System32\msoffice.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126784260890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126864506093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63625FE7-4CDD-44EE-A4D2-6059FE50558C}: NameServer = 69.50.176.156,195.225.176.31
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ktl4l73q1.dll (file missing)
O20 - Winlogon Notify: style32 - c:\windows\q3638390_disk.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\g0402ahmgd4a2.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

It's driving me nuts not being able to sort this out so any help would be hugely appreciated.
 
woody,

Let's start off with this: download CWShredder. Run it and click the fix button.

Open HijackThis and scan, then check the following items if they still exist:

F3 - REG:win.ini: run=C:\WINDOWS\System32\msoffice.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ktl4l73q1.dll (file missing)
O20 - Winlogon Notify: style32 - c:\windows\q3638390_disk.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\g0402ahmgd4a2.dll


Then reboot to safe mode (F8 key while rebooting) and try to delete the following files (if unable to do so, note which ones...):

C:\WINDOWS\System32\msoffice.exe
C:\WINDOWS\system32\ktl4l73q1.dll
c:\windows\q3638390_disk.dll
C:\WINDOWS\system32\g0402ahmgd4a2.dll


Boot normally and post back with a fresh HijackThis log and the status on the file deletions. :)
 
I could not locate any of the 4 files for deletion. Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 18:33:01, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126784260890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126864506093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63625FE7-4CDD-44EE-A4D2-6059FE50558C}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


Thanks for the help. I really appreciate it
 
Yeah it seems to be fine. It's running a lot smoother and there are no popups! Thanks. That was easier than I expected. I was hoping it would put up a bit more of a struggle! So what exactly did we do there? If you've got a minute at some point to run me through it that'd be great, I'd like to learn about this stuff.

There is one thing puzzling me still though. I can't turn on automatic updates, it's all greyed out, if you see what I mean, and I can't select any of the options. It's not a big deal; it'd just mean I wouldn't have to rely on my friend to update himself.

Thanks so much for your help mate!
 
The msoffice line was an ADWARELOADER.trojan.
The O20 lines were part of a Look2Me infection, which was apparently partially dealt with when you went through the sticky steps... we just had to clean things up a bit.

Not sure about the updates, you may want to post that problem in the software section. :)
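An added example, not code from the thread or from the HijackThis project: a small Python triage script that parses HijackThis entry lines, applies the reasoning used in the fix above (F3 win.ini run= loaders, O20 Winlogon Notify hooks with missing or random-looking DLLs, O17 NameServer overrides that should be verified) and diffs the two logs posted in this thread to list what the fix removed. The log excerpts are constructed from the thread's own logs; the digit-count heuristic for random-looking DLL names is my assumption, not a HijackThis rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpts of the two logs in the thread: entries before the fix
# and the same region of the follow-up scan (unrelated lines omitted).
BEFORE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\System32\msoffice.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{63625FE7-4CDD-44EE-A4D2-6059FE50558C}: NameServer = 69.50.176.156,195.225.176.31
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ktl4l73q1.dll (file missing)
O20 - Winlogon Notify: style32 - c:\windows\q3638390_disk.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\g0402ahmgd4a2.dll
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""
AFTER_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{63625FE7-4CDD-44EE-A4D2-6059FE50558C}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")   # HijackThis 'Xn - detail' lines

def parse_hjt(text):
    """Return [(section, body)] for every entry line in a HijackThis log."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def suspicious_reason(section, body):
    """Heuristic triage of one entry; None means nothing worth a second look."""
    if section == "F3" and "win.ini: run=" in body:
        return "win.ini run= autostart (legacy loader, rarely legitimate on XP)"
    if section == "O20" and body.startswith("Winlogon Notify:"):
        if "(file missing)" in body:
            return "Winlogon Notify hook whose DLL is gone (dangling entry)"
        dll = PureWindowsPath(body.rsplit(" - ", 1)[1]).name
        if sum(ch.isdigit() for ch in dll) >= 3:   # assumed: random-looking name
            return "Winlogon Notify DLL with random-looking name"
    if section == "O17" and "NameServer" in body:
        return "non-default DNS servers; confirm they belong to the ISP"
    return None

def triage(text):
    """[(section, body, reason)] for every entry that deserves a look."""
    rows = [(s, b, suspicious_reason(s, b)) for s, b in parse_hjt(text)]
    return [row for row in rows if row[2]]

def removed_entries(before, after):
    """Entries in the first log that are gone from the follow-up log."""
    return sorted(set(parse_hjt(before)) - set(parse_hjt(after)))

if __name__ == "__main__":
    for section, body, why in triage(BEFORE_LOG):
        print(f"{section} [{why}]: {body}")
    print("Removed by the fix:", removed_entries(BEFORE_LOG, AFTER_LOG))
```

Run it against a full saved log and the O17 line is the one entry that stays flagged after the cleanup, which is why the helper's "confirm with the ISP" style of check belongs in the routine.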
 