gen0cide?

biffbacon

Golden Member
Feb 22, 2003
I went to visit my parents, and found their computer to be in complete disarray. It had more spyware and viruses than I could have ever imagined. So I installed Ad-Aware SE Plus, Spybot 1.3, and Symantec AntiVirus 9. After I ran all of these, I found an unbelievable amount of spyware, and 9 viruses. I was able to remove all of these, and now all three scans come up clean, but, and it's a big fat BUT, when I connect to their dial-up, I get some popups from "gen0cide". I've searched Google for a fix, and the Norton database, but can't find anything. Has anyone had a problem similar to this?

Here is my HijackThis log file (also, this log file was reported after it gave me an error as soon as I tried to run HijackThis):

Logfile of HijackThis v1.98.2
Scan saved at 12:15:15 AM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\windows\system32\winabsmod.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
C:\Program Files\Win Comm\WinLock.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dan Spoljor\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {43DE395E-B861-54E4-8452-64550DF2794F} - C:\WINDOWS\System32\wkvqt.dll (file missing)
O2 - BHO: (no name) - {4ADF3A06-BB69-55EA-8052-64550DF12A4D} - C:\WINDOWS\System32\vhvgtlz.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [WIN3S2SNDS] C:\windows\system32\winabsmod.exe
O4 - HKLM\..\Run: [REGRUNNT] C:\w.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\Run: [Graphic Loader] ntvdm32.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunServices: [msconfig] wins.exe
O4 - HKLM\..\RunServices: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\RunServices: [Graphic Loader] ntvdm32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Ueeo] C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
O4 - HKCU\..\Run: [Btjp] C:\WINDOWS\System32\??plorer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...6498d88431998986b85d10
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16AC927-9FDF-4E6F-A2FB-007F53F70A80}: NameServer = 206.221.229.3 206.221.229.4


styrafoam

Platinum Member
Jun 18, 2002
O4 - HKCU\..\Run: [Ueeo] C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
O4 - HKCU\..\Run: [Btjp] C:\WINDOWS\System32\??plorer.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...6498d88431998986b85d10
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16AC927-9FDF-4E6F-A2FB-007F53F70A80}: NameServer = 206.221.229.3 206.221.229.4

These don't look like anything I recognize. There are a couple others that are suspect but those 4 should give you a start.

Schadenfroh

Elite Member
Mar 8, 2003
Hello,

Before you do anything
1. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, for HijackThis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

Fix the following in HijackThis (kill the process in the process viewer, if it's there):
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {43DE395E-B861-54E4-8452-64550DF2794F} - C:\WINDOWS\System32\wkvqt.dll (file missing)
  • O2 - BHO: (no name) - {4ADF3A06-BB69-55EA-8052-64550DF12A4D} - C:\WINDOWS\System32\vhvgtlz.dll (file missing)
  • O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
  • O4 - HKLM\..\Run: [WIN3S2SNDS] C:\windows\system32\winabsmod.exe
  • O4 - HKLM\..\Run: [REGRUNNT] C:\w.exe
  • O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
  • O4 - HKLM\..\RunServices: [Graphic Loader] ntvdm32.exe
  • O4 - HKCU\..\Run: [Ueeo] C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
  • O4 - HKCU\..\Run: [Btjp] C:\WINDOWS\System32\??plorer.exe
  • O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/...6498d88431998986b85d10

Additional Steps

1. Please copy and place all of the following files together and "zip" them up into a single package and email them to me at schadenfroh@gmail.com for research purposes.
  • C:\index.exe
  • C:\windows\system32\winabsmod.exe
  • C:\w.exe
  • C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
  • C:\WINDOWS\System32\??plorer.exe
  • C:\Program Files\Win Comm\WinComm.exe
2. Clear your Temporary Files
3. Delete the following files:
  • C:\index.exe
  • C:\windows\system32\winabsmod.exe
  • C:\w.exe
  • C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
  • C:\WINDOWS\System32\??plorer.exe
  • C:\Program Files\Win Comm\WinComm.exe
4. Restart into normal Windows
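A small triage script, added here as an example and not part of the thread, that applies the kind of heuristics styrafoam and Schadenfroh are using by eye to a few lines taken from the log above: orphaned BHO registrations, autoruns sitting in the drive root or the user profile, file names with unprintable characters or one or two characters away from a real Windows binary, and an overridden DNS server. The sample lines are copied from the log; the list of system binaries, the edit-distance threshold and the reason strings are my assumptions.

```python
import os
import re

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {43DE395E-B861-54E4-8452-64550DF2794F} - C:\WINDOWS\System32\wkvqt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Btjp] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Ueeo] C:\Documents and Settings\Dan Spoljor\Application Data\eteu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16AC927-9FDF-4E6F-A2FB-007F53F70A80}: NameServer = 206.221.229.3 206.221.229.4
"""
# Real Windows binaries whose names malware of this era liked to imitate (assumed list).
SYSTEM_BINARIES = ("svchost.exe", "ntvdm.exe", "explorer.exe", "winlogon.exe", "lsass.exe")

def edit_distance(a, b):
    # Plain Levenshtein distance, enough to catch one- or two-character lookalikes.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text):
    # Map each suspicious log line to the list of reasons it was flagged.
    flagged = {}
    for line in log_text.strip().splitlines():
        reasons = []
        if line.startswith(("O2", "O3")) and "(file missing)" in line:
            reasons.append("orphaned BHO/toolbar registration")
        m = re.match(r"O4 - .*?: \[[^\]]*\] (.*)$", line)  # O4 autorun: command after [name]
        if m:
            path = m.group(1).strip().strip('"').replace("\\", "/").lower()
            name = os.path.basename(path)
            checks = [("?" in name, "unprintable characters in file name"),
                      (re.fullmatch(r"[a-z]:/[^/]+", path), "executable sitting in the drive root"),
                      ("application data" in path, "autorun launched from the user profile")]
            reasons += [why for hit, why in checks if hit]
            reasons += [f"lookalike of {real}" for real in SYSTEM_BINARIES
                        if name != real and edit_distance(name, real) <= 2]
        if line.startswith("O17"):
            reasons.append("DNS servers overridden; confirm they belong to the ISP")
        if reasons:
            flagged[line] = reasons
    return flagged
```

Run `triage(SAMPLE_LOG)` to get the flagged lines and their reasons; the ccApp and Google Toolbar entries come back clean, the other six do not.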

AnyMal

Lifer
Nov 21, 2001
You may also want to download Firefox and tell your parents not to use IE.