Hijackthis logs

Status
Not open for further replies.

Mr. tech

My sister's PC has been picking up the Win32.Tibick.F worm (I think that's the correct name) virus for the past couple of days. My virus software (Vet antivirus) says it's been deleted but it keeps appearing as another filename...

I did all the online and offline spyware scans, virus scans, CWShredder... EVERYTHING. They didn't pick up anything but the virus keeps coming back...

This is what came up in the logs:

2005/03/18 08:01:23.061 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014628.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 12:28:57.210 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014629.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 12:50:41.506 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014630.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 13:40:46.487 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014631.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 14:39:41.470 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014632.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 15:39:41.477 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014633.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 16:45:21.622 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014634.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 18:17:35.409 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014635.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 18:39:41.566 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014636.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 07:07:04.112 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014637.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 07:42:26.474 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014638.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 09:00:24.400 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014639.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 10:44:56.739 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014640.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 13:43:20.119 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014641.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 14:42:15.122 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014642.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 15:43:20.002 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014643.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 16:43:20.028 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014644.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 17:42:14.981 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014645.exe is Win32.Tibick.F worm. Deleted.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:17 PM, on 22/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
\Network\ben\Software\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/gmail
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [Startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107332110673
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
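One way to work through a HijackThis log like the one above programmatically, as an added example that is not part of the original post or of HijackThis itself: the block parses the entry lines, pulls the executable out of each O4 autostart and O23 service entry, and lists the ones with no matching process in the "Running processes" section, which is a quick way to see which startup items are not actually alive at scan time. The sample log is a constructed excerpt in the same format, and the regexes only cover the line shapes that appear in this thread (R3, O4, O23); anything else is kept as a raw (code, body) pair.

```python
"""Parse a HijackThis v1.99 log and cross-check autostart entries against the
running-process list.

Added example: this is not code from the forum thread or from HijackThis.
It only understands the line shapes shown in the thread, and the sample log
below is a constructed excerpt in that format.
"""
import re
import ntpath  # Windows path handling regardless of the host OS

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4_RUN_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Global Startup: Microsoft Office.lnk = C:\...\OSA9.EXE
O4_LNK_RE = re.compile(r"^(?P<where>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<cmd>.*)$")


def executable_path(cmd):
    """Strip surrounding quotes and trailing switches from a Run/Service command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<exe>.+?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m["exe"] if m else cmd


def parse_log(text):
    """Return {'processes': [paths], 'entries': [(code, body), ...]}."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:           # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["code"], m["body"]))
    return {"processes": processes, "entries": entries}


def autostart_executables(entries):
    """Yield (code, name, exe) for every O4 autostart and O23 service entry."""
    for code, body in entries:
        if code == "O4":
            m = O4_RUN_RE.match(body) or O4_LNK_RE.match(body)
            if m:
                yield code, m["name"], executable_path(m["cmd"])
        elif code == "O23":
            m = O23_RE.match(body)
            if m:
                yield code, m["name"], executable_path(m["cmd"])


def not_running(text):
    """Autostart/service executables with no matching running process.

    8.3 short names (PROGRA~1) in Run keys cannot be expanded without the
    file system, so the comparison is on the file name only."""
    log = parse_log(text)
    running = {ntpath.basename(p).lower() for p in log["processes"]}
    return [(code, name, exe)
            for code, name, exe in autostart_executables(log["entries"])
            if ntpath.basename(exe).lower() not in running]


# Constructed excerpt in the format of the log in the original post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:49:17 PM, on 22/03/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Vet\isafe.exe
C:\Vet\VetTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpywareGuard\sgmain.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
"""

if __name__ == "__main__":
    for code, name, exe in not_running(SAMPLE_LOG):
        print(f"{code} {name!r} -> {exe} (no matching running process)")
```

On the constructed sample only the Office startup shortcut (OSA9.EXE) is flagged, which matches the full log above, where it is the one O4 entry whose executable is absent from the process list. A flagged entry is not evidence of malware on its own; it is simply the list of autostart items worth checking by hand.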
 
Hi Mr. tech

You need to clear out your System Restore. You are safe as long as they stay in there, but if you do a System Restore then the viruses will come back.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

This should clear them out. Do another scan and see if it gets detected again.

Your log looks clean, by the way.

Lobos
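The point in the reply above can be checked mechanically against the antivirus log in the first post. The following is an added example, not code from the thread or from the antivirus product: it parses the "File infection" lines, recognises paths under System Volume Information\_restore{GUID}\RP<n> as restore-point copies, and separates them from hits on the live file system. If every hit is a restore-point copy, the "recurring" infection is the snapshot store being scanned, which is what clearing System Restore addresses; a hit outside it would mean something is still active. The sample log is constructed: three lines copied from the first post plus one hypothetical live-file hit with a placeholder path.

```python
"""Triage antivirus 'File infection' log lines: restore-point copies vs. live files.

Added example, not code from the forum thread or from the antivirus product.
The line format is the one quoted in the original post; the regexes and the
sample log below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# 2005/03/18 08:01:23.061 File infection: <path> is <malware name>. <action>.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"File infection: (?P<path>.+?) is (?P<name>.+?)\. (?P<action>\w+)\.$"
)
# System Restore snapshot copies live under
# <drive>\System Volume Information\_restore{<GUID>}\RP<n>\A<nnnnnnn>.<ext>
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}"
    r"\\(?P<rp>RP\d+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    ts: str
    path: str
    name: str
    action: str
    restore_point: Optional[str]  # "RP53" for a restore-point copy, None for a live file


def parse_line(line):
    """Parse one log line; returns None for lines that are not detections."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    r = RESTORE_RE.match(m["path"])
    return Detection(m["ts"], m["path"], m["name"], m["action"], r["rp"] if r else None)


def triage(log_text):
    """Summarise detections.

    'restore_points' counts hits per RP<n> folder (the System Restore copies
    the reply describes); 'live' lists hits outside System Volume Information,
    which would mean the infection is still active on the file system."""
    dets = [d for d in map(parse_line, log_text.splitlines()) if d]
    return {
        "total": len(dets),
        "restore_points": dict(Counter(d.restore_point for d in dets if d.restore_point)),
        "live": [d.path for d in dets if d.restore_point is None],
        "names": sorted({d.name for d in dets}),
    }


# Constructed sample: three lines in the format of the original post plus one
# hypothetical live-file hit (placeholder path) to show the distinction.
SAMPLE_LOG = r"""
2005/03/18 08:01:23.061 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014628.exe is Win32.Tibick.F worm. Deleted.
2005/03/21 12:28:57.210 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014629.exe is Win32.Tibick.F worm. Deleted.
2005/03/21 12:50:41.506 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014630.exe is Win32.Tibick.F worm. Deleted.
2005/03/22 18:00:00.000 File infection: C:\WINDOWS\Temp\PLACEHOLDER_SAMPLE.exe is Win32.Tibick.F worm. Deleted.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} detections of {summary['names']}")
    print("restore-point copies per RP folder:", summary["restore_points"])
    print("live-file hits (active infection?):", summary["live"] or "none")
```

Run against the full log in the first post, every line lands in the RP53 bucket and the "live" list stays empty, which is consistent with the reply's reading that the detections are snapshot copies rather than a reinfection. The action field is kept so a log that says "Deleted" can be told apart from one reporting a failed clean.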
 
Remove entries at your own risk

Not too bad.


R3 - Default URLSearchHook is missing: should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.
 