Hi Abeed, WOW you have a lot of bad stuff.
As JackG said, FIRST you must get rid of the W32.Blaster.Worm. In addition to his instructions, here is some additional information.
--------------------
You can use either the removal tool from http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
OR
You could try this REALLY easy one-click solution: Worm Blaster remover (anti_blaster.zip)
http://www.dslreports.com/forum/remark,7662765~root=security,1~mode=flat
Thread Quote:
“As I designed the cleaner I thought about usability and simplicity. I tried to offer a "one click solution". That’s why the cleaner does things that seem to be illogical. But well ... let’s explain why it does all those things.
Normally you will first clean your system and then install the patch. That means after disinfecting you are still vulnerable. So you have a high chance to get infected again. I registered a port access to 135 about every half minute. That means it would only take 30 seconds to get infected again. Well ... I guess it’s impossible to download and install the patch within 30 seconds. That’s why the cleaner stays active after cleaning. It prevents the worm from installing again. Quite simple - isn't it?
The cleaner also adds itself to the auto start so it’s started every time the system boots. That has 2 simple reasons:
1. If the download server of Microsoft is too busy you are still protected until you get the patch - even if you restart your computer.
2. Some of you will install the patch using Windows Update. In fact Windows Update will first install service packs etc. that need a reboot. To stay protected after the reboot the cleaner has to be loaded again. I guess many people will forget this step and while they download the updates they will get infected again. So I decided to let the cleaner start automatically until you uninstall it using the "Add/Remove software" function inside your "Control Panel".”
You must install the Microsoft security patch (I believe anti_blaster.zip will prompt you to do so). Hope you don’t get hit by the variants W32.Blaster.B & C before you complete the patch.
Additional thoughts:
- If you had a firewall you could block port 135
- I believe most ISPs are currently filtering or blocking port 135 communication and will continue to do so for the next week or two. (This allows the installation of the patch without worry of the worm attacking, but DON’T count on it!!!)
---------------------
NOW you can continue on….
Run an UPDATED Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
Huntbar - See http://www.doxdesk.com/parasite/HuntBar.html
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
NewDotNet – See http://217.115.153.73/parasite/NewDotNet.html
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\System32\btiein.dll
Huntbar - See http://www.doxdesk.com/parasite/HuntBar.html
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
MediaLoads Enhanced, Network Essentials – See http://217.115.153.73/parasite/DownloadWare.html
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINNT\IEHelper.dll
ShopNavSearch/Srng - See http://www.doxdesk.com/parasite/Srng.html
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
HuntBar – See http://www.doxdesk.com/parasite/HuntBar.html
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINNT\System32\shdocvw.dll
TinyBar/B – See http://www.doxdesk.com/parasite/TinyBar.html
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
Websearch a HuntBar variant – See http://www.doxdesk.com/parasite/HuntBar.html
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
DownloadWare - executes arbitrary code from advertisers; it is not considered to be adware but is a security risk (see http://and.doxdesk.com/parasite/DownloadWare.html). If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. Installed along with programs such as MovieNetworks, Medialoads and PAgent.
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
Adware based media viewer by The Delfin Project
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
Part of Gator advertising spyware - See http://217.115.153.73/parasite/Gator.html
****O4 - HKLM\..\Run: [WinDSNX] C:\WINNT\system32\winaxsb.exe
Backdoor.DSNX is a backdoor Trojan horse that can give a hacker access to your computer. See http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dsnx.html
O4 - HKLM\..\Run: [adaware lptt01] "C:\Program Files\adaware\adaware.exe"
New variant of the RapidBlaster parasite, see http://www.doxdesk.com/parasite/RapidBlaster.html (in a "BelmontSoft" folder in Program Files). It is not recommended you manually uninstall RapidBlaster; use RapidBlaster Killer instead, see http://www.wilderssecurity.net/specialinfo/rapidblaster.html Note! This is not the valid Lavasoft Ad-aware.
O4 - HKLM\..\Run: [YahooStock] C:\WINNT\ystckAO32.exe
Adtomi adware
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
NewDotNet – See http://217.115.153.73/parasite/NewDotNet.html
****O4 - HKLM\..\Run: [windows auto update] msblast.exe
W32.Blaster.Worm - See http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
O4 - HKCU\..\Run: [winpopup] C:\WINNT\winupie.exe
Adware by Tradeexit.com
O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe
Tinybar variant Spyware – See http://www.doxdesk.com/parasite/TinyBar.html
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Gator spyware variant - See http://217.115.153.73/parasite/Gator.html
Do not fix these O10 entries using HijackThis. Spybot S&D should fix these when it removes New.net; if it does not, you must repair the Winsock 2 settings using LSPFix from http://www.cexx.org/lspfix.htm
----------------------
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
After the reboot, delete the following if found:
The folder MediaLoads Enhanced at C:\Program Files\MediaLoads Enhanced
The folder BTLINK at C:\PROGRAM Files\COMMON Files\BTLINK
The folder C:\PROGRAM Files\SEARCH~1 (Don’t know what SEARCH~1 stands for; it might mean “Search Toolbar”)
The folder DownloadWare at C:\Program Files\DownloadWare
The folder DelFin at C:\Program Files\DelFin
The folder CMEII at C:\Program Files\Common Files\CMEII
The file winaxsb.exe at C:\WINNT\system32\winaxsb.exe
The folder adaware at C:\Program Files\adaware
The file ystckAO32.exe at C:\WINNT\ystckAO32.exe
The folder NEWDOTNET at C:\PROGRAM Files\NEWDOTNET
The file winupie.exe at C:\WINNT\winupie.exe
The file aupdate.exe at C:\WINNT\System32\aupdate.exe
The folder GMT at C:\Program Files\Common Files\GMT
As you know you have/had more than one active Trojan or Virus (Identified by ****). HijackThis will have rendered them inactive when you did the above. And by removing the files (specified above) they will not be able to execute anymore. You can also use any removal instructions provided with the links to remove any other traces.
You may still have other inactive Viruses/Trojans. Even though Symantec is a good Anti-Virus program (with some Trojan detection), they are not in the Anti-Trojan business. I recommend either TrojanHunter or TDS-3 (both have thirty-day trials).
You can also try an online AV scanner such as
- Panda ActiveScan http://www.pandasoftware.es/activescan/activescan-com.asp
- Trend Micro Housecall http://housecall.antivirus.com/
I recommend Panda ActiveScan first, Trend HouseCall second, as the two best online scans, in that order. They may detect and remove other Viruses/Trojans also. No one program finds everything.
---------------------------
For a (mostly) spyware free future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware.
Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings.
Also install an Anti-Virus Program and a firewall.
Good Luck!
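As an added illustration that is not part of the thread (and not a tool anyone in it recommends): a small Python triage script that parses HijackThis-style log lines the way the reply above reads them, flagging the CLSIDs, file names and search hosts listed in the post and refusing to touch O10 (Winsock LSP) entries. The indicator tables and the sample log are constructed from the entries quoted above; everything else about the HijackThis format is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the log entries quoted in the post (CLSIDs, file names, hosts).
BAD_CLSIDS = {"{D6DFF6D8-B94B-4720-B730-1C38C7065C3B}": "HuntBar (btlink.dll)",
              "{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}": "NewDotNet"}
BAD_FILES = {"msblast.exe": "W32.Blaster.Worm", "winaxsb.exe": "Backdoor.DSNX",
             "ystckao32.exe": "Adtomi adware"}
BAD_HOSTS = {"www.sureseeker.com": "sureseeker search hijack"}

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")   # "O4 - ..." prefix
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                       # {8-4-4-4-12} GUID
FILE_RE = re.compile(r"([\w~.$-]+\.(?:dll|exe|cab))", re.IGNORECASE)  # loaded module
HOST_RE = re.compile(r"https?://([^/\s]+)")                          # host of a URL

@dataclass
class Entry:
    section: str
    clsid: Optional[str]
    filename: Optional[str]
    host: Optional[str]

def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into section code, CLSID, loaded file and URL host."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line or commentary between entries
    body = m.group("body")
    c, f, h = CLSID_RE.search(body), FILE_RE.search(body), HOST_RE.search(body)
    return Entry(m.group("section"), c.group(0).upper() if c else None,
                 f.group(1).lower() if f else None, h.group(1).lower() if h else None)

def classify(e: Entry) -> str:
    """Verdict for one entry, following the post's O10 advice and its listed indicators."""
    if e.section == "O10":
        return "LSP entry: do not fix in HijackThis, repair Winsock with Spybot/LSPFix"
    for key, table in ((e.clsid, BAD_CLSIDS), (e.filename, BAD_FILES), (e.host, BAD_HOSTS)):
        if key in table:
            return "fix: " + table[key]
    return "unknown: look it up before fixing"

def triage(log: str) -> List[Tuple[str, str]]:
    """Classify every parseable line of a log; lines that are not entries are skipped."""
    entries = (parse_line(ln) for ln in log.splitlines())
    return [(e.section, classify(e)) for e in entries if e]

# Constructed sample log modelled on the entries quoted in the post (last line is benign).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [WinDSNX] C:\WINNT\system32\winaxsb.exe
O10 - Hijacked Internet access by New.Net
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""
```

Run `triage(SAMPLE_LOG)` to get one (section, verdict) pair per entry; anything reported as unknown should be looked up (for example on the doxdesk pages linked above) rather than fixed blindly.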