
Thread: I need help with this log of HijackThis

  1. #1
    Beginner
    Registered since
    14.01.2005
    Posts
    1

    I need help with this log of HijackThis

    Hello,

    Can somebody help me? This is the first time I have used HijackThis.
    I am trying to rescue a computer. The symptoms are:
    - The default start page of Internet Explorer is http://24-7-search.com/
    - The antivirus found a lot of viruses when I connect to the internet. The antivirus is OfficeScan - Trend Micro. The viruses found today are: CHM_MINER.A, JAVA_BYTEVER.A, JS_DIALOGARG.A, JS_SMALL.D, REG_PORSEKS.A, TROJ_AGENT.JI, TROJ_HIDEDI.A, TROJ_SMALL.AH, TROJ_SPYRE.B.
    - The log is the following:

    Thanks in advance.

    Code:
    Logfile of HijackThis v1.99.0
    Scan saved at 15:20:40, on 14/01/2005
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!
    
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\OfficeScan NT\ofcdog.exe
    C:\OfficeScan NT\PCCNTMON.EXE
    C:\WINNT\Guard.exe
    C:\WINNT\winhost.exe
    C:\WINNT\winhost.exe
    C:\WINNT\winhost.exe
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Y:\Downloaded applications\Anti spyware\hijackthis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SRV:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
    O4 - HKLM\..\Run: [securer] C:\WINNT\System32\securer\syshost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {11111111-1111-1111-1100-000000000000} - file://C:\Program Files\Internet Explorer\iexplorer.exe
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x24.chm::/trs24.exe
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spfmt.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spfmt.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spfmt.corp
    O23 - Service: Avertissement - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Gestion d'applications - Unknown - C:\WINNT\system32\services.exe
    O23 - Service: Explorateur d'ordinateur - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Client DHCP - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Gestionnaire de disque logique - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Client DNS - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Journal des événements - Unknown - C:\WINNT\system32\services.exe
    O23 - Service: Service de télécopie - Unknown - C:\WINNT\system32\faxsvc.exe
    O23 - Service: Serveur - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Station de travail - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Service d'application d'assistance TCP/IP NetBIOS - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Affichage des messages - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINNT\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
    O23 - Service: Ouverture de session réseau - Unknown - C:\WINNT\System32\lsass.exe
    O23 - Service: Fournisseur de la prise en charge de sécurité LM NT - Unknown - C:\WINNT\System32\lsass.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: Plug-and-Play - Unknown - C:\WINNT\system32\services.exe
    O23 - Service: Agent de stratégie IPSEC - Unknown - C:\WINNT\System32\lsass.exe
    O23 - Service: Emplacement protégé - Unknown - C:\WINNT\system32\services.exe
    O23 - Service: Gestionnaire de comptes de sécurité - Unknown - C:\WINNT\system32\lsass.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINNT\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINNT\System32\SCardSvr.exe
    O23 - Service: Planificateur de tâches - Unknown - C:\WINNT\system32\MSTask.exe
    O23 - Service: Service d'exécution par délégation - Unknown - C:\WINNT\system32\services.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINNT\system32\smlogsvc.exe
    O23 - Service: Telnet - Unknown - C:\WINNT\system32\tlntsvr.exe
    O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe
    O23 - Service: Client de suivi de lien distribué - Unknown - C:\WINNT\system32\services.exe
    O23 - Service: Gestionnaire d'utilitaires - Unknown - C:\WINNT\System32\UtilMan.exe
    O23 - Service: Horloge Windows - Unknown - C:\WINNT\System32\services.exe
    O23 - Service: Infrastructure de gestion Windows - Unknown - C:\WINNT\System32\WBEM\WinMgmt.exe
    O23 - Service: Extensions du pilote WMI - Unknown - C:\WINNT\system32\Services.exe

  2. #2
    Experienced user
    Registered since
    15.01.2005
    Posts
    113

    Re: I need help with this log of HijackThis

    Hello steph

    Please print out these instructions or save them as a text file since we will be closing the browser window and restarting into Safe Mode at some point.

    Reconfigure Windows XP to show hidden files
    Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab.

    • Under the Hidden files and folders heading select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option. Click Yes to confirm. Click OK.
    Press CTRL+ALT+DEL to bring up the Task Manager. Right-click these processes and "End Task"
    • winhost.exe
    • winhost.exe
    • winhost.exe
    Please perform one of these free online scans... Once all scans are fully complete, open HijackThis and press the "Scan" button. Place a checkmark next to these entries that are still listed...

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SRV:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
    O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
    O4 - HKLM\..\Run: [securer] C:\WINNT\System32\securer\syshost.exe

    O16 - DPF: {11111111-1111-1111-1100-000000000000} - file://C:\Program Files\Internet Explorer\iexplorer.exe
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://X:\foo.mht!http://82.179.166.145/x24.chm::/trs24.exe

    If these are not your ISP, then have them fixed (Google shows no hits for spfmt.corp)...

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spfmt.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spfmt.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spfmt.corp

    Close ALL browsers (including this one) & any other windows or applications that are open. Then proceed to "Fix Checked".

    Boot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Log onto the same account as before.

    Navigate to and delete the files and/or folders highlighted in bold...
    • C:\WINNT\winhost.exe
    • C:\WINNT\System32\tibs3.exe
    • C:\WINNT\System32\securer
    Please note that this is not the legitimate iexplore.exe...
    • C:\Program Files\Internet Explorer\iexplorer.exe
    Go to Start Search and locate/delete the following file...
    • msupdsrv.exe
    Navigate to and remove ALL contents within (copy to address bar)...
    Code:
    %HOMEDRIVE%\WINDOWS\Temp
    Code:
    %HOMEDRIVE%%HOMEPATH%\Local Settings\Temp
    Also delete all Temporary Internet Files either by opening Internet Explorer > Tools > Internet Options and select the remove files option, or manually at these locations (check for cookies that you might need) ...
    Code:
     %HOMEDRIVE%%HOMEPATH%\Local Settings\Temporary Internet Files
    Code:
     %HOMEDRIVE%%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5
    And finally, empty the recycle bin.

    Disable System Restore by right-clicking My Computer > Properties > System Restore > Turn Off on all Drives

    Whilst still in Safe Mode, perform a full system scan with your resident Anti-Virus

    Reboot the machine once complete, rescan with HijackThis and post back a fresh Log.

    You can also re-enable System Restore.

    Please now download Service Filter from [here]. Please post the results into your next reply to this post.

    Regards.
    Edited by White Knight (15.01.2005 at 15:57) Reason: formatting errors
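
As an added example (not part of the original thread and not HijackThis's own code), this Python script parses a HijackThis log and lists entries worth a manual look, using two heuristics that are assumptions drawn from the entries discussed above: an O16 DPF source that does not start with http(s), and a file name that closely resembles a genuine Windows image name. `SAMPLE_LOG` is a constructed excerpt of the posted log; `KNOWN_IMAGES` and the 0.9 similarity threshold are illustrative choices.

```python
import re
from difflib import SequenceMatcher

# Constructed excerpt of the log posted above (not the complete log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://24-7-search.com/
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\System32\tibs3.exe
O16 - DPF: {11111111-1111-1111-1100-000000000000} - file://C:\Program Files\Internet Explorer\iexplorer.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x24.chm::/trs24.exe
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O23 - Service: Telnet - Unknown - C:\WINNT\system32\tlntsvr.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# Assumption: a short illustrative list of genuine Windows image names.
KNOWN_IMAGES = ("iexplore.exe", "explorer.exe", "svchost.exe", "services.exe")

def parse_entries(log_text):
    """Return (code, detail) pairs for every R*/O* line in the log."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def lookalike(path):
    """Return the genuine name that the file name in `path` imitates, or None."""
    name = re.split(r"[\\/]", path)[-1].lower()
    if name in KNOWN_IMAGES:
        return None  # exact match: this is the genuine name itself
    for real in KNOWN_IMAGES:
        if SequenceMatcher(None, name, real).ratio() >= 0.9:
            return real
    return None

def triage(log_text):
    """Return (code, reason, detail) for entries that deserve a manual look."""
    findings = []
    for code, detail in parse_entries(log_text):
        if code == "O16":
            source = detail.rsplit(" - ", 1)[-1]
            # Anchored match: an http URL buried inside ms-its:... does not pass.
            if not re.match(r"https?://", source, re.I):
                findings.append((code, "DPF source is not http(s)", detail))
        imitated = lookalike(detail)
        if imitated:
            findings.append((code, f"file name resembles {imitated}", detail))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A finding here only marks an entry for review; O4 entries such as tibs3 are not flagged by these two rules and still need checking against what is known to be installed on the machine.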
