InetGet2

I am having real difficulty removing InetGet2 virus from my computer.

I have used various programs which Google searches have ended up recommending (on other forums) - The virus is pretty dormant, it keeps downloading (attempting to but Avast is stopping them) Trojan Horses and then dumping the .exe in a folder in Program Files titled "InetGet2".

I fix Virus'd up PCs for a living but this is the first time I have come across this particular bad boy, is it "new"?

All help much appreciated.

Hope I won't have to do a clean install for this one.

Cheers,

Chris
 
The_KiD said:
Post a HiJackThis log (www.merijn.org) and I will take a look for you.
Sure, I was going to post one anyway:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 21:28:37, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\{2C1D449C-08A3-2057-0421-05102804002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Microsoft Office\OFFICE11\outlook.exe
C:\Program Files\Sony Ericsson\Mobile\SyncIndicator.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christopher\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=33171&LegitCheckError=3
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab50997.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab50997.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I know IPWINS is bad, have come across it before but it keeps returning.
Also, what's that checkers class thing, MSN Messenger game related?
 
Hi again Tesla, sorry I didn't reply last night, but couldn't get back on my machine (bloody women).

Anyways, let's get things going.

Download, install, but don't run scans with Spybot Search & Destroy & Ewido.

Now restart in to safe mode, run scans with Spybot, then Ewido and then your own security products.

Now run HiJackThis again and put a check next to the following:

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

Now browse to the c:\program files\ipwins folder and delete it and all its contents.

Restart back in to normal windows and create a new HJT log for me to see.
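
The check described in the reply above (find the IpWins Run entry, then confirm in the follow-up log that it has not come back), as an added example that is not part of the original thread. The watch list, the function names and the "after" log are assumptions made for illustration; the "before" lines are copied from the log posted above.

```python
import ntpath
import re

# Run-key lines copied from the HijackThis log posted in the thread.
BEFORE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed "after" log: the same lines with the IpWins entry fixed.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "[IpWins]" not in l)

# Names the thread ties to this infection (analyst-supplied watch list, an assumption).
WATCHLIST = ("ipwins", "inetget2")

# Only the "O4 - <hive>\..\Run: [name] command" form seen in this log is handled.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
# Executable is either the quoted string or everything up to the first ".exe".
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

def parse_run_entries(log_text):
    """Return one dict per O4 Run-key line: hive, key, name, command, exe, folder."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        em = EXE.match(command)
        exe = (em.group(1) or em.group(2)) if em else command
        entries.append({"hive": hive, "key": key, "name": name, "command": command,
                        "exe": exe, "folder": ntpath.dirname(exe)})
    return entries

def flag(entries, watchlist=WATCHLIST):
    """Entries whose value name or command contains a watch-list term."""
    return [e for e in entries
            if any(t in (e["name"] + " " + e["command"]).lower() for t in watchlist)]

def still_present(before_log, after_log):
    """Flagged entries from the first log that reappear in the follow-up log."""
    after = {(e["hive"], e["name"].lower()) for e in parse_run_entries(after_log)}
    return [e for e in flag(parse_run_entries(before_log))
            if (e["hive"], e["name"].lower()) in after]

if __name__ == "__main__":
    for e in flag(parse_run_entries(BEFORE)):
        print(e["hive"], e["name"], e["folder"])
    print("returned after cleanup:", still_present(BEFORE, AFTER))
```
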
 
That's OK- I really appreciate your time.

I had already run those programs you suggest as I have them in my arsenal for fixing customers' PCs.

I think the problem was I missed the IPWins the first time round as since deleting that the InetGet2 folder has not resurfaced and Avast has not blocked any trojan related issues.

Fingers crossed it's all ok now.

Ever thought of going self employed?

Cheers!
 
Nice one :)

I have thought about going out on my own, but I lack confidence I think.

I even have my own site and everything set up and company name etc, but just making that actual step into self employment.

If I could balance my job and working for myself for a few months to get it going then that would be great, problem is most people like their IT support 9-5 Monday to Friday. :(
 
I have been going a year Self Employed doing this sort of thing (I set out to do AV installations, TV's and the like- The PC work just makes up the hours).

I was impressed at the structure of your post, you obviously know what you are talking about. If you stuck a few flyers up in local shops and the like I am sure you would get a bit of work maybe 2-3 evenings a week.

I charge around £30 an hour but always quote for a job as I like to be seen as honest and upfront- It goes a long way!

I worked in retail P/T when at college and that gave me a lot of confidence when dealing with customers. I was quite a good salesman, often outselling the full time staff who worked 4x as many hours as me. I had to be confident to do that and earn lots of commission, I never lied, deceived or was directly pushy with anyone though. I think that's why I sold so much.

As soon as you get over this people dealing hurdle you will be flying. It will click one day that every one of your customers is just a person and if things go wrong or you are late or cannot make it then they will understand.

I am just starting to get a decent level of work now, if you lived around here I would have even suggested sorting out some arrangement between us.

Go for it, don't jack your FT job in just yet though- Hopefully you can in a few months time. Also, the flexibility is ace. I am not working until 3pm today! However, I am working tomorrow morning on a custom AV install. The flexibility is the best thing about the job imo.
 
Cheers Tesla I appreciate the encouragement and it may just spur me into getting my act together.

I have worked in IT for about 10 years, but I resent working for a company where they don't appreciate what work goes into just keeping the systems running on a day to day basis.

I have been especially active though in the malware and virus side of things for some years and have had some specialist training with analysing HJT logs and the like, plus run a tech help site which keeps me up to date with the latest virii/malware variants :)

Right that's it, I am getting some flyers done and going posting them this weekend.

Tomorrow truly could be another day :)
 
Good for you. Drop me an email or MSN or something to let me know how it's going or if you get a few queries.

Could be handy for me having a virus expert on tap too :p
 