HijackThis Log - Please help


19 replies to this topic

#1 lorenzo_CA


Posted 01 March 2005 - 02:04 PM

I've been living with this browser hijack as long as I can. I have not seen my own homepage selection in months. Most recently I have memory problems (computer memory problems that is), Windows (XP Prof.) is always attempting to increase virtual memory. Outlook barely has enough memory to run and I often cannot open attachments because of it. My Symantec AntiVirus LiveUpdate has quit working, Auto-protect quit working. Also, my Windows Media Player doesn't work and won't let me update it.

There are probably other problems that I didn't mention or even realized yet that they are related, but you get the idea.

I have repeatedly tried Ad-Aware 6.0 Prof., SpyBot and HiJackThis. Most recently, HijackThis is complaining that my Hosts file has an improper line-break and does not even give me the whole Hijack log file. I have read about all these problems in this forum, and I'm hoping someone can help me.

Here is my Hijack log. Many thanks in advance for those that have advice for me.


-----



Logfile of HijackThis v1.99.1
Scan saved at 9:54:40 AM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\d3pe32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wauctlxp3.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Lorenzo\My Documents\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp3.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://apexlogin.agc.com/apex/javaplugin/j...indows-i586.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.healthnet.com/eservices/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_4.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Protocol: x-ottp - {07158288-C7F9-11D2-A742-0080C8129F3E} - C:\Program Files\Onstream Trapeze\trpzurl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINDOWS\system32\d3pe32.exe



Thanks again!

Lorenzo_CA


#2 OldTimer

Malware Expert

Posted 02 March 2005 - 02:11 AM

Hello Lorenzo and welcome to the BC forums. I am presently reviewing your log and will respond back to you as quickly as I can.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:19 PM

Posted 03 March 2005 - 02:01 PM

Hello again Lorenzo. After reviewing your log I see a few items that need our attention. Please print these directions because I will be having you disconnect from the internet in a later step. Then, proceed with the following steps in order.

Step #1

Please download the following tools:
* About:Buster.zip
* Cwshredder.exe
* cwsserviceremove.zip
* DelDomains.zip
* AdAware SE

Step #2

Prepare the tools for use.

Unzip AboutBuster to its own folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

Unzip cwsserviceremove.zip to the desktop.

Unzip deldomains.zip to the desktop.

Create a folder for CWShredder (like c:\cwshredder) and move the Cwshredder.exe file into that folder.

Double-click the aawsepersonal.exe file to install AdAware SE. When the install is complete follow the directions at this link to set the correct options and update the program (do not run a scan yet): AdAware Tutorial

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Step #3

Start HijackThis and follow these steps:
* Click on Config button
* Click on the Open the Misc Tools section button
* Click on the Open Process Manager button

Find the following items and click on each one to select it and then click on the Kill Process button to stop the process:
* Workstation NetLogon Service

Step #4

Start in Safe Mode using the F8 method:
* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp3.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINDOWS\system32\d3pe32.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\System32\perfcl.exe
C:\WINDOWS\System32\wauctlxp3.exe
C:\WINDOWS\System32\eplrr3.dll
C:\WINDOWS\system32\d3pe32.exe

Step #5

Run AboutBuster. This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Step #6

Next, let's clean up the temporary folders:
* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup
* Select all items shown and click the OK button.

Step #7

Double click on the cwsserviceremove.reg file that you unzipped to the desktop and when asked to merge say yes.

Double click on the deldomains.inf file that you unzipped to the desktop and when asked to install say yes.

Step #8

Run CWShredder

Please download CWShredder from the following link: CWShredder
Start CWShredder and choose FIX. Let it run and fix whatever it finds.

Reboot your computer normally.

Step #9

Please run at least 2 of the following on-line virus scans:
* Trend Micro Housecall
* BitDefender On-Line Virus Scan
* Panda ActiveScan

Make sure that you choose "fix" or "clean".

Step #10

Run AdAware SE and perform a full system scan. When the scan is complete, right-click on the page of items found and click Select All. Click the Next button and finish the fix.

Step #11

Start Internet Explorer, click the Tools menu and then click the Options item. On the General Tab reset your home page to whatever you want. Click on the Programs tab and then click on the Restore Defaults button. This will change everything back to the default settings.

Step #12

Ok. Almost done and since you have made it this far you should be feeling pretty good. Next, I would like you to go to the following site: Jotti's malware scan
and follow the directions to submit this file: C:\WINDOWS\System32\rpcss_pl.exe
I could find no information regarding this file and it makes me suspicious. Post the results of the scan with your next log.

OK. We've reached the end! Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button along with the AboutBuster log and I will review them when they come in.

OT :thumbsup:

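As an added example (not part of OldTimer's reply, and not code from HijackThis itself), here is a Python script that applies the kind of checks the reply relies on to lines in HijackThis log format: unowned O23 services, Trusted Zone additions, search pages served from a local DLL or an unknown host, and so on. The sample lines are copied from Lorenzo's first log above; the list of known-good hosts is an assumption made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format: the entries are copied from the
# first log in this thread (a few of each relevant type), not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp3.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation NetLogon Service (%AF) - Unknown owner - C:\WINDOWS\system32\d3pe32.exe
"""

# Hosts a home user's IE pages and ActiveX downloads may legitimately point at.
# This allowlist is an assumption made for the example, not a list from the thread.
KNOWN_GOOD_HOSTS = ("microsoft.com", "msn.com", "google.com", "yahoo.com")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def host_is_known(url):
    """True if the URL's host is one of KNOWN_GOOD_HOSTS or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in KNOWN_GOOD_HOSTS)


def check_entry(code, body):
    """Return a reason string if the entry deserves a closer look, else None."""
    if code in ("R0", "R1"):
        value = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if value.startswith("res://"):
            return "IE start/search page served out of a local DLL resource"
        if value.startswith("http") and not host_is_known(value):
            return "IE start/search page points at an unrecognised host"
    elif code == "R3" and "missing" in body:
        return "default URLSearchHook removed (typical after a search hijack)"
    elif code == "O4":
        target = body.split("] ", 1)[1] if "] " in body else body
        if re.search(r"\\windows\\system32\\[^\\]+\.exe", target, re.I):
            return "autorun of a bare executable from System32; verify its publisher"
    elif code == "O15":
        return "site added to the IE Trusted Zone; lowers browser security for that host"
    elif code == "O16":
        if not host_is_known(body.rsplit(" - ", 1)[-1]):
            return "ActiveX control downloaded from an unrecognised host"
    elif code == "O21" and body.lower().endswith(".dll"):
        return "ShellServiceObjectDelayLoad DLL (rarely used autostart location)"
    elif code == "O23" and "Unknown owner" in body:
        return "service with no publisher information"
    return None


def triage(log_text):
    """Parse HijackThis log lines and return [(code, line, reason)] for flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, running-process paths and blank lines carry no code
        reason = check_entry(m.group("code"), m.group("body"))
        if reason:
            findings.append((m.group("code"), line, reason))
    return findings


if __name__ == "__main__":
    for code, line, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample it flags eight of the ten lines and leaves the two Symantec entries alone; on a real log the allowlist and the O4 rule need tuning for the software actually installed.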

#4 lorenzo_CA


Posted 04 March 2005 - 01:32 PM

Thank you very much for that detailed solution. I went through all of the steps, but many of them were not successful. Here is a synopsis of what happened:

Step 1:

I had no problem downloading everything, except Adaware SE. It seemed that the site may have been having problems because the download dialog never showed that the download had begun. It basically just sat there and never gave me a location for downloading, and never finished.

I figured I could always do that later, so I continued through the steps and successfully installed the other programs.

Step 2:

Unhide files. Actually it was already done on my system.

Could not install Ad Aware since I had download problems.


Step 3: Open Process Manager (not completed)

Maybe I did something wrong here. When I opened the Process Manager, I could not find any process called Workstation NetLogon Service. Was that supposed to be one entry or three? All entries were in a long string like a path name and not listed like you showed it:

Workstation NetLogon Service.

Can you please clarify this. Thanks.


Step 4:

Run HiJack. Even in Safe Mode, HiJack complained about my hosts file linebreaks and said it could not generate some entries, but it looked like the majority of the entries were created.

All of the entries you asked me to fix were present and I had no problem fixing them.

I was able to find the .exe files in Windows\System32 and delete them.


Step 5: AboutBuster

I had no problem running AboutBuster.


Step 6: Did not work

My DiskCleanup program would not run. The status indicator would go about 10% and then the program just hung up. I waited a long time, just to make sure, but it never finished running and never listed areas to delete.


Step 7: cwsserviceremove.reg (Unsuccessful)

When I ran cwsserviceremove.reg it gave me the following error:

"Cannot import C:\Documen~1\lorenzo\Desktop\cwsserv~1.reg
Error Accessing the registry"


Regarding deldomains.inf... (Unsuccessful)

When I double clicked on this file it just opened a wordpad session with the text contained in the .inf file. So I right-clicked the file name and selected "install", but nothing seemed to happen, so I just continued on to the next step.


Step 8:

I ran CWShredder with no problems two times.


Step 9: Online Virus protection (Unsuccessful)

I tried all three online services, but none of them ran successfully. The first one (Trend Micro) gave me a broken image when I tried to execute the virus check and it never even started.

The second one (BitDefender) failed with the following error message:

"Failed to execute live update. Cannot create a file when that file already exists"

That is basically what happens when I try to run my Symantec AntiVirus Live Update. Something is blocking my ability to run a live update, even on the online virus checker. That's totally bizarre to me. Any ideas what's going on there?


Step 10:

Could not run adaware SE since the download failed.

Step 11:

When I started IE, first of all it started with the same ugly hijacked search page. I tried to change it to MSN.com, but it did not take the change. Then when I went to the Internet Options tab and clicked Restore Web Settings, it gave me the error message:

"Unable to reset web settings"

There must be some fundamental problem with my system that we have not found yet.


Step 12: Jotti's malware site

When I went to this site, the browse facility was extremely sluggish and I was never able to navigate to the c:\windows\System32\rpcss_pl.exe file.

Note: When I googled that file name a couple of weeks ago, I remember reading that that file is definitely a virus. Please note that it is still running and shown in my task manager process view. Seems like I need to get rid of that process somehow. Any ideas on that?


Well, that's what happened. In the beginning it looked like things were progressing nicely for a while, but then I started running into various hiccups along the way.

Any ideas where to go from here?


Thanks very much.

Lorenzo


#5 OldTimer


Posted 04 March 2005 - 02:05 PM

Hi Lorenzo. Can you post a new HijackThis log please? We'll get this figured out!

OT :thumbsup:


#6 lorenzo_CA


Posted 05 March 2005 - 12:49 PM

Thanks again!

Here is the latest Log file:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:49 AM, on 3/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lorenzo\My Documents\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [eFax Messenger 3.4 Clnup] "C:\Documents and Settings\Lorenzo\Local Settings\Temporary Internet Files\Content.IE5\OX2Z0567\msgrplus[1].exe" _clnup_ "C:\Program Files\eFax Messenger Plus 3.3\Uninstall.exe" "C:\Program Files\eFax Messenger Plus 3.3\J2GInstall.log" -_uninstall_ _once_ 1 /S
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Startup: eFax Live Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://apexlogin.agc.com/apex/javaplugin/j...indows-i586.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.healthnet.com/eservices/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_4.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Protocol: x-ottp - {07158288-C7F9-11D2-A742-0080C8129F3E} - C:\Program Files\Onstream Trapeze\trpzurl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Let me know what you think.

Thanks!

Lorenzo

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 06 March 2005 - 10:54 AM

Hello again Lorenzo. It looks like you have a nasty one here. Let's do this. Please print off these directions to use as we proceed. Then perform the following steps in order.

Step #1

Start HijackThis and follow these steps:
* Click on Open the Misc Tools Section button
* Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process:
C:\WINDOWS\System32\rpcss_pl.exe
Now click Start, then click Run and type services.msc into the Open dialog and click the Ok button. This will open the Services console. In the right-hand pane look for the following service and double-click on it to open the Properties dialog:
RPC+ Service Provider (RPCSS+)
Now click on the Stop button. Then in the Startup Type drop-down choose Disabled. When done click the Apply and then the Ok buttons. Close the Services console.

Step #2

Start Notepad and Copy/Paste the text from the quotebox below into the document:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DependOnService"=-

[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML About Pluggable Protocol"

[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,\
  65,6d,33,32,5c,6d,\
  73,68,74,6d,6c,2e,64,6c,6c,00
"ThreadingModel"="Apartment"


Save the document to your desktop and name it FixRP.reg, then close Notepad. Locate the FixRP.reg file on your Desktop and double-click on it. Click on the Ok button when asked if you want to merge it into your registry.

Now click Start and then click Run. Type cmd into the Open dialog and click the Ok button. This will open a command prompt. Type SC delete "RPC+ Service Provider (RPCSS+)" (quotes included) and press the Enter key. This will remove the service from the registry to prevent it from starting up again.

Step #3

Start in Safe Mode Using the F8 method:
* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.
We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunOnce: [eFax Messenger 3.4 Clnup] "C:\Documents and Settings\Lorenzo\Local Settings\Temporary Internet Files\Content.IE5\OX2Z0567\msgrplus[1].exe" _clnup_ "C:\Program Files\eFax Messenger Plus 3.3\Uninstall.exe" "C:\Program Files\eFax Messenger Plus 3.3\J2GInstall.log" -_uninstall_ _once_ 1 /S
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - (no file)
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\system32\qcwsn.dll
C:\WINDOWS\System32\rpcss_pl.exe

Now let's use a different method to clean the Temporary folders. Open Windows Explorer and navigate to:
C:\Documents and Settings\Lorenzo\Local Settings\Temp
Click in the right-hand pane and then press Ctrl-A to select all files. Now press the Del key to delete all the files selected. If you cannot delete a file then skip that file and delete the rest.

Step #4

Run AboutBuster. This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Step #5

Double click on the cwsserviceremove.reg file that you unzipped to the desktop and when asked to merge say yes.

Right-click on the deldomains.inf file that you unzipped to the desktop and when asked to install say yes.

Step #6

Start CWShredder and choose FIX. Let it run and fix whatever it finds.

Reboot your computer normally.

Step #7

Please run at least 2 of the following on-line virus scans:
Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #8

Try to download AdAware SE again from the link below:
AdAware SE download
Follow the instructions in the links below to make sure that you have the most current updates and the proper settings to run each one.
AdAware Tutorial
Run AdAware SE and perform a full system scan. When the scan is complete, right-click on the page of items found and click Select All. Click the Next button and finish the fix.

Step #9

Start Internet Explorer, click the Tools menu and then click the Options item. On the General Tab reset your home page to whatever you want. Click on the Programs tab and then click on the Restore Defaults button. This will change everything back to the default settings.

Step #10

OK. It appears that this log was made from Safe Mode. When booting to Safe Mode not everything gets loaded and if it's not loaded I can't see it to fix it so reboot your computer normally. Start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
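A fix file such as FixRP.reg in Step #2 is worth reading back before it is merged, because regedit applies whatever it contains silently. The script below is an added example written for this thread (it is not part of HijackThis, of any tool named above, or of OldTimer's instructions): it parses a REGEDIT4 file, folds the backslash-continued hex lines, treats "name"=- as a value deletion and decodes hex(2) data as text (ANSI in REGEDIT4 files, UTF-16LE under the newer "Windows Registry Editor Version 5.00" header). Run against the FixRP.reg text it shows that the InProcServer32 value being written is %SystemRoot%\System32\mshtml.dll, the stock Microsoft handler for the about: protocol, and that the only deletion is the RpcSs DependOnService value. The sample input is a constructed copy of the posted file.

```python
"""Inspect a REGEDIT4-style .reg fix file before merging it.

Added example for this thread (not part of HijackThis or any tool named
above): lists the keys the file touches, decodes hex(2) REG_EXPAND_SZ data
back to text and flags values the file deletes ("name"=-).
"""
import re

# Constructed copy of the FixRP.reg text posted above, used as sample input.
FIXRP_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DependOnService"=-

[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}]
@="Microsoft HTML About Pluggable Protocol"

[HKEY_CLASSES_ROOT\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,\
  65,6d,33,32,5c,6d,\
  73,68,74,6d,6c,2e,64,6c,6c,00
"ThreadingModel"="Apartment"
"""

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_DATA = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
STRING_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}


def _join_continuations(text):
    """Fold lines ending in a backslash into the line that follows them."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def decode_value(data, encoding):
    """Return (type_name, python_value) for the right-hand side of a value line."""
    if data == "-":
        return ("delete", None)
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = HEX_DATA.match(data)
    if m:
        kind = int(m.group(1) or 3)          # a bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in STRING_TYPES:
            text = raw.decode(encoding, errors="replace")
            parts = [p for p in text.split("\0") if p]   # drop the NUL terminator(s)
            if kind == 7:
                return ("REG_MULTI_SZ", parts)
            return (STRING_TYPES[kind], parts[0] if parts else "")
        return ("REG_BINARY", raw)
    return ("unknown", data)


def parse_reg(text):
    """Map each key in the file to {value_name: (type_name, value)}."""
    lines = _join_continuations(text)
    # REGEDIT4 files store string data as ANSI; the 5.00 format uses UTF-16LE.
    v5 = bool(lines) and lines[0].startswith("Windows Registry Editor")
    encoding = "utf-16-le" if v5 else "cp1252"
    keys, current = {}, None
    for line in lines:
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = decode_value(m.group(2).strip(), encoding)
    return keys


def describe(keys):
    """One human-readable line per value, for eyeballing before a merge."""
    out = []
    for key, values in keys.items():
        for name, (kind, value) in values.items():
            if kind == "delete":
                out.append(f"DELETE {key}\\{name}")
            else:
                out.append(f"SET    {key}\\{name} = {kind} {value!r}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(FIXRP_REG))))
```

The same check applies to any .reg file received from a forum or a vendor: if a decoded InProcServer32 or Run value points somewhere other than where the text says it should, do not merge it.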


#8 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts

Posted 07 March 2005 - 04:07 AM

Well, step 1 failed. It said I could not kill the process (rpcss_pl) because it may be protected by Windows, or may have already shut down. It did not shut down, so presumably it is protected by Windows.

Any ideas??

Thanks again.

Lorenzo

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 07 March 2005 - 06:06 AM

Hi Lorenzo. Try the procedure in Safe Mode:

Start in Safe Mode Using the F8 method:
* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.
Then follow the steps in the previous post.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#10 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts

Posted 09 March 2005 - 05:03 PM

Safe Mode didn't work. Still would not let me remove the process. Said the same thing, "In use" or "Protected by Windows".

Things are getting really nasty now. Now my computer browser will not even let me access common sites like Yahoo, eBay, MSN, etc.

It comes back with an address something like: http:///?/%20www.yahoo.com/
for example.

I had to use a different computer just to reach this site.

Any ideas???

Thanks.

Lorenzo

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 March 2005 - 07:12 PM

Hi Lorenzo. Ok, let's do this:
* Click Start
* Click Run
* Type services.msc
* Locate RPC+ Service Provider (RPCSS+) and double-click on it
* Click the Stop button
* In the Start-up Type drop down choose Disabled
* Click the Apply button and then the Ok button
* While you're there also do the same for Workstation NetLogon Service if it is present
Again, if the above doesn't work try it in Safe Mode also.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

Chin up :thumbsup:

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#12 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts

Posted 10 March 2005 - 03:47 AM

OK. We're getting somewhere here. You may want to make note of this. In the Management Console, I was not able to stop the (RPCSS+) service because all of the controls (including stop) were grayed out (in safe mode and regular mode). In fact it looked like I would not be able to change anything related to that service. Finally I noted that I was able to disable the service in both the docked and undocked hardware modes. Then when I restarted Windows, the service did not start up.

Also, I never did see a service called Workstation NetLogon Service. Are you sure that is running on my machine?

Also when I started the Management Console, it complained with the following message: "Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly." Is that normal or did one of the viruses change a security setting prohibiting ActiveX controls somewhere? Please advise.

By the way... since disabling that RPCS service, my browser is much much more responsive. Do you remember that I could not even load Yahoo. No problem now, so we are on a roll here.

Here is my HiJackThis Log. Please advise.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:24 AM, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wauctlxp4.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.4\J2GTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lorenzo\My Documents\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\RunOnce: [eFax Messenger 3.4 Clnup] "C:\Documents and Settings\Lorenzo\Local Settings\Temporary Internet Files\Content.IE5\OX2Z0567\msgrplus[1].exe" _clnup_ "C:\Program Files\eFax Messenger Plus 3.3\Uninstall.exe" "C:\Program Files\eFax Messenger Plus 3.3\J2GInstall.log" -_uninstall_ _once_ 1 /S
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Startup: eFax Live Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://www.healthnet.com/eservices/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_4.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Protocol: x-ottp - {07158288-C7F9-11D2-A742-0080C8129F3E} - C:\Program Files\Onstream Trapeze\trpzurl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thanks OT!

Lorenzo

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 March 2005 - 11:39 AM

Well that certainly is good news! Ok, now we are going to run a special tool to do some searching on your machine for the specific variant of the infection. At this point it will not remove it yet but will tell us what type and where the files are.
  • Download DLLCompare.
  • Double-click on DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
  • Once it has finished comparing click "Make a Log of what was found".
  • Click "Yes" at the View Log file? prompt to view the log.
  • Copy and paste the entire log into this topic.
  • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
  • Click "Exit" to exit DLLCompare.
In your previous log it is Ok that you didn't find the Workstation NetLogon Service. I was just checking to see if it was still hanging around and you confirmed that it was not. That's good by the way. As to the ActiveX error message you got, no, that is not normal. It could be due to the service that you stopped trying to prevent you from stopping it. Keep me posted if you have any more of those messages and what you were doing when you get them.

It won't be long now :thumbsup:

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#14 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts

Posted 11 March 2005 - 01:18 AM

Here it is.

Thanks.

Lorenzo

By the way... most of the problems started in February, so this log makes sense if you think the files listed in Feb are viruses.


* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\logkmc.dll Sun Jun 20 2004 12:55:42a A...R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\msasmsn6.dll Thu Mar 3 2005 1:23:44p A..H. 44,544 43.50 K
C:\WINDOWS\SYSTEM32\msasmsn7.dll Fri Dec 31 2004 11:56:40p A..H. 43,520 42.50 K
C:\WINDOWS\SYSTEM32\msxxabt1.dll Wed Feb 23 2005 8:15:10a A..H. 45,568 44.50 K
C:\WINDOWS\SYSTEM32\msxxabt2.dll Fri Feb 25 2005 7:22:22p A..H. 44,032 43.00 K
C:\WINDOWS\SYSTEM32\msxxabt3.dll Thu Mar 3 2005 1:23:42p A..H. 44,032 43.00 K
C:\WINDOWS\SYSTEM32\msxxabt4.dll Fri Dec 31 2004 11:56:34p A..H. 44,032 43.00 K
C:\WINDOWS\SYSTEM32\msxxxabt.dll Tue Feb 22 2005 12:09:18p A..H. 46,592 45.50 K
________________________________________________

1,788 items found: 1,788 files (7 H/S), 0 directories.
Total of file sizes: 325,298,931 bytes 310.23 M

Administrator Account = True

--------------------End log---------------------
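Lorenzo's remark that the trouble began in February is exactly the kind of pivot an analyst uses on a DLLCompare log: files that Windows cannot see, that carry the hidden attribute, and that were written in the window when symptoms started rise to the top. The script below is an added example for this thread (it is not part of DLLCompare or of OldTimer's instructions). It parses the log format as it appears in the post above, where each entry is a path, a weekday, a timestamp with an a/p suffix, a five-character attribute field, a byte count and a rounded size; the only attribute letters it relies on are H (hidden) and R (read-only), which is an assumption drawn from the sample, and paths containing spaces would need a looser pattern. The sample input is a constructed copy of the posted log.

```python
"""Parse a DLLCompare log and rank the entries worth a closer look.

Added example for this thread; it is not part of DLLCompare. The line layout
is inferred from the log posted above, and the attribute letters used (H for
hidden, R for read-only) are an assumption taken from that sample.
"""
import re
from datetime import datetime, date

# Constructed sample: the log posted above, copied as-is.
DLLCOMPARE_SAMPLE = r"""
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\logkmc.dll Sun Jun 20 2004 12:55:42a A...R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\msasmsn6.dll Thu Mar 3 2005 1:23:44p A..H. 44,544 43.50 K
C:\WINDOWS\SYSTEM32\msasmsn7.dll Fri Dec 31 2004 11:56:40p A..H. 43,520 42.50 K
C:\WINDOWS\SYSTEM32\msxxabt1.dll Wed Feb 23 2005 8:15:10a A..H. 45,568 44.50 K
C:\WINDOWS\SYSTEM32\msxxabt2.dll Fri Feb 25 2005 7:22:22p A..H. 44,032 43.00 K
C:\WINDOWS\SYSTEM32\msxxabt3.dll Thu Mar 3 2005 1:23:42p A..H. 44,032 43.00 K
C:\WINDOWS\SYSTEM32\msxxabt4.dll Fri Dec 31 2004 11:56:34p A..H. 44,032 43.00 K
C:\WINDOWS\SYSTEM32\msxxxabt.dll Tue Feb 22 2005 12:09:18p A..H. 46,592 45.50 K
________________________________________________

1,788 items found: 1,788 files (7 H/S), 0 directories.
Total of file sizes: 325,298,931 bytes 310.23 M

Administrator Account = True
"""

ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"                   # drive path (no spaces in this log)
    r"[A-Za-z]{3}\s+"                                 # weekday, not needed
    r"(?P<stamp>[A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<bytes>[\d,]+)\s+[\d.]+ [KMG]$"
)


def parse_dllcompare(text):
    """Return one dict per file entry; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        # "12:55:42a" -> "12:55:42AM" so strptime's %p can read it
        when = datetime.strptime(m["stamp"] + m["ampm"].upper() + "M",
                                 "%b %d %Y %I:%M:%S%p")
        entries.append({
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1].lower(),
            "modified": when,
            "hidden": "H" in m["attrs"],
            "readonly": "R" in m["attrs"],
            "size": int(m["bytes"].replace(",", "")),
        })
    return entries


def hidden_files(entries):
    """Hidden DLLs under the Windows directory are the first thing to look at."""
    return [e for e in entries if e["hidden"]]


def modified_since(entries, since_iso):
    """Entries modified on or after an ISO date (when symptoms began), newest first."""
    since = date.fromisoformat(since_iso)
    hits = [e for e in entries if e["modified"].date() >= since]
    return sorted(hits, key=lambda e: e["modified"], reverse=True)


def report(entries, since_iso):
    """Printable lines: timestamp, H/R flags, size, path."""
    lines = []
    for e in modified_since(entries, since_iso):
        flags = ("H" if e["hidden"] else "-") + ("R" if e["readonly"] else "-")
        lines.append(f"{e['modified']:%Y-%m-%d %H:%M:%S}  {flags}  {e['size']:>7}  {e['path']}")
    return lines


if __name__ == "__main__":
    parsed = parse_dllcompare(DLLCOMPARE_SAMPLE)
    print(f"{len(parsed)} entries, {len(hidden_files(parsed))} hidden")
    print("\n".join(report(parsed, "2005-02-01")))
```

With the cut-off set to 1 February 2005 the report lists five of the seven hidden files; the two dated 31 December 2004 fall outside the window but are still hidden, which is why a date filter should be read alongside the attribute flags rather than instead of them.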

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 11 March 2005 - 03:14 PM

Hi Lorenzo. Please print these directions and then proceed with the following steps.

Download the following tools and save them to a convenient location:
  • FxAgentB Removal Tool:
    • Double-click FxAgentB.exe to start the removal tool.
    • Click "OK" at the prompt.
    • Click "Start" to begin the process, and then allow the tool to run.
    • Once the tool has completed, restart your computer.
    • Run the tool once more to ensure that the infection was removed.
    • Post the contents of FxAgentB.log that should be on your desktop.
  • Pocket Killbox:
    • Unzip the contents of KillBox.zip to a convenient location.
    • Double-click on KillBox.exe.
    • Click "Delete on Reboot".
    • Paste this file into the top "Full Path of File to Delete" box.
      • C:\WINDOWS\SYSTEM32\msasmsn6.dll
    • Click the "Delete File" button which looks like a stop sign.
    • Click "Yes" at the Delete on Reboot prompt.
    • Click No at the Pending Operations prompt.
    • Repeat the above steps for each of the following files. The only difference is that you will be substituting the file listed in the first step with each of the files below.
      • C:\WINDOWS\SYSTEM32\msasmsn7.dll
      • C:\WINDOWS\SYSTEM32\msxxabt1.dll
      • C:\WINDOWS\SYSTEM32\msxxabt2.dll
      • C:\WINDOWS\SYSTEM32\msxxabt3.dll
      • C:\WINDOWS\SYSTEM32\msxxabt4.dll
      • C:\WINDOWS\SYSTEM32\msxxabtt.dll
      • C:\WINDOWS\system32\qcwsn.dll
    • After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so.
    • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
  • CWShredder 2.13:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
Alright. Now start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


OK. Reboot your computer normally and post a new DLLCompare log and a new HijackThis log back here using the Add Reply button and I will review it when it comes in. Include any information regarding problems or concerns you had with performing these directions.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
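The entries OldTimer ticks for Fix Checked in posts #7 and #15 follow a small set of recognisable patterns: IE start and search values pointing at a host nobody chose, a res:// search URL served out of a DLL in System32, a BHO with no friendly name, a service with "Unknown owner" running from System32, and shell-object or URLSearchHook entries that are orphaned or missing. The script below is an added example for this thread (it is not part of HijackThis and is not OldTimer's method); it encodes those patterns as heuristics over HijackThis 1.99 log lines and returns a finding per line with a severity. The host allowlist is a constructed placeholder, the severities are this example's own judgement, and the sample is a constructed subset of the log in post #12. Note that it does not flag the about:blank values that the expert also ticked; those only read as hostile in the context of the DLL-backed search URL beside them, which is the sort of call a rule set leaves to the analyst.

```python
"""Triage HijackThis (v1.99) log lines with a few defender-side heuristics.

Added example for this thread; it is not part of HijackThis. The rules are a
simplified rendering of how the suspicious entries in the logs above were
picked out, and the host allowlist is a constructed placeholder.
"""
import re
from urllib.parse import urlparse

# Hosts an analyst would accept as IE start/search pages (constructed
# allowlist for this example; a real one is specific to the environment).
KNOWN_HOSTS = {"microsoft.com", "msn.com"}

BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
SERVICE_LINE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
RUN_TARGET = re.compile(r"\] (.*)$")

# Constructed sample: a subset of the lines from the log in post #12 above.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qcwsn.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O21 - SSODL: eplrr - {21FDA8AC-A4AC-4326-B987-E22D00D38E09} - (no file)
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def host_ok(host):
    return any(host == h or host.endswith("." + h) for h in KNOWN_HOSTS)


def in_system32(path):
    return "\\system32\\" in path.lower()


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    section = line.split(" - ", 1)[0]
    if section in ("R0", "R1"):
        value = line.partition(" = ")[2].strip()
        if value.lower().startswith("res://") and in_system32(value):
            return ("high", "IE setting served from a DLL in System32")
        if value.lower().startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if not host_ok(host):
                return ("high", f"IE setting points at unrecognised host {host}")
    elif section == "R3" and "missing" in line:
        return ("review", "default URLSearchHook has been removed")
    elif section == "O2":
        m = BHO_LINE.match(line)
        if m and (m.group(1).startswith("{") or m.group(1) == "(no name)") \
                and in_system32(m.group(3)):
            return ("high", "BHO with no friendly name loading from System32")
    elif section == "O4":
        m = RUN_TARGET.search(line)
        if m and in_system32(m.group(1)):
            return ("review", "autostart entry running from System32")
    elif section == "O21" and line.endswith("(no file)"):
        return ("review", "shell service object whose DLL is gone")
    elif section == "O23":
        m = SERVICE_LINE.match(line)
        if m and m.group(2) == "Unknown owner" and in_system32(m.group(3)):
            return ("high", "service with no company info running from System32")
    return None


def triage(log_text):
    """Findings for every line that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = classify(line)
        if hit:
            findings.append({"section": line.split(" - ", 1)[0],
                             "severity": hit[0], "reason": hit[1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f"[{f['severity']:6}] {f['section']:4} {f['reason']}: {f['line']}")
```

The "review" tier is deliberate: nwiz.exe and similar vendor helpers also live in System32, so an autostart from that directory is a prompt to check the file, not a verdict.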

