
HELP! I HAVE HOMESEARCH ASSISTANT!


This topic is locked
9 replies to this topic

#1 oblaxican
  • Members
  • 6 posts

Posted 04 March 2005 - 08:01 PM

Hi, my family computer has been flooded with spyware. I got rid of most of it using Spyware Nuker, but the trial has run out, and all it would do for this HOMESEARCH ASSISTANT was tell me that it was changing values and not do anything about it. Here is my log. HELP PLEASE!! :thumbsup:

Thanks,
Bryce


Logfile of HijackThis v1.99.1
Scan saved at 4:33:42 PM, on 3/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atldz.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ntkl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bryce\Desktop\Spyware Killing\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F02E3B9E-91EA-F259-A3AA-78801E4D5744} - C:\WINDOWS\system32\atljn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ntkl.exe] C:\WINDOWS\ntkl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Network Security Service (Ć 6Qď§'¬┤Ăđ8) - Unknown owner - C:\WINDOWS\system32\atldz.exe


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 March 2005 - 01:06 PM

Hi,

* Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download hsafix.
Unzip hsafix to your desktop. Inside there's a regfile, but don't click on it yet.

* Download CWShredder. Don't let it run yet!

* It's better to print out these instructions, because you have a lot of steps to take, so you have a better overview of them, and this page won't be available all the time.

* First, we will make your hidden files and folders visible.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide file extensions for known file types.
* Click Yes to confirm.
* Click OK.

* Please reboot your system into SAFE MODE.
To get into Windows XP Safe Mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, click Scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F02E3B9E-91EA-F259-A3AA-78801E4D5744} - C:\WINDOWS\system32\atljn.dll
O4 - HKLM\..\Run: [ntkl.exe] C:\WINDOWS\ntkl.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O23 - Service: Network Security Service (Ć 6Qď§'¬┤Ăđ8) - Unknown owner - C:\WINDOWS\system32\atldz.exe


* Close all open windows except HijackThis and click 'Fix Checked'.

* Navigate to and delete the following files if still present:

C:\WINDOWS\system32\atldz.exe
C:\WINDOWS\ntkl.exe
C:\WINDOWS\system32\dzehm.dll
C:\WINDOWS\system32\atljn.dll

* Double-click the hsafix.reg file you downloaded at the beginning.
* Answer Yes when prompted to add the contents to the registry.

* Start AboutBuster and let it scan. Click OK/Yes for every instruction that AboutBuster gives you.
Let it scan a second time to make sure it can get rid of everything.
When finished, click 'Save Log'.

* Start CWShredder and click Fix.

* Go to Start > Run, type: cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

* Go to Start > Control Panel > Internet Options > Programs tab and click Restore Web Settings.

* Reboot your PC back to normal.

* Do an online virus scan: TrendMicro HouseCall.

* Post a new HijackThis log + AboutBuster log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
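A small triage script for the HijackThis log format, added here as an example and not part of this thread or of the HijackThis tool itself: it applies the same indicators miekiemoes picked out above (R0/R1 search settings pointing into a res:// page inside a DLL, the missing URLSearchHook, a BHO with no name, a Run entry launching a bare executable from C:\WINDOWS, and an O23 service with an unknown owner) to a constructed excerpt of Bryce's first log, then lists the files those entries point at. The regular expressions are my own heuristics, not HijackThis rules, and the sample log is a subset of the original mixed with benign lines the filter should ignore.

```python
"""Triage a HijackThis log for the about:blank / "HomeSearch Assistant" hijack
pattern discussed in this thread.  Added example, not code from the thread or
from HijackThis; SAMPLE_LOG is constructed from the first log in the post
plus a few benign entries that a correct filter must leave alone."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the original log, mixed with benign lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dzehm.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F02E3B9E-91EA-F259-A3AA-78801E4D5744} - C:\WINDOWS\system32\atljn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntkl.exe] C:\WINDOWS\ntkl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (Ć 6Qď§'¬┤Ăđ8) - Unknown owner - C:\WINDOWS\system32\atldz.exe
"""


@dataclass
class Finding:
    line: str    # the HijackThis entry, verbatim
    reason: str  # why it was flagged


# Heuristics (my own, not HijackThis rules), one per indicator in the thread.
# IE search/start settings redirected into a res:// page embedded in a DLL.
RES_HIJACK = re.compile(r"^R[01] - .* = res://.*\.dll/", re.I)
# The default URLSearchHook has been removed, typical after a search hijack.
HOOK_MISSING = re.compile(r"^R3 - Default URLSearchHook is missing", re.I)
# Browser helper object that registered itself without a name.
NAMELESS_BHO = re.compile(r"^O2 - BHO: \(no name\)", re.I)
# Run entry whose target is an executable sitting directly in C:\WINDOWS
# (not in System32 or Program Files): where this hijacker drops its loader.
RUN_IN_WINDIR = re.compile(r'^O4 - .*\] "?C:\\WINDOWS\\[^\\"]+\.exe"?\s*$', re.I)
# Service with no owner/company recorded.
UNKNOWN_SERVICE = re.compile(r"^O23 - Service: .* - Unknown owner - ", re.I)
# Executable/DLL path inside an entry (stops at the first .exe/.dll, so the
# '/sp.html#...' tail of a res:// URL is not included).
PATH_RE = re.compile(r'C:\\[^\s"]+\.(?:exe|dll)', re.I)

CHECKS = [
    (RES_HIJACK, "IE search setting redirected into a res:// page inside a DLL"),
    (HOOK_MISSING, "default URLSearchHook removed"),
    (NAMELESS_BHO, "browser helper object with no name"),
    (RUN_IN_WINDIR, "autorun of a bare executable dropped directly in C:\\WINDOWS"),
    (UNKNOWN_SERVICE, "service with unknown owner"),
]


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches any heuristic above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, reason in CHECKS:
            if pattern.search(line):
                findings.append(Finding(line, reason))
                break  # one reason per line is enough for triage
    return findings


def files_to_inspect(findings) -> list:
    """Unique .exe/.dll paths named by the flagged entries, in log order."""
    seen = []
    for f in findings:
        for path in PATH_RE.findall(f.line):
            if path.lower() not in (s.lower() for s in seen):
                seen.append(path)
    return seen


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.reason}] {f.line}")
    print("Files to inspect:", *files_to_inspect(found), sep="\n  ")
```

On the sample, the four paths it reports are exactly the four files the reply above says to delete by hand after 'Fix Checked'.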

#3 oblaxican
  • Topic Starter
  • Members
  • 6 posts

Posted 06 March 2005 - 10:23 PM

Hi, I did what you said and I think it worked, except when I did the TrendMicro HouseCall virus scan, it fixed 17 out of 17 spywares but was unable to fix like 12 viruses. I have Norton AntiVirus but I heard that it's not good enough. Anyways, here's my new log. I no longer have that annoying home page thing, which is good. Do I need to fix anything else?

Thanks,
Bryce

#4 oblaxican
  • Topic Starter
  • Members
  • 6 posts

Posted 06 March 2005 - 10:27 PM

Whoops, I posted and forgot my results; here they are:
ABOUT BUSTER:
Scanned at: 1:19:47 PM on: 3/6/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\Coffee Bean.bmp:nyxjk
C:\WINDOWS\control.ini:gzhon
C:\WINDOWS\vb.ini:zfpej


Removed 4 Random Key Entries
Removed! : C:\WINDOWS\addkq32.exe
Removed! : C:\WINDOWS\addvn.exe
Removed! : C:\WINDOWS\appvn.exe
Removed! : C:\WINDOWS\appye32.exe
Removed! : C:\WINDOWS\crbh32.exe
Removed! : C:\WINDOWS\crej32.exe
Removed! : C:\WINDOWS\crhg32.exe
Removed! : C:\WINDOWS\cril32.exe
Removed! : C:\WINDOWS\crwr32.exe
Removed! : C:\WINDOWS\d3lg32.exe
Removed! : C:\WINDOWS\d3qs32.exe
Removed! : C:\WINDOWS\d3vb32.exe
Removed! : C:\WINDOWS\ieff32.exe
Removed! : C:\WINDOWS\ipcw.exe
Removed! : C:\WINDOWS\ipdr32.exe
Removed! : C:\WINDOWS\ipxc.exe
Removed! : C:\WINDOWS\javaif.exe
Removed! : C:\WINDOWS\javaou32.exe
Removed! : C:\WINDOWS\javaqm32.exe
Removed! : C:\WINDOWS\javauu.exe
Removed! : C:\WINDOWS\mfctf32.exe
Removed! : C:\WINDOWS\mfcuu32.exe
Removed! : C:\WINDOWS\mfcvq.exe
Removed! : C:\WINDOWS\msbj32.exe
Removed! : C:\WINDOWS\msgh32.exe
Removed! : C:\WINDOWS\msmb.exe
Removed! : C:\WINDOWS\msyu32.exe
Removed! : C:\WINDOWS\netfh.exe
Removed! : C:\WINDOWS\netjg32.exe
Removed! : C:\WINDOWS\nthl.exe
Removed! : C:\WINDOWS\sysyp.exe.bak
Removed! : C:\WINDOWS\winwa.exe
Removed! : C:\WINDOWS\winyp.exe
Removed! : C:\WINDOWS\System32\adddr32.exe
Removed! : C:\WINDOWS\System32\addnk32.exe
Removed! : C:\WINDOWS\System32\apici.exe
Removed! : C:\WINDOWS\System32\appqq32.exe
Removed! : C:\WINDOWS\System32\atljn.exe
Removed! : C:\WINDOWS\System32\atluf32.exe
Removed! : C:\WINDOWS\System32\crve32.exe
Removed! : C:\WINDOWS\System32\cryu.exe
Removed! : C:\WINDOWS\System32\javahu32.exe
Removed! : C:\WINDOWS\System32\javaog32.exe
Removed! : C:\WINDOWS\System32\mfcao.exe
Removed! : C:\WINDOWS\System32\mfcrv32.exe
Removed! : C:\WINDOWS\System32\msdw.exe
Removed! : C:\WINDOWS\System32\netpd.exe
Removed! : C:\WINDOWS\System32\netta.exe
Removed! : C:\WINDOWS\System32\ntns32.exe
Removed! : C:\WINDOWS\System32\nttq32.exe
Removed! : C:\WINDOWS\System32\ntuj.exe
Removed! : C:\WINDOWS\System32\sdkvr32.exe
Removed! : C:\WINDOWS\System32\sdkwb.exe
Removed! : C:\WINDOWS\System32\sysis32.exe
Removed! : C:\WINDOWS\System32\syslc.exe
Removed! : C:\WINDOWS\System32\winwi.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\Coffee Bean.bmp:nyxjk
C:\WINDOWS\control.ini:gzhon
C:\WINDOWS\vb.ini:zfpej


Attempted Clean Of Temp folder.
Pages Reset... Done!



HIJACK THIS LOG:


Logfile of HijackThis v1.98.2
Scan saved at 7:17:31 PM, on 3/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Documents and Settings\Bryce\Desktop\HIJACK THIS\HijackThis1982\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#5 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 March 2005 - 02:40 AM

Hi,

Much better!!
You posted your log with a previous version of HijackThis. What happened with the new version 1.99.1?

The viruses HouseCall may have found but couldn't delete are most probably in your system restore points.

So, please disable your system restore. (Note: this will delete all your system restore points and the malware that was present in them.)
Disabling system restore in XP
Reboot, and after rebooting, enable it again, so a new system restore point will be made. A clean one now! :thumbsup:

Then..

* It could be possible that this hijacker deleted some files, so check if the following are still present:

* Control.exe: is in your C:\WINDOWS\system32. Download here when missing.

* Hosts: C:\WINDOWS\SYSTEM32\DRIVERS\ETC. Download here when missing.
Unzip Hoster into its own folder, e.g. C:\Hoster.
Start Hoster.exe, click 'Restore Original Hosts' and click OK. Close the program.

* Shell.dll: C:\WINDOWS\SYSTEM32. Download here when missing.

* SDHelper.dll:
If you are using Spybot Search & Destroy, this hijacker can also delete SDHelper.dll.
Download SDHelper.dll.
Place the file in the Spybot Search & Destroy folder. Most probably, this is C:\Program Files\Spybot - Search & Destroy.

When you have done the above, let HouseCall scan another time and write down the files (full path of file) which HouseCall couldn't delete, and post this in your next reply together with a new HijackThis log (1.99.1 version).

#6 oblaxican
  • Topic Starter
  • Members
  • 6 posts

Posted 07 March 2005 - 08:23 PM

Alright, I cleaned the system restore, and here are the HouseCall virus scan results and actions:


Results:

We have detected 13 infected file(s) with 14 virus(es) on your computer.
Detected File  Associated Virus Name
C:\Documents and Settings\Jospeh\Local Settings\Temp\THI3E9F.tmp\btgrab.cab (BTGrab.dll)  TROJ_BISPY.B
C:\Documents and Settings\Jospeh\Local Settings\Temp\THI3E9F.tmp\btgrab.cab (polall1b.exe)  TROJ_AGENT.AAB
C:\Documents and Settings\Jospeh\Local Settings\Temporary Internet Files\Content.IE5\DF3J9L42\our[1].htm  EXPL_IFRAMEBO.A
C:\WINDOWS\system32\Cache\adl_dh.exe  TROJ_AGENT.NJ
C:\WINDOWS\system32\apiah.exe  TROJ_AGENT.RK
C:\WINDOWS\system32\d3jp.exe  TROJ_AGENT.RK
C:\WINDOWS\system32\javayw32.exe  TROJ_AGENT.MP
C:\WINDOWS\system32\sdkkh.exe  TROJ_AGENT.RK
C:\WINDOWS\system32\sysmonnt.exe  BKDR_VB.EC
C:\WINDOWS\d3ut32.exe  TROJ_AGENT.MP
C:\WINDOWS\d3vk.exe  TROJ_AGENT.MP
C:\WINDOWS\mfcbo32.exe  TROJ_AGENT.MP
C:\WINDOWS\netri.exe  TROJ_AGENT.RK
C:\WINDOWS\SysCheckBop32.exe  TROJ_VB.IW



ACTIONS (2 undeletable)


Detected File  Associated Virus Name  Action taken
C:\Documents and Settings\Jospeh\Local Settings\Temp\THI3E9F.tmp\btgrab.cab (BTGrab.dll)  TROJ_BISPY.B  Undeletable
C:\Documents and Settings\Jospeh\Local Settings\Temp\THI3E9F.tmp\btgrab.cab (polall1b.exe)  TROJ_AGENT.AAB  Undeletable
C:\Documents and Settings\Jospeh\Local Settings\Temporary Internet Files\Content.IE5\DF3J9L42\our[1].htm  EXPL_IFRAMEBO.A  Delete successful
C:\WINDOWS\system32\Cache\adl_dh.exe  TROJ_AGENT.NJ  Delete successful
C:\WINDOWS\system32\apiah.exe  TROJ_AGENT.RK  Delete successful
C:\WINDOWS\system32\d3jp.exe  TROJ_AGENT.RK  Delete successful
C:\WINDOWS\system32\javayw32.exe  TROJ_AGENT.MP  Delete successful
C:\WINDOWS\system32\sdkkh.exe  TROJ_AGENT.RK  Delete successful
C:\WINDOWS\system32\sysmonnt.exe  BKDR_VB.EC  Delete successful
C:\WINDOWS\d3ut32.exe  TROJ_AGENT.MP  Delete successful
C:\WINDOWS\d3vk.exe  TROJ_AGENT.MP  Delete successful
C:\WINDOWS\mfcbo32.exe  TROJ_AGENT.MP  Delete successful
C:\WINDOWS\netri.exe  TROJ_AGENT.RK  Delete successful
C:\WINDOWS\SysCheckBop32.exe  TROJ_VB.IW  Delete successful




HIJACK THIS LOG


Logfile of HijackThis v1.99.1
Scan saved at 5:20:15 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Bryce\My Documents\HIJACKER REMOVAL TOOLS\HIJACK THIS\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110169666046
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 March 2005 - 01:27 AM

Log looks good.

For the items that were undeletable, reboot in Safe Mode again and delete the whole content of C:\Documents and Settings\Jospeh\Local Settings\Temp <== this folder.

How are things working now?

#8 oblaxican
  • Topic Starter
  • Members
  • 6 posts

Posted 09 March 2005 - 10:02 PM

Alright, I deleted those files, and now things work great. Thanks a whole lot, you've been a great help. Can you recommend to me the best FREE virus and spyware protection program so this doesn't happen again? (In your opinion.) Once again, thank you so much for your time.

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 March 2005 - 01:20 AM

Glad I could help you.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

If you haven't installed the following programs yet, I would strongly advise you to install them:
- Spybot S&D
- Ad-Aware SE
Let them scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (HouseCall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!
You asked me for a free antivirus; well, AVG or Avast are good free antivirus programs. But I see that you have Norton installed, so I don't suggest you install more than one antivirus, because several together can give problems and seriously decrease their reliability! So, if you decide to use another antivirus, you have to uninstall Norton first.
I also suggest you install a firewall:
ZoneAlarm or Sygate are free firewalls.

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware you can also find here (by Tony Klein).

Happy surfing again!

#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 March 2005 - 07:11 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.