
Need help with persistent spyware


  • This topic is locked
30 replies to this topic

#1 pojo

  • Members
  • 14 posts

Posted 17 March 2005 - 10:40 PM

My niece has done the unthinkable (at least to me) of cruising the web and downloading files while having no virus protection software.

I believe that I have resolved most of the problems with the viruses and spyware, but Spybot scans still find IsearchTechPower.Scan and CoolWWWSearch.ToonComics.

I am running AVG antivirus and the following spyware programs to clean up the PC: Ad-Aware SE, Spybot and Microsoft AntiSpyware.

The following is the HijackThis log.

Thanks in advance for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 7:15:40 PM, on 3/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\wauctlxp4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HANH HOA\Application Data\rpen.exe
C:\WINDOWS\System32\??plorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aolvwltpjefqd] C:\WINDOWS\System32\wadpxay.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lms] C:\WINDOWS\Cco.exe
O4 - HKLM\..\Run: [Aur] C:\WINDOWS\Eni.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [eoOAmCn] C:\WINDOWS\rguvtim.exe
O4 - HKLM\..\Run: [Jvm] C:\WINDOWS\System32\Nmt.exe
O4 - HKLM\..\Run: [Keq] C:\WINDOWS\System32\Uqo.exe
O4 - HKLM\..\Run: [Rvo] C:\WINDOWS\System32\Cve.exe
O4 - HKLM\..\Run: [Thk] C:\WINDOWS\System32\Ppc.exe
O4 - HKLM\..\Run: [Pen] C:\WINDOWS\Tpd.exe
O4 - HKLM\..\Run: [Obf] C:\WINDOWS\Cmt.exe
O4 - HKLM\..\Run: [Uru] C:\WINDOWS\System32\Psl.exe
O4 - HKLM\..\Run: [Oec] C:\WINDOWS\System32\Ibc.exe
O4 - HKLM\..\Run: [Bac] C:\WINDOWS\System32\Gak.exe
O4 - HKLM\..\Run: [Jtt] C:\WINDOWS\System32\Blk.exe
O4 - HKLM\..\Run: [Lsf] C:\WINDOWS\System32\Srb.exe
O4 - HKLM\..\Run: [Rlk] C:\WINDOWS\Ssp.exe
O4 - HKLM\..\Run: [Cko] C:\WINDOWS\System32\Rpu.exe
O4 - HKLM\..\Run: [Lha] C:\WINDOWS\Rpn.exe
O4 - HKLM\..\Run: [Vcm] C:\WINDOWS\Gsh.exe
O4 - HKLM\..\Run: [Ovv] C:\WINDOWS\System32\Fnd.exe
O4 - HKLM\..\Run: [Pjm] C:\WINDOWS\Ukc.exe
O4 - HKLM\..\Run: [Slq] C:\WINDOWS\System32\Vsg.exe
O4 - HKLM\..\Run: [Sak] C:\WINDOWS\System32\Faj.exe
O4 - HKLM\..\Run: [Kou] C:\WINDOWS\System32\Dog.exe
O4 - HKLM\..\Run: [Bfv] C:\WINDOWS\Jom.exe
O4 - HKLM\..\Run: [Ojh] C:\WINDOWS\Qpt.exe
O4 - HKLM\..\Run: [Grh] C:\WINDOWS\Urd.exe
O4 - HKLM\..\Run: [Ijc] C:\WINDOWS\Ega.exe
O4 - HKLM\..\Run: [Jil] C:\WINDOWS\System32\Jhh.exe
O4 - HKLM\..\Run: [Phv] C:\WINDOWS\Rnj.exe
O4 - HKLM\..\Run: [Gtc] C:\WINDOWS\System32\Eko.exe
O4 - HKLM\..\Run: [Hob] C:\WINDOWS\Lri.exe
O4 - HKLM\..\Run: [Fif] C:\WINDOWS\Oqm.exe
O4 - HKLM\..\Run: [Voa] C:\WINDOWS\Soq.exe
O4 - HKLM\..\Run: [Jpu] C:\WINDOWS\System32\Ltp.exe
O4 - HKLM\..\Run: [Mks] C:\WINDOWS\System32\Lsb.exe
O4 - HKLM\..\Run: [Vpe] C:\WINDOWS\System32\Ubb.exe
O4 - HKLM\..\Run: [Jeo] C:\WINDOWS\System32\Ken.exe
O4 - HKLM\..\Run: [Vte] C:\WINDOWS\System32\Qbc.exe
O4 - HKLM\..\Run: [Ums] C:\WINDOWS\System32\Pjc.exe
O4 - HKLM\..\Run: [Djh] C:\WINDOWS\Qtk.exe
O4 - HKLM\..\Run: [Pjf] C:\WINDOWS\Pum.exe
O4 - HKLM\..\Run: [Feq] C:\WINDOWS\Vik.exe
O4 - HKLM\..\Run: [Dnj] C:\WINDOWS\System32\Hpj.exe
O4 - HKLM\..\Run: [Upq] C:\WINDOWS\System32\Ski.exe
O4 - HKLM\..\Run: [Jss] C:\WINDOWS\Uvh.exe
O4 - HKLM\..\Run: [Fss] C:\WINDOWS\System32\Skk.exe
O4 - HKLM\..\Run: [Nre] C:\WINDOWS\Ovk.exe
O4 - HKLM\..\Run: [Nlh] C:\WINDOWS\System32\Iuq.exe
O4 - HKLM\..\Run: [Jrs] C:\WINDOWS\System32\Rsh.exe
O4 - HKLM\..\Run: [Pvc] C:\WINDOWS\Ata.exe
O4 - HKLM\..\Run: [Leb] C:\WINDOWS\System32\Spb.exe
O4 - HKLM\..\Run: [Dof] C:\WINDOWS\System32\Srd.exe
O4 - HKLM\..\Run: [Kbj] C:\WINDOWS\System32\Qok.exe
O4 - HKLM\..\Run: [Jdn] C:\WINDOWS\Piv.exe
O4 - HKLM\..\Run: [Ngb] C:\WINDOWS\System32\Lqn.exe
O4 - HKLM\..\Run: [Src] C:\WINDOWS\System32\Iie.exe
O4 - HKLM\..\Run: [r34T33i] inshlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoLoaderrwvv1NXgJLLL] "C:\WINDOWS\System32\inshlpr.exe" /HideDir /HideUninstall /PC="CP.AMS" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\HANH HOA\Application Data\rpen.exe
O4 - HKCU\..\Run: [Fcv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [a0v3RTGqS] iestray.exe
O4 - HKCU\..\Run: [Lms] C:\WINDOWS\Cco.exe
O4 - HKCU\..\Run: [Aur] C:\WINDOWS\Eni.exe
O4 - HKCU\..\Run: [Jvm] C:\WINDOWS\System32\Nmt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Keq] C:\WINDOWS\System32\Uqo.exe
O4 - HKCU\..\Run: [Rvo] C:\WINDOWS\System32\Cve.exe
O4 - HKCU\..\Run: [Thk] C:\WINDOWS\System32\Ppc.exe
O4 - HKCU\..\Run: [Pen] C:\WINDOWS\Tpd.exe
O4 - HKCU\..\Run: [Obf] C:\WINDOWS\Cmt.exe
O4 - HKCU\..\Run: [Uru] C:\WINDOWS\System32\Psl.exe
O4 - HKCU\..\Run: [Oec] C:\WINDOWS\System32\Ibc.exe
O4 - HKCU\..\Run: [Bac] C:\WINDOWS\System32\Gak.exe
O4 - HKCU\..\Run: [Jtt] C:\WINDOWS\System32\Blk.exe
O4 - HKCU\..\Run: [Lsf] C:\WINDOWS\System32\Srb.exe
O4 - HKCU\..\Run: [Rlk] C:\WINDOWS\Ssp.exe
O4 - HKCU\..\Run: [Cko] C:\WINDOWS\System32\Rpu.exe
O4 - HKCU\..\Run: [Lha] C:\WINDOWS\Rpn.exe
O4 - HKCU\..\Run: [Vcm] C:\WINDOWS\Gsh.exe
O4 - HKCU\..\Run: [Ovv] C:\WINDOWS\System32\Fnd.exe
O4 - HKCU\..\Run: [Pjm] C:\WINDOWS\Ukc.exe
O4 - HKCU\..\Run: [Slq] C:\WINDOWS\System32\Vsg.exe
O4 - HKCU\..\Run: [Sak] C:\WINDOWS\System32\Faj.exe
O4 - HKCU\..\Run: [Kou] C:\WINDOWS\System32\Dog.exe
O4 - HKCU\..\Run: [Bfv] C:\WINDOWS\Jom.exe
O4 - HKCU\..\Run: [Ojh] C:\WINDOWS\Qpt.exe
O4 - HKCU\..\Run: [Grh] C:\WINDOWS\Urd.exe
O4 - HKCU\..\Run: [Ijc] C:\WINDOWS\Ega.exe
O4 - HKCU\..\Run: [Jil] C:\WINDOWS\System32\Jhh.exe
O4 - HKCU\..\Run: [Phv] C:\WINDOWS\Rnj.exe
O4 - HKCU\..\Run: [Gtc] C:\WINDOWS\System32\Eko.exe
O4 - HKCU\..\Run: [Hob] C:\WINDOWS\Lri.exe
O4 - HKCU\..\Run: [Fif] C:\WINDOWS\Oqm.exe
O4 - HKCU\..\Run: [Voa] C:\WINDOWS\Soq.exe
O4 - HKCU\..\Run: [Jpu] C:\WINDOWS\System32\Ltp.exe
O4 - HKCU\..\Run: [Mks] C:\WINDOWS\System32\Lsb.exe
O4 - HKCU\..\Run: [Vpe] C:\WINDOWS\System32\Ubb.exe
O4 - HKCU\..\Run: [Jeo] C:\WINDOWS\System32\Ken.exe
O4 - HKCU\..\Run: [Vte] C:\WINDOWS\System32\Qbc.exe
O4 - HKCU\..\Run: [Ums] C:\WINDOWS\System32\Pjc.exe
O4 - HKCU\..\Run: [Djh] C:\WINDOWS\Qtk.exe
O4 - HKCU\..\Run: [Pjf] C:\WINDOWS\Pum.exe
O4 - HKCU\..\Run: [Feq] C:\WINDOWS\Vik.exe
O4 - HKCU\..\Run: [Dnj] C:\WINDOWS\System32\Hpj.exe
O4 - HKCU\..\Run: [Upq] C:\WINDOWS\System32\Ski.exe
O4 - HKCU\..\Run: [Jss] C:\WINDOWS\Uvh.exe
O4 - HKCU\..\Run: [Fss] C:\WINDOWS\System32\Skk.exe
O4 - HKCU\..\Run: [Nre] C:\WINDOWS\Ovk.exe
O4 - HKCU\..\Run: [Nlh] C:\WINDOWS\System32\Iuq.exe
O4 - HKCU\..\Run: [Jrs] C:\WINDOWS\System32\Rsh.exe
O4 - HKCU\..\Run: [Pvc] C:\WINDOWS\Ata.exe
O4 - HKCU\..\Run: [Leb] C:\WINDOWS\System32\Spb.exe
O4 - HKCU\..\Run: [Dof] C:\WINDOWS\System32\Srd.exe
O4 - HKCU\..\Run: [Kbj] C:\WINDOWS\System32\Qok.exe
O4 - HKCU\..\Run: [Jdn] C:\WINDOWS\Piv.exe
O4 - HKCU\..\Run: [Ngb] C:\WINDOWS\System32\Lqn.exe
O4 - HKCU\..\Run: [Src] C:\WINDOWS\System32\Iie.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.vxiframe.biz
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.vxiframe.biz (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2005 - 02:52 PM

Hi there,

I see you are running TeaTimer. I suggest you disable it during this cleanup, because TeaTimer can undo the changes you make. Read here how to disable it: http://russelltexas.com/malware/teatimer.htm

* Download and install CCleaner. Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download CWShredder. Start CWShredder and click FIX

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O4 - HKLM\..\Run: [aolvwltpjefqd] C:\WINDOWS\System32\wadpxay.exe
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [Lms] C:\WINDOWS\Cco.exe
O4 - HKLM\..\Run: [Aur] C:\WINDOWS\Eni.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [eoOAmCn] C:\WINDOWS\rguvtim.exe
O4 - HKLM\..\Run: [Jvm] C:\WINDOWS\System32\Nmt.exe
O4 - HKLM\..\Run: [Keq] C:\WINDOWS\System32\Uqo.exe
O4 - HKLM\..\Run: [Rvo] C:\WINDOWS\System32\Cve.exe
O4 - HKLM\..\Run: [Thk] C:\WINDOWS\System32\Ppc.exe
O4 - HKLM\..\Run: [Pen] C:\WINDOWS\Tpd.exe
O4 - HKLM\..\Run: [Obf] C:\WINDOWS\Cmt.exe
O4 - HKLM\..\Run: [Uru] C:\WINDOWS\System32\Psl.exe
O4 - HKLM\..\Run: [Oec] C:\WINDOWS\System32\Ibc.exe
O4 - HKLM\..\Run: [Bac] C:\WINDOWS\System32\Gak.exe
O4 - HKLM\..\Run: [Jtt] C:\WINDOWS\System32\Blk.exe
O4 - HKLM\..\Run: [Lsf] C:\WINDOWS\System32\Srb.exe
O4 - HKLM\..\Run: [Rlk] C:\WINDOWS\Ssp.exe
O4 - HKLM\..\Run: [Cko] C:\WINDOWS\System32\Rpu.exe
O4 - HKLM\..\Run: [Lha] C:\WINDOWS\Rpn.exe
O4 - HKLM\..\Run: [Vcm] C:\WINDOWS\Gsh.exe
O4 - HKLM\..\Run: [Ovv] C:\WINDOWS\System32\Fnd.exe
O4 - HKLM\..\Run: [Pjm] C:\WINDOWS\Ukc.exe
O4 - HKLM\..\Run: [Slq] C:\WINDOWS\System32\Vsg.exe
O4 - HKLM\..\Run: [Sak] C:\WINDOWS\System32\Faj.exe
O4 - HKLM\..\Run: [Kou] C:\WINDOWS\System32\Dog.exe
O4 - HKLM\..\Run: [Bfv] C:\WINDOWS\Jom.exe
O4 - HKLM\..\Run: [Ojh] C:\WINDOWS\Qpt.exe
O4 - HKLM\..\Run: [Grh] C:\WINDOWS\Urd.exe
O4 - HKLM\..\Run: [Ijc] C:\WINDOWS\Ega.exe
O4 - HKLM\..\Run: [Jil] C:\WINDOWS\System32\Jhh.exe
O4 - HKLM\..\Run: [Phv] C:\WINDOWS\Rnj.exe
O4 - HKLM\..\Run: [Gtc] C:\WINDOWS\System32\Eko.exe
O4 - HKLM\..\Run: [Hob] C:\WINDOWS\Lri.exe
O4 - HKLM\..\Run: [Fif] C:\WINDOWS\Oqm.exe
O4 - HKLM\..\Run: [Voa] C:\WINDOWS\Soq.exe
O4 - HKLM\..\Run: [Jpu] C:\WINDOWS\System32\Ltp.exe
O4 - HKLM\..\Run: [Mks] C:\WINDOWS\System32\Lsb.exe
O4 - HKLM\..\Run: [Vpe] C:\WINDOWS\System32\Ubb.exe
O4 - HKLM\..\Run: [Jeo] C:\WINDOWS\System32\Ken.exe
O4 - HKLM\..\Run: [Vte] C:\WINDOWS\System32\Qbc.exe
O4 - HKLM\..\Run: [Ums] C:\WINDOWS\System32\Pjc.exe
O4 - HKLM\..\Run: [Djh] C:\WINDOWS\Qtk.exe
O4 - HKLM\..\Run: [Pjf] C:\WINDOWS\Pum.exe
O4 - HKLM\..\Run: [Feq] C:\WINDOWS\Vik.exe
O4 - HKLM\..\Run: [Dnj] C:\WINDOWS\System32\Hpj.exe
O4 - HKLM\..\Run: [Upq] C:\WINDOWS\System32\Ski.exe
O4 - HKLM\..\Run: [Jss] C:\WINDOWS\Uvh.exe
O4 - HKLM\..\Run: [Fss] C:\WINDOWS\System32\Skk.exe
O4 - HKLM\..\Run: [Nre] C:\WINDOWS\Ovk.exe
O4 - HKLM\..\Run: [Nlh] C:\WINDOWS\System32\Iuq.exe
O4 - HKLM\..\Run: [Jrs] C:\WINDOWS\System32\Rsh.exe
O4 - HKLM\..\Run: [Pvc] C:\WINDOWS\Ata.exe
O4 - HKLM\..\Run: [Leb] C:\WINDOWS\System32\Spb.exe
O4 - HKLM\..\Run: [Dof] C:\WINDOWS\System32\Srd.exe
O4 - HKLM\..\Run: [Kbj] C:\WINDOWS\System32\Qok.exe
O4 - HKLM\..\Run: [Jdn] C:\WINDOWS\Piv.exe
O4 - HKLM\..\Run: [Ngb] C:\WINDOWS\System32\Lqn.exe
O4 - HKLM\..\Run: [Src] C:\WINDOWS\System32\Iie.exe
O4 - HKLM\..\Run: [r34T33i] inshlpr.exe
O4 - HKLM\..\Run: [AutoLoaderrwvv1NXgJLLL] "C:\WINDOWS\System32\inshlpr.exe" /HideDir /HideUninstall /PC="CP.AMS" /ShowLegalNote="nonbranded"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\HANH HOA\Application Data\rpen.exe
O4 - HKCU\..\Run: [Fcv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [a0v3RTGqS] iestray.exe
O4 - HKCU\..\Run: [Lms] C:\WINDOWS\Cco.exe
O4 - HKCU\..\Run: [Aur] C:\WINDOWS\Eni.exe
O4 - HKCU\..\Run: [Jvm] C:\WINDOWS\System32\Nmt.exe
O4 - HKCU\..\Run: [Keq] C:\WINDOWS\System32\Uqo.exe
O4 - HKCU\..\Run: [Rvo] C:\WINDOWS\System32\Cve.exe
O4 - HKCU\..\Run: [Thk] C:\WINDOWS\System32\Ppc.exe
O4 - HKCU\..\Run: [Pen] C:\WINDOWS\Tpd.exe
O4 - HKCU\..\Run: [Obf] C:\WINDOWS\Cmt.exe
O4 - HKCU\..\Run: [Uru] C:\WINDOWS\System32\Psl.exe
O4 - HKCU\..\Run: [Oec] C:\WINDOWS\System32\Ibc.exe
O4 - HKCU\..\Run: [Bac] C:\WINDOWS\System32\Gak.exe
O4 - HKCU\..\Run: [Jtt] C:\WINDOWS\System32\Blk.exe
O4 - HKCU\..\Run: [Lsf] C:\WINDOWS\System32\Srb.exe
O4 - HKCU\..\Run: [Rlk] C:\WINDOWS\Ssp.exe
O4 - HKCU\..\Run: [Cko] C:\WINDOWS\System32\Rpu.exe
O4 - HKCU\..\Run: [Lha] C:\WINDOWS\Rpn.exe
O4 - HKCU\..\Run: [Vcm] C:\WINDOWS\Gsh.exe
O4 - HKCU\..\Run: [Ovv] C:\WINDOWS\System32\Fnd.exe
O4 - HKCU\..\Run: [Pjm] C:\WINDOWS\Ukc.exe
O4 - HKCU\..\Run: [Slq] C:\WINDOWS\System32\Vsg.exe
O4 - HKCU\..\Run: [Sak] C:\WINDOWS\System32\Faj.exe
O4 - HKCU\..\Run: [Kou] C:\WINDOWS\System32\Dog.exe
O4 - HKCU\..\Run: [Bfv] C:\WINDOWS\Jom.exe
O4 - HKCU\..\Run: [Ojh] C:\WINDOWS\Qpt.exe
O4 - HKCU\..\Run: [Grh] C:\WINDOWS\Urd.exe
O4 - HKCU\..\Run: [Ijc] C:\WINDOWS\Ega.exe
O4 - HKCU\..\Run: [Jil] C:\WINDOWS\System32\Jhh.exe
O4 - HKCU\..\Run: [Phv] C:\WINDOWS\Rnj.exe
O4 - HKCU\..\Run: [Gtc] C:\WINDOWS\System32\Eko.exe
O4 - HKCU\..\Run: [Hob] C:\WINDOWS\Lri.exe
O4 - HKCU\..\Run: [Fif] C:\WINDOWS\Oqm.exe
O4 - HKCU\..\Run: [Voa] C:\WINDOWS\Soq.exe
O4 - HKCU\..\Run: [Jpu] C:\WINDOWS\System32\Ltp.exe
O4 - HKCU\..\Run: [Mks] C:\WINDOWS\System32\Lsb.exe
O4 - HKCU\..\Run: [Vpe] C:\WINDOWS\System32\Ubb.exe
O4 - HKCU\..\Run: [Jeo] C:\WINDOWS\System32\Ken.exe
O4 - HKCU\..\Run: [Vte] C:\WINDOWS\System32\Qbc.exe
O4 - HKCU\..\Run: [Ums] C:\WINDOWS\System32\Pjc.exe
O4 - HKCU\..\Run: [Djh] C:\WINDOWS\Qtk.exe
O4 - HKCU\..\Run: [Pjf] C:\WINDOWS\Pum.exe
O4 - HKCU\..\Run: [Feq] C:\WINDOWS\Vik.exe
O4 - HKCU\..\Run: [Dnj] C:\WINDOWS\System32\Hpj.exe
O4 - HKCU\..\Run: [Upq] C:\WINDOWS\System32\Ski.exe
O4 - HKCU\..\Run: [Jss] C:\WINDOWS\Uvh.exe
O4 - HKCU\..\Run: [Fss] C:\WINDOWS\System32\Skk.exe
O4 - HKCU\..\Run: [Nre] C:\WINDOWS\Ovk.exe
O4 - HKCU\..\Run: [Nlh] C:\WINDOWS\System32\Iuq.exe
O4 - HKCU\..\Run: [Jrs] C:\WINDOWS\System32\Rsh.exe
O4 - HKCU\..\Run: [Pvc] C:\WINDOWS\Ata.exe
O4 - HKCU\..\Run: [Leb] C:\WINDOWS\System32\Spb.exe
O4 - HKCU\..\Run: [Dof] C:\WINDOWS\System32\Srd.exe
O4 - HKCU\..\Run: [Kbj] C:\WINDOWS\System32\Qok.exe
O4 - HKCU\..\Run: [Jdn] C:\WINDOWS\Piv.exe
O4 - HKCU\..\Run: [Ngb] C:\WINDOWS\System32\Lqn.exe
O4 - HKCU\..\Run: [Src] C:\WINDOWS\System32\Iie.exe
O9 - Extra button: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {2ADD0C84-D7B7-4F1F-AF1E-A70ABBDDB1A2} - C:\WINDOWS\System32\intlmain.dll (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.vxiframe.biz
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.vxiframe.biz (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 66.197.161.149


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
To get into Safe Mode, press and hold your F8 key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\wauctlxp4.exe
C:\Documents and Settings\HANH HOA\Application Data\rpen.exe
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\System32\msasmsn7.dll
C:\WINDOWS\System32\wadpxay.exe
C:\WINDOWS\Cco.exe
C:\WINDOWS\Eni.exe
C:\WINDOWS\rguvtim.exe
C:\WINDOWS\System32\Nmt.exe
C:\WINDOWS\System32\Uqo.exe
C:\WINDOWS\System32\Cve.exe
C:\WINDOWS\System32\Ppc.exe
C:\WINDOWS\Tpd.exe
C:\WINDOWS\Cmt.exe
C:\WINDOWS\System32\Psl.exe
C:\WINDOWS\System32\Ibc.exe
C:\WINDOWS\System32\Gak.exe
C:\WINDOWS\System32\Blk.exe
C:\WINDOWS\System32\Srb.exe
C:\WINDOWS\Ssp.exe
C:\WINDOWS\System32\Rpu.exe
C:\WINDOWS\Rpn.exe
C:\WINDOWS\Gsh.exe
C:\WINDOWS\System32\Fnd.exe
C:\WINDOWS\Ukc.exe
C:\WINDOWS\System32\Vsg.exe
C:\WINDOWS\System32\Faj.exe
C:\WINDOWS\System32\Dog.exe
C:\WINDOWS\Jom.exe
C:\WINDOWS\Qpt.exe
C:\WINDOWS\Urd.exe
C:\WINDOWS\Ega.exe
C:\WINDOWS\System32\Jhh.exe
C:\WINDOWS\Rnj.exe
C:\WINDOWS\System32\Eko.exe
C:\WINDOWS\Lri.exe
C:\WINDOWS\Oqm.exe
C:\WINDOWS\Soq.exe
C:\WINDOWS\System32\Ltp.exe
C:\WINDOWS\System32\Lsb.exe
C:\WINDOWS\System32\Ubb.exe
C:\WINDOWS\System32\Ken.exe
C:\WINDOWS\System32\Qbc.exe
C:\WINDOWS\System32\Pjc.exe
C:\WINDOWS\Qtk.exe
C:\WINDOWS\Pum.exe
C:\WINDOWS\Vik.exe
C:\WINDOWS\System32\Hpj.exe
C:\WINDOWS\System32\Ski.exe
C:\WINDOWS\Uvh.exe
C:\WINDOWS\System32\Skk.exe
C:\WINDOWS\Ovk.exe
C:\WINDOWS\System32\Iuq.exe
C:\WINDOWS\System32\Rsh.exe
C:\WINDOWS\Ata.exe
C:\WINDOWS\System32\Spb.exe
C:\WINDOWS\System32\Srd.exe
C:\WINDOWS\System32\Qok.exe
C:\WINDOWS\Piv.exe
C:\WINDOWS\System32\Lqn.exe
C:\WINDOWS\System32\Iie.exe


Above, you see a lot of .exe files with three characters before the .exe in your System32 and WINDOWS folders.
Right-click on one or two of those files and choose Properties. You will see the size (most probably 8 KB) and a date.
Delete all those files (random .exe's with three-character names) with exactly the same file size and date!!! Please don't delete any others!!
If you're unsure about this, leave it.

To do this quickly:

Open Explorer to C:\WINDOWS\system32.
Change the view to Details and click on the header of the Size column to sort the files by size.
So you'll find all the files sorted by size (most probably 8 KB, as you have seen in the properties of that file).

Do the same for your WINDOWS folder.
Also look in your WINDOWS folder for random .html files, e.g. jhl2.html, hyrs.html, usr.html (these are just examples).
They also must have the same date!!! So delete them.

* Start CCleaner and click Run Cleaner

* Reboot your system back to normal mode

Can you zip the following file and submit it here: http://www.bleepingcomputer.com/submit-malware.php

C:\WINDOWS\System32\inshlpr.exe

Post back a fresh HijackThis log and I'll take another look.
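The cleanup above is done by eye: pick the O4 entries that point at random three-letter .exe files in WINDOWS or System32, the bare filenames, the odd ??plorer.exe, and every O15 trusted zone, then sort System32 by size to find the dropper's siblings that share one size and date. The following Python is an added example written for this page, not code from the thread or from its helpers, that performs the same two checks on a constructed subset of the log posted above. The function names, the O4/O15 line shapes taken from the log, the sample directory listing with made-up sizes and dates, and the threshold of three files per size/date group are all assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines in the shape of the HijackThis 1.99.1 log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lms] C:\WINDOWS\Cco.exe
O4 - HKLM\..\Run: [Jvm] C:\WINDOWS\System32\Nmt.exe
O4 - HKLM\..\Run: [r34T33i] inshlpr.exe
O4 - HKCU\..\Run: [Lms] C:\WINDOWS\Cco.exe
O4 - HKCU\..\Run: [Fcv] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$')
# First quoted-or-bare token ending in .exe/.dll; HijackThis prints the command verbatim.
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll))', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{3}\.exe$', re.IGNORECASE)
WINDIR_RE = re.compile(r'^C:\\WINDOWS(\\System32)?$', re.IGNORECASE)


def triage_hijackthis(log_text):
    """Map each suspicious O4/O15 entry to the list of reasons it was flagged."""
    findings = defaultdict(list)
    hives_seen = defaultdict(set)  # (Run value name, path) -> {'HKLM', 'HKCU'}

    def flag(key, reason):
        if reason not in findings[key]:
            findings[key].append(reason)

    for line in log_text.splitlines():
        if line.startswith('O15 - Trusted'):
            # The fix list above removes every O15 entry: none was added by the user.
            flag(line, 'Trusted Zone / IP range the user never added')
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, value_name, command = m.groups()
        e = EXE_RE.search(command)
        if not e:
            continue  # e.g. "[Yahoo! Pager] 1": no executable to inspect
        path = e.group(1)
        directory, _, filename = path.rpartition('\\')
        hives_seen[(value_name, path)].add(hive)
        if not directory:
            flag(path, 'bare filename, located via PATH search at logon')
        if WINDIR_RE.match(directory) and RANDOM_NAME_RE.match(filename):
            flag(path, 'random three-letter name in Windows directory')
        if '?' in filename or not filename.isascii():
            # '?' is not a legal Windows filename character, so HijackThis printed it for
            # characters outside its code page: a look-alike of explorer.exe, such as the
            # Cyrillic "ex" described later in this thread.
            flag(path, 'non-ASCII characters in filename (shown as ??)')
    for (value_name, path), hives in hives_seen.items():
        if hives == {'HKLM', 'HKCU'}:
            flag(path, 'same Run entry registered in both HKLM and HKCU')
    return dict(findings)


# Constructed stand-in for the Explorer "Details" view of System32 the post describes:
# (name, size in bytes, modified date). Sizes and dates are made up for the example.
SAMPLE_SYSTEM32 = [
    ('Cve.exe', 8192, '2005-03-12'),
    ('Nmt.exe', 8192, '2005-03-12'),
    ('Ppc.exe', 8192, '2005-03-12'),
    ('Gak.exe', 8192, '2005-03-12'),
    ('rsh.exe', 11776, '2002-08-29'),   # real XP component with a three-letter name
    ('cmd.exe', 375808, '2002-08-29'),  # likewise: the name pattern alone would be wrong
    ('notepad.exe', 69120, '2002-08-29'),
]


def dropper_cluster(listing, min_members=3):
    """Names that share one (size, date) pair AND look like random three-letter .exe files.

    The size+date match is the real signal, as the post says; the name pattern only
    narrows it. Legitimate short names (rsh.exe, cmd.exe) fall outside the cluster.
    """
    groups = defaultdict(list)
    for name, size, mdate in listing:
        if RANDOM_NAME_RE.match(name):
            groups[(size, mdate)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) >= min_members)


if __name__ == '__main__':
    for key, reasons in triage_hijackthis(SAMPLE_LOG).items():
        print(key, '->', '; '.join(reasons))
    print('delete candidates:', dropper_cluster(SAMPLE_SYSTEM32))
```

Two points the code makes explicit that the written procedure leaves implicit: the legitimate Symantec and Spybot entries in the same O4 section produce no finding at all, so the filter is about location and naming, not about every startup item; and a three-letter name by itself is not grounds for deletion, which is why rsh.exe and cmd.exe stay out of the cluster while the four files sharing one size and date go in. The `??` in the logged path is a rendering artifact, so searching the disk for a file literally named `??plorer.exe` will find nothing; the real file has non-ASCII letters and sorts to an unexpected place in Explorer.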

#3 pojo

  • Topic Starter
  • Members
  • 14 posts

Posted 19 March 2005 - 10:57 AM

I downloaded the tools.
I ran HijackThis and fixed the entries from the list.

I removed the files from the list, but I also made the following change.
For the file C:\WINDOWS\System32\??plorer.exe, I removed the last file, by alphabetically sorted file name, in the C:\WINDOWS\System32 directory: explorer.exe.
I have seen from earlier posts that a Cyrillic "ex" would make this the last entry in the C:\WINDOWS\System32 directory, and ??plorer.exe would show up this way in the directory.
I also did not remove C:\WINDOWS\System32\rsh.exe.

I was not able to find most of the files in the list; can I assume that this is normal?
I also checked by using the command (cmd.exe) window to look for the files.

I could not find this file:
C:\WINDOWS\System32\inshlpr.exe

Logfile of HijackThis v1.99.1
Scan saved at 7:50:42 AM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hp psc 2000 Series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 miekiemoes (Malware Response Team, Belgium)

Posted 19 March 2005 - 11:43 AM

Hello,

I removed the files from the list,
but I also made the following change.
For file C:\WINDOWS\System32\??plorer.exe
I removed the last file by alphabetically sorted file name in the
C:\WINDOWS\System32 directory, explorer.exe.
I have seen from earlier posts that a Cyrillic "ex" would make this the
last entry in the C:\WINDOWS\System32 directory, and ??plorer.exe would show up this way in the directory.
I also did not remove C:\WINDOWS\System32\rsh.exe.


So you mean that the ??plorer.exe was actually explorer.exe in your system32 folder?

About rsh.exe... as noticed in your log:

O4 - HKCU\..\Run: [Jrs] C:\WINDOWS\System32\Rsh.exe

This doesn't look 'healthy', but as you said, there's a legit one there too. There must be a difference between them..

Okay, let's take a better look now..

Open notepad and copy and paste next content in the white field in it:

dir C:\WINDOWS\System32\Rsh.exe /a h > files1.txt 
dir C:\WINDOWS\System32\??plorer.exe /a h > files2.txt
copy files1.txt + files2.txt = Output.txt
notepad Output.txt

Save this as look.bat (choose to save as *all files) and place it on your desktop. Now double-click on it and copy and paste the contents of the log you get into your next reply.

Your startpage: about:blank... is it a blank page you get, or a searchpage?

I was not able to find most files in the list, can I assume that this is normal?


I know AVG does flag those 3 .exe files, so most probably most of them were already deleted.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 pojo (Topic Starter)

Posted 19 March 2005 - 12:08 PM

In case I had not mentioned it, I am running XP Home SP1.

>>> below is contents of file Output.txt
Volume in drive C has no label.
Volume Serial Number is 2464-4BA4

Directory of C:\WINDOWS\System32

03/31/2003 04:00 AM 13,312 rsh.exe

Directory of C:\WINDOWS\System32

1 File(s) 13,312 bytes
0 Dir(s) 69,442,707,456 bytes free
Volume in drive C has no label.
Volume Serial Number is 2464-4BA4

Directory of C:\WINDOWS\System32


Directory of C:\WINDOWS\System32
>>> above is contents of file Output.txt

>> Your startpage: about:blank... is it a blank page you get or a searchpage?
It seems to be a search page. It displays a page with the top left side saying
"Search for..."
also a tool that says "Search the Web:"
also a popup window (I am quite sure this is bogus)
title: Microsoft Internet Explorer
Warning!
Windows detected spy software "scpStelth.cih" ver.2.018
somebody is trying to access you through port XXX

also some private information in the popup window.

I close this window by using the red X in the top right side of the window.

#6 miekiemoes

Posted 19 March 2005 - 12:22 PM

03/31/2003 04:00 AM 13,312 rsh.exe is a legit one. That's ok. The bad one is 8kb.

I'll keep that in mind for the next time. Thanks for the extra addition.

It seems to be a search page. It displays a page with the top left side saying
Search for...
also a tool that says "Search the Web:"


Hmmm.. a startpage.

Ok.. let's find out..

Open notepad and copy and paste next content in it:

dir c:\ppc.dll  /a h /s > files.txt
notepad files.txt

Save this as look2.bat (choose to save as *all files) and place it on your desktop.
Double-click on it and notepad will open. Copy and paste this into your next reply.

Edited by miekiemoes, 19 March 2005 - 12:23 PM.

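The trick in posts #4 and #6 above is worth making concrete: the wildcard ??plorer.exe matches both the real explorer.exe and an impostor whose first two letters are Cyrillic look-alikes, and the only thing separating the legitimate rsh.exe from the bad one is its size. The script below is an added example, not code posted by either participant. It assumes a small table of Cyrillic confusables and a short list of system binary names, and runs over a constructed directory listing in the shape of the dir output pojo pasted; it reports which non-ASCII names fold to a known binary name, which code points give them away, and their size.

```python
"""Flag look-alike (homoglyph) filenames, such as a Cyrillic 'ехplorer.exe'
sitting beside the genuine explorer.exe, and report their sizes.

Added example for this thread, not code posted by either participant.
The directory listing is constructed, and the confusable table is an
assumption covering only commonly abused Cyrillic letters."""
from fnmatch import fnmatchcase

# Assumption: Cyrillic letters that render identically to Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0501": "d",
}

# Windows binaries whose names an impostor file is likely to borrow.
KNOWN_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "rsh.exe", "winlogon.exe"}


def fold(name):
    """Replace look-alike letters with their Latin equivalents, lower-cased."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def is_lookalike(name):
    """True when a non-ASCII name folds to a known system binary name."""
    return (not name.isascii()) and fold(name) in KNOWN_NAMES


def wildcard_matches(listing, pattern):
    """Names matching a cmd-style wildcard such as '??plorer.exe' from the thread.
    Each '?' matches exactly one character, so the Cyrillic impostor matches too."""
    return [name for name, _size in listing if fnmatchcase(name, pattern)]


def scan(listing):
    """Return one finding per look-alike name: what it mimics, its size, and the
    non-ASCII code points that give it away."""
    findings = []
    for name, size in listing:
        if is_lookalike(name):
            findings.append({
                "name": name,
                "looks_like": fold(name),
                "size": size,
                "non_ascii": ["U+%04X" % ord(ch) for ch in name if not ch.isascii()],
            })
    return findings


# Constructed listing in the shape of the 'dir' output in the thread.
SAMPLE = [
    ("explorer.exe", 1_032_192),
    ("\u0435\u0445plorer.exe", 8_192),   # U+0435 and U+0445 are Cyrillic 'е' and 'х'
    ("rsh.exe", 13_312),
    ("notepad.exe", 69_120),
]

if __name__ == "__main__":
    print("matches for ??plorer.exe:", wildcard_matches(SAMPLE, "??plorer.exe"))
    for hit in scan(SAMPLE):
        print(hit)
```

On a live machine you would feed scan() the output of os.scandir() on the System32 directory instead of SAMPLE; the size column is what lets you tell the 13,312-byte rsh.exe from the 8 KB impostor discussed in post #6 once the name check has done its part.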

#7 pojo

Posted 19 March 2005 - 12:30 PM

This is what I got from the .bat file.

>>>below is the contents of file files.txt
Volume in drive C has no label.
Volume Serial Number is 2464-4BA4

>>>above is the contents of file files.txt

#8 miekiemoes

Posted 19 March 2005 - 12:41 PM

Hmmm.. can you check if there is a folder in your Program Files with the name PPC Advertor?

#9 miekiemoes

Posted 19 March 2005 - 12:52 PM

If PPC Advertor is not present..

Then I suspect you are infected with a CWS.Holax variant. Please run the Computer Associates online scan here:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Follow the prompts to scan your hard drive. When the scan is finished it will produce a report of infected files at the bottom of the screen. Please copy the entire text of this report and post it here for me to see.
Do not fix anything yet!!

#10 pojo

Posted 19 March 2005 - 01:53 PM

>> Hmmm.. can you check if there is a folder in your program Files with the name: PPC Advertor?

I did not find this directory.

These are the results of the CA virus scan.

Scan Results: 49913 files scanned. 1 virus was detected.

File | Infection | Status | Path
blcn.dll | Win32.Startpage.FZ | infected | C:\WINDOWS\system32\

#11 miekiemoes

Posted 19 March 2005 - 02:01 PM

Can you zip blcn.dll and submit it here: http://www.bleepingcomputer.com/submit-malware.php

If you can't zip it in normal mode, try it in safe mode.
Delete it afterwards.

Check and fix again the next lines in hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Reboot and post a new hijackthislog.

#12 pojo

Posted 19 March 2005 - 02:48 PM

I deleted blcn.dll and "fixed" the registry entries (closed IE first).

I have also turned off "System restore".

Here is the log from safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:35 AM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hp psc 2000 Series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#13 miekiemoes

Posted 19 March 2005 - 02:49 PM

Hi, I need a log from normal mode... ;)

#14 pojo

Posted 19 March 2005 - 04:01 PM

Here's the log.
Logfile of HijackThis v1.99.1
Scan saved at 12:49:29 PM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hp psc 2000 Series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#15 miekiemoes

Posted 19 March 2005 - 04:07 PM

Hmm.. still there:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


If you fix them.. I suppose they are back? Still have that searchpage?
If so.. follow my next step..

Ok.. let's try something else..

Download rkfiles.zip
UNZIP the contents to a permanent folder

Reboot in SAFE MODE !! Important !!
To get into Safe Mode, as the computer is booting press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Doubleclick rkfiles.bat
It will scan for a while.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.

Edited by miekiemoes, 19 March 2005 - 04:08 PM.

