Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

About Blank Hijacked


  • Please log in to reply
9 replies to this topic

#1 Tommy C

Tommy C

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Location:Fort Worth TX
  • Local time:09:48 AM

Posted 23 March 2005 - 04:07 PM

I need help. I have the about:blank hijack problem. I have tried all of the suggestions and fixes I could find on this site, but I still have the problem. Its driving me crazy.

Thanks for any help.

Tommy

BC AdBot (Login to Remove)

 


#2 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:02:48 PM

Posted 23 March 2005 - 05:20 PM

Hello Tommy and welcome to Bleeping. :thumbsup:

Can you please follow the instructions in this thread about how to post a HijackThis log and the programs you need to run before doing so. When you've scanned with Ad-Aware SE and Spybot, come back to this thread and post your log ensuring you've rebooted before generating it. Although these programs won't remove the hijacker, they will remove a lot of other nasty stuff you may have.

We'll then take it from there. :flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Location:Fort Worth TX
  • Local time:09:48 AM

Posted 24 March 2005 - 11:21 AM

OK, I ran Ad-Aware and Spybot, rebooted and ran Hijack this. After I rebooted, a icon popped up on my windows task bar. After I clicked on it, it opened a window showing info about how to get rid of spy-ware. I think the window was a HTML help program.

Below is the Hijack log. :thumbsup:

Thanks.

Tommy


Logfile of HijackThis v1.99.1
Scan saved at 10:15:49 AM, on 3/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\appdd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GEARSEC.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINNT\system32\hpnra.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINNT\system32\sysvp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\Downloads\HijachThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\vvddj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\vvddj.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DE04A825-A481-2E12-BFC9-FC36733B1168} - C:\WINNT\system32\iepa32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sysqh32.exe] C:\WINNT\system32\sysqh32.exe
O4 - HKLM\..\Run: [sysvp.exe] C:\WINNT\system32\sysvp.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{895A2D04-81C0-4093-9C12-0C599023438A}: NameServer = 68.113.206.10,66.169.221.10
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\appdd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\GEARSEC.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
:flowers:

#4 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:02:48 PM

Posted 24 March 2005 - 06:31 PM

Please print these instructions out of save them to notepad or as you'll be working in Safe Mode later without internet access. Read the instructions carefully and complete them in the order they're posted. Ask any questions before proceeding. The entire fix MUST be carried out in the same sitting for it to work.


Two of the entries relating to your browser hijacking are listed below in the quote box. Note the dll filenames I've highlighted in red as they have a tendancy to 'morph' on successive reboots. When you get to 'Step 3' of the fix and run HijackThis again, please check to make sure those dll filenames are the same as in your last log. If they have morphed, make a note of the new names and ensure you substitute them for the ones listed in both the APM instructions and safe mode deletions. If you don't do this, the infection will remain.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\vvddj.dll/sp.html#37049

O2 - BHO: (no name) - {DE04A825-A481-2E12-BFC9-FC36733B1168} - C:\WINNT\system32\iepa32.dll




Step 1 - Preparation

Ensure you have set Windows to show all hidden files and folders.
See here if you don't know how to do this.

Download and install About:Buster from here to it's own directory (C:\About:Buster).
Open the program and click oK > Update > Check for Update.
Download Update (if available) and then close the program.

Download and install APM from here to it's own directory (C:\APM).

Download and install CrapCleaner from here.

Update your Anti-Virus definitions to the latest and then disconnect from the internet.



Step 2 - Stop the Malicious Service

Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Network Security Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.



Step 3 - Remove HijackThis Entries

Scan with HijackThis again and place a checkmark before the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\vvddj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\vvddj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\vvddj.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DE04A825-A481-2E12-BFC9-FC36733B1168} - C:\WINNT\system32\iepa32.dll
O4 - HKLM\..\Run: [sysqh32.exe] C:\WINNT\system32\sysqh32.exe
O4 - HKLM\..\Run: [sysvp.exe] C:\WINNT\system32\sysvp.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\appdd.exe

Close ALL open windows and Browsers (inc. this one) and click FIX CHECKED



Step 4 - Manipulate malicious '02 BHO' dll file

Start APM.
In the upper window select 'explorer.exe'
In the lower window locate and rightclick the 02 BHO file which in your last log was:

C:\WINNT\system32\iepa32.dll <--Alter if morphed

Select 'Unload DLL'
Click 'OK' on the following prompts.


Step 5 - About:Buster & Anti-Virus Scan

Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.

Start About:Buster
Close open ALL windows-VERY important.
Click on 'Start' to begin the scan.
When the scan has finished let it scan again.
Save the report it produces to a notepad file for posting.
Exit About:Buster
Now run your Anti-Virus program choosing a selective scan of your C:\ only.


Step 6 - Remove Malicious Programs/Files/Folders if still present

Delete the following files in bold:

C:\WINNT\vvddj.dll <--Alter if morphed ('R' entries)
C:\WINNT\system32\iepa32.dll <--Alter if morphed (02 BHO entry)
C:\WINNT\system32\sysqh32.exe
C:\WINNT\system32\sysvp.exe
C:\WINNT\system32\appdd.exe


Step 7 - Clean Out Temp Files & Recycle Bin

Start CrapCleaner
Leave the default settings on the left as they are.
Click on Options > Settings and checkmark the box next to 'Close Program After Cleaning' and click OK.
Click 'Run Cleaner'
Then reboot the machine into normal mode.


Step 8 - Online Virus Scans

Run an online virus scan from any of the following locations making a note of the scan results.

http://uk.trendmicro-europe.com/consumer/p...call_launch.php - Trend Micro
http://www.ravantivirus.com/scan/ - RAV
http://www.pandasoftware.com/activescan/ - Panda
http://www.bitdefender.com/scan/licence.php - BitDefender

Reboot once more and post a fresh HijackThis log, About:Buster log and let me know if the online scan found anything.

Edited by John_McKenna, 24 March 2005 - 06:35 PM.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#5 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Location:Fort Worth TX
  • Local time:09:48 AM

Posted 03 June 2005 - 11:52 AM

Mod edit. Post moved to previously opened topic.

OT - 6/3/05


I have serious problems.

Windows closes IE and I can not open windows control panel.

Below is my HJT log.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:51:59 AM, on 6/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GEARSEC.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\appox32.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINNT\system32\hpnra.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Downloads\HijachThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {395BB7AA-547E-4C71-BE42-D60D6E0AC389} - C:\WINNT\system32\ipnd32.dll
O2 - BHO: Class - {4F96F696-50BA-E211-9CC1-95DD27AB7866} - C:\WINNT\msat32.dll
O2 - BHO: Class - {92A4352E-CDB2-FF91-BCBA-58684A744E3A} - C:\WINNT\system32\netxc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sysvp.exe] C:\WINNT\system32\sysvp.exe
O4 - HKLM\..\Run: [javaag.exe] C:\WINNT\javaag.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{895A2D04-81C0-4093-9C12-0C599023438A}: NameServer = 68.113.206.10,66.169.221.10
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\appdd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\GEARSEC.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by OldTimer, 03 June 2005 - 07:03 PM.


#6 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:02:48 PM

Posted 05 June 2005 - 03:08 PM

Hi Tommy,

It would appear we lost each other until today. Near the top of the forum, click on the link which says 'My Control Panel'. Scroll down the options on the left hand side and select 'Email Settings'. Check all three boxes under 'Board Preferences' and then hit the 'Amend my email settings' button to confirm. You will now recieve emails with a link to the topic every time I reply to one of your posts. If you have to amend a post you've made, please edit the original post as double posting will more than likely cancel the email notification.

As it's been a few days since your last post, the files we need to kill will have changed by now. Please post another log in THIS thread please and then refrain from rebooting until I give you further instructions. The nature of this infection requires you to respond in a timely manner so let me know if anything is preventing you from accessing this machine on a regular basis.

HJM
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#7 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Location:Fort Worth TX
  • Local time:09:48 AM

Posted 06 June 2005 - 10:58 AM

Ok I fixed my email settings.

HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 10:59:36 AM, on 6/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GEARSEC.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINNT\system32\hpnra.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Downloads\HijachThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {395BB7AA-547E-4C71-BE42-D60D6E0AC389} - C:\WINNT\system32\ipnd32.dll
O2 - BHO: Class - {4F96F696-50BA-E211-9CC1-95DD27AB7866} - C:\WINNT\msat32.dll
O2 - BHO: Class - {92A4352E-CDB2-FF91-BCBA-58684A744E3A} - C:\WINNT\system32\netxc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sysvp.exe] C:\WINNT\system32\sysvp.exe
O4 - HKLM\..\Run: [javaag.exe] C:\WINNT\javaag.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [appox32.exe] C:\WINNT\system32\appox32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{895A2D04-81C0-4093-9C12-0C599023438A}: NameServer = 68.113.206.10,66.169.221.10
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\appdd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\GEARSEC.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:02:48 PM

Posted 06 June 2005 - 01:09 PM

This may not shift on the first time of asking so please be patient. You have a fairly new variant which has proved to be very resistant to removal most of the time.

Please print these instructions out or save them to notepad or as you'll be working in Safe Mode later without internet access. Read the instructions carefully and complete them in the order they're posted. Ask any questions before proceeding. The entire fix MUST be carried out in the same sitting for it to work.


Step 1

Download and install the Mozilla Firefox browser from here.
Please use this browser until we get you clean.
Keep Internet Explorer firmly shut until further notice.

Download and install About:Buster 5.0 from here and unzip it to a new folder on your desktop.
Open the program and click oK > Update > Check for Updates.
Download any new ref. file and then close the program.

Download and install APM from here.

Update your Norton definitions to the latest and ensure it is configured to scan ALL FILES. See here for instructions.

Download CWShredder from here.

Download Killbox from here to your desktop.

Download CWSServicemove.zip from here and unzip it to your desktop. Don't do anything with it yet.

Ensure you're familiar with rebooting into Safe Mode.
Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.


Step 2

Click Start | Run and type services.msc, then click OK
Scroll down and right click on 'Network Security Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.

Double-click on CWShredder.exe
Click on 'Check for Update' and download any new reference file.
Click on Fix
Let me know what it found/removed please.

Start APM.
In the upper window select explorer.exe
In the lower window find and rightclick C:\WINNT\system32\ipnd32.dll
Select Unload DLL and click OK on the prompts that follow.
Repeat these steps for the following:

C:\WINNT\msat32.dll
C:\WINNT\system32\netxc.dll


Then close APM.

Step 3

Run HJT again and checkmark the boxes next to the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ghyta.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {395BB7AA-547E-4C71-BE42-D60D6E0AC389} - C:\WINNT\system32\ipnd32.dll
O2 - BHO: Class - {4F96F696-50BA-E211-9CC1-95DD27AB7866} - C:\WINNT\msat32.dll
O2 - BHO: Class - {92A4352E-CDB2-FF91-BCBA-58684A744E3A} - C:\WINNT\system32\netxc.dll
O4 - HKLM\..\Run: [sysvp.exe] C:\WINNT\system32\sysvp.exe
O4 - HKLM\..\Run: [javaag.exe] C:\WINNT\javaag.exe
O4 - HKLM\..\RunOnce: [appox32.exe] C:\WINNT\system32\appox32.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINNT\system32\appdd.exe (file missing)

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked


Step 4

Reboot into Safe Mode.

Start About:Buster
Close ALL open windows - VERY important.
Click on 'Begin Removal' to start the scan.
When the scan has finished let it scan again.
A log of the scan will appear in the folder.
Exit About:Buster.


Step 5

Double-click killbox.exe
Click on Tools > Delete Temp Files and click ok.
Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:

C:\WINNT\system32\ghyta.dll
C:\WINNT\system32\ipnd32.dll
C:\WINNT\msat32.dll
C:\WINNT\system32\netxc.dll
C:\WINNT\system32\sysvp.exe
C:\WINNT\javaag.exe
C:\WINNT\system32\appox32.exe
C:\WINNT\system32\appdd.exe


Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'

The entire list should now be in the "Full Path of File to Delete" field.
To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

As your machine starts to reboot, please start tapping F8 and go straight into Safe Mode - Very Important!!


Step 6

Now open Norton and run a selective scan of your C:\ drive, removing everything it finds. Make a note of anything it couldn't remove and it's location.

Now double-click on the CWSServicemove.reg
Confirm you wish to add the contents to the registry when prompted and then reboot back to normal mode.


Step 7

Run an online virus scan at the following location making a note of the scan results.

http://uk.trendmicro-europe.com/consumer/p...call_launch.php - Trend Micro

Reboot once more and post a fresh HijackThis log, About:Buster log and let me know if the online scan found anything.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#9 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Location:Fort Worth TX
  • Local time:09:48 AM

Posted 16 June 2005 - 09:27 AM

John,

Your solution worked great. I did the online scan and it found about forty items, but could not remove any of them. I wrote them all down and will get you a list.

A coworker is having problem with pop ups. She will have pop ups appear when she is not even on the web. We have a cable connection through our server so she is constantly connected to the internet.

HJT log below

Logfile of HijackThis v1.99.1
Scan saved at 9:05:06 AM, on 6/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hpnra.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\seeve.exe
C:\winnt\system32\eaioid.exe
C:\WINNT\system32\87c3m4pf.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\initpki.exe
C:\Program Files\cama\siil.exe
C:\WINNT\system32\??crosoft.NET\services.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\winnt\system32\calc.exe
C:\WINNT\system32\wuauclt.exe
U:\HijachThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsvcin] C:\n20050308.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehxi32.exe
O4 - HKLM\..\Run: [seeve] C:\WINNT\seeve.exe
O4 - HKLM\..\Run: [eaioid] c:\winnt\system32\eaioid.exe
O4 - HKLM\..\Run: [87c3m4pf] C:\WINNT\system32\87c3m4pf.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [initpki] C:\WINNT\system32\initpki.exe
O4 - HKCU\..\Run: [Ruhe] C:\Program Files\cama\siil.exe
O4 - HKCU\..\Run: [Eyqtcl] C:\WINNT\system32\??crosoft.NET\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stam...file=stamps.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF82E314-8CF8-44E2-950C-2EF56FA4EB86}: NameServer = 68.113.206.10,66.169.221.10
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\dnn6015se.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#10 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:02:48 PM

Posted 17 June 2005 - 03:44 PM

Hi Tommy, your friend does indeed have some serious problems there which need attention immediately. However, we concentrate on one machine per thread as a rule. If your friend would like to start a new thread and post the log, someone will help her asap. Feel free to post the link to the thread in here. If I get to it first I'll help her myself. In the meantime, can you post a fresh log from your workstation please so that I may check everything is OK. :thumbsup:

That list of infected files (and their locations) the virus scan couldn't remove would be helpful as well.

Edited by John_McKenna, 17 June 2005 - 03:45 PM.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users