Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

winmovieplugin


  • Please log in to reply
8 replies to this topic

#1 trulscw

trulscw

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 25 March 2005 - 02:55 PM

Hi,

I have a problem with some sort of malware/spyware (don't really know what it is). A window pops up on my desktop and says something in Italian, at the same time it put's two shortcuts on my desktop, quicklaunch, startmenu and i my bookmarks in IE. One is a shortcut (called winmovieplugin) to a file in my temp folder and the other is a IE shortcut to some italian porn site. After a while a IE explorer pops up and takes me to master69.biz and also changes my home page to master69.biz... Every time i delete it, it comes back after a short time. I have tried to get rid of it with ad aware, spy ware, antivirus and hijacker, but nothing works. Here is my log file:

Logfile of HijackThis v1.98.2
Scan saved at 20:47:57, on 25.03.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Programfiler\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\VeriSign\NAVI\naviagent.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programfiler\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\LogMeIn\LogMeInSystray.exe
C:\Programfiler\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
C:\Programfiler\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Programfiler\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programfiler\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\system32\gah95on6.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Daily Weather Forecast\weather.exe
C:\Documents and Settings\Truls Christian Waag\Programdata\sgrunt\IE4321.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\t?skmgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\PROGRA~1\COMMON~1\uqkk\uqkkm.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programfiler\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Programfiler\WinZip\WZQKPICK.EXE
C:\Programfiler\BitComet\BitComet.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programfiler\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\COMMON~1\uqkk\uqkka.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Truls Christian Waag\Skrivebord\HijackThis.exe

R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O2 - BHO: (no name) - {E645D65A-44E3-4348-CBA0-45819CC359B5} - C:\WINDOWS\system32\nzpvn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programfiler\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programfiler\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programfiler\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programfiler\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programfiler\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTPerformanceUtility] C:\Programfiler\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programfiler\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [T6J3y] C:\WINDOWS\dgcjrqx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Programfiler\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [duz] C:\WINDOWS\duz.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\Truls Christian Waag\Programdata\sgrunt\IE4321.exe
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{A82F1~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{A82F1~1\reboot.ini -l0x9
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Bzuot] C:\WINDOWS\system32\t?skmgr.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [uqkk] C:\PROGRA~1\COMMON~1\uqkk\uqkkm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: FontHit Font Tools.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programfiler\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Search Engine Commando Schedule Viewer.lnk = C:\Programfiler\Search Engine Commando\ScheduleViewer.exe
O4 - Global Startup: Service Manager.lnk = C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Programfiler\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Hjelp for i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: Hjelp for i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O9 - Extra 'Tools' menuitem: Innstillinger for i-Nav - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.yeak.net

BC AdBot (Login to Remove)

 


#2 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:06:13 PM

Posted 26 March 2005 - 06:49 PM

Hi and welcome to Bleeping. :thumbsup:

Before we get started can you please switch off Spybot's Teatimer by following the instructions here and then reboot to complete the change.

Then update your version of HijackThis.
Download the HijackThis Self Extracting zip file from here to your desktop. Double click 'hijackthis_sfx.exe' and select "Unzip".
You will now find HijackThis in C:\Program Files\HijackThis from now on.

Please then post a fresh HijackThis log in THIS thread and we'll get to work. :flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 trulscw

trulscw
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 27 March 2005 - 11:49 AM

hey,

thanks for your help.

I've downloaded the new hijackthis file, however when it scans my comp. it stops halfway through and generates an error message, and shuts down. I've tried to reboot, and reinstall, but this makes no difference. Can i use the one i used for the first log file?

#4 trulscw

trulscw
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 27 March 2005 - 01:07 PM

I finally got it to work.

Logfile of HijackThis v1.99.1
Scan saved at 20:04:47, on 27.03.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Programfiler\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Programfiler\VeriSign\NAVI\naviagent.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programfiler\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\LogMeIn\LogMeInSystray.exe
C:\Programfiler\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
C:\Programfiler\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Programfiler\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programfiler\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\dgcjrqx.exe
C:\Programfiler\Daily Weather Forecast\weather.exe
C:\Documents and Settings\Truls Christian Waag\Programdata\sgrunt\IE4321.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\t?skmgr.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\Programfiler\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programfiler\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Programfiler\WinZip\WZQKPICK.EXE
C:\Programfiler\FontHit Software\FontHit Font Tools\FontTools.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\Programfiler\ISTsvc\istsvc.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\BitComet\BitComet.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Truls Christian Waag\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.master69.biz?1462
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.goolge.com
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O2 - BHO: (no name) - {E645D65A-44E3-4348-CBA0-45819CC359B5} - C:\WINDOWS\system32\nzpvn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programfiler\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programfiler\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programfiler\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programfiler\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programfiler\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTPerformanceUtility] C:\Programfiler\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programfiler\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [T6J3y] C:\WINDOWS\dgcjrqx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Programfiler\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [duz] C:\WINDOWS\duz.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\Truls Christian Waag\Programdata\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [IST Service] C:\Programfiler\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Bzuot] C:\WINDOWS\system32\t?skmgr.exe
O4 - HKCU\..\Run: [uqkk] C:\PROGRA~1\COMMON~1\uqkk\uqkkm.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe"
O4 - Startup: FontHit Font Tools.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programfiler\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Search Engine Commando Schedule Viewer.lnk = C:\Programfiler\Search Engine Commando\ScheduleViewer.exe
O4 - Global Startup: Service Manager.lnk = C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Programfiler\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Hjelp for i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: Hjelp for i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O9 - Extra 'Tools' menuitem: Innstillinger for i-Nav - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.yeak.net
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programfiler\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Programfiler\VeriSign\NAVI\naviagent.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Search Engine Commando Schedule Service (SECScheduleService) - Unknown owner - C:\Programfiler\Search Engine Commando\ScheduleService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#5 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:06:13 PM

Posted 27 March 2005 - 05:55 PM

Can you move HijackThis to it's own dedicated folder please. This will ensure the vital backup feature works correctly.

Go to My Computer (Windows key+e), double click on C:
Click File > New > Folder
Name it HijackThis and unzip/move or download the program again to this folder.


Run HJT again and checkmark the boxes next to the following:-

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.master69.biz?1462
O2 - BHO: (no name) - {E645D65A-44E3-4348-CBA0-45819CC359B5} - C:\WINDOWS\system32\nzpvn.dll
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [T6J3y] C:\WINDOWS\dgcjrqx.exe
4 - HKLM\..\Run: [duz] C:\WINDOWS\duz.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\Truls Christian Waag\Programdata\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [IST Service] C:\Programfiler\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Bzuot] C:\WINDOWS\system32\t?skmgr.exe
O4 - HKCU\..\Run: [uqkk] C:\PROGRA~1\COMMON~1\uqkk\uqkkm.exe
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.yeak.net
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

Now close ALL windows & browsers and click FIX CHECKED




Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.


Set Windows to 'Show all files & folders'.
Click Start > My Computer> Tools> Folder Options>
On the View tab make sure that you:-
Select 'Show Hidden Files & Folders'
Uncheck 'Hide file extensions for known file types'.
Uncheck 'Hide protected operating system files'.
Click OK.



Delete the following files in bold:

C:\WINDOWS\dgcjrqx.exe
C:\WINDOWS\duz.exe
C:\WINDOWS\system32\nzpvn.dll
C:\WINDOWS\system32\gah95on6.exe
C:\WINDOWS\system32\t?skmgr.exe <--This will probably appear as Taskmgr.exe - DO NOT delete the legit file of the same name. Right click the file and select 'Properties'. The legit file will have Micro$oft Copyright information under the 'Version' tab.



Delete the following folders in bold:

C:\Documents and Settings\Truls Christian Waag\Programdata\sgrunt
C:\Programfiler\ISTsvc
C:\PROGRA~1\COMMON~1\uqkk


Then click on Start > Run and type cleanmgr into the run box.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin ONLY are checkmarked and click 'OK'.



Reboot and run an online virus scan from any of the following locations:

http://www.ravantivirus.com/scan/ - RAV
http://uk.trendmicro-europe.com/consumer/p...call_launch.php - Trend Micro
http://www.pandasoftware.com/activescan/ - Panda
http://www.bitdefender.com/scan/licence.php - BitDefender


Reboot once more and post a fresh log.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#6 trulscw

trulscw
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 28 March 2005 - 07:27 AM

Logfile of HijackThis v1.99.1
Scan saved at 14:24:10, on 28.03.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Programfiler\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Programfiler\VeriSign\NAVI\naviagent.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programfiler\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\LogMeIn\LogMeInSystray.exe
C:\Programfiler\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
C:\Programfiler\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Programfiler\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
C:\WINDOWS\CTHELPER.EXE
C:\Programfiler\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Daily Weather Forecast\weather.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\Programfiler\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programfiler\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Programfiler\WinZip\WZQKPICK.EXE
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programfiler\FontHit Software\FontHit Font Tools\FontTools.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\HijackThis\HijackThis.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.goolge.com
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programfiler\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programfiler\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programfiler\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programfiler\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Programfiler\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Programfiler\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTPerformanceUtility] C:\Programfiler\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Programfiler\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Programfiler\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Programfiler\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe"
O4 - Startup: FontHit Font Tools.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programfiler\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Search Engine Commando Schedule Viewer.lnk = C:\Programfiler\Search Engine Commando\ScheduleViewer.exe
O4 - Global Startup: Service Manager.lnk = C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Programfiler\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programfiler\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Hjelp for i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: Hjelp for i-Nav - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O9 - Extra 'Tools' menuitem: Innstillinger for i-Nav - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Programfiler\VeriSign\i-Nav\i-nav_4_2_0.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Programfiler\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Programfiler\VeriSign\NAVI\naviagent.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Search Engine Commando Schedule Service (SECScheduleService) - Unknown owner - C:\Programfiler\Search Engine Commando\ScheduleService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#7 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:06:13 PM

Posted 28 March 2005 - 04:33 PM

That's a clean log.

Just one query I forgot to mention. The Daily Weather Forecast program bares a striking resemblance to another program called Weatherbug which is classed as adware. Can you tell me if yours is made by the same people?
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#8 trulscw

trulscw
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 PM

Posted 29 March 2005 - 02:40 AM

Hi,

It could very well be a bug of some sort. It doesn't give me any information on the distributor, and I can't delete it in "normal" windows mode. And also I didn't install it.

Another thing though, the malware keeps coming back, and these entries are now back in my log file:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.master69.biz?1462

O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.yeak.net

These are linked to my first problem that I posted, and still shortcuts are put on my desktop ++. The winmovieplugin links to files in my temp folder, would it help to go into safemode and delete all my files in this location?

Thank you for your help

Chris :thumbsup:

#9 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:06:13 PM

Posted 29 March 2005 - 04:24 AM

I've done a little more research on this and I think this is a fairly new trojan. I couldn't find much on it I'm afraid though so we'll have to fight it blindfolded. I always like to get the big guns out when blindfolded so lets get stuck in straightaway. :thumbsup:

1. Start by updating your Norton definitions to the latest. You'll be scanning in Safe Mode with your AV in a while.

2. Download and install CrapCleaner. We'll use it later.

3. Download and install the trial version of TDS-3 Anti-Trojan from here. Don't start the program yet. Update the trojan database by right clicking the link below and selecting 'save as' and save it to the directory where you installed TDS-3, overwriting the previous radius.td3.

http://www.diamondcs.com.au/tds/radius.td3

4. Reboot in safe mode and launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.

5. Detections will appear in the lower pane of the TDS window. When the scan has eventually finished, right click the lower pane and select 'save as txt' to save the 'scandump.txt'. Leaving the program open, copy and paste the contents of scandump.txt into your next reply.

6. After posting the scanlog, right click the lower TDS pane again and select 'delete' to remove everything labelled 'positive identification'.

7. Reboot the machine in Safe Mode again and run a full system scan with your anti-virus program. Copy & paste a summary of it's findings in your next reply if it detects anything.

8. While still in Safe Mode, open CrapCleaner and click on Options > Settings. Remove the checkmark (if present) from the box beside "Only delete files in temp folders older than 48 hours". Click ok to confirm and then click "Run Cleaner" to clean out your temp files, temporary internet files and recycle bin amongst other things.

9. Reboot in normal mode and post the TDS log, anti-virus summary and a fresh HijackThis log for inspection.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users