Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't get rid of this - log posted. Please help


  • This topic is locked This topic is locked
5 replies to this topic

#1 cinder

cinder

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 20 April 2005 - 11:20 AM

System keeps redirecting to 69.42.87.221 and other places.

I have done the following:

- searched the registry manually
- run Mcafee
- run adaware, spybot, and spyhunter
- gotten rid of nail.exe

O4 - HKLM\..\Run: [vdoxwxc] c:\windows\system32\uvazhj.exe keeps coming back and autoregenerating to something else and I can't seem to get rid of it.


This is from Startuplist

StartupList report, 4/20/2005, 12:18:56 PM
StartupList version: 1.52
Started from : C:\hijackthis\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\Program Files\interMute\SpySubtract\SpySub.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\uvazhj.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
anvshell = anvshell.exe
nwiz = nwiz.exe /install
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SpyHunter =
WAIT GRIM SEEK INTRA = C:\Documents and Settings\All Users\Application Data\License Sign Wait Grim\Tray Gpl.exe
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
vdoxwxc = c:\windows\system32\uvazhj.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RHSI SHS = "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
Update Manager = "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
PopUpStopperFreeEdition = "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\Nail.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\Aquarium.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\DOCUME~1\Mark\APPLIC~1\KINDTE~1\platform cool.exe - {0DDEE530-C208-F4BD-4B1A-8F574195920A}
(no name) - C:\WINDOWS\Bolger.dll - {302A3240-4805-4a34-97D7-1645A0B08410}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
ohb - C:\WINDOWS\system32\nss314.dll - {999A06FF-10EF-4A29-8640-69E99882C26B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

94417E6192BF0C6D.job
AF7255FC9181C7B0.job
ghu.job
McAfee.com Update Check (MARK-01-Mark).job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[WCSAXrview Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WCSAXR~1.OCX
CODEBASE = http://24.129.130.102:8888/wcsarview.cab

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://protect.microsoft.com/security/prot...b?1065723538312

[{1C78AB3F-A857-482E-80C0-3A1E5238A565}]
CODEBASE = file://C:\install.cab

[PPSDKActiveXScanner.MainScreen]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx
CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab

[CScanner Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ppctl.dll
CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab

[Info Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Si.dll
CODEBASE = http://www.blizzard.com/register/wowbeta/si.cab

[DownloadScanEngine.ctlDSE295497]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RHSIDownloads.ocx
CODEBASE = http://downloads.rogershelp.com/updates.cab

[FVLiteLoad Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FVLiteX.dll
CODEBASE = http://flipview.com/fvlite22/fvlite.cab

[View22RTE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\View22RTE.dll
CODEBASE = http://66.242.36.117/view22/diyapp/View22RTE.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\mcgdmgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,105 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

End of startuplist


Logfile of HijackThis v1.99.1
Scan saved at 12:10:16 PM, on 4/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis1991.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\uvazhj.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0DDEE530-C208-F4BD-4B1A-8F574195920A} - C:\DOCUME~1\Mark\APPLIC~1\KINDTE~1\platform cool.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nss314.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WAIT GRIM SEEK INTRA] C:\Documents and Settings\All Users\Application Data\License Sign Wait Grim\Tray Gpl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [vdoxwxc] c:\windows\system32\uvazhj.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://24.129.130.102:8888/wcsarview.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {7112EAD8-E590-463A-93EF-A7B90A1E3A57} (DownloadScanEngine.ctlDSE295497) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite22/fvlite.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.117/view22/diyapp/View22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{711D1A19-271E-43AC-B029-A46E811A2CDE}: NameServer = 206.47.244.61,206.47.244.13
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe



Please help, this is a pesky bugger

BC AdBot (Login to Remove)

 


#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:04:55 PM

Posted 20 April 2005 - 01:07 PM

Hello cinder and welcome to BleepingComputer.

(Thanks to Swandog46 for this canned fix)

Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & pastes the following block of text into Notepad.

@ECHO OFF
cd\windows
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as remove.bat. Close Notepad.


Again, Open Notepad, copy & pastes the following block of text into Notepad.

dir c:\windows\tasks /a > sched.txt
notepad sched.txt
del sched.txt

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as sched.bat. Close Notepad.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) During startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following Safe Mode instructions .


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines:

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {0DDEE530-C208-F4BD-4B1A-8F574195920A} - C:\DOCUME~1\Mark\APPLIC~1\KINDTE~1\platform cool.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nss314.dll

O4 - HKLM\..\Run: [WAIT GRIM SEEK INTRA] C:\Documents and Settings\All Users\Application Data\License Sign Wait Grim\Tray Gpl.exe

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

There will also be an item towards the bottom of the O4 section in HijackThis (it should be the last O4 item marked "HKLM", and it should be between the entries for [MCUpdateExe] and [RHSI SHS]). This item will be marked with "garbage" random characters. However, it seems to be renaming itself so the name will most likely be different by the time you follow these directions. In your previous log it was:

O4 - HKLM\..\Run: [vdoxwxc] c:\windows\system32\uvazhj.exe

Whatever the name of the item is, check it.


Then close all open windows except for HijackThis and click Fix Checked.

Open Windows Explorer (Windows key+e), navigate to and delete the file listed in the random O4 entry. In the above example you would delete c:\windows\system32\jjgvkc.exe.

Also, navigate to and delete if found:

C:\WINDOWS\Bolger.dll <--File
C:\WINDOWS\system32\nss314.dll <--File

C:\DOCUME~1\Mark\APPLIC~1\KINDTE~1\ <--Folder that begins with 'KINDTE'
C:\Documents and Settings\All Users\Application Data\License Sign Wait Grim\ <--Folder


Reboot normally.

Double click on sched.bat and a notepad file should open. Copy the contents of that file to your next post along with a fresh HJT log.

Edited by ddeerrff, 20 April 2005 - 04:15 PM.

Derfram
~~~~~~

#3 cinder

cinder
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 20 April 2005 - 11:31 PM

Thank you, I believe I am clear now. Companies that put bleep like this out should be charged.

Volume in drive C has no label.
Volume Serial Number is F487-8B33

Directory of c:\windows\tasks

04/20/2005 11:58 PM <DIR> .
04/20/2005 11:58 PM <DIR> ..
04/21/2005 12:00 AM 260 94417E6192BF0C6D.job
04/21/2005 12:00 AM 260 AF7255FC9181C7B0.job
08/18/2001 08:00 AM 65 desktop.ini
01/17/2003 08:30 PM 212 ghu.job
04/20/2005 11:58 PM 474 McAfee.com Update Check (MARK-01-Mark).job
04/21/2005 12:18 AM 6 SA.DAT
04/21/2005 12:18 AM 410 Symantec NetDetect.job
7 File(s) 1,687 bytes
2 Dir(s) 17,716,158,464 bytes free


Logfile of HijackThis v1.99.1
Scan saved at 12:29:08 AM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://24.129.130.102:8888/wcsarview.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {7112EAD8-E590-463A-93EF-A7B90A1E3A57} (DownloadScanEngine.ctlDSE295497) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite22/fvlite.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.117/view22/diyapp/View22RTE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...458/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{711D1A19-271E-43AC-B029-A46E811A2CDE}: NameServer = 206.47.244.61,206.47.244.13
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 cinder

cinder
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 20 April 2005 - 11:34 PM

I also sent in a donation. I think this site is a serious plus for the windows community and I want to thank you for your efforts.

Cinder

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:04:55 PM

Posted 21 April 2005 - 12:03 AM

A little bit left to do Cinder.

Looks like we've got two hidden tasks that don't belong there and may reinfect you with LOP. Let's get rid of them:
Open Notepad, copy & paste the following into Notepad:

del /f C:\windows\tasks\94417E6192BF0C6D.job
del /f C:\windows\tasks\AF7255FC9181C7B0.job
dir c:\windows\tasks /a > sched.txt
notepad sched.txt
del sched.txt

Save it to your desktop as Remjob.bat. Close Notepad.
Run Remjob.bat by double clicking on it. Post the resulting text file in your next post.


One entry in HJT that is being difficult:

Open Task Manager (Ctrl-Alt-Del) and End Process on the following if found: (we need to temporarily disable SpySubtract so that it does not interfere with the HJT fix)

SpySub.exe


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following file:

C:\WINDOWS\Bolger.dll

If any of these resist being deleted, boot into Safe Mode and try from there.


Please post the results of Remjob.bat along with a fresh HJT log.
Derfram
~~~~~~

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:04:55 PM

Posted 09 May 2005 - 10:37 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users