
svchost and lost LAN:Hijackthislog for help


This topic is locked
19 replies to this topic

#1 Philip134

Philip134

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 AM

Posted 21 April 2005 - 02:16 PM

This all started with svchost, but has now manifested itself as a lost LAN connection despite the fact that the network card is installed OK and running.

Here is the log. All help as always much appreciated.

Philip

Logfile of HijackThis v1.99.1
Scan saved at 8:05:32 PM, on 4/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50184
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50184
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50184
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {DE8FA47F-D534-4A0B-B133-0A5326882BC1} - C:\WINNT\system32\edjbbp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tjstartup] C:\WINNT\system\svchost.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\lspak.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.68/mGer4InoaBIuKFWjuI4J.chm::/on-line.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee675102553...ip/RdxIE601.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
O18 - Filter: text/html - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O18 - Filter: text/plain - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:48 AM

Posted 21 April 2005 - 10:02 PM

Hi Philip134 and welcome to the BC forums. You've got a few problems here but let's see if we can get your lan connection back up first. Please do the following.

Download the Symantec Adware.Huntbar Removal Tool to your desktop and then close ALL open windows. Locate the FxHuntbr.exe file on your desktop and double-click on it to start it. Follow the prompts to run it.

Download LSP-Fix to your desktop. Disconnect from the Internet and close all Internet Explorer Windows. Run LspFix.exe and check the I know what I'm doing button. Place all listings of c:\winnt\system32\lspak.dll into the Remove section by clicking on the >> button that points to the right. When all instances of this dll are in the Remove section press the Finish button.

Now reboot to finish this part of the fix and test your internet connection.

Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 AM

Posted 22 April 2005 - 05:44 PM

Old Timer

Many thanks for the first step.

That all went well, I think.

Huntbar deleted 18 files and 1 directory, fixed 8 registry entries and terminated 1 process. 7 files and 1 directory should have been deleted on reboot.

Lspfix - only one file selected. 4 protocols removed and 16 renumbered.

The LAN and Internet connection is now back to normal.

Here is the latest Hijacklog

Logfile of HijackThis v1.99.1
Scan saved at 11:38:57 PM, on 4/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINNT\system\svchost.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\wuauclt.exe
C:\unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {DE8FA47F-D534-4A0B-B133-0A5326882BC1} - C:\WINNT\system32\edjbbp.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tjstartup] C:\WINNT\system\svchost.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.68/mGer4InoaBIuKFWjuI4J.chm::/on-line.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee675102553...ip/RdxIE601.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
O18 - Filter: text/html - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O18 - Filter: text/plain - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Philip

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:48 AM

Posted 22 April 2005 - 09:03 PM

Hi Philip. Well, we have our work cut out for us here so let's get started. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CleanUp! and install it but do not run it yet.

Step #2

I highly recommend that you remove the following programs using Add or Remove Programs in the Control Panel. Both 'P2P Networking' and 'Messenger Plus! 3' are known to have malware included with their installation programs and it is highly likely that that is where this infection came from and the other programs (if present) have been installed by one or the other. The rest of these directions will assume that you are removing all these applications.
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
  • Click on it to select it.
  • Click Change (or Change/Remove) button.
  • If you are prompted to confirm the removal of the program, click Yes.
P2P Networking
Messenger Plus! 3
My Search Bar
MyWay Speed Bar
My Web Search Bar
Fun Web Products Easy Installer
SmileyCentral

Step #3

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the WinTools for IE service service and click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
    • sc delete WinToolsSvc
  • Close the Command Prompt window
Step #4

Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe

Step #5

Still in HijackThis click the Back button and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {DE8FA47F-D534-4A0B-B133-0A5326882BC1} - C:\WINNT\system32\edjbbp.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tjstartup] C:\WINNT\system\svchost.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.68/mGer4InoaBIuKFWjuI4J.chm::/on-line.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee675102553...ip/RdxIE601.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
O18 - Filter: text/html - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O18 - Filter: text/plain - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Step #7

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\DOCUMENTS AND SETTINGS\RACHEL~1 (a folder whose name begins with RACHEL)\LOCAL SETTINGS\Temp\sp.dll
C:\PROGRAM FILES\COMMON FILES\WinTools\ <--folder
C:\Program Files\MyWay\ <--folder
C:\WINNT\system32\P2P Networking\ <--folder
C:\Program Files\Messenger Plus! 3\ <--folder
C:\WINNT\system\svchost.exe
C:\WINNT\system32\edjbbp.dll

Step #8

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
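
The log reading OldTimer does above, as an added example that is not part of the original thread or of HijackThis itself: a small Python triage of HijackThis log lines (sample lines copied from Philip134's logs) that flags the same patterns the helper picks out, namely a system-binary name running outside system32, an autostart launching from Temp, a missing LSP DLL, an O16 entry fetching an .exe through an ms-its:/mhtml: URL, an O18 MIME filter, and anything under the WinTools, MyWay or P2P Networking folders. The rule set and the function names are this example's own assumptions.

```python
# Added example (not from the thread, not HijackThis code): parse a HijackThis
# v1.99 log and flag the patterns the helper acted on. Sample lines are copied
# from Philip134's logs; the rules and names are this example's own.
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Core NT binaries belong under system32; the log's second svchost.exe lives in
# C:\WINNT\system (no "32"), which is the tell the helper acted on.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")
# Directories the helper identified as adware components in this thread.
ADWARE_DIRS = ("\\wintools\\", "\\myway\\", "\\p2p networking\\")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {DE8FA47F-D534-4A0B-B133-0A5326882BC1} - C:\WINNT\system32\edjbbp.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tjstartup] C:\WINNT\system\svchost.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\lspak.dll' missing
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.68/mGer4InoaBIuKFWjuI4J.chm::/on-line.exe
O18 - Filter: text/html - {2E4454C9-4997-47AA-9DAD-2FB589CD1B5F} - C:\WINNT\system32\edjbbp.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""


def parse_log(text):
    """Split a log into (running-process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["sec"], m["body"]))
    return processes, entries


def flag_path(path):
    """Reasons an executable path deserves a look (processes and O4 commands)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name in SYSTEM_BINARIES and not any(d in low for d in SYSTEM_DIRS):
        reasons.append("core system binary name running outside system32")
    if any(d in low for d in ADWARE_DIRS):
        reasons.append("lives in a directory identified as adware")
    if "\\temp\\" in low:
        reasons.append("launches from a Temp folder")
    return reasons


def o4_command_path(body):
    """'HKLM\\..\\Run: [name] "C:\\x.exe" /flag' -> 'C:\\x.exe' (quoted or bare)."""
    cmd = body.split("] ", 1)[1] if "] " in body else ""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0]


def flag_entry(section, body):
    """Reasons one Rn/On line deserves a look; empty list means nothing noted."""
    low = body.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("hook points at a file that no longer exists (orphan left by a removal)")
    if section == "O4":
        reasons += flag_path(o4_command_path(body))
    elif section == "O10" and "missing" in low:
        reasons.append("LSP chain references a missing DLL: Winsock stays broken until the entry is removed")
    elif section == "O16" and ("ms-its:" in low or "mhtml:" in low):
        reasons.append("DPF target is an .exe reached through an ms-its:/mhtml: URL, not a normal .cab")
    elif section == "O18" and low.startswith("filter: text/"):
        reasons.append("MIME filter on text/* sees every page IE renders; rarely legitimate")
    if section != "O4" and any(d in low for d in ADWARE_DIRS):
        reasons.append("lives in a directory identified as adware")
    return reasons


def triage(text):
    """Return [(kind, item, reasons)] for everything worth a second look, in log order."""
    procs, entries = parse_log(text)
    hits = [("process", p, flag_path(p)) for p in procs if flag_path(p)]
    hits += [(s, b, flag_entry(s, b)) for s, b in entries if flag_entry(s, b)]
    return hits
```

Running `triage(SAMPLE_LOG)` returns nine hits: the two suspect processes and the O2, two O4, O10, O16, O18 and O23 lines, while the legitimate `mobsync.exe` Run entry and the R1 line pass clean.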


#5 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 AM

Posted 23 April 2005 - 03:18 AM

OT

Again many thanks. Here is the step by step report and the new log file.

Philip


Step #1

OK.

Step #2

P2P Networking removed OK; it mentioned BullGuard and Kazaa as dependent programs. I couldn't find these.

Messenger Plus! 3 removed OK
My Search Bar Removed OK
MyWay Speed Bar Not listed
My Web Search Bar Not listed
Fun Web Products Easy Installer Not listed
SmileyCentral Not listed

A few other similar programs listed, in particular:
Web Search Tools
Search Assistant
Wintools Easy Installer
Virtual Bouncer

Step #3

Part 1

OK


Part 2

sc was reported as an unrecognised command; I found a copy and downloaded it, and running it reports SUCCESS!

Step #4


C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe

Found all these but it says they can't be killed.


Step #5

All found and fixed except

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Step #6

OK

Step #7


C:\DOCUMENTS AND SETTINGS\RACHEL~1 (a folder whose name begins with RACHEL)\LOCAL SETTINGS\Temp\sp.dll gone

C:\PROGRAM FILES\COMMON FILES\WinTools\ <--folder

All files in the directory deleted except WSup.exe, WToolsA.exe and WToolsB.dll, where a sharing violation was reported.

C:\Program Files\MyWay\ <--folder gone
C:\WINNT\system32\P2P Networking\ <--folder gone
C:\Program Files\Messenger Plus! 3\ <--folder gone
C:\WINNT\system\svchost.exe OK
C:\WINNT\system32\edjbbp.dll gone


Step #8

OK.


Here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 8:58:22 AM, on 4/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:48 AM

Posted 23 April 2005 - 11:25 AM

Hey Philip. Things are looking better but we will need to remove Wintools manually. Please print these directions because we will need to boot into Safe Mode and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

Click Start>Run, type cmd into the Open editbox and click Ok. At the Command Prompt type each of the following lines and press the Enter key after each line:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\WinTools\WToolsB.dll"
regsvr32 /u "\Program Files\Common Files\WinTools\btiein.dll"

Check to see if this folder is present and if so then type the following command and press the Enter key:
regsvr32 /u "\Program Files\Toolbar\toolbar.dll"
Close the Command Prompt window.

Step #3

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the WinTools for IE service service and click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
    • sc delete WinToolsSvc
  • Close the Command Prompt window
Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\Program Files\Common Files\WinTools\ <--folder
C:\DOCUMENTS AND SETTINGS\RACHEL~1 (a folder whose name begins with RACHEL)\LOCAL SETTINGS\Temp\tb_setup.exe

If you found the c:\Program Files\Toolbar\ folder then delete that folder also.

Step #6

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:48 AM

Posted 23 April 2005 - 12:59 PM

OT

Getting rid of WinTools seems to be problematic!! Step by step report and new log below.

Many thanks.

Philip

Step #1

OK

Step #2

Click Start>Run, type cmd into the Open editbox and click Ok. At the Command Prompt type each of the following lines and press the Enter key after each line:

cd "%WinDir%\System" OK
regsvr32 /u "\Program Files\Common Files\WinTools\WToolsB.dll" unregistered
regsvr32 /u "\Program Files\Common Files\WinTools\btiein.dll" module not found

Check to see if this folder is present and if so then type the following command and press the Enter key:

regsvr32 /u "\Program Files\Toolbar\toolbar.dll" module not found either by searching or executing command

Step #3

Part 1

* Click Start>Run, type services.msc into the Open editbox and click the Ok button.
* Locate the WinTools for IE service service and click the Stop button.
* In the Startup type dropdown select Disabled.

Already stopped, disabled done.


Part 2

* Click Start>Run, type cmd into the Open editbox and click the Ok button.
* Copy/paste the line below into the Command Prompt window and press the Enter key:
sc delete WinToolsSvc SUCCESS


Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe


Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

All except the first 3 seem to be fixed.

Step #5

Find the following files/folders and delete them (don't worry if they are already gone):

C:\Program Files\Common Files\WinTools\ <--folder

All files in folder deleted except

WSup.exe
WToolsA.exe
WToolsB.dll

because of sharing violation

C:\DOCUMENTS AND SETTINGS\RACHEL~1 (a folder whose name begins with RACHEL)\LOCAL SETTINGS\Temp\tb_setup.exe not found

If you found the c:\Program Files\Toolbar\ folder then delete that folder also. not found

Step #6

OK

Here is the new log.

Logfile of HijackThis v1.99.1
Scan saved at 6:45:50 PM, on 4/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\HijackThis\HijackThis.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 23 April 2005 - 03:02 PM

Hi Philip. Yes sometimes it can be. Let's check something else before we continue.

Download rkfiles.zip and unzip it to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt back here and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male

Posted 23 April 2005 - 04:31 PM

OT

Quite a lengthy process, but here is the log.txt file:

C:\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

The other three txt files Win Windows and Start are empty.

Again my thanks for your help.

Philip

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 23 April 2005 - 07:46 PM

Alright, let's get out the big guns :thumbsup:.

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
    • C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
      C:\Program Files\Common Files\WinTools\WSup.exe
      C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot.

After the reboot, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT


#11 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male

Posted 24 April 2005 - 01:48 AM

OT

That went smoothly. The machine rebooted itself - the "pendingFile..." message didn't appear.

New log below.

There seem to be more pop ups and a few extra entries in the log.

Philip




Logfile of HijackThis v1.99.1
Scan saved at 7:41:40 AM, on 4/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\unzipped\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {641C843F-D3FF-40AC-ADCD-A25CC90343D9} - C:\WINNT\system32\ocji.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/t4g91re3wNmKFxxQCKJW.chm::/on-line.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O18 - Filter: text/html - {A6DEBFF9-75D1-409F-BEF7-7A0B77B73D1A} - C:\WINNT\system32\ocji.dll
O18 - Filter: text/plain - {A6DEBFF9-75D1-409F-BEF7-7A0B77B73D1A} - C:\WINNT\system32\ocji.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 24 April 2005 - 12:04 PM

Hi Philip. Let me ask you a question. Does anyone else use this computer? If so, how many user logons are there? Wintools is not that pernicious to stay around this long and I see a new CWS infection which has come from the folder that starts with RACHEL. It might very well be that another user is reinfecting as fast as we are removing these infections.

Let me know.

OT


#13 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male

Posted 24 April 2005 - 02:15 PM

Hi OT

We have an internal LAN behind a Vigor 2200usb router that is connected through Pipex.

In my previous job Sophos was free so we always had it. Since working on my own account security has been neglected. You were kind enough to sort out my machine a few weeks back. Now with Spyblaster Spybot and AVG this seems fine.

Rachel's is the only other machine that is permanently connected to the LAN. Lots of laptops and others come and go.

There is lots of MSN messenger on this machine and she swears by Mozilla.

Anyway enough of the background, what about the accounts?

There seem to be four accounts: Rachel Cooper, Administrator, Guest, Jill.

Rachel Cooper is the one that is used all the time.

I have logged into the others. Guest seems to be disabled - not sure why. Both Administrator and Jill produce Trojan Startpage.19J when My Documents is opened (as does Rachel Cooper). The offending file has the same name structure as the rachel~1 one but with the name changed.

If I have missed anything vital please come back.

Philip

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 24 April 2005 - 07:19 PM

Hi Philip. Ok, let's do the following. Please print these directions and then proceed with the following steps in order.

Step #1

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Physically disconnect your computer from the internet.

Step #3

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the WinTools for IE service service and click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Type the line below into the Command Prompt window and press the Enter key:
    • sc delete WinToolsSvc
  • Close the Command Prompt window
Step #4

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {641C843F-D3FF-40AC-ADCD-A25CC90343D9} - C:\WINNT\system32\ocji.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/t4g91re3wNmKFxxQCKJW.chm::/on-line.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O18 - Filter: text/html - {A6DEBFF9-75D1-409F-BEF7-7A0B77B73D1A} - C:\WINNT\system32\ocji.dll
O18 - Filter: text/plain - {A6DEBFF9-75D1-409F-BEF7-7A0B77B73D1A} - C:\WINNT\system32\ocji.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\DOCUMENTS AND SETTINGS\RACHEL COOPER\LOCAL SETTINGS\Temp\ (delete ALL files in this folder but not the folder itself)
C:\WINNT\system32\ocji.dll
C:\PROGRAM FILES\COMMON FILES\WinTools\ <--folder (if any files will not allow you to delete them then right-click on them and remove the checkmark from the Read-Only checkbox and delete it)
C:\foo.mht

Step #7

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Step #8

Start ewido and do a full system scan.

Step #9

Reboot your system normally. Before you re-connect your internet connection run HijackThis and perform a new scan. Save this scan as Scan1.txt and include it with your next post.

Step #10

Ok, reconnect your internet connection and run at least 2 of the following on-line virus scans:

Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #11

Click on the link below and follow the directions on the webpage to run an online trojan scan:

WindowSecurity online trojan scan

Step #12

OK. Reboot your computer normally, start HijackThis, perform a new scan and save this scan as Scan2.txt. Use the Add Reply button to post both the Scan1.txt and the Scan2.txt logs file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

Additional note: If you are using the AVG Free version then I recommend that you get Avast Home Edition and use that instead. It has a module that monitors IM clients and can prevent infections through instant-messaging programs. This is the anti-virus application that I use and it is also free.

Edited by OldTimer, 24 April 2005 - 07:19 PM.


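The log-reading OldTimer does in this thread (spotting about:blank search pages, a CLSID shared by an R3 URLSearchHook and an O2 BHO, O18 MIME filters, an ms-its:mhtml: DPF object, an "Unknown owner" service) can be made repeatable. The helper below is an added example, not code from the thread or from HijackThis; it parses HijackThis entry lines, applies those indicators plus the path fragments named in this thread, and diffs a before/after log. The sample logs are constructed subsets of the logs posted above, with the DPF URL replaced by a placeholder host.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
import re

# Every entry line looks like "R1 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r'^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')

# Path fragments taken from the logs posted in this thread (compared lower-cased).
KNOWN_BAD = ('\\wintools\\', '\\ocji.dll', '\\se.dll', 'c:\\foo.mht')

# Constructed sample: a subset of the 4/24 log before the cleanup steps.
BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\se.dll/spage.html
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {641C843F-D3FF-40AC-ADCD-A25CC90343D9} - C:\WINNT\system32\ocji.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://placeholder.invalid/x.chm::/on-line.exe
O18 - Filter: text/html - {A6DEBFF9-75D1-409F-BEF7-7A0B77B73D1A} - C:\WINNT\system32\ocji.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

# Constructed sample: the same entries as they appear in Scan1 after cleanup.
AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
"""


def parse_hjt(text):
    """Return (code, body) for every HijackThis entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m['code'], m['body']))
    return entries


def flag_entries(entries):
    """Return [(code, body, reason)] for each entry that trips one of the thread's indicators."""
    # CLSIDs registered as URLSearchHooks: a BHO reusing one is the WinTools
    # pattern seen in this thread (R3 and O2 both pointing at WToolsB.dll).
    hook_guids = {g for c, b in entries if c == 'R3' for g in GUID_RE.findall(b)}
    flagged = []
    for code, body in entries:
        low = body.lower()
        reason = None
        if code in ('R0', 'R1') and ('about:blank' in low or 'res://' in low):
            reason = 'search/start page hijacked (about:blank / res:// pattern)'
        elif code == 'O2' and hook_guids & set(GUID_RE.findall(body)):
            reason = 'BHO shares its CLSID with an R3 URLSearchHook'
        elif code == 'O18' and ('text/html' in low or 'text/plain' in low):
            reason = 'MIME filter on text/html or text/plain'
        elif code == 'O16' and 'ms-its:mhtml:' in low:
            reason = 'DPF object loaded through ms-its:mhtml:'
        elif code == 'O23' and 'unknown owner' in low:
            reason = 'service with no vendor string'
        elif any(frag in low for frag in KNOWN_BAD):
            reason = 'references a path already identified in this thread'
        if reason:
            flagged.append((code, body, reason))
    return flagged


def diff_logs(before, after):
    """Return (removed, added): entries that disappeared and entries that are new."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == '__main__':
    for code, body, reason in flag_entries(parse_hjt(BEFORE)):
        print(f'{code}: {reason}\n    {body}')
    removed, added = diff_logs(BEFORE, AFTER)
    print(f'\n{len(removed)} entries removed, {len(added)} added by the cleanup')
```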

#15 Philip134

Philip134
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male

Posted 25 April 2005 - 10:44 AM

OT

A lengthy process but I have documented all the steps and added the Scan Logs and other reports below.

My feeling is we are making some progress.

Philip


Step #1 and 2

OK


Step #3

Part 1
Click Start>Run, type services.msc into the Open editbox and click the Ok button.
Locate the WinTools for IE service service and click the Stop button.

Message to say service had been stopped

Part 2
Click Start>Run, type cmd into the Open editbox and click the Ok button.
Type the line below into the Command Prompt window and press the Enter key:
sc delete WinToolsSvc

Success

Step #4

OK

Step #5

All OK but O23 not present

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Step #6

C:\DOCUMENTS AND SETTINGS\RACHEL COOPER\LOCAL SETTINGS\Temp\ (delete ALL files in this folder but not the folder itself) OK

C:\WINNT\system32\ocji.dll gone

C:\PROGRAM FILES\COMMON FILES\WinTools\ <--folder (if any files will not allow you to delete them then right-click on them and remove the checkmark from the Read-Only checkbox and delete it) OK


C:\foo.mht gone

Step #7

OK

Step #8

Start ewido and do a full system scan. OK 509 files cleaned

Step #9

OK Log below

Step #10

Trend Micro Housecall OK only JS_FORTNIGHT found

BitDefender On-Line Virus Scan OK Report below

Panda ActiveScan OK Report below


Step #11

Click on the link below and follow the directions on the webpage to run an online trojan scan: OK No trojans found

Step #12

OK. Log below

Additional note: If you are using the AVG Free version then I recommend that you get Avast Home Edition

Done it also seems much faster than AVG.

Scan1 Log

Logfile of HijackThis v1.99.1
Scan saved at 10:31:25 AM, on 4/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\unzipped\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


Bitdefender Report


C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\0WYDDW0U\CAK16J8X.HTM: suspect Exploit.Html.MhtRedir.Gen
C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\0WYDDW0U\CAK16J8X.HTM: disinfection failed
C:\Program Files\Efofex\FXD\FXDraw.doc: suspect Macro.VBA
C:\Program Files\Efofex\FXD\FXDraw.doc: disinfection failed
C:\Transfer from Old Drive\Documents and Settings\Administrator\My Documents\My Chat Logs\June 2003\mark_grosvenor@hotmail.com.txt: infected with Exploit.XPHelpDelete.A
C:\Transfer from Old Drive\Documents and Settings\Administrator\My Documents\My Chat Logs\June 2003\mark_grosvenor@hotmail.com.txt: disinfection failed
C:\WINNT\system32\abaamon.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\abaamon.dll: disinfection failed
C:\WINNT\system32\abctres.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\abctres.dll: disinfection failed
C:\WINNT\system32\absldpc.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\absldpc.dll: disinfection failed
C:\WINNT\system32\adsmib.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\adsmib.dll: disinfection failed
C:\WINNT\system32\aeledit.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\aeledit.dll: disinfection failed
C:\WINNT\system32\afsldp.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\afsldp.dll: disinfection failed
C:\WINNT\system32\aisldpc.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\aisldpc.dll: disinfection failed
C:\WINNT\system32\alctres.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\alctres.dll: disinfection failed
C:\WINNT\system32\amaamon.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\amaamon.dll: disinfection failed
C:\WINNT\system32\amctres.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\amctres.dll: disinfection failed
C:\WINNT\system32\anctres.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\anctres.dll: disinfection failed
C:\WINNT\system32\antxprxy.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\antxprxy.dll: disinfection failed
C:\WINNT\system32\aosldpc.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\aosldpc.dll: disinfection failed
C:\WINNT\system32\arkctrs.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\arkctrs.dll: disinfection failed
C:\WINNT\system32\aumparse.dll: infected with Adware.Look2Me.B
C:\WINNT\system32\aumparse.dll: disinfection failed


ActiveScan Report


Incident Status Location

Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\0WYDDW0U\CAK16J8X.HTM
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\0WYDDW0U\WToolsD[1].cab
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\0WYDDW0U\WToolsD[1].cab[WToolsD.cfg]
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\A8GXXRDE\WinTS[1].cab[WToolsS.exe]
Virus:Trj/Small.GV No disinfected C:\Documents and Settings\Rachel Cooper\Local Settings\Temporary Internet Files\Content.IE5\C2C7KU9H\t4g91re3wNmKFxxQCKJW[1].chm[1.htm]
Adware:Adware/AdDestroyer No disinfected C:\Program Files\AdDestroyer\AdDestroyer.exe
Adware:Adware/AdDestroyer No disinfected C:\Program Files\VBouncer\AdDestroyerInner.EXE
Adware:Adware/AdDestroyer No disinfected C:\Program Files\VBouncer\BundleOuter.EXE
Adware:Adware/VirtualBouncer No disinfected C:\Program Files\VBouncer\VBouncerInner.EXE
Adware:Adware/VirtualBouncer No disinfected C:\Program Files\VBouncer\VirtualBouncerUninstaller.EXE
Adware:Adware/WinTools No disinfected C:\RECYCLER\S-1-5-21-839522115-1708537768-1202660629-1000\Dc10\WToolsD.cfg
Adware:Adware/SearchExe No disinfected C:\RECYCLER\S-1-5-21-839522115-1708537768-1202660629-1000\Dc9.dll
Spyware:Spyware/Altnet No disinfected C:\Transfer from Old Drive\Documents and Settings\Administrator\Local Settings\Temp\__unin__.exe
Adware:Adware/MyWebSearch No disinfected C:\unzipped\HijackThis\backups\backup-20050423-081616-316.dll
Adware:Adware/MyWebSearch No disinfected C:\unzipped\HijackThis\backups\backup-20050423-181437-153.dll
Adware:Adware/123Messenger No disinfected C:\unzipped\HijackThis\backups\backup-20050425-082102-390.inf
Adware:Adware/MyWebSearch No disinfected C:\unzipped\HijackThis\backups\backup-20050425-082102-641.dll
Adware:Adware/Gator No disinfected C:\WINNT\GatorPdpSetup.log
Adware:Adware/Gator No disinfected C:\WINNT\GatorUninstaller_cme.log
Adware:Adware/Gator No disinfected C:\WINNT\GatorUninstaller_cme_u.log
Adware:Adware/Twain-Tech No disinfected C:\WINNT\smdat32a.sys
Adware:Adware/Twain-Tech No disinfected C:\WINNT\smdat32m.sys
Adware:Adware/Look2Me No disinfected C:\WINNT\system\UpdInstall.exe
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\abaamon.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\abctres.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\absldpc.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\adsmib.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\aeledit.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\afsldp.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\aisldpc.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\alctres.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\amaamon.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\amctres.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\anctres.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\antxprxy.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\aosldpc.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\arkctrs.dll
Adware:Adware/Look2Me No disinfected C:\WINNT\system32\aumparse.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINNT\system32\coreak.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERADINSTALL.LOG
Adware:Adware/AdDestroyer No disinfected C:\WINNT\system32\PopOops.dll
Adware:Adware/AdDestroyer No disinfected C:\WINNT\system32\PopOops2.dll
Adware:Adware/AdDestroyer No disinfected C:\WINNT\system32\SWLAD1.dll
Adware:Adware/AdDestroyer No disinfected C:\WINNT\system32\SWLAD2.dll

Scan2 Log

Logfile of HijackThis v1.99.1
Scan saved at 4:08:53 PM, on 4/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\unzipped\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



