searchmiricle/wintools amoung others


4 replies to this topic

#1 dana denise

dana denise

  • Members
  • 4 posts

Posted 30 April 2005 - 06:56 PM

Hi, as this is my very first posting, let me start out by first stating what is going on. I have WXP Home w/SP1 and did not know that one of the kids had disabled the firewall. Not having any other protection, I got hijacked. Now when I first tried to start up the connection for the ICF, it said that an error occurred, class not registered. When I called up my uncle he stated to first start by running AdAware and Spybot. I did; the AdAware found over 500 infections and Spybot only 5. I had disabled System Restore then started to clean. I had to reboot several times, but all but 3 or 4 files found by AdAware could not be removed. They were all toolbars. I deleted my TIFs and cookies, emptied out the recycle bin, ran my AV as well. I used Opera to download and install Zone Alarm for added protection. Now after all of that, he suggested that I run HijackThis and submit a log, but to first ask permission to do so, depending on what forum I go to. Is submitting a log permitted here, given the reasons I am still hijacked? TIA. :thumbsup:

#2 virusX

virusX

  • Members
  • 222 posts
  • Gender:Male
  • Location:Brazilia

Posted 30 April 2005 - 07:00 PM

Hi and welcome to the BC forums. We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. After you have done this, please post the log into the "HijackThis Logs and Analysis" forum. Now let's start. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis. Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ directory by default.

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard, and post it into the "HijackThis Logs and Analysis" forum.

Hope I've helped you.

Regards,
Claudio

#3 dana denise

dana denise
  • Topic Starter

  • Members
  • 4 posts

Posted 30 April 2005 - 07:14 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:24:43 PM, on 04/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\windows\system32\zgdmhp.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINDOWS\System32\psoft1.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\iaknzr.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE
C:\WINDOWS\System32\GSMedia3.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\grplegih.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ractpl.exe
C:\WINDOWS\System32\ractpl.exe
C:\DOCUME~1\Alissa\LOCALS~1\Temp\ICD2.tmp\svcmm32.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Alissa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Alissa\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50266
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50266
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50266
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [zgdmhp] c:\windows\system32\zgdmhp.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iaknzr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteibu32.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoLoader4F561ZdLJaaX] "C:\WINDOWS\System32\hot64k.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [4smg3tg] hot64k.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Alissa\LOCALS~1\Temp\ICD2.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - HKCU\..\Run: [LB5mRjMFS] grplegih.exe
O4 - HKCU\..\Run: [ractpl] C:\WINDOWS\System32\ractpl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ractpl] C:\WINDOWS\System32\ractpl.exe
O4 - Global Startup: 11 News ALERT.lnk = C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1485c794b08e69...ip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.25/ttinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab34842.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD5239F3-F22E-47C7-BD6C-ADAE7AB6FBAD}: NameServer = 209.142.169.250 209.142.136.85
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

I really hope that I have done this right :thumbsup:
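The O4 (autostart) and O23 (service) lines in a HijackThis log are where a helper first looks, and a few mechanical checks narrow the list: an autostart whose binary lives under a Temp directory, a Run value that is a bare filename resolved via the search path, a service with "Unknown owner" or a "(file missing)" binary. The triage script below is an added example, not part of the thread or of HijackThis itself; its sample log is constructed from entries quoted above, and the heuristics are assumptions meant to prioritise review, not to deliver a verdict.

```python
import re

# Constructed sample (HijackThis v1.99.1 format) modelled on the O4/O23 entries in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Alissa\LOCALS~1\Temp\ICD2.tmp\svcmm32.exe" /startup
O4 - HKCU\..\Run: [LB5mRjMFS] grplegih.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
"""

# O4: "O4 - HKLM\..\Run: [value name] command"; O23: "O23 - Service: name - owner - path"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def image_path(command):
    """Executable portion of an O4 command: the quoted path, or text up to '.exe'."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def triage(log_text):
    """Return (kind, name, path, reasons) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, command = m.group(3), m.group(4)
            path = image_path(command)
            reasons = []
            if "\\" not in path:
                reasons.append("bare filename, located via the search path")
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                reasons.append("runs from a Temp directory")
            if reasons:
                findings.append(("O4", name, path, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("service carries no vendor information")
            if path.endswith("(file missing)"):
                reasons.append("registered binary is missing from disk")
            if reasons:
                findings.append(("O23", name, path, reasons))
    return findings
```

Legitimate software can trip these checks too (a bare `SOUNDMAN.EXE` in the log above is an example), so the output is a reading order for the analyst, not a removal list.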

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 April 2005 - 07:52 PM

Hi dana denise. I'll be helping you out here. Well we certainly have our work cut out for us. We will be removing these infections in stages. For the first stage I would like you to do the following.

Download the EliteToolbar Remover V.1.2.2 and unzip it into a folder of its own and then proceed with the following directions.
  • Start in Safe Mode Using the F8 method:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Start ETRemover and click the Kill Elite Toolbar button.
  • When the process is finished reboot normally.
OK. Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 dana denise

dana denise
  • Topic Starter

  • Members
  • 4 posts

Posted 30 April 2005 - 09:51 PM

It is going a little slow due to the computer kind of fighting me right now. I'm using another computer at the moment, but I just wanted to let you know that I am still here, and I will be posting back that info you asked for ASAP. Thank You So Much :flowers: :trumpet: :inlove: :cool: :thumbsup:
