
Please help me...


This topic is locked
41 replies to this topic

#1 alos

  • Members
  • 24 posts

Posted 05 May 2005 - 11:02 PM

Hello
Thank you!
I hope you can understand my English, I'm from Sweden and sometimes it's hard to find the correct word.

I am sending the HijackThis log file to you. I've already tried to delete Smitfraud.c following instructions from Pieter Arntz.
I found the instructions at Wilders Security Forums.

I hope I've done it correctly. The warning on the front side of our computer is now gone.

I know that the computer is infected with New.net and I'm sure that there is more in it.

Logfile of HijackThis v1.99.1
Scan saved at 05:27:26, on 2005-05-06
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM\MESSENGER\MSMSGS.EXE
C:\PROGRAM\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM\WINZIP\WZQKPICK.EXE
C:\PROGRAM\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM\PACKARD BELL DIAMOND 2400\DRIVER\WATCH.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 3.0 SE\CALCHECK.EXE
C:\PROGRAM\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\Program\TOLKEN99\Tolken99.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MVWU29~1.DLL (file missing)
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\program\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRAM\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRAM\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM\REAL\REALJUKEBOX\tsystray.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O4 - Startup: Watch.lnk = C:\Program\Packard Bell Diamond 2400\Driver\WATCH.exe
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.se/scr/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://communities.msn.se/scr/MsnUpld.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/us/sa/common/c...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/us/nav/common/...bin/AvSniff.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex/contr...x86/ietimer.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.aftonbladet.se/it/special/comma...cabs/cssweb.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...r/scaleo600.htm
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


Please help me !

/Alos


#2 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 06 May 2005 - 02:52 PM

Hello Alos, welcome to BleepingComputer. Your computer is still badly infected. I will try to help you if you like. We will do this in several steps, as I think it is too much to do at once.

First, you have a hijacker called New.Net. We cannot use HijackThis to remove it. You can see this item in the multiple O10 lines in your HJT log. Here are the instructions to remove this hijacker:
http://www.newdotnet.com/removal.html
It is very unlikely you will have any problems if you follow those directions carefully, but we are dealing with a situation involving your internet connection. I am giving you this tool: http://www.cexx.org/lspfix.htm for use only in an emergency situation. If you read the instructions you will understand this. Do not use this tool unless there is a problem.

You also have a CoolWebSearch infection. Use the following link to download CWShredder and put it where you can find it. Once it is downloaded, open the program, choose update and then choose FIX, not scan. Allow this program to run and remove anything it locates. Please tell me what it found in the next post.
http://www.softpedia.com/get/Internet/Popu...WShredder.shtml
Here is a tutorial: http://www.bleepingcomputer.com/forums/CWS...dder-tut47.html. Please do the download from the first link I provided.

Once you have completed these instructions, post a new HJT log; make sure you stay in this same thread and I will be notified when you post. We will have more to do.

Thanks...pskelley
HJT Team
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 alos

  • Topic Starter

  • Members
  • 24 posts

Posted 07 May 2005 - 01:22 AM

Hello pskelley

Thank you for your answer, I'm very, very grateful that you are taking care of my problems.

1. New.net is now gone, I think. In the registry it is gone. But in the Windows directory I have some files named:

- NDDEAPI.DLL
- NDDENB.DLL
- NDISLOG
I wonder if they have something to do with New.net.

- NDNuninstall6-38
- NET
- NET
- NETCONN
- NETDE
- NETDET
- NETH
- NETSTAT
- NETWATCH
- NETWORK
- NETWORKS
- newdotnet2-78.dll
- newnet
The first one is the uninstall file. Do the others have something to do with New.net also?

Then the other problem.

I've run CWShredder as you told me to do. The result I got was that no infection with CWS was found on my computer?

Once again many thanks to you for your help.
/Alos

And here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 08:27:45, on 2005-05-07
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE
C:\PROGRAM\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM\MESSENGER\MSMSGS.EXE
C:\PROGRAM\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM\WINZIP\WZQKPICK.EXE
C:\PROGRAM\PACKARD BELL DIAMOND 2400\DRIVER\WATCH.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 3.0 SE\CALCHECK.EXE
C:\PROGRAM\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MVWU29~1.DLL (file missing)
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\program\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRAM\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Program\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRAM\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [RealJukeboxSystray] "C:\PROGRAM\REAL\REALJUKEBOX\tsystray.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O4 - Startup: Watch.lnk = C:\Program\Packard Bell Diamond 2400\Driver\WATCH.exe
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.se/scr/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://communities.msn.se/scr/MsnUpld.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/us/sa/common/c...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/us/nav/common/...bin/AvSniff.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex/contr...x86/ietimer.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.aftonbladet.se/it/special/comma...cabs/cssweb.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...r/scaleo600.htm
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#4 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 07 May 2005 - 06:51 AM

Hello Alos,

Thank you for your answer, I'm very, very grateful that you are taking care of my problems.

You are very welcome, and we will do this. It will take a little time, and once we have removed the big stuff, then we will clean up, but sometimes it is never all gone, as this bad stuff puts in many files and it is hard to remove them all. When we are done they will not be able to cause you any problems. I also want you to know there are probably six hours of time difference, so when you are at noon I am just having my breakfast, so we will do the best we can. As you can see by my name, I am in Clearwater, Florida.

Yes, New.Net is gone, and a very good job you did removing it. I wonder why no CWS was found, as one item told my scanner CWS was present. I want to be sure you chose Fix. If so, then I will look at the log and we will proceed with cleaning out the bad stuff.

I must ask: it does appear you may be running two antivirus programs. You will know better than I, as it can be hard to tell at times what is running in the logs. I see this: C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE (view information: http://www.bleepingcomputer.com/startups/Icmon.exe-2238.html) and also this: C:\PROGRAM\NORTON ANTIVIRUS\NAVAPW32.EXE (http://www.liutilities.com/products/wintas...brary/navapw32/). If there are two, you must choose, as the conflicts between AV programs will make you less protected than if you choose one good program, keep it updated and run it on a regular basis.
If this is the case, then choose one and turn the other off or uninstall it, as it must not be running.

This is a very bad one: C:\WINDOWS\TEMP\ICSUPP95.EXE (see here: http://vic.zonelabs.com/tmpl/body/CA/virus...s.jsp?VId=29927), and it is running from a TEMP folder to hide from you. Later we must empty all Temp folders.

This is not so bad but must go: C:\PROGRAM\BACKWEB\PROGRAM\BACKWEB.EXE. Read here http://castlecops.com/startuplist-356.html and here http://www.liutilities.com/products/wintas...ibrary/backWeb/

This one is very tricky: C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE. Read this: http://castlecops.com/startuplist-5336.html and this: http://www.sophos.com/virusinfo/analyses/w32rbotey.html (review all tabs so you will know what this worm does).

This item: O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MVWU29~1.DLL (file missing) may have been killed by your earlier efforts, but this is what I saw: http://castlecops.com/clsid-1229.html

There are a couple of items that are resource wasters and are part of the Alexa Toolbar in IE; most folks do not know it is there. If you use Alexa, you may pass over those two items, which I will mark "Alexa" in red. For the last three DPF items I have indicated what they are, so proceed like this:

Alos, you have many items, all of the O9 lines, which have to do with Microsoft AntiSpyware. I do not see the program elsewhere in the log. This program is still Beta, and if you decide to remove it you can also check each of the O9 items, as they are worthless without the program. If I am missing the Microsoft AntiSpyware program somehow, it must be turned off or HJT will not work.

1) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page, so that when I ask you to run it you will know what you are doing.

2) Open Add/Remove Programs and look for "Backweb"; if it is there, uninstall it. Open Task Manager (Ctrl, Alt, Delete at the same time), then locate, highlight and end process on these items if they are there:
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\PROGRAM\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE

3) This program: C:\program files\InterMute\SpySubtract\SpySub.exe will stop HJT from doing its fix and must be turned off. If you can't turn it off you will need to uninstall it. If it is a paid version you will be able to reinstall it when we are finished.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MVWU29~1.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Alexa
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Alexa
(remove these if you removed Beta Microsoft AntiSpyware)
O9 - Extra button: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E467F5A0-1206-4C48-B08E-5035469BFBF1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {29090BF3-047C-46E6-BE37-0647AFA61894} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
-Adult Content Dialer
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
-Adult Content Dialer
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
-Adult Content Dialer
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab
-Blazefind Windupdates Adware

Close all programs but HJT and all browser windows, then click on "Fix Checked"

SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\TEMP\ICSUPP95.EXE >>> file
(You will open this C:\Windows\Temp folder and delete all of the contents... NOT THE FOLDER.) CCleaner will take care of the rest, but we want to be positive this file ICSUPP95.EXE is gone.

C:\PROGRAM\BACKWEB\ >>> folder

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE >>> file (be careful to remove only this file and that it looks just like this; a valid item may be near).
I am concerned about the above item. When you get there, right click on the item and then choose Properties. Look carefully at this item. If it was valid, the creation date would coincide with the time your computer was assembled. A bad item would be recent, with the date created about the time of your infection. Be careful here.

Let's check for trojans in case any are hiding: run this free online scan, scan the whole system and set it to clean or fix anything it locates. Let me know what it finds, and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX; please do so, as this program is safe and it cannot run without it.
http://www.windowsecurity.com/trojanscan/

Run CCleaner, then restart the computer and post a new log in this same thread along with any feedback you have. Let us know how you are running.

Sorry to give you so much at once; you can do it, as I saw how well you handled the first instructions. Take your time and be careful. I will be notified when you post. If all goes well your next log will be clean.

Thanks...pskelley
HJT Team

PURGE SYSTEM RESTORE
When you are completely finished with the removal procedure and are satisfied that the threat has been removed, follow these instructions:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Edited by pskelley, 07 May 2005 - 06:59 AM.

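The triage rules pskelley applies in the two posts above (a process started from a TEMP folder, O10 New.Net lines that HijackThis must not fix, DPF entries installed from a local .cab, orphaned entries whose file is missing, search settings pointing at an unknown host) can be written down as a small script. This is an added example, not code from the thread or from HijackThis; SAMPLE_LOG is a constructed subset of the log lines posted above, and TRUSTED_SEARCH_HOSTS is an assumed allow-list.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\PROGRAM\NORTON ANTIVIRUS\NAVAPW32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\MVWU29~1.DLL (file missing)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRAM\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.se/scr/MsnPUpld.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
"""

# Assumed allow-list of hosts that IE's default search settings legitimately point at.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"(?P<scheme>[a-z]+)://(?P<host>[^/\s]*)", re.I)


@dataclass
class Finding:
    line: str          # the log line as written
    reason: str        # why it was flagged
    hjt_fixable: bool  # True: tick it in HijackThis; False: needs another tool


def _host_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SEARCH_HOSTS)


def analyze(log_text: str) -> list:
    """Apply the triage rules from this thread to a HijackThis log and return the findings."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            # Legitimate software is not launched from a TEMP folder; ICSUPP95.EXE hides there.
            if re.search(r"\\TEMP\\", line, re.I):
                findings.append(Finding(line, "process running from a TEMP folder", False))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        url = URL_RE.search(body)
        if sec in ("R0", "R1"):
            # Search Bar / Search Page / SearchAssistant redirected to an unknown host.
            if url and "Search" in body and not _host_trusted(url.group("host")):
                findings.append(Finding(line, "IE search setting hijacked to " + url.group("host"), True))
        elif sec == "O10":
            # Winsock LSP chain modified by New.Net: removing it with HJT can break networking.
            findings.append(Finding(line, "LSP hijack; use the vendor uninstaller (or LSPFix), not HJT", False))
        elif sec == "O16":
            # ActiveX (DPF) entries normally come from a web URL; a local file:// .cab is a red flag.
            if url and url.group("scheme").lower() == "file":
                findings.append(Finding(line, "DPF entry installed from a local .cab", True))
        elif "(file missing)" in body:
            # BHO / button entries whose DLL is gone are harmless leftovers and safe to fix.
            findings.append(Finding(line, "orphaned " + sec + " entry (target file missing)", True))
        elif sec == "O4" and re.search(r"new\.?net|newdot", body, re.I):
            findings.append(Finding(line, "New.Net startup hook", False))
    return findings


def hjt_checklist(findings: list) -> list:
    """Lines the user should tick in HijackThis ('Do a system scan only' -> 'Fix checked')."""
    return [f.line for f in findings if f.hjt_fixable]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(("HJT    " if f.hjt_fixable else "MANUAL ") + f.reason + "\n    " + f.line)
```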

#5 alos

  • Topic Starter

  • Members
  • 24 posts

Posted 07 May 2005 - 01:06 PM

Hello pskelley
Thanks for your help. And now I have a lot to do with the computer. I will follow your instructions exactly.

Yes, I understand that there is a difference in time between our countries. I never remember if AM is in the morning or the afternoon, therefore I will tell you that it is evening now here in Sweden. It is 8 o'clock and we have early spring here now.

Back to the computer. You asked me about CWShredder; yes, I pushed only the FIX button, nothing more.

And the other: yes, I know about the AV programs. I will delete one of them immediately. I have ordered a new AV program and I hope we will have it on Tuesday at the latest.

How can I see by your name that you are in Clearwater, Florida? I'm sorry, but I'm not so good at US geography. Is your name a town or something?

I'm living in the middle of Sweden; our region is called Östergötland.

Here is the log:
**** Run Keys ****

RUN: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
RUN: [TaskMonitor] C:\WINDOWS\taskmon.exe
RUN: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
RUN: [SystemTray] SysTray.Exe
RUN: [MULTIMEDIA KEYBOARD] C:\Program\Netropa\Multimedia Keyboard\MMKeybd.exe
RUN: [reminder.exe] C:\program\BackWeb\tuner\reminder.exe
RUN: [Hidserv] Hidserv.exe run
RUN: [Norton eMail Protect] C:\Program\Norton AntiVirus\POPROXY.EXE
RUN: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
RUN: [InterCheckMonitor] "C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE" -minimised
RUN: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
RUN: [Norton Auto-Protect] C:\PROGRAM\NORTON~1\NAVAPW32.EXE /LOADQUIET
RUN: [LoadQM] loadqm.exe
RUN: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
RUN: [MoneyAgent] "C:\Program\Microsoft Money\System\Money Express.exe"
RUN: [MSMSGS] "C:\PROGRAM\MESSEN~1\msmsgs.exe" /background
RUN: [RealJukeboxSystray] "C:\PROGRAM\REAL\REALJUKEBOX\tsystray.exe"


**** Browser Helper Objects ****

BHO: [] C:\WINDOWS\SYSTEM\MVWU29~1.DLL


**** IE Toolbars ****

TOOLBAR: [&Kangaroo] C:\IDC\WEBKA.DLL
TOOLBAR: [@msdxmLC.dll,-1@1053,&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX


**** IE Extensions ****

IEExt: [@shdoclc.dll,-866@1053,Relaterat]
IEExt: [Messenger] C:\PROGRAM\MESSEN~1\MSMSGS.EXE
IEExt: [Kangaroo] C:\PROGRAM\MESSEN~1\MSMSGS.EXE
IEExt: [Real.com] C:\PROGRAM\MESSEN~1\MSMSGS.EXE
IEExt: [Web Browser Applet Control] C:\WINDOWS\SYSTEM\MSJAVA.DLL
IEExt: [Microsoft AntiSpyware helper] C:\WINDOWS\SYSTEM\MSJAVA.DLL
IEExt: [Microsoft AntiSpyware helper] C:\WINDOWS\SYSTEM\MSJAVA.DLL


**** Hosts File Entries ****



**** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dll?p...=5.5&ar=msnhome
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: C:\WINDOWS\SYSTEM\blank.htm
Search Bar: http://letgohome.com/sp.htm?id=9
Search Page: http://letgohome.com/sp.htm?id=9


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MS.w95.spi.tcp
LSP: MS.w95.spi.udp
LSP: MS.w95.spi.rsvptcp
LSP: MS.w95.spi.rsvpudp


**** Blocked Control Panel Items ****

BLOCKED: []


**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]


**** Windows Services ****



**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://letgohome.com/sp.htm?id=9
SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [Anchor Underline] no
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?p...=5.5&ar=msnhome
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://letgohome.com/sp.htm?id=9
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [LastCheckedHi]
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Use FormSuggest] yes
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Save Directory] C:\Mina dokument\
IEOPT: [HistoryTopNSitesView]
IEOPT: [HistoryViewType]
IEOPT: [Söksida] http://www.msn.com/allinone.asp
IEOPT: [Startsida] http://www.microsoft.com/msoffice/
IEOPT: [FormSuggest PW Ask] yes
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Play_Animations] yes
IEOPT: [Show image placeholders]
IEOPT: [Display Inline Videos] yes
IEOPT: [Print_Background] no
IEOPT: [FavIntelliMenus] no
IEOPT: [Page_Transitions]
IEOPT: [AllowWindowReuse]
IEOPT: [SmoothScroll]
IEOPT: [Disable Script Debugger] yes
IEOPT: [NoJITSetup]
IEOPT: [NscSingleExpand]
IEOPT: [NoUpdateCheck]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [FormSuggest Passwords] yes
IEOPT: [Use Custom Search URL]
IEOPT: [Search Bar] http://letgohome.com/sp.htm?id=9
IEOPT: [Enable AutoImageResize] yes
IEOPT: [today] 04/09/05
IEOPT: [today2] 04/09/05
IEOPT: [hour] 23
IEOPT: [check_associations]
IEOPT: [Enable Browser Extensions] yes
IEOPT: [HPDed] http://letgohome.com/hp.htm?id=9
IEOPT: [SPDed] http://letgohome.com/sp.htm?id=9
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?p...=5.5&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
IEOPT: [Wizard_Version] 5.50.4134.100
IEOPT: [FullScreen] no
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO

/Alos

#6 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:17 PM

Posted 07 May 2005 - 01:21 PM

Hi Alos, sorry, but the city we are located in does not show at this forum; I work at many. http://www.floridasbeach.com/bch_nat/topbeaches.aspx

What is this log?

here is the log ;
**** Run Keys ****

Take your time working through the directions and post questions if you have any.
Here is a good antivirus program that is free if you need it:
http://free.grisoft.com/freeweb.php

and a free firewall if you need one of those:
http://www.zonelabs.com/store/content/comp...reeDownload.jsp

If I am online, as you can see by my name by yours at the bottom, you can ask questions and I will answer right away. Have a great day.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 alos

alos
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:17 PM

Posted 07 May 2005 - 01:33 PM

Help
I don't know how to turn off Norton AV - it's the oldest AV program I've got on the computer.

/alos

#8 alos

alos
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:17 PM

Posted 07 May 2005 - 01:42 PM

Hello again!

The log is the "report" from CWShredder when I searched for that bad thing.

The link didn't work (about Florida).

Thanks again for your help and your patience with me :-)
/Alos

#9 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:17 PM

Posted 07 May 2005 - 01:44 PM

Alos, please mention what that log was you sent me in the next post.

Please continue with the removal of the malware as you can fix the antivirus issues when the bad stuff is gone. Please read over the information I posted so you will know what is happening and get to the numbered area of the fix.

When the bad stuff has been removed, look in Add/Remove Programs; you will see Norton there and should be able to uninstall it.

I hope this helps...
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#10 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:17 PM

Posted 07 May 2005 - 01:46 PM

I have never used Norton but perhaps something here would help:
http://www.google.com/search?hl=en&q=how+t...G=Google+Search
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#11 alos

alos
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:17 PM

Posted 07 May 2005 - 02:29 PM

Hallo,

Perhaps, or probably, I misunderstood. The log I sent to you was the report I got when I used CWShredder to delete the CWS intruder. Sorry if I did something stupid.
I can't find "Backweb" in Add/Remove Programs.
In Task Manager the only thing I can find is Back Web Agent. I will go on following your instructions. /Alos

#12 alos

alos
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:17 PM

Posted 08 May 2005 - 01:39 AM

Hello,
I couldn't find Backweb in Add/Remove Programs. But I found the folder at C:/PROGRAM/BACKWEB

I tried to get rid of it but it didn't work. I got a message from my computer:
"- Some programs can stop working if you change the name of, move or delete BACKWEB"
(this is my own translation; the message was written in Swedish)

SpySubtract
I tried to uninstall it. Parts of it disappeared but there is still a folder SPYSUBSTRACT.
I got the message: It's a free version.
- "You can't delete sshok. Possession is denied. Source file is maybe already in use"
(my own translation to English)

I don't know anything about Microsoft AntiSpyware??? It makes me a bit confused.

I've a firewall installed already - ZoneLabs'; it works OK.

Shall I check all the boxes in line 09?

I never use Alexa

Thanks
/Alos

#13 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:17 PM

Posted 08 May 2005 - 05:18 AM

Hello Alos, thank you for the information. It is good that you tell me all you think and I will learn what I need from that or ask more questions. Please always post a new HJT log when you make changes, as this is how I see what progress we have made and what is left to do. I wait patiently to see the new log. I want you to know that there is nothing wrong with SpySubtract; it is a good program. It just will not let our HJT changes happen, so that is why it must be turned off or uninstalled. When you have a clean computer, then you may put it back. I will suggest other safety programs at that point also.
Microsoft AntiSpyware: someone had to download this program, as it is very new and still in Beta stages (experimental). If you could not turn it off, then chances are very good that you could not remove the bad stuff from your computer using HijackThis. Until I see the log I will not know if you were able to make any progress. Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#14 alos

alos
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:17 PM

Posted 08 May 2005 - 02:25 PM

Hello!

I've followed your instructions very carefully. Some items couldn't be done.

C:\WINDOWS\TEMP\ICSUPP95.EXE (120kb) - got a message from my computer: "couldn't remove it because it was always in use by Windows"?

C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE couldn't remove it - I tried to put it in the waste-paper basket but then IE wouldn't
I'm also a bit confused about this. This file does not have the same date as the others, but I'm not sure whether we have tried to update IE earlier.

I've now installed the third AV program :-) (as you recommended - perhaps I should have removed the others first, but I haven't yet.)

I scanned the computer with AVG - it found one intruder, a trojan, Krepper.s (c:\WINDOWS\8vrz9srles.exe)
It's in quarantine now.

C:\PROGRAM\BACKWEB - the whole folder is now deleted and gone

WindowSecurity Trojanscan is done successfully - it found these:

- Adaware NewDotNet C:\Windows\NDNuninstall_38exe
- Adaware NewDotNet C:\Program\NewDotNet\newdotnet6_38dll
- Adaware NewDotNet C:\Program\NewDotNet\uninstall6_38exe
- Adaware WinAD.ah C:\unzipped\hijackthis\backups\backup-20050508-193836-902dll

Then I ran CCleaner; there were no problems.

I don't think the log is absolutely clean.

Thanks for your help. /Annette

#15 alos

alos
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:17 PM

Posted 08 May 2005 - 02:27 PM

Oops...
Here is the log :-)
Logfile of HijackThis v1.99.1
Scan saved at 21:01:46, on 2005-05-08
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE
C:\PROGRAM\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM\MESSENGER\MSMSGS.EXE
C:\PROGRAM\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM\WINZIP\WZQKPICK.EXE
C:\PROGRAM\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM\PACKARD BELL DIAMOND 2400\DRIVER\WATCH.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 3.0 SE\CALCHECK.EXE
C:\PROGRAM\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [reminder.exe] C:\program\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRAM\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRAM\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRAM\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRAM\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM\REAL\REALJUKEBOX\tsystray.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O4 - Startup: Watch.lnk = C:\Program\Packard Bell Diamond 2400\Driver\WATCH.exe
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.se/scr/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://communities.msn.se/scr/MsnUpld.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/us/sa/common/c...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/us/nav/common/...bin/AvSniff.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex/contr...x86/ietimer.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.aftonbladet.se/it/special/comma...cabs/cssweb.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...r/scaleo600.htm
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

/Annette
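The HijackThis log above (and the earlier CWShredder report) is plain text with a fixed line format: a header, a "Running processes:" block, then one entry per line tagged with a code such as R0, O3, O4, O9 or O16. The helper in this thread reads it by eye; the following is an added example, written for this page and not part of the thread or of HijackThis itself, that parses the same format and pulls out the items a helper checks first: executables running out of a TEMP directory (the ICSUPP95.EXE question above), O4 autostart entries grouped by where they live, entries HijackThis marks "(file missing)", and every host referenced by an entry. The sample input is a subset of the log posted above; the one R1 line is constructed from the Search Page value shown in the CWShredder report earlier in the thread, and the function names are mine.

```python
"""Parse a HijackThis v1.99.1 log and pull out the items a helper triages first.

Added example for this thread; not HijackThis's own code and not from the forum.
The parser follows the line format visible in the logs posted above.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Subset of the log posted in the thread, plus one R1 line that is constructed
# from the "Search Page" value shown in the CWShredder report earlier on.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:01:46, on 2005-05-08
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\PROGRAM\GRISOFT\AVG FREE\AVGCC.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O4 - HKLM\..\Run: [reminder.exe] C:\program\BackWeb\tuner\reminder.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRAM\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM\MESSEN~1\msmsgs.exe" /background
O4 - Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O9 - Extra button: Kangaroo - {06A18DC1-FE86-11d3-B9AF-0000B4C32B4D} - http://knowledge-assistant.com/webka/toolbar/tbie.asp (file missing)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
"""

# Entry lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe": a code, " - ", the body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class HjtLog:
    version: str = ""
    platform: str = ""
    processes: list = field(default_factory=list)   # lines of the "Running processes:" block
    entries: list = field(default_factory=list)     # (code, body) pairs, in log order


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.startswith("Logfile of HijackThis"):
            log.version = line.split("HijackThis", 1)[1].strip()
        elif line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.append((m.group(1), m.group(2)))
    return log


def processes_in_temp(log):
    """Executables running out of a TEMP directory, like ICSUPP95.EXE in the thread."""
    return [p for p in log.processes if "\\TEMP\\" in p.upper()]


def autostart_by_hive(log):
    """Group O4 autostart entries by location (the HKLM/HKCU Run keys, RunServices, Startup folder)."""
    groups = {}
    for code, body in log.entries:
        if code == "O4":
            location, _, item = body.partition(": ")
            groups.setdefault(location, []).append(item)
    return groups


def file_missing_entries(log):
    """Entries whose target is gone from disk; HijackThis appends '(file missing)' to them."""
    return [(c, b) for c, b in log.entries if b.endswith("(file missing)")]


def url_hosts(log):
    """Map every host referenced from an entry (R1 search pages, O9 buttons, O16 DPF) to the entry codes."""
    hosts = {}
    for code, body in log.entries:
        for url in URL_RE.findall(body):
            hosts.setdefault(urlparse(url).hostname, set()).add(code)
    return hosts


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print(f"HijackThis {log.version} on {log.platform}")
    print("processes from TEMP:", processes_in_temp(log))
    for loc, items in autostart_by_hive(log).items():
        print(f"{loc}: {len(items)} item(s)")
    print("file missing:", file_missing_entries(log))
    for host, codes in url_hosts(log).items():
        print(f"{host}: {sorted(codes)}")
```

Grouping O4 entries by location matters because the same program can be started from HKLM\..\Run, HKLM\..\RunServices, HKCU\..\Run or the Startup folder, and a removal that only fixes one of them leaves the others to re-launch it; the host map gives a quick view of which external sites the browser settings and downloaded controls point at, which is how a search-page hijack like the letgohome.com entries in the CWShredder report stands out.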
