been hijacked


This topic is locked
20 replies to this topic

#1 sotasteve (Members, 39 posts)

Posted 20 May 2005 - 02:16 PM

Hi,
I've been hijacked by something. I've run every spyware utility I've got, even without an internet connection and in safe mode. They don't find any issues anymore but I'm still hijacked! Please help.

Logfile of HijackThis v1.99.1
Scan saved at 3:11:42 PM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
c:\windows\system32\wflhlpd.exe
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsrDB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zmqefh.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepbd32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [r7FR3mQ] mpnelper.exe
O4 - HKLM\..\Run: [ohzlcps] c:\windows\system32\wflhlpd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Super Utilities] C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min
O4 - Startup: Shortcut to traverse city Frame ReadyFullcalc.rdp.lnk = C:\Documents and Settings\steve\Desktop\traverse city Frame ReadyFullcalc.rdp
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113141262808
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


#2 g2i2r4 (Malware remover, Members, 900 posts)

Posted 20 May 2005 - 03:19 PM

Welcome sotasteve to Bleeping Computer.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

****

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Then please run Ewido, and run a full scan. Save the logfile from the scan.

***

Next please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll

O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsrDB.dll

O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zmqefh.exe

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepbd32.exe

O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

O4 - HKLM\..\Run: [r7FR3mQ] mpnelper.exe

O4 - HKLM\..\Run: [ohzlcps] c:\windows\system32\wflhlpd.exe

Close all open windows except for HijackThis and click Fix Checked.

***

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


Life is what happens while you're making other plans

#3 sotasteve (Topic Starter, Members, 39 posts)

Posted 21 May 2005 - 08:32 AM

Hi & thanks for the reply,
Followed instructions best as I could. The Ewido scan took a looong time and quarantined as it went along. Here's the logfile for that and HJT.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:12:08 AM, 5/21/2005
+ Report-Checksum: 586CFAB1

+ Date of database: 5/20/2005
+ Version of scan engine: v3.0

+ Duration: 962 min
+ Scanned Files: 41558
+ Speed: 0.72 Files/Second
+ Infected files: 35
+ Removed files: 35
+ Files put in quarantine: 35
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\Program Files\ddd.exe -> TrojanDropper.Agent.hh -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\03743AB9-C385-4F61-B64C-E8C939\26A65FDD-DBC2-4E0E-8587-334A55 -> TrojanDownloader.Wintool.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\20BEE324-A971-45C9-B6E3-224364 -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\33920987-F9CF-4721-A948-FE2511 -> Spyware.Bargainbuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\513B0730-7309-4052-9E34-A0FEBB -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\732DCD6E-03D5-42D0-BC79-093E80 -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\84DDD385-9236-45D3-800B-395C61 -> Spyware.BargainBuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\894FB746-F306-4400-A2F0-15FF4B -> Spyware.Bargainbuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\91B5EB2E-883A-49AF-AD91-437599 -> Spyware.BargainBuddy.i -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\A6BBDD11-B43D-4C28-81C1-CCE4F0 -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\14BD37E4-7713-4B63-93EF-315C92\BF4BFF15-ABAA-407B-BC84-F0CF4B -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4CF1D796-12F0-476F-A0BC-8D597C\6B40CC92-3729-43C8-9493-8F5132 -> Spyware.WinAD.am -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4CF1D796-12F0-476F-A0BC-8D597C\F0FC5423-E2B2-4081-8A10-C4960D -> Spyware.Winad -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5562CEFD-466B-4255-962F-9CB8A9\75FADD72-9746-4750-8B92-80E9D5 -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5562CEFD-466B-4255-962F-9CB8A9\784A5CB5-F0F2-4A00-BA16-F3A487 -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5562CEFD-466B-4255-962F-9CB8A9\A4DCAFAD-7752-4949-99C2-856D67 -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\89488A34-3F6E-41F6-B249-4FC7D8\275413F9-653D-4659-A09C-AF1CDE -> Spyware.Small.ez -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9FAB8C12-F7EC-4501-A312-FD6CCC\666A7E5D-96FE-4E99-8CAF-AA5E82 -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A1BDF448-C152-484B-A6B3-C23C02\828E30E5-FD58-4198-B33B-4FA48E -> Spyware.CashBack.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A1BDF448-C152-484B-A6B3-C23C02\82F50246-A93A-4D62-97A3-318B74 -> Spyware.CashBack.b -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CBF6BB9E-3A48-4022-99AE-36BBFB\0D3CAA03-B1B1-4F8E-805F-B70AAA -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CBF6BB9E-3A48-4022-99AE-36BBFB\2990842E-5C59-434C-9BE3-3D04B3 -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CD1A6027-681C-44AD-B69D-921F68\0B303CC2-92FE-4BC6-971E-1748AA -> Spyware.Wintol.y -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\aun_0036.exe -> TrojanDownloader.Small.akz -> Cleaned with backup
C:\WINDOWS\system32\elitepbd32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\pakawbn.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\poker.exe -> TrojanDownloader.Agent.nj -> Cleaned with backup
C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\system32\Qool.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\winup2date.dll -> Spyware.Small.et -> Cleaned with backup
C:\WINDOWS\system32\wmconfig.cpl -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\system32\Zmqefh.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\WINDOWS\uawqzphnr.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 9:26:07 AM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mnkpkz.exe
C:\WINDOWS\system\xgpava.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\mnkpkz.exe reg_run
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Super Utilities] C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min
O4 - Startup: Shortcut to traverse city Frame ReadyFullcalc.rdp.lnk = C:\Documents and Settings\steve\Desktop\traverse city Frame ReadyFullcalc.rdp
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113141262808
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Things seem OK now but LMK what you think.
Thanks!!!
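The two HijackThis logs above (the 5/20 scan in post #1 and the 5/21 scan after Nailfix, Ewido and Fix Checked) are the before/after pair a helper reads by eye. As an added example, not a tool from this thread or from BleepingComputer, the Python below parses the R/F/O entries of a HijackThis 1.99 log, reports whatever is chained onto the Winlogon Shell value on the F2 line (the `Shell=Explorer.exe C:\WINDOWS\Nail.exe` entry g2i2r4 asked to fix), and diffs two scans so that entries that vanished and entries that are new stand out. The embedded excerpts are trimmed copies of the logs sotasteve posted; the entry regex and the case-insensitive key used for comparison are my assumptions about the log format, not anything HijackThis documents.

```python
"""Parse HijackThis v1.99 logs and diff the persistence entries of two scans.

Added example; not a tool posted in this thread. The embedded excerpts are
trimmed copies of the logs sotasteve posted (5/20/2005 and 5/21/2005).
"""
import re
from dataclasses import dataclass

# One HijackThis entry: section code (R0-R3, F0-F3, O1-O23), " - ", description.
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*\S)\s*$")


@dataclass(frozen=True)
class Entry:
    code: str  # e.g. "F2", "O4", "O23"
    body: str  # everything after the "Xn - " prefix

    def key(self) -> str:
        # Case- and whitespace-insensitive identity, so the same entry in two
        # logs compares equal even if a path was capitalised differently.
        return f"{self.code} - {' '.join(self.body.split()).lower()}"

    def line(self) -> str:
        return f"{self.code} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/O entries of a log; header and process list are ignored."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def shell_hijack(entries: list[Entry]) -> list[str]:
    """Programs chained onto the Winlogon Shell value, as reported on F2 lines.

    A clean Windows XP install has Shell=Explorer.exe and nothing after it;
    every extra token is started alongside the desktop at each logon.
    """
    extra = []
    for e in entries:
        if e.code != "F2":
            continue
        m = re.search(r"Shell=(.*)", e.body, re.IGNORECASE)
        if m:
            extra.extend(t for t in m.group(1).split() if t.lower() != "explorer.exe")
    return extra


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(entries gone in the second scan, entries that are new in the second scan)."""
    b = {e.key(): e for e in parse_hjt(before)}
    a = {e.key(): e for e in parse_hjt(after)}
    removed = [b[k].line() for k in b if k not in a]
    added = [a[k].line() for k in a if k not in b]
    return removed, added


# Trimmed copy of the first log in this topic (5/20/2005).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:11:42 PM, on 5/20/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zmqefh.exe
O4 - HKLM\..\Run: [r7FR3mQ] mpnelper.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Trimmed copy of the second log in this topic (5/21/2005, after cleanup).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:26:07 AM, on 5/21/2005

Running processes:
C:\WINDOWS\system32\mnkpkz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\mnkpkz.exe reg_run
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

if __name__ == "__main__":
    print("Chained onto Shell= in first log:", shell_hijack(parse_hjt(LOG_BEFORE)))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone after cleanup:")
    for item in removed:
        print("  -", item)
    print("New since the first scan (re-check these):")
    for item in added:
        print("  +", item)
```

Run against the two excerpts, the script lists the seven entries that the fix removed and three that are new, among them the `[KavSvc] C:\WINDOWS\system32\mnkpkz.exe reg_run` Run key that was not in the first log at all; that is exactly the kind of line a helper wants surfaced rather than buried in forty unchanged entries. Entries identical in both scans, like the NVIDIA `NvCplDaemon` key, are not reported.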

#4 g2i2r4 (Malware remover, Members, 900 posts)

Posted 21 May 2005 - 01:23 PM

Please download FindQoologic from here:
http://forums.net-integration.net/index.ph...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

Edited by g2i2r4, 21 May 2005 - 01:23 PM.




#5 sotasteve (Topic Starter, Members, 39 posts)

Posted 24 May 2005 - 11:22 AM

Hi,
I had to be away from this box for a couple of days. I thought I posted my logs after following your instructions but I don't see them here now. Wonder what I did wrong. At any rate my system seems to be up & running clean right now but I'll post logs again if you'd like.
I just saw your last post on the 21st. That log file is in my next post.

Thanks,
steve

Edited by sotasteve, 24 May 2005 - 11:31 AM.


#6 sotasteve (Topic Starter, Members, 39 posts)

Posted 24 May 2005 - 11:30 AM

Here's the log file from your last reply:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\MNKPKZ.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\RONMNAC.EXE
* aspack C:\WINDOWS\System32\BAKSM.DAT
* aspack C:\WINDOWS\System32\BVAKA.DAT
* qoologic C:\WINDOWS\HKOZO.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\PTKI.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
ptki.exe
WinZip Quick Pick.lnk

User Startup:
C:\Documents and Settings\steve\Start Menu\Programs\Startup
.
..
desktop.ini
Shortcut to traverse city Frame ReadyFullcalc.rdp.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BitDefender Antivirus v8

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\tqnxnygt
<NO NAME> REG_SZ {40440874-bada-47e6-b2a4-1f32752d3eb4}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
<NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinExpert
<NO NAME> REG_SZ {19741013-C829-11D1-8233-0020AF3E97A9}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 12:25
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

#7 g2i2r4 (Malware remover, Members, 900 posts)

Posted 24 May 2005 - 12:46 PM

Quote: "my system seems to be up & running clean right now"

Please post a fresh log using HijackThis and we'll check that first.

I merged your posts, one topic per user is preferred.



#8 sotasteve (Topic Starter, Members, 39 posts)

Posted 24 May 2005 - 04:08 PM

Here 'tis:

Logfile of HijackThis v1.99.1
Scan saved at 5:07:02 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mnkpkz.exe
C:\WINDOWS\system\xgpava.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\mnkpkz.exe reg_run
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Super Utilities] C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min
O4 - Startup: Shortcut to traverse city Frame ReadyFullcalc.rdp.lnk = C:\Documents and Settings\steve\Desktop\traverse city Frame ReadyFullcalc.rdp
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113141262808
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Steve

#9 g2i2r4 (Malware remover, Members, 900 posts)

Posted 24 May 2005 - 04:18 PM

I'm sorry but it's still there.

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\tqnxnygt]

[-HKEY_CLASSES_ROOT\CLSID\{40440874-bada-47e6-b2a4-1f32752d3eb4}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.


Next, run Find-Qoologic2.bat again and please post that log here in this topic.


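A fix.reg like the one above is merged with a single double-click, so it is worth being able to read off what it will do first: a `[-Key]` line deletes the whole key, a `[Key]` line creates or opens it, `"name"=data` writes a value and `"name"=-` deletes one. As an added example, not a tool from this thread, the Python below summarises a .reg file in those terms and tells you whether it is delete-only (as the fix above is) or also writes new data. SAMPLE_REG is the fix.reg text from the post above; SAMPLE_WITH_VALUES is a constructed file that exercises the value forms. Only these plain forms are handled; hex data continued across lines with a trailing backslash is not parsed, which is an assumption I make to keep the reviewer small.

```python
"""Preview what a REGEDIT4 / .reg file will do before merging it.

Added example, not a tool from this thread. Handles [-Key] deletions,
[Key] creation, "name"=data and @=data assignments, and "name"=- value
deletions; multi-line hex(...) data is deliberately not supported.
"""
import re

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# "quoted name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')


def parse_reg(text: str) -> dict:
    """Summarise a .reg file: header, keys deleted, keys touched, values set/deleted."""
    summary = {"header": None, "delete_keys": [], "keys": [],
               "set_values": [], "delete_values": []}
    current = None  # key that following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if summary["header"] is None:
            # "REGEDIT4" or "Windows Registry Editor Version 5.00"
            summary["header"] = line
            continue
        km = KEY_RE.match(line)
        if km:
            minus, key = km.groups()
            if minus:
                summary["delete_keys"].append(key)
                current = None                    # values cannot follow a deleted key
            else:
                summary["keys"].append(key)
                current = key
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            name = "(Default)" if vm.group(2) else vm.group(1)
            data = vm.group(3)
            if data == "-":
                summary["delete_values"].append((current, name))
            else:
                summary["set_values"].append((current, name, data))
    return summary


def is_delete_only(summary: dict) -> bool:
    """True when the file only removes keys/values and writes nothing new."""
    return not summary["set_values"] and bool(summary["delete_keys"] or summary["delete_values"])


# The fix.reg text posted in this topic.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\tqnxnygt]

[-HKEY_CLASSES_ROOT\CLSID\{40440874-bada-47e6-b2a4-1f32752d3eb4}]
"""

# Constructed sample (not from the thread) that writes one value and deletes another.
SAMPLE_WITH_VALUES = r"""Windows Registry Editor Version 5.00

; constructed sample: set one Run value, remove a stale one
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"
"ExampleStale"=-
"""

if __name__ == "__main__":
    for label, text in (("fix.reg", SAMPLE_REG), ("constructed", SAMPLE_WITH_VALUES)):
        s = parse_reg(text)
        print(f"{label}: {s['header']}, delete-only={is_delete_only(s)}")
        for k in s["delete_keys"]:
            print("  delete key  ", k)
        for k, n in s["delete_values"]:
            print("  delete value", k, "->", n)
        for k, n, d in s["set_values"]:
            print("  set value   ", k, "->", n, "=", d)
```

For the fix.reg above the summary is two key deletions and nothing written, which matches what the helper described: the `tqnxnygt` context-menu handler registration and the CLSID it pointed to are removed and no other key is touched.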

#10 sotasteve (Topic Starter, Members, 39 posts)

Posted 25 May 2005 - 05:36 PM

Here is that log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\MNKPKZ.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\RONMNAC.EXE
* aspack C:\WINDOWS\System32\BAKSM.DAT
* aspack C:\WINDOWS\System32\BVAKA.DAT
* qoologic C:\WINDOWS\HKOZO.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\PTKI.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
ptki.exe
WinZip Quick Pick.lnk

User Startup:
C:\Documents and Settings\steve\Start Menu\Programs\Startup
.
..
desktop.ini
Shortcut to traverse city Frame ReadyFullcalc.rdp.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BitDefender Antivirus v8

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
<NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinExpert
<NO NAME> REG_SZ {19741013-C829-11D1-8233-0020AF3E97A9}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 18:33
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

Thanks
Steve

#11 g2i2r4 (Malware remover, Members, 900 posts)

Posted 26 May 2005 - 07:16 AM

Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.

Please double-click Killbox.exe to run it.
Go to the File menu, and choose "Delete all Dummy Files".
Close Killbox.

***

Run HijackThis and post the scan here in your answer.



#12 sotasteve (Topic Starter, Members, 39 posts)

Posted 27 May 2005 - 09:28 AM

Hi,
I ran the Killbox but no dummy files were found.
Steve

#13 g2i2r4 (Malware remover, Members, 900 posts)

Posted 27 May 2005 - 05:45 PM

Sigh, I made the wrong step here; I should have done a previous step first.
My apologies for the misstep.

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


Please double-click Killbox.exe to run it.

Select "Delete on Reboot".

Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINDOWS\System32\MNKPKZ.EXE
C:\WINDOWS\System32\RONMNAC.EXE
C:\WINDOWS\System32\BAKSM.DAT
C:\WINDOWS\System32\BVAKA.DAT
C:\WINDOWS\HKOZO.DLL
C:\documents and settings\all users\startmenu\programs\startup\PTKI.EXE
C:\WINDOWS\system\xgpava.exe
C:\WINDOWS\VCMnet11.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the "Replace on Reboot" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Post back with another Find-Qoologic2 log and a fresh log using HijackThis.



#14 sotasteve (Topic Starter, Members, 39 posts)

Posted 28 May 2005 - 08:42 AM

Hi,
Here's my Find-Qoologic2 log even though the killbox did not prompt me as described in your previous post. After I pasted the clipboard of the files in your last post, I selected the "replace on reboot" but saw nothing that prompted me or gave me an option to reboot. So I did not click yes at the Delete on reboot or No at the Pending Operations prompt because I never saw them.


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\BAKSM.DAT
* qoologic C:\WINDOWS\HKOZO.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
WinZip Quick Pick.lnk

User Startup:
C:\Documents and Settings\steve\Start Menu\Programs\Startup
.
..
desktop.ini
Shortcut to traverse city Frame ReadyFullcalc.rdp.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BitDefender Antivirus v8

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
<NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinExpert
<NO NAME> REG_SZ {19741013-C829-11D1-8233-0020AF3E97A9}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 09:32
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

#15 g2i2r4 (Malware remover, Members, 900 posts)

Posted 28 May 2005 - 11:49 AM

Please reboot the computer (if you haven't done that already).

Then post back here with a fresh log using HijackThis.

