
HJT Log - Topspin817



#1 topspin817

Posted 26 May 2005 - 09:20 PM

I have been having a terrible time with popups, especially. Things have been installed without my consent and I sometimes turn on my computer only to find that a new toolbar has been installed in my Internet Explorer. I have something called TopText iLookUp under Ezula, Inc., and I can't get rid of it. I use Bazooka Scanner, Spyware Blaster, Spybot, and Ad-Aware along with Norton Antivirus and a ZoneAlarm Pro Firewall. I have tried to manually get rid of these things, but they keep coming back. I would greatly appreciate your help :thumbsup:. Thanks a bunch; my HijackThis logfile is copied below.

Logfile of HijackThis v1.99.1
Scan saved at 9:55:00 PM, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\iPYSvc.exe
C:\WINNT\system32\iPYSvr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\spupdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ipycp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\spupdw2k.exe
C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://addictinggames.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ipyrun] ipycp.exe
O4 - HKLM\..\Run: [zbwxqx] c:\winnt\system32\zbwxqx.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitejjm32.exe
O4 - HKCU\..\Run: [ShockmachineReminder] C:\Shockmachine\SmReminder.exe
O4 - HKCU\..\Run: [KaZaA Download Accelerator] D:\Kazaa Accelerator\kda.exe
O4 - HKCU\..\Run: [Kppgv] C:\WINNT\system32\??stem32\nopdb.exe
O4 - HKCU\..\Run: [Into] C:\Documents and Settings\Aaron Dingman\Application Data\owtr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\winnt\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\k4nole531h.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPYSvc - Unknown owner - C:\WINNT\system32\iPYSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#2 OldTimer (Malware Expert)

Posted 26 May 2005 - 11:27 PM

Hello topspin817 and welcome to the BC forums. Let's start out with a couple of scans.

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to these files on your hard drive to submit for a scan:

C:\WINNT\system32\iPYSvc.exe
C:\WINNT\system32\iPYSvr.exe
C:\WINNT\system32\spupdsvc.exe
C:\WINNT\system32\ipycp.exe
C:\WINNT\system32\spupdw2k.exe

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Let's also check for some files that might not be showing in the Hijackthis log.

PFind - 1

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt and the information from the scans back here and I will review it when it comes in.

OT

Cheers.
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 topspin817 (Topic Starter)

Posted 27 May 2005 - 09:48 AM

The Jotti's malware scan said that all of those files are OK. Here's the PFind log:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder

C:\pagefils.csp: UPX!


Checking the C:\Program Files folder

C:\Program Files\sdf.exe: FSG!


Checking the C:\WINNT folder

C:\WINNT\azentretien.dll: UPX!
C:\WINNT\Buddy.exe: UPX!
C:\WINNT\ceres.dll: UPX!
C:\WINNT\daemon.dll: UPX!
C:\WINNT\icont.exe: UPX!
C:\WINNT\protector.exe: FSG!
C:\WINNT\VT17.exe: UPX!


Checking the C:\WINNT\SYSTEM32 folder

C:\WINNT\SYSTEM32\Agent.dll: UPX!
C:\WINNT\SYSTEM32\CometTB.dll: UPX!
C:\WINNT\SYSTEM32\ctbv2.dll: UPX!
C:\WINNT\SYSTEM32\elitejjm32.exe: FSG!
C:\WINNT\SYSTEM32\eliteskg32.exe: FSG!
C:\WINNT\SYSTEM32\elitexoc32.exe: FSG!
C:\WINNT\SYSTEM32\eliteyuy32.exe: FSG!
C:\WINNT\SYSTEM32\exactsetup.dll: UPX!
C:\WINNT\SYSTEM32\i504b6s.dll: UPX!
C:\WINNT\SYSTEM32\LameACM.acm: UPX!
C:\WINNT\SYSTEM32\netpals.dll: UPX!
C:\WINNT\SYSTEM32\Rsrc32.dll: UPX!


Checking all directories under the C:\WINNT\SYSTEM32\drivers folder

C:\WINNT\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 www.qoologic.com
C:\WINNT\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 www.urllogic.com
C:\WINNT\SYSTEM32\Drivers\etc\hosts.20050518-142509.backup: 127.0.0.1 www.qoologic.com
C:\WINNT\SYSTEM32\Drivers\etc\hosts.20050518-142509.backup: 127.0.0.1 www.urllogic.com


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Aaron Dingman\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Aaron Dingman\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINNT\
shelli~1 Fri May 27 2005 10:28:04a ...H. 1,097,376 1.04 M

C:\WINNT\CSC\
00000001 Tue Apr 26 2005 6:42:34p A.S.. 64 0.06 K
00000002 Tue Apr 26 2005 11:44:28a A.S.. 64 0.06 K
csc1.tmp Tue Apr 19 2005 4:57:10p A.S.. 64 0.06 K

C:\WINNT\FONTS\
infoview.fon Tue Apr 26 2005 8:40:18p A..H. 37,472 36.59 K

C:\WINNT\SYSTEM32\
hr6s05~1.dll Fri May 27 2005 9:45:04a ..S.R 235,567 230.04 K
i6lolg~1.dll Fri Apr 29 2005 6:46:30a ..S.R 236,248 230.71 K
k8260i~1.dll Thu May 26 2005 7:21:38p ..S.R 235,430 229.91 K
ksdgr.dll Fri May 27 2005 9:45:04a ..S.R 234,802 229.30 K
mmrui.dll Wed May 11 2005 7:05:24p ..S.R 234,272 228.78 K
p64ulg~1.dll Mon May 9 2005 6:10:46p ..S.R 236,232 230.70 K
pylagent.dll Wed May 18 2005 2:09:44p ..S.R 235,716 230.19 K
q0ps0a~1.dll Fri May 27 2005 10:32:00a ..S.R 236,337 230.80 K
q0rq0a~1.dll Tue May 10 2005 4:44:22p ..S.R 232,298 226.85 K
r0p8la~1.dll Sat May 7 2005 9:50:22p ..S.R 233,159 227.69 K
rcsauth.dll Fri May 27 2005 10:32:00a ..S.R 235,567 230.04 K
zllictbl.dat Fri May 27 2005 10:23:20a ...H. 4,212 4.11 K

C:\WINNT\TASKS\
sa.dat Fri May 27 2005 10:28:14a A..H. 6 0.00 K

C:\WINNT\SYSTEM32\STEM32~1\
nopdb.exe Wed May 25 2005 9:15:36a ..SHR 430,080 420.00 K

19 items found: 19 files, 0 directories.
Total of file sizes: 4,154,966 bytes 3.96 M

#4 OldTimer (Malware Expert)

Posted 27 May 2005 - 03:33 PM

Hi topspin817. Ok, let's get started. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Now uninstall anything by Kazaa by:
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
  • Click on it to select it.
  • Click Change (or Change/Remove) button.
  • If you are prompted to confirm the removal of the program, click Yes.
anything with Kazaa in the name

Step #2

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
C:\WINNT\azentretien.dll
C:\WINNT\Buddy.exe
C:\WINNT\ceres.dll
C:\WINNT\icont.exe
C:\WINNT\protector.exe
C:\WINNT\VT17.exe
C:\WINNT\SYSTEM32\CometTB.dll
C:\WINNT\SYSTEM32\ctbv2.dll
C:\WINNT\SYSTEM32\elitejjm32.exe
C:\WINNT\SYSTEM32\eliteskg32.exe
C:\WINNT\SYSTEM32\elitexoc32.exe
C:\WINNT\SYSTEM32\eliteyuy32.exe
C:\WINNT\SYSTEM32\exactsetup.dll
C:\WINNT\SYSTEM32\netpals.dll

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now. Reboot into Safe Mode by:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [zbwxqx] c:\winnt\system32\zbwxqx.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitejjm32.exe
O4 - HKCU\..\Run: [KaZaA Download Accelerator] D:\Kazaa Accelerator\kda.exe
O4 - HKCU\..\Run: [Kppgv] C:\WINNT\system32\??stem32\nopdb.exe
O4 - HKCU\..\Run: [Into] C:\Documents and Settings\Aaron Dingman\Application Data\owtr.exe
O14 - IERESET.INF: SearchAssistant=
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\k4nole531h.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

c:\winnt\system32\zbwxqx.exe
C:\winnt\system32\elitejjm32.exe (and any other file with a name like elite***32.exe)
C:\WINNT\system32\k4nole531h.dll
D:\Kazaa Accelerator\ <--folder
C:\Documents and Settings\Aaron Dingman\Application Data\owtr.exe

Now search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

nopdb.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Start ewido and click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

#5 topspin817 (Topic Starter)

Posted 27 May 2005 - 06:44 PM

I couldn't find:
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\k4nole531h.dll

but I found:
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\n8p4li7q18.dll, should I delete that?

I also couldn't find nopdb.exe at all.

Here's my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:39:20 PM, on 5/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\iPYSvc.exe
C:\WINNT\system32\iPYSvr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\spupdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spupdw2k.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ipycp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Aaron Dingman\Start Menu\Programs\12Ghosts\12popup.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://addictinggames.com/
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ipyrun] ipycp.exe
O4 - HKCU\..\Run: [ShockmachineReminder] C:\Shockmachine\SmReminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Documents and Settings\Aaron Dingman\Start Menu\Programs\12Ghosts\12popup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\winnt\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: MCD - C:\WINNT\system32\f2j2lc1o1f.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPYSvc - Unknown owner - C:\WINNT\system32\iPYSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#6 OldTimer (Malware Expert)

Posted 28 May 2005 - 01:27 PM

Hey topspin817. Looks better but we still have something in there. Let's do this.
  • Download FindQoologic2.zip and save it to your Desktop.
  • Unzip Find-Qoologic2.zip to its own folder and then use Windows Explorer to navigate to that folder.
  • Double-click the Find-Qoologic2.bat file to run it. It will take some time so be patient.
  • When Notepad opens with the results in it copy/paste the entire contents of the document back here.
Cheers.

OT

#7 topspin817 (Topic Starter)

Posted 28 May 2005 - 03:59 PM

Here's the log that Find-Qoologic2 created:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
A
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..

User Startup:
C:\Documents and Settings\Aaron Dingman\Start Menu\Programs\Startup
.
..
12Ghosts Popup-Killer.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 16:33
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{26923b43-4d38-484f-9b9e-de460746276c}\(Default)" = "Internet Explorer Access"
\StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE" [MS]

#8 OldTimer (Malware Expert)

Posted 06 June 2005 - 03:21 PM

Hi topspin817. Sorry for the long delay. I did not see that you had posted back. The Qoologic scan doesn't show anything unusual so let's do this.

Post a new HijackThis log and after you run HijackThis do not shut down or reboot your machine. Doing so will rename the files and then we will need to start all over again.

Cheers.

OT
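
As an added illustration (not part of the thread, and not one of the tools OldTimer used): the checks a helper applies by eye when reading these logs, scripted in Python. It parses the O4 and O20 lines of the HijackThis logs above, flags the indicators used in this thread (the ??stem32 directory, the elite***32.exe wildcard, random-looking names in system32) and, by comparing successive logs, shows the Winlogon Notify DLL changing name from one reboot to the next, which is why post #8 asks for a log taken without rebooting afterwards. The abridged sample logs, the name heuristic and every function name are my own assumptions.

```python
import re

# Constructed sample input: abridged O4/O20 lines from the HijackThis logs in
# this thread, in scan order (the "Controls Folder" line is the one the poster
# reported finding between the two posted logs of 26 and 27 May).
LOG_26_MAY = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [zbwxqx] c:\winnt\system32\zbwxqx.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitejjm32.exe
O4 - HKCU\..\Run: [Kppgv] C:\WINNT\system32\??stem32\nopdb.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\k4nole531h.dll
"""
LOG_27_MAY_AM = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\n8p4li7q18.dll
"""
LOG_27_MAY_PM = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ipyrun] ipycp.exe
O20 - Winlogon Notify: MCD - C:\WINNT\system32\f2j2lc1o1f.dll
"""
LOGS = [LOG_26_MAY, LOG_27_MAY_AM, LOG_27_MAY_PM]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
SYSTEM32 = re.compile(r"(?i)\\winnt\\system32\\")  # Windows 2000 layout on this machine
ELITE = re.compile(r"(?i)^elite\w{3}32\.exe$")     # OldTimer's elite***32.exe wildcard


def image_path(cmd):
    """Reduce an O4 command line to its executable path (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|com))(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def parse_hjt(text):
    """Return (section, name, path) tuples for the O4 and O20 lines of a log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(("O4", m.group("name"), image_path(m.group("cmd"))))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(("O20", m.group("name"), m.group("path").strip()))
    return entries


def looks_random(stem):
    """Heuristic for machine-generated file names: two or more digit runs mixed
    into the letters, or five or more letters with no vowel at all."""
    digit_runs = len(re.findall(r"\d+", stem))
    letters = re.sub(r"[^A-Za-z]", "", stem)
    return digit_runs >= 2 or (len(letters) >= 5 and not re.search(r"[aeiouAEIOU]", letters))


def flag_entries(entries):
    """Attach a reason to each entry that matches an indicator used in the thread."""
    findings = []
    for section, name, path in entries:
        fname = path.rsplit("\\", 1)[-1]
        stem = fname.rsplit(".", 1)[0]
        directory = path[: len(path) - len(fname)]
        if "?" in directory:
            reason = "directory name contains unprintable characters"
        elif ELITE.match(fname):
            reason = "matches the elite***32.exe pattern"
        elif SYSTEM32.search(path) and looks_random(stem):
            reason = ("random-looking Winlogon Notify DLL in system32" if section == "O20"
                      else "random-looking file name in system32")
        else:
            continue
        findings.append((section, name, path, reason))
    return findings


def winlogon_churn(logs):
    """Compare successive logs: when no O20 Winlogon Notify DLL is seen in more
    than one scan, the component is being renamed between reboots."""
    per_log = [{p for s, _, p in parse_hjt(text) if s == "O20"} for text in logs]
    seen = [p for dlls in per_log for p in sorted(dlls)]
    scans_with_o20 = sum(1 for dlls in per_log if dlls)
    return seen if scans_with_o20 >= 2 and len(set(seen)) == len(seen) else []


if __name__ == "__main__":
    for label, text in zip(["26 May", "27 May am", "27 May pm"], LOGS):
        print(f"== {label} ==")
        for section, name, path, reason in flag_entries(parse_hjt(text)):
            print(f"  {section} [{name}] {path}: {reason}")
    churn = winlogon_churn(LOGS)
    if churn:
        print("Winlogon Notify DLL changed on every scan:", ", ".join(churn))
```

The name heuristic is deliberately loose and only applied inside system32; it is a prompt for a human to look closer, not a verdict.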

#9 topspin817 (Topic Starter)

Posted 06 June 2005 - 03:44 PM

That's ok, I don't mind, thanks for all your help. The log file is posted below.

Logfile of HijackThis v1.99.1
Scan saved at 4:42:14 PM, on 6/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\iPYSvc.exe
C:\WINNT\system32\iPYSvr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\spupdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\ipycp.exe
C:\program files\tvs\tvs_b.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Aaron Dingman\Start Menu\Programs\12Ghosts\12popup.exe
C:\WINNT\system32\spupdw2k.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://addictinggames.com/
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ipyrun] ipycp.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ShockmachineReminder] C:\Shockmachine\SmReminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Documents and Settings\Aaron Dingman\Start Menu\Programs\12Ghosts\12popup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\winnt\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\r48slel71hq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPYSvc - Unknown owner - C:\WINNT\system32\iPYSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
