VX2 pain in the ass


5 replies to this topic

#1 chiron674 (Members, 3 posts)

Posted 28 May 2005 - 05:31 AM

Hi!

Please help me. I've been trying to deal with this for 6 hrs and can't find a way to delete this application. It seems to be a VX2 thing, that's what AdAware says. Spybot doesn't find anything, Norton is useless here. The VX2 add-on doesn't help. That VX2 lovely seems to be appearing with a different name every time I reboot the computer, and AdAware always finds one process (the VX2 with different names) and several registry entries / possibly also a file in System Volume Information.

Looking for info I did an "L2MFIX find log 1" (but didn't proceed from there after the log, because the description says to run the fix and then double-click a "cleanup.reg" file which I can't find in the l2mfix folder) and the startup log and the HijackThis log. Since I think it also has to do with the startup process I can also post the startup log and the L2MFIX log if needed.

(Something tells me line 15 of the log shouldn't be there: C:\WINDOWS\Explorer.EXE - is this the opening of IE with the startup so that the "about:blank" site appears? However, I leave that to your interpretation. Please also tell me how to reset the start page of IE, it always jumps back to "about:blank" after modifying it)

Please tell me how to go from here (I'm not computer savvy, so please explain it like you would explain to a 5 y.o. kid). The HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:02, on 28.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton Utilities\NPROTECT.EXE
C:\Programme\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\d3bq.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programme\ahead\InCD\InCD.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\system32\msaj.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Programme\Plextor\PlexTool.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\g\LOKALE~1\Temp\Rar$EX00.995\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A02E347F-8BF6-310A-944E-8F4FF9AA318A} - C:\WINDOWS\system32\iege32.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Programme\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Programme\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [msaj.exe] C:\WINDOWS\system32\msaj.exe
O4 - HKLM\..\RunOnce: [d3bq.exe] C:\WINDOWS\system32\d3bq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PlexTools.lnk = C:\Programme\Plextor\PlexTool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096154028272
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/es...ivex_300_es.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{644BC4AB-10D3-425B-8E86-C0BC4BEFD649}: NameServer = 195.34.133.10,195.34.133.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{644BC4AB-10D3-425B-8E86-C0BC4BEFD649}: NameServer = 195.34.133.10,195.34.133.11
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthn.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programme\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programme\Speed Disk\nopdb.exe

Edited by chiron674, 28 May 2005 - 05:51 AM.



#2 Guest_Cretemonster_* (Guests)

Posted 29 May 2005 - 06:31 AM

Hi chiron674 and Welcome to the Bleeping Computer!

You will need to create a new folder for HijackThis and anything I ask you to download!

To do this>"Right Click" the Desktop>Select "New">Select "Folder">Name it whatever you like!

Now locate the original Zip file for HijackThis and place it in the new folder!

Download all the below to the new folder but please DO NOT run them until I ask you to!

Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

Reglite
http://www.resplendence.com/reglite

CWShredder
http://cwshredder.net/bin/CWShredder.exe

Double Click CWShredder.exe to run it>>Click Check For Update
Close it out once updated, We will run it in Safe Mode!

cwsserviceremove.reg
http://forums.techguy.org/attachment.php?attachmentid=45240

About Buster
http://www.besttechie.net/forums/index.php?showtopic=1488

Follow the Instructions inside the link to Update it, We will run it in Safe Mode!

CleanUp!
http://downloads.stevengould.org/cleanup/CleanUp40.exe

Once all are downloaded Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Once in Safe Mode>Click Start>Click Run>Type in Services.msc and Click OK!

Scroll that list and locate

Network Security Service

Right Click and Select Properties>>Click the Stop button then go up and change the Startup Type to Disabled!

Open RegLite and Copy&Paste the below text into the address bar>>Hit Enter and follow the Instructions!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Look to the larger right hand pane and locate an entry that begins with

11F or Legacy_11F<<< Right Click and Select Delete>>That should be the only entry with 11F or Legacy_11F

Do the same for all these entries as well

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root


Make sure to search each key thoroughly for that entry!!

Now Open the Reg File I had you download cwsserviceremove.reg

Double Click cwsserviceremove.reg and Allow it to merge with the Registry!

Run CWShredder

Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit"

Run About Buster just as described in the link!

Please run it until you get these Results:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Run CleanUp!

Click "Cleanup" and it will Scan and Remove all available Temp files>Click "Close">Click "No" to Logoff!

Unregister these DLLs,to do this:

Click Start>>>Click Run>>>Copy&Paste the Text below into the Text Box and Click OK!

regsvr32 /u iege32.dll
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\system32\iege32.dll

Do the same for these:

regsvr32 /u gds.dll
or
regsvr32 /u C:\WINDOWS\gds.dll

regsvr32 /u cjigf.dll
or
regsvr32 /u C:\WINDOWS\cjigf.dll

Locate and Delete

C:\WINDOWS\system32\msaj.exe<< File!

C:\WINDOWS\system32\d3bq.exe<< File!

C:\WINDOWS\system32\iege32.dll<< File!

C:\WINDOWS\cjigf.dll<< File!

C:\WINDOWS\gds.dll<< File!

C:\WINDOWS\nthn.exe<< File!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cjigf.dll/sp.html#12047

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {A02E347F-8BF6-310A-944E-8F4FF9AA318A} - C:\WINDOWS\system32\iege32.dll

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll

O4 - HKLM\..\Run: [iexplore.exe] C:\Programme\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [msaj.exe] C:\WINDOWS\system32\msaj.exe

O4 - HKLM\..\RunOnce: [d3bq.exe] C:\WINDOWS\system32\d3bq.exe

O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab

O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/es...ivex_300_es.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthn.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Special Note: Some of the names of the files may have changed by the time you see this!

The ones listed below may be listed with a differently named file!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cjigf.dll/sp.html#12047

O2 - BHO: Class - {A02E347F-8BF6-310A-944E-8F4FF9AA318A} - C:\WINDOWS\system32\iege32.dll

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll

O4 - HKLM\..\Run: [msaj.exe] C:\WINDOWS\system32\msaj.exe

O4 - HKLM\..\RunOnce: [d3bq.exe] C:\WINDOWS\system32\d3bq.exe

You will need to Scan with Hijackthis before you begin File Deletion and dll unregistration and Confirm and Adjust the names of these files!

Once you know the proper names>>Replace them in my instructions where needed!

Now Open Ewido Security Suite>>Scan the PC and Save the log!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with the Reports from Panda and Ewido along with a fresh HijackThis log!
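The reply above picks out the same handful of entry types every time this family of hijack shows up: R0/R1 values pointing at res:// inside a local DLL, BHOs dropped straight into C:\WINDOWS or System32, random four-or-five-letter executables set to autostart from Run/RunOnce, ActiveX (O16 DPF) downloads from non-Microsoft hosts, and an O23 service with an unknown owner and a missing binary. The script below is an added example (not code from this thread, and not part of HijackThis or CWShredder) that applies those triage rules to a HijackThis 1.99 log and derives the "locate and delete" list. The sample log is a constructed subset of the first log in this thread, with the garbled service name shortened to "( 11F)"; the Windows-directory paths, the trusted-host list and the random-name pattern are my assumptions and are marked as such in the code.

```python
"""Triage a HijackThis 1.99 log for the CoolWebSearch/VX2-style hijack in this thread.
Added example, not code from the thread or from HijackThis. The thresholds and
allow-lists are assumptions, so a hit means "look at this", not "delete this".
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the first log in the thread, with the garbled
# service name shortened to "( 11F)" so the source stays plain ASCII.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cjigf.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A02E347F-8BF6-310A-944E-8F4FF9AA318A} - C:\WINDOWS\system32\iege32.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Programme\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [msaj.exe] C:\WINDOWS\system32\msaj.exe
O4 - HKLM\..\RunOnce: [d3bq.exe] C:\WINDOWS\system32\d3bq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096154028272
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/es...ivex_300_es.exe
O23 - Service: Network Security Service ( 11F) - Unknown owner - C:\WINDOWS\nthn.exe (file missing)
"""

# Assumption: the Windows directory is C:\WINDOWS, as in the poster's log.
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
# Assumption: O16 ActiveX downloads from these domains are expected on an XP box.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")
# Assumption: 4-5 random letters/digits, optionally "32" (msaj.exe, d3bq.exe, nethk32.exe).
RANDOM_NAME = re.compile(r"[a-z0-9]{4,5}(?:32)?\.exe")


def _finding(section, line, reason, path=None):
    return {"section": section, "line": line, "reason": reason, "path": path}


def _in_windows_dir(path):
    """True when the file sits directly in the Windows or System32 directory."""
    parent = path.lower().rsplit("\\", 1)[0] + "\\"
    return parent in WINDOWS_DIRS


def _exe_from_value(value):
    """Executable path from a Run-key value: the quoted path, or the path before the first flag."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return re.split(r"\s[-/]", value)[0]


def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return a list of finding dicts for the suspicious lines in a HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1"):
            key, _, value = line.partition(" = ")
            if value.lower().startswith("res://"):
                # res://C:\WINDOWS\x.dll/sp.html: the "search page" is HTML packed inside a local DLL
                dll = value[len("res://"):].split("/", 1)[0]
                findings.append(_finding(tag, line, "search/start page served from a local DLL via res://", dll))
            elif value.lower() == "about:blank" and "default_page_url" in key.lower():
                findings.append(_finding(tag, line, "HKLM default page forced to about:blank (about:blank hijack pattern)"))
        elif tag == "R3" and "missing" in line.lower():
            findings.append(_finding(tag, line, "default URLSearchHook removed; HijackThis restores it on fix"))
        elif tag == "O2":
            path = line.split(" - ")[-1].strip()
            if _in_windows_dir(path):
                findings.append(_finding(tag, line, "BHO DLL dropped into the Windows directory instead of Program Files", path))
        elif tag == "O4":
            m = re.match(r"O4 - \S+: \[[^\]]*\] (.*)", line)
            if not m:
                continue  # Global Startup .lnk entries are not parsed here
            exe = _exe_from_value(m.group(1))
            stem = exe.rsplit("\\", 1)[-1].lower()
            if stem == "iexplore.exe":  # legitimate binary, so no file path is recorded for deletion
                findings.append(_finding(tag, line, "browser launched from a Run key at every logon"))
            elif _in_windows_dir(exe) and RANDOM_NAME.fullmatch(stem):
                findings.append(_finding(tag, line, "random-looking executable in the Windows directory set to autostart", exe))
        elif tag == "O16":
            host = urlparse(line.split(" - ")[-1].strip()).hostname or ""
            if not _trusted_host(host):
                findings.append(_finding(tag, line, "ActiveX download (DPF) from untrusted host " + host))
        elif tag == "O23" and ("(file missing)" in line or "Unknown owner" in line):
            path = line.split(" - ")[-1].replace("(file missing)", "").strip()
            findings.append(_finding(tag, line, "service with unknown owner or missing binary", path))
    return findings


def files_to_delete(findings):
    """Distinct on-disk artefacts referenced by the flagged entries, for the Safe Mode cleanup."""
    return sorted({f["path"] for f in findings if f["path"]}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print("\nLocate and delete in Safe Mode:\n" + "\n".join(files_to_delete(found)))
```

On the poster's full log this flags the same ten classes of entry the reply lists and leaves Symantec, Adobe, Hewlett-Packard and ctfmon.exe alone; the file list it produces matches the "Locate and Delete" list above. The random-name rule is deliberately narrow (it would not catch a dropper named to mimic a real system file), which is why the reply also insists on re-scanning with HijackThis right before deleting, since this family renames its files on every reboot.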

#3 chiron674 (Topic Starter, Members, 3 posts)

Posted 30 May 2005 - 02:16 PM

Wow.

First of all, thank you for your time and help.

When I followed your instructions, the following happened:

1) I could delete some keys in the registry, but not all.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services DELETED
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services DELETED
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services DELETED

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root ACCESS DENIED
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root ACCESS DENIED
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root ACCESS DENIED

I found the Enum\Root not in ControlSet002, but in ControlSet003 (instead of ControlSet002)

In all three Control Sets in Enum\Root, the key starts with Legacy__11F (not Legacy_11F or 11F). In Services, it started with 11F.

2) ran CWShredder like instructed
3) ran AdBuster like instructed
4) ran CleanUp! like instructed

5) the iege.dll and gds.dll were easy to remove, but

regsvr32 /u cjigf.dll and regsvr32 /u C:\WINDOWS\cjigf.dll were not found.

Could locate and delete msaj.exe, iege32.dll and gds.dll, but

d3bq.exe, cjigf.dll and nthn.exe were not found.

6) in HiJackThis

the R1, R0 and R3 were gone (except for the hotmail one, which apparently is OK)

O2 - BHO: Class - {A02E347F-8BF6-310A-944E-8F4FF9AA318A} - C:\WINDOWS\system32\iege32.dll CHECKED

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds.dll NOT DISPLAYED IN HIJACKTHIS

O4 - HKLM\..\Run: [iexplore.exe] C:\Programme\Internet Explorer\iexplore.exe CHECKED

O4 - HKLM\..\Run: [msaj.exe] C:\WINDOWS\system32\msaj.exe CHECKED

O4 - HKLM\..\RunOnce: [d3bq.exe] C:\WINDOWS\system32\d3bq.exe NOT DISPLAYED IN HIJACKTHIS, BUT WHEN COMPARING FOUND THE \RunOnce FILE sysri.exe - CHECKED THAT ONE

O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab CHECKED

O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.energyfactor.com/dialer/es...ivex_300_es.exe CHECKED

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthn.exe (file missing) NOT DISPLAYED IN HIJACKTHIS

7) Ewido found some more stuff, see report
8) Panda found some more stuff, see report

When I rebooted the PC, WinXP started faster after entering my password; IE didn't open automatically; the about:blank page was gone; currently I get no warnings.

However, those registry keys with denied access do worry me. What can I do to get rid of Legacy__11F?

Please also see the following scans!

MUCH RESPECT and thank you again.

ewido security suite - Scan Report
---------------------------------------------------------

+ Infected files: 42
+ Removed files: 42
+ Quarantined files: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Packer: Yes
+ Archives: No

+ Scanned:
C:\

+ Scan result:
C:\Programme\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000264.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000314.dll -> Spyware.SearchPage -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000316.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000370.dll -> Spyware.SearchPage -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000371.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000447.dll -> Spyware.SearchPage -> Cleaned without backup
C:\RECYCLER\NPROTECT\00000448.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\RECYCLER\S-1-5-21-1275210071-920026266-1343024091-1003\Dc1.exe -> TrojanDownloader.Agent.bq -> Cleaned without backup
C:\RECYCLER\S-1-5-21-1275210071-920026266-1343024091-1003\Dc2.dll -> TrojanDownloader.Agent.bc -> Cleaned without backup
C:\RECYCLER\S-1-5-21-1275210071-920026266-1343024091-1003\Dc4.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\28229471.exe -> Dialer.Generic -> Cleaned without backup
C:\WINDOWS\addew32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\addgq32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\apppg32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\atlgb.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\crit.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\crrx.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\cruq32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\Downloaded Program Files\gvx103atsm_adult.exe -> Dialer.Generic -> Cleaned without backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar -> Cleaned without backup
C:\WINDOWS\mfcyc32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\mspo32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\nethk32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\sdkcd32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\addko32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\addts32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\appik32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\d3ch.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\d3kn.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\EGDHTML_1030.dll -> Dialer.Generic -> Cleaned without backup
C:\WINDOWS\system32\mfcce32.dll -> TrojanDownloader.Agent.bc -> Cleaned without backup
C:\WINDOWS\system32\mfcgi32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\mfcxf.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\ntcj32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\nteh.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\ntro.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\P2ECOM.dll -> Trojan.P2E.r -> Cleaned without backup
C:\WINDOWS\system32\preload.ocx -> TrojanDownloader.Dyfuca.w -> Cleaned without backup
C:\WINDOWS\system32\sdkiu.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\system32\sysaz32.exe -> Trojan.Agent.bi -> Cleaned without backup
C:\WINDOWS\winzg.exe -> Trojan.Agent.bi -> Cleaned without backup


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 19:53:55, on 30.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Dokumente und Einstellungen\g\Desktop\Bleeping Computer\security suite\ewidoctrl.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton Utilities\NPROTECT.EXE
C:\Programme\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programme\ahead\InCD\InCD.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Programme\Plextor\PlexTool.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\Programme\Messenger\msmsgs.exe
C:\DOKUME~1\g\LOKALE~1\Temp\Rar$EX09.340\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Programme\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PlexTools.lnk = C:\Programme\Plextor\PlexTool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096154028272
O17 - HKLM\System\CCS\Services\Tcpip\..\{644BC4AB-10D3-425B-8E86-C0BC4BEFD649}: NameServer = 195.34.133.10,195.34.133.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{644BC4AB-10D3-425B-8E86-C0BC4BEFD649}: NameServer = 195.34.133.10,195.34.133.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programme\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Dokumente und Einstellungen\g\Desktop\Bleeping Computer\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programme\Speed Disk\nopdb.exe



Panda:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Only sex website.url
Adware:Adware/ILookup No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Messenger links
Adware:Adware/SideStep No disinfected C:\Dokumente und Einstellungen\g\Startmenü\Programme\SideStep
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Ab scissor.url
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\g\.jpi_cache\jar\1.0\counter.jar-22500802-618021a4.zip[counter.class]
Adware:Adware/SideStep No disinfected C:\Dokumente und Einstellungen\g\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\SideStep.lnk
Adware:Adware/SearchAid No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Search the web.url
Adware:Adware/SearchAid No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Seven days of free porn.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Dokumente und Einstellungen\g\Favoriten\Sites about\What is hydrocodone.url
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.inf
Adware:Adware/ILookup No disinfected C:\WINDOWS\system32\windec32.dll

Edited by chiron674, 30 May 2005 - 02:26 PM.


#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 30 May 2005 - 02:25 PM

Wow, I need to learn German Quick!!!!

Looks like Ewido did a fantastic job!!!

Please Identify all entries flagged by Panda and Delete them!

I wouldn't even attempt to work my way through that but I assume Ewido says Cleaned with BackUp and anything Panda didn't disinfect needs to be deleted!!

Fair Enough?? :thumbsup:

Post a Fresh HijackThis Log and I will work up a Reg Search for ya to use!

#5 chiron674

chiron674
  • Topic Starter

  • Members
  • 3 posts

Posted 30 May 2005 - 04:03 PM

If you want to learn German, I can help you out :thumbsup:

Ewido says Cleaned without backup. It stopped at every single item, and I unchecked the save backup box because I really don't want to keep backups of viruses. (Who knows what crawls out of a backup?) Hope that's ok.

There are 5 files that Panda found that can't be deleted because I can't find them. The SideStep ones are from about a year ago, I didn't even know I got them, it was another task bar thing I once had but removed. So please tell me what to do with those and the two files in the Registry.

The current Panda scan:

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe???.???
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.inf



And the fresh HijackThis scan is:

Logfile of HijackThis v1.99.1
Scan saved at 23:01:31, on 30.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Dokumente und Einstellungen\g\Desktop\Bleeping Computer\security suite\ewidoctrl.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton Utilities\NPROTECT.EXE
C:\Programme\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programme\ahead\InCD\InCD.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Programme\Plextor\PlexTool.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllcache\notepad.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\g\LOKALE~1\Temp\Rar$EX00.349\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Programme\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PlexTools.lnk = C:\Programme\Plextor\PlexTool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096154028272
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{644BC4AB-10D3-425B-8E86-C0BC4BEFD649}: NameServer = 195.34.133.10,195.34.133.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{644BC4AB-10D3-425B-8E86-C0BC4BEFD649}: NameServer = 195.34.133.10,195.34.133.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programme\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Dokumente und Einstellungen\g\Desktop\Bleeping Computer\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Programme\Speed Disk\nopdb.exe


Thank you!
Rock on.

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 30 May 2005 - 05:07 PM

That Downloaded Program Files Folder has always been a Pain!!!

Look in Add\Remove Programs and see if Side Step exists....if so remove it!

Make sure Windows is Showing Hidden Files and look in C:\WINDOWS\Downloaded Program Files

Tell me what you see there?

Generate a HijackThis StartUp log...That may shed some light on things!!

Open HijackThis,Select Config(Bottom Right)>>>Select Misc Tools>>> Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to post the entire contents of that page to the next post!

After you do that

Click Start>>Click Run>>Type in cmd and Click OK!

At the Command Prompt Window type in

cd\ and hit Enter

type in

del "C:\WINDOWS\Downloaded Program Files\SbCIe026.dll">>> Hit Enter

type in

del "C:\WINDOWS\Downloaded Program Files\SbCIe026.inf">>> Hit Enter

Close Command Prompt!

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Install these 2

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update Immediately!

IE Spyad:
http://www.bleepingcomputer.com/forums/ind...showtutorial=53
There is a direct download inside and great tutorial also!

Get Windows Updated
http://windowsupdate.microsoft.com/



Tighten Internet Explorer's Security Settings

1. Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft. Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

2. Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

So how did I get infected in the first place?
http://forums.net-integration.net/index.php?showtopic=3051

Let's have a look at that StartUp log and see what it shows!!!

I expect that PC is acting a lot more respectful now????
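The folder check and file deletion from the post above, done from PowerShell instead of cmd.exe so the path with spaces is passed as a single argument. This is an added example and not code from the thread; the file names are the ones Panda reported, the registry paths are the standard Windows locations for Add/Remove Programs entries and IE-installed ActiveX controls, and it is assumed to run from an Administrator account.

```powershell
# Added example, not from the thread: look at what is really in the
# Downloaded Program Files folder, check whether SideStep is still
# registered, then delete the two files Panda flagged.
# File names come from the Panda report; registry paths are the standard
# Windows locations; run as an Administrator.
$dpf   = 'C:\WINDOWS\Downloaded Program Files'
$files = @("$dpf\SbCIe026.dll", "$dpf\SbCIe026.inf")

# 1. Folder contents. -Force lists hidden/system entries, the same thing
#    "Show hidden files" does in Explorer.
Write-Host "Contents of ${dpf}:"
Get-ChildItem -LiteralPath $dpf -Force |
    Select-Object Name, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize

# 2. Add/Remove Programs entries are subkeys here; match on DisplayName.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninst | ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -like '*SideStep*' } |
    ForEach-Object {
        Write-Host "Add/Remove entry: $($_.DisplayName) -> $($_.UninstallString)"
    }

# 3. ActiveX controls installed through IE are recorded in the Code Store
#    Database; a leftover entry keeps the control listed as installed.
$csd = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
Get-ChildItem $csd -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath | Out-String
    if ($props -match 'SbCIe') { Write-Host "Code Store entry: $($_.Name)" }
}

# 4. Delete the flagged files. -LiteralPath takes the whole path, spaces
#    included, as one argument, so there is no quoting problem as with an
#    unquoted cmd.exe 'del'.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Force
        Write-Host "Deleted: $f"
    } else {
        Write-Host "Not present: $f"
    }
}
```

If step 3 prints a Code Store entry for the control, remove it through the Downloaded Program Files folder in Explorer (right-click, Remove) rather than deleting the key by hand, so IE's own bookkeeping stays consistent.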

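The Internet-zone ActiveX settings from step 2 of the post, applied from PowerShell with before/after values shown so the change can be verified. This is an added example, not something from the thread; it assumes the documented IE zone value names (1001, 1004 and 1201 under Zone 3, the Internet zone) and writes the per-user copy under HKCU.

```powershell
# Added example, not from the thread: set the three Internet-zone ActiveX
# options the post describes via the registry and show what changed.
# Zone 3 = Internet zone. Value names are the IE URL-action codes;
# 0 = Enable, 1 = Prompt, 3 = Disable. Assumes per-user settings (HKCU).
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$wanted = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls                          -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls                        -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Show-ZoneSetting($name) {
    $cur = (Get-ItemProperty -Path $zone -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $cur) { 'not set (IE default applies)' }
    else { "$cur ($($label[[int]$cur]))" }
}

foreach ($name in $wanted.Keys) {
    $before = Show-ZoneSetting $name
    Set-ItemProperty -Path $zone -Name $name -Value $wanted[$name] -Type DWord
    Write-Host ("{0}: {1} -> {2}" -f $name, $before, (Show-ZoneSetting $name))
}
```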