Help!


  • This topic is locked
7 replies to this topic

#1 N519AT

N519AT

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 13 June 2005 - 11:15 AM

I've been browsing these forums for a couple of days now looking for a solution, but I can't seem to find it. Any help would be greatly appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 12:14:46 PM, on 6/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wwSecure.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\crlv32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\ntqk32.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Dan\Desktop\Desktop\Misc\grabber2k.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Dan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {CAC3BD88-2C00-5674-427F-7FFB1F860343} - C:\WINDOWS\addgq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [sdkwj.exe] C:\WINDOWS\sdkwj.exe
O4 - HKLM\..\Run: [addoc.exe] C:\WINDOWS\addoc.exe
O4 - HKLM\..\Run: [sdkgz32.exe] C:\WINDOWS\sdkgz32.exe
O4 - HKLM\..\Run: [ntqk32.exe] C:\WINDOWS\ntqk32.exe
O4 - HKLM\..\RunOnce: [crlv32.exe] C:\WINDOWS\crlv32.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Grabber2k] C:\Documents and Settings\Dan\Desktop\Desktop\Misc\grabber2k.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {770E6087-743B-4454-95D4-EA4FEE7C2187} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {770E6087-743B-4454-95D4-EA4FEE7C2187} - (no file) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.07.02&unknown&unknown&http://aolexpressions.aol.com/testdrive.adp?clientId=2&langCode=&expTypeId=1&catId=&subcatId=&search=superbuddy&skip=217&expId=4436
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/Hotbar/programs/Hotbar.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3ft32.exe"  /s (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe



#2 N519AT

N519AT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 13 June 2005 - 10:13 PM

bump? Anyone?

#3 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:49 PM

Posted 14 June 2005 - 01:37 PM

Do you still need help? If you do, please post a fresh HJT log.

#4 N519AT

N519AT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 15 June 2005 - 07:04 AM

Yes, I still need help

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PeerGuardian2\pg2.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Dan\Desktop\Desktop\Misc\grabber2k.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Dan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vmwsz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vmwsz.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qbzfw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qbzfw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qbzfw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qbzfw.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {75ABCEA0-563C-8B9C-F538-83FF7C428B05} - C:\WINDOWS\system32\ipvq.dll
O2 - BHO: Class - {FD452CF8-EDCD-D7BA-05A1-83F0CCF1AE4F} - C:\WINDOWS\d3cw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [sdkwj.exe] C:\WINDOWS\sdkwj.exe
O4 - HKLM\..\Run: [addoc.exe] C:\WINDOWS\addoc.exe
O4 - HKLM\..\Run: [sdkgz32.exe] C:\WINDOWS\sdkgz32.exe
O4 - HKLM\..\Run: [ntqk32.exe] C:\WINDOWS\ntqk32.exe
O4 - HKLM\..\RunOnce: [crlv32.exe] C:\WINDOWS\crlv32.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Grabber2k] C:\Documents and Settings\Dan\Desktop\Desktop\Misc\grabber2k.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {770E6087-743B-4454-95D4-EA4FEE7C2187} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {770E6087-743B-4454-95D4-EA4FEE7C2187} - (no file) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...=217&expId=4436
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/Hotbar...rams/Hotbar.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3ft32.exe" /s (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

Thanks!

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:49 PM

Posted 15 June 2005 - 08:28 AM

This is a lengthy fix.

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Printer Icon in the upper LH corner next to the Post Reply button)


Please continue with the next step if you run into a problem with the current one. Just be sure to let me know if any problems occurred for each step when you reply.

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/


STEP 2:
Please download CWShredder Version 2.1 here. http://cwshredder.net/bin/CWShredder.exe

Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster from RubbeR DuckY here
http://www.malwarebytes.biz/AboutBuster5.zip



Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.

Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.

NOTE: You might want to view this AboutBuster tutorial here http://www.besttechie.net/forums/index.php?showtopic=1488 first before running the tool.

Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here.
Please configure the program by following these instructions here. http://www.bleepingcomputer.com/tutorials/use-ad-aware-2007-to-remove-spyware/

Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
http://www.spywareinfo.dk/download/mwav.exe

Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite 3.0

NOTE: The Ewido Security Suite 3.0 utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite 3.0 are: Windows 2000 or Windows XP.

1.) Download and install the Ewido Security Suite 3.0 here
http://download.ewido.net/ewido-setup.exe

2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.

STEP 7:

You must first STOP and DISABLE the rogue Service:

There are different Display Names to look for:

Workstation NetLogon Service
Remote Procedure Call (RPC) Helper
Remote Access Service
Network Security Service (NSS)


Go to Start => Run and type "Services.msc" (without quotes) then click Ok.

1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

STEP 8:
Copy the contents of the Quote Box below to Notepad. Name the file cwsresfix.reg.
Change the Save as Type to All Files, Save this file on the desktop.
Please DO NOT include the word QUOTE when saving the file.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F?? #????`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]





STEP 9:
Please reboot into Safe Mode. For instructions click here
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).

STEP 10:
From Safe Mode, double-click on CWShredder.exe to open it and click the 'Fix->' button (not 'Scan Only'). You'll be prompted that CWShredder will shut down any Internet Explorer and Windows Media Player windows; click OK to continue and let it run completely to delete anything it finds.
After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe.
1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK.
It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.

STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop.
A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK.
After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears.
In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive.
eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed.
To close the interface, click OK, click Exit, then click Exit again.

STEP 13:
From Safe Mode, run the Ewido Security Suite 3.0.

1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.

STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.

Run the program again a second time.

STEP 15:
From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes; this will clear some registry entries left behind by the process.
Now reboot the PC back into Normal Mode (Windows).

STEP 16:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file.
Make sure you always perform a Windows search for these files after the cleanup.

Go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows XP, it will be found here:

C:\Windows\System32
C:\Windows\System


Now look for the control.exe file.
For Windows XP it will be found here:

C:\Windows\System32

If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.

For Windows XP, a replacement can be found here:

C:\Windows\System32\dllcache

Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded. They can be downloaded from here. http://www.spywareinfo.com/~merijn/winfiles.html

Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.

Please post your HijackThis log, the About:Buster log, and the Ewido log for review.

Be sure to tell me how each step ran or what problems you had with a step.
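An added example, not part of this thread and not HijackThis, CWShredder or BleepingComputer code: a small Python triage script that turns the indicators groovicus's fix targets (the res:// search hijack, the unnamed BHO, the random-named EXEs in C:\WINDOWS, and the rogue service display names from STEP 7) into rules run over an HJT log. The heuristics are this editor's reading of the thread, and the embedded sample is a constructed subset of the first log above.

```python
"""Triage a HijackThis log for the CoolWebSearch-style indicators seen in this
thread.  Added example for this page, not vendor or forum code; the rules are
hypothetical heuristics derived from what the helper flags, not a signature set."""
import re

# Display names the STEP 7 instructions list for the rogue service.
ROGUE_SERVICE_NAMES = (
    "Workstation NetLogon Service",
    "Remote Procedure Call (RPC) Helper",
    "Remote Access Service",
    "Network Security Service (NSS)",
)

# R0/R1: IE search settings pointing at an sp.html resource inside a DLL
# dropped in the Windows directory (the about:blank / res:// hijack).
RES_HIJACK = re.compile(r"=\s*res://C:\\WINDOWS\\(?:system32\\)?\w+\.dll/sp\.html", re.I)
# O4: autorun whose value name is just the file name, for an EXE in C:\WINDOWS itself.
WINROOT_RUN = re.compile(r"Run(?:Once)?: \[(\w+\.exe)\] C:\\WINDOWS\\\1$", re.I)
# O2: a BHO registered with no descriptive class name, loaded from C:\WINDOWS.
ANON_BHO = re.compile(r"O2 - BHO: Class - \{[0-9A-F-]+\} - C:\\WINDOWS\\(?:system32\\)?\w+\.dll$", re.I)


def triage(log_text):
    """Return a list of (section, reason, line) for each HJT entry matching a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        head = re.match(r"(R[0-3]|O\d+) - ", line)
        if not head:
            continue  # header lines and the running-process list are skipped
        section = head.group(1)
        if section in ("R0", "R1") and RES_HIJACK.search(line):
            findings.append((section, "res:// search hijack", line))
        elif section == "R3" and "URLSearchHook is missing" in line:
            findings.append((section, "default URLSearchHook removed", line))
        elif section == "O2" and ANON_BHO.search(line):
            findings.append((section, "unnamed BHO in Windows directory", line))
        elif section == "O4" and WINROOT_RUN.search(line):
            findings.append((section, "autorun EXE in Windows root", line))
        elif section == "O23":
            hits = [n for n in ROGUE_SERVICE_NAMES if line.startswith("O23 - Service: " + n)]
            if "(file missing)" in line:
                hits.append("file missing")
            # "Unknown owner" alone is not reported: the legitimate McShield
            # service in the log shows it too, so it only counts with a stronger hit.
            if hits:
                findings.append((section, "rogue service: " + ", ".join(hits), line))
    return findings


# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\grwfn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {CAC3BD88-2C00-5674-427F-7FFB1F860343} - C:\WINDOWS\addgq.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sdkwj.exe] C:\WINDOWS\sdkwj.exe
O4 - HKLM\..\RunOnce: [crlv32.exe] C:\WINDOWS\crlv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3ft32.exe"  /s (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample this reports six entries and leaves the Acrobat BHO, iTunes, ctfmon and McShield lines alone; a real log should still be read by a person, since the rules only encode this thread's variant.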

#6 N519AT

N519AT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 June 2005 - 10:52 PM

About Buster:

AboutBuster 5.0 reference file 30
Scan started on [6/16/2005] at [1:28:58 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\asrc.ini:jjjbvp
Removed Stream! C:\WINDOWS\bootstat.dat:bkugxr
Removed Stream! C:\WINDOWS\chipset.log:tlmurc
Removed Stream! C:\WINDOWS\comsetup.log:fiserb
Removed Stream! C:\WINDOWS\comsetup.log:nswbuw
Removed Stream! C:\WINDOWS\comsetup.log:tzlviq
Removed Stream! C:\WINDOWS\cswwp.log:bhhwev
Removed Stream! C:\WINDOWS\ctpdusb2.uns:madbcb
Removed Stream! C:\WINDOWS\d3dx.dat:kbwymb
Removed Stream! C:\WINDOWS\d3dx.dat:oisqwo
Removed Stream! C:\WINDOWS\desktop.ini:qtztqj
Removed Stream! C:\WINDOWS\DirectX.log:cupegl
Removed Stream! C:\WINDOWS\DJBDRV.LOG:pguecy
Removed Stream! C:\WINDOWS\DtcInstall.log:likpai
Removed Stream! C:\WINDOWS\EPSC82.ini:bzfqkk
Removed Stream! C:\WINDOWS\EPSTPLOG.BAK:qhmfdf
Removed Stream! C:\WINDOWS\eyvlj.log:uvvrpg
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:gpwvz
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:secrpl
Removed Stream! C:\WINDOWS\hqbyr.dat:xpqpfe
Removed Stream! C:\WINDOWS\iis6.log:kevxrv
Removed Stream! C:\WINDOWS\imsins.BAK:pqjuao
Removed Stream! C:\WINDOWS\jusyt.dat:gjszry
Removed Stream! C:\WINDOWS\KB887472.log:jvtqlb
Removed Stream! C:\WINDOWS\KB887472.log:uphpns
Removed Stream! C:\WINDOWS\Klmamsqo.ini:mogbjh
Removed Stream! C:\WINDOWS\lvld67.lic:bnznqn
Removed Stream! C:\WINDOWS\madbc.log:fgzpdr
Removed Stream! C:\WINDOWS\Mozilla Wallpaper.bmp:ndeols
Removed Stream! C:\WINDOWS\mozver.dat:blrpiu
Removed Stream! C:\WINDOWS\msdfmap.ini:awrcfh
Removed Stream! C:\WINDOWS\msgsocm.log:fewufc
Removed Stream! C:\WINDOWS\NeroDigital.ini:abpges
Removed Stream! C:\WINDOWS\NeroDigital.ini:cuhtwm
Removed Stream! C:\WINDOWS\NeroDigital.ini:fxpocy
Removed Stream! C:\WINDOWS\NeroDigital.ini:mmjucf
Removed Stream! C:\WINDOWS\NeroDigital.ini:uqmybg
Removed Stream! C:\WINDOWS\nsreg.dat:sxkihs
Removed Stream! C:\WINDOWS\ntbtlog.txt:fyhruw
Removed Stream! C:\WINDOWS\ntbtlog.txt:yfhzhn
Removed Stream! C:\WINDOWS\ntdtcsetup.log:jeavsd
Removed Stream! C:\WINDOWS\ntdtcsetup.log:xijft
Removed Stream! C:\WINDOWS\ocmsn.log:lqcvbu
Removed Stream! C:\WINDOWS\ODBC.INI:bfsano
Removed Stream! C:\WINDOWS\ODBCINST.INI:fspjxs
Removed Stream! C:\WINDOWS\ODBCINST.INI:pqazyt
Removed Stream! C:\WINDOWS\OEWABLog.txt:drnadf
Removed Stream! C:\WINDOWS\popcinfo.dat:irkeav
Removed Stream! C:\WINDOWS\popcinfo.dat:ptiord
Removed Stream! C:\WINDOWS\PowerReg.dat:ijmyq
Removed Stream! C:\WINDOWS\River Sumida.bmp:vmelko
Removed Stream! C:\WINDOWS\RSoftInfo.dat:nmugnc
Removed Stream! C:\WINDOWS\SchedLgU.Txt:jqypm
Removed Stream! C:\WINDOWS\sessmgr.setup.log:bbcmqm
Removed Stream! C:\WINDOWS\setupapi.log:dazqez
Removed Stream! C:\WINDOWS\setupapi.log:hxxitm
Removed Stream! C:\WINDOWS\setuperr.log:bwhyvl
Removed Stream! C:\WINDOWS\setuperr.log:zgajbl
Removed Stream! C:\WINDOWS\setuplog.txt:qrnooq
Removed Stream! C:\WINDOWS\Sti_Trace.log:obkjam
Removed Stream! C:\WINDOWS\tcoen.log:bsqhkd
Removed Stream! C:\WINDOWS\tcoen.log:hccodw
Removed Stream! C:\WINDOWS\vb.ini:ytqvfc
Removed Stream! C:\WINDOWS\vbaddin.ini:aqklv
Removed Stream! C:\WINDOWS\vvhri.log:eubszy
Removed Stream! C:\WINDOWS\wiaservc.log:quijhm
Removed Stream! C:\WINDOWS\winamp(2).ini:osiqoj
Removed Stream! C:\WINDOWS\winamp(2).ini:xvmfbi
Removed Stream! C:\WINDOWS\winamp(2).ini:yorkdi
Removed Stream! C:\WINDOWS\Windows Update.log:exhlmg
Removed Stream! C:\WINDOWS\wininit.ini:jpudac
Removed Stream! C:\WINDOWS\winnt.bmp:bwyivz
Removed Stream! C:\WINDOWS\winnt.bmp:hzsdjb
Removed Stream! C:\WINDOWS\wmsetup.log:cqniuf
Removed Stream! C:\WINDOWS\WMSysPr9.prx:zzdjdd
Removed Stream! C:\WINDOWS\yacs.log:epkbsm
Removed Stream! C:\WINDOWS\yqpiu.log:hqbyrz
Removed Stream! C:\WINDOWS\yqpiu.log:wqugmx
Removed Stream! C:\WINDOWS\ytqvf.dat:ynfmga
Removed Stream! C:\WINDOWS\Zapotec.bmp:frzkme
Removed Stream! C:\WINDOWS\zgajb.dat:tckbkt
Removed Stream! C:\WINDOWS\_default(2).pif:arldtc
Removed Stream! C:\WINDOWS\_default(2).pif:zxbmk
Removed Stream! C:\WINDOWS\_default.pif:abqbtv
Removed Stream! C:\WINDOWS\_default.pif:alsilg
Removed Stream! C:\WINDOWS\_default.pif:bjmeby
Removed Stream! C:\WINDOWS\_default.pif:bosdft
Removed Stream! C:\WINDOWS\_default.pif:crbpqz
Removed Stream! C:\WINDOWS\_default.pif:dldqkc
Removed Stream! C:\WINDOWS\_default.pif:eeenfn
Removed Stream! C:\WINDOWS\_default.pif:eeriwn
Removed Stream! C:\WINDOWS\_default.pif:expxh
Removed Stream! C:\WINDOWS\_default.pif:exubhg
Removed Stream! C:\WINDOWS\_default.pif:fqynwu
------------------------------------------------
Removed File! : C:\Windows\addgq.dll
Removed File! : C:\Windows\apire.exe
Removed File! : C:\Windows\apiuc.dll
Removed File! : C:\Windows\appzf.exe
Removed File! : C:\Windows\atlwm32.dll
Removed File! : C:\Windows\atlyo.dll
Removed File! : C:\Windows\cgfzf.dll
Removed File! : C:\Windows\crbs.dll
Removed File! : C:\Windows\crek32.exe
Removed File! : C:\Windows\crlv32.exe
Removed File! : C:\Windows\czzty.dll
Removed File! : C:\Windows\d3cw32.dll
Removed File! : C:\Windows\d3fl32.dll
Removed File! : C:\Windows\d3tw.exe
Removed File! : C:\Windows\dhrit.dll
Removed File! : C:\Windows\fgzbq.dll
Removed File! : C:\Windows\hfyxt.dll
Removed File! : C:\Windows\hgaxk.dat
Removed File! : C:\Windows\hqbyr.dat
Removed File! : C:\Windows\iczze.dll
Removed File! : C:\Windows\iebf.exe
Removed File! : C:\Windows\iecq.dll
Removed File! : C:\Windows\iejj.dll
Removed File! : C:\Windows\iepc32.dll
Removed File! : C:\Windows\ieqz.exe
Removed File! : C:\Windows\ipgn.exe
Removed File! : C:\Windows\ipop32.exe
Removed File! : C:\Windows\javaes32.exe
Removed File! : C:\Windows\javajh.exe
Removed File! : C:\Windows\jeavs.dat
Removed File! : C:\Windows\jxwbh.dll
Removed File! : C:\Windows\kbwym.dat
Removed File! : C:\Windows\kvsgs.dll
Removed File! : C:\Windows\lqcvb.dat
Removed File! : C:\Windows\mfcxs32.dll
Removed File! : C:\Windows\msbv.exe
Removed File! : C:\Windows\msck.exe
Removed File! : C:\Windows\msfn32.exe
Removed File! : C:\Windows\msir32.exe
Removed File! : C:\Windows\msll.dll
Removed File! : C:\Windows\msoi.exe
Removed File! : C:\Windows\netaa32.exe
Removed File! : C:\Windows\netlm32.dll
Removed File! : C:\Windows\netls32.exe
Removed File! : C:\Windows\nttv.dll
Removed File! : C:\Windows\qbzfw.dll
Removed File! : C:\Windows\sdkdm.exe
Removed File! : C:\Windows\sdkgz32.exe
Removed File! : C:\Windows\sqhkd.dll
Removed File! : C:\Windows\sunpv.dll
Removed File! : C:\Windows\sysfb32.dll
Removed File! : C:\Windows\sysmh.exe
Removed File! : C:\Windows\tqjgx.dll
Removed File! : C:\Windows\utjkv.dll
Removed File! : C:\Windows\vmwsz.dll
Removed File! : C:\Windows\vszaf.dll
Removed File! : C:\Windows\vvrpg.dll
Removed File! : C:\Windows\winob.exe
Removed File! : C:\Windows\wswcy.dll
Removed File! : C:\Windows\ytqvf.dat
Removed File! : C:\Windows\zsqpn.dll
Removed File! : C:\Windows\System32\abpge.dat
Removed File! : C:\Windows\System32\addbi32.exe
Removed File! : C:\Windows\System32\apild32.dll
Removed File! : C:\Windows\System32\apiuh.dll
Removed File! : C:\Windows\System32\appdi.dll
Removed File! : C:\Windows\System32\apphn32.exe
Removed File! : C:\Windows\System32\appov32.exe
Removed File! : C:\Windows\System32\appuj32.exe
Removed File! : C:\Windows\System32\atlfj32.exe
Removed File! : C:\Windows\System32\atloe.exe
Removed File! : C:\Windows\System32\atlvi.exe
Removed File! : C:\Windows\System32\bqiul.dat
Removed File! : C:\Windows\System32\bvken.dat
Removed File! : C:\Windows\System32\d3bi32.dll
Removed File! : C:\Windows\System32\d3do.exe
Removed File! : C:\Windows\System32\d3ds.exe
Removed File! : C:\Windows\System32\deouh.dat
Removed File! : C:\Windows\System32\eeenf.dat
Removed File! : C:\Windows\System32\eoowc.dat
Removed File! : C:\Windows\System32\erhei.dll
Removed File! : C:\Windows\System32\ggrtj.dat
Removed File! : C:\Windows\System32\grwfn.dll
Removed File! : C:\Windows\System32\gtbdq.dat
Removed File! : C:\Windows\System32\gtcem.dll
Removed File! : C:\Windows\System32\iebr32.exe
Removed File! : C:\Windows\System32\iegw.dll
Removed File! : C:\Windows\System32\ieim32.dll
Removed File! : C:\Windows\System32\iemj.exe
Removed File! : C:\Windows\System32\ieth.dll
Removed File! : C:\Windows\System32\iezr32.dll
Removed File! : C:\Windows\System32\ipkv32.dll
Removed File! : C:\Windows\System32\ipsg.dll
Removed File! : C:\Windows\System32\ipvq.dll
Removed File! : C:\Windows\System32\javaeg.dll
Removed File! : C:\Windows\System32\javajp.dll
Removed File! : C:\Windows\System32\javala.exe
Removed File! : C:\Windows\System32\javalc32.dll
Removed File! : C:\Windows\System32\javatd32.exe
Removed File! : C:\Windows\System32\jwhri.dll
Removed File! : C:\Windows\System32\knoum.dll
Removed File! : C:\Windows\System32\lpbjz.dll
Removed File! : C:\Windows\System32\mbtdt.dll
Removed File! : C:\Windows\System32\mfcbe.exe
Removed File! : C:\Windows\System32\mfcce.dll
Removed File! : C:\Windows\System32\mfctg.dll
Removed File! : C:\Windows\System32\mfczq.exe
Removed File! : C:\Windows\System32\mnnfm.dll
Removed File! : C:\Windows\System32\mskr32.exe
Removed File! : C:\Windows\System32\msnp.exe
Removed File! : C:\Windows\System32\msyf.dll
Removed File! : C:\Windows\System32\ntpu.exe
Removed File! : C:\Windows\System32\ntqm.dll
Removed File! : C:\Windows\System32\ntrw32.dll
Removed File! : C:\Windows\System32\ntuk.exe
Removed File! : C:\Windows\System32\onpqe.dat
Removed File! : C:\Windows\System32\pwgzi.dll
Removed File! : C:\Windows\System32\qamwh.dat
Removed File! : C:\Windows\System32\sdkmf32.exe
Removed File! : C:\Windows\System32\syshh32.dll
Removed File! : C:\Windows\System32\sysnp32.exe
Removed File! : C:\Windows\System32\sysvz32.exe
Removed File! : C:\Windows\System32\sysyd32.exe
Removed File! : C:\Windows\System32\tmshc.dat
Removed File! : C:\Windows\System32\wezxj.dll
Removed File! : C:\Windows\System32\winpn.dll
Removed File! : C:\Windows\System32\winpw32.exe
Removed File! : C:\Windows\System32\winqd.dll
Removed File! : C:\Windows\System32\winzf.dll
Removed File! : C:\Windows\System32\yatop.dat
Removed File! : C:\Windows\System32\yssez.dll
Removed File! : C:\Windows\System32\zoyll.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:29:48 PM

HijackThis after all scans:

Logfile of HijackThis v1.99.1
Scan saved at 11:47:56 PM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Dan\Desktop\Desktop\Misc\grabber2k.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Grabber2k] C:\Documents and Settings\Dan\Desktop\Desktop\Misc\grabber2k.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {770E6087-743B-4454-95D4-EA4FEE7C2187} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {770E6087-743B-4454-95D4-EA4FEE7C2187} - (no file) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.07.02&unknown&unknown&http://aolexpressions.aol.com/testdrive.adp?clientId=2&langCode=&expTypeId=1&catId=&subcatId=&search=superbuddy&skip=217&expId=4436
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe


#7 groovicus

  • Security Colleague
  • 9,963 posts
  • Location:Centerville, SD

Posted 17 June 2005 - 08:01 AM

Fix the following with HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing

Are there any other things happening that you still need help with? The CWS infection is gone. :thumbsup:

#8 N519AT

  • Topic Starter
  • Members
  • 8 posts

Posted 18 June 2005 - 11:46 AM

> Fix the following with HJT:
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
> R3 - Default URLSearchHook is missing
>
> Are there any other things happening that you still need help with? The CWS infection is gone. :thumbsup:

Nope, thanks for the help guys!

KICK ASS job! :flowers: :trumpet: