
Need Spyware Removal Help


  • This topic is locked
3 replies to this topic

#1 stoplying


Posted 04 August 2005 - 04:02 PM

Thanks in advance for any help

My work PC, a Compaq Evo, has been pretty badly infected with some spyware. A co-worker has used this board and highly recommends it, so I come here in search of help.
I've tried using SpyBot, tried cleaning my registry and I'm still having serious issues.

(additional info)
At my desk, I have a PC and a G5. I'm not able to open any browser on the PC due to the spyware errors I'm receiving, so I'm on my Mac now and all info I receive on this board will have to be downloaded to the Mac and transferred to my PC.

I already downloaded the HijackThis tool and I have my log file, which is below.

Logfile of HijackThis v1.99.1
Scan saved at 4:36:48 PM, on 8/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\wpvvzh.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kworld.kpmg.com/usearch/USearch.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kworld.kpmg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kworld.kpmg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://llpins.us.kworld.kpmg.com/llp/kpmg_ie55.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://kpmgproxy.com/kpmgproxy.pac:80
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KPMG Profile Manager] C:\Program Files\KPMG\Global Desktop\Utilities\kpmg profile manager.exe
O4 - HKLM\..\Run: [SSv2] C:\Program Files\KPMG\Global Desktop\Utilities\SSService.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [BlackICE] C:\Program Files\KPMG\Global Desktop\Utilities\Install BlackICE.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LiveUpdate Check] C:\Program Files\navnt\vpdn_lu.exe /s
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\KPMGES~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSClient Smart Tunnel] C:\Program Files\KPMG\Global Desktop\Utilities\Smart Tunnel.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [CABC] D:\Content Download\731439\Program\backWeb-731439.exe -startup
O4 - HKLM\..\Run: [Digital Distribution] "D:\Content Download\731439\Program\Digital Distribution.exe" -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [w34Q3pO] sgsmeter.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [jghryro] C:\WINNT\system32\wpvvzh.exe r
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: KPMG eSupport Center.lnk = C:\Program Files\KPMG eSupport Center\bin\mpbtn.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\netware\nwws2nds.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.kworld.kpmg.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com
O15 - Trusted Zone: http://conf.kworld.kpmg.com
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
O15 - Trusted Zone: http://maint.kworld.kpmg.com
O15 - Trusted Zone: http://search.kworld.kpmg.com
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
O15 - Trusted Zone: http://www.kworld.kpmg.com
O15 - Trusted Zone: http://*.kpmgconsulting.com
O15 - Trusted Zone: http://*.meomweb14
O15 - Trusted Zone: http://kworld2.newsedge-web.com
O15 - Trusted Zone: http://abcv.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://conf.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://maint.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://search.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://suggestions.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://training1.us.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://www.kworld.kpmg.com (HKLM)
O15 - Trusted Zone: http://*.kpmgconsulting.com (HKLM)
O15 - Trusted Zone: http://www.kpmgtax.com (HKLM)
O15 - Trusted Zone: http://www.matrixcapitalonline.com (HKLM)
O15 - Trusted Zone: http://*.meomweb14 (HKLM)
O15 - Trusted Zone: http://kworld2.newsedge-web.com (HKLM)
O16 - DPF: TIMEnX - http://timenx.us.kworld.kpmg.com/TIMEnX.cab
O16 - DPF: TIMEnX Client Library - http://timenx.us.kworld.kpmg.com/tnxclient.cab
O16 - DPF: TIMEnX Fonts - http://timenx.us.kworld.kpmg.com/TmxFnt.cab
O16 - DPF: TIMEnX JFC Library - http://timenx.us.kworld.kpmg.com/tnxjfc.cab
O16 - DPF: TIMEnX VisiBroker Library - http://timenx.us.kworld.kpmg.com/tnxvb.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - http://gosystemrs.fasttax.com/OCX/RSLoginModule.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A02451EE00} - http://usisweb/firm/remote/wfica.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {6D59A1DF-87FB-11D4-836D-00805F6FC463} - http://usisweb.us.kworld.kpmg.com/firm/msg...13/SetupINF.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\Program Files\Navnt\NavLogon.dll
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\SGSSETUP.DLL
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Vsclient Service - Unknown owner - C:\WINNT\System32\vnxserv.exe


Mod Edit: This will be moved to a more appropriate Forum.

Edited by Scarlett, 04 August 2005 - 04:05 PM.



#2 OldTimer

Malware Expert

Posted 05 August 2005 - 10:54 AM

Hello stoplying and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Download nailfix.zip and unzip it to its own folder.

Step #3

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Navigate to the folder you unzipped nailfix.zip into and double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step #5

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Step #6

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O4 - HKLM\..\Run: [SSv2] C:\Program Files\KPMG\Global Desktop\Utilities\SSService.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [w34Q3pO] sgsmeter.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [jghryro] C:\WINNT\system32\wpvvzh.exe r
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\SGSSETUP.DLL

Unless you know what the following are for and you or the company has placed them on this computer, remove these also:
O4 - HKLM\..\Run: [CABC] D:\Content Download\731439\Program\backWeb-731439.exe -startup
O4 - HKLM\..\Run: [Digital Distribution] "D:\Content Download\731439\Program\Digital Distribution.exe" -startup

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #7

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINNT\dsr.dll
C:\Program Files\KPMG\Global Desktop\Utilities\SSService.exe
C:\WINNT\dinst.exe
C:\WINNT\System32\AUNPS2.DLL
C:\WINNT\etb\ <--folder
C:\WINNT\system32\cxtpls_loader.EXE
C:\Program Files\AutoUpdate\ <--folder
C:\WINNT\system32\wpvvzh.exe
C:\WINNT\system32\SGSSETUP.DLL
D:\Content Download\731439\Program\backWeb-731439.exe (if you fixed above)
D:\Content Download\731439\Program\Digital Distribution.exe (if you fixed above)

Now search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
sgsmeter.exe

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

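The review OldTimer did by eye on the log above can be written down as a small triage script. What follows is an added example, not code from this thread and not part of HijackThis: it parses HijackThis v1.99 entry lines and reports the same classes of entry he selected for removal (the F2 Shell= hijack that chains Nail.exe onto Explorer, binaries dropped directly under C:\WINNT or in an unexpected subfolder, Run entries with machine-generated names, IE search settings pointing off the corporate domain, and Winlogon Notify packages not on a known-good list). The SAMPLE_LOG lines are copied from the posted log; the known-good Winlogon Notify pairs, the allowed-domain list, the list of expected %WINDIR% subfolders and the naming heuristics are assumptions chosen for this example. As the output shows, these rules catch only part of what a human reviewer with a known-file database removed: SSService.exe, sgsmeter.exe and AutoUpdate.exe are not flagged.

```python
"""Triage of HijackThis v1.99 log entries.

Added example, not HijackThis code and not part of the thread. SAMPLE_LOG is
copied from the posted log; KNOWN_NOTIFY, ALLOWED_IE_DOMAINS,
EXPECTED_WINDIR_SUBDIRS and the naming heuristics are assumptions made here.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "section body")
Finding = namedtuple("Finding", "section indicator reason")

# (Winlogon Notify subkey, DLL) pairs accepted as legitimate. Anything else is
# reported for review; HijackThis itself passes no judgement on O20 entries.
KNOWN_NOTIFY = {("igfxcui", "igfxsrvc.dll"), ("navlogon", "navlogon.dll")}

# Domains this machine's IE may legitimately point at (the corporate intranet).
ALLOWED_IE_DOMAINS = ("kpmg.com",)

# %WINDIR% on this box and the subfolders that normally hold executables.
# A binary directly in the Windows root, or in an unexpected subfolder, was a
# common adware drop location in 2005 (Nail.exe, dsr.dll, etb\pokapoka62.exe).
WINDIR = r"c:\winnt"
EXPECTED_WINDIR_SUBDIRS = {"system32", "system", "web", "fonts", "inf", "help"}

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll)(?=[\s"]|$)', re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{6}")  # 'y' is treated as a vowel

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kworld.kpmg.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by KPMG
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\cxtpls_loader.EXE" /HideUninstall /HideDir
O4 - HKLM\..\Run: [jghryro] C:\WINNT\system32\wpvvzh.exe r
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\Program Files\Navnt\NavLogon.dll
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\SGSSETUP.DLL
"""


def parse(log_text):
    """Return every 'Xn - body' entry line as an Entry; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def first_path(body):
    """First drive-letter path to an .exe/.dll in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def odd_windir_location(path):
    """True for a binary directly in %WINDIR% or in a subfolder not expected to hold code."""
    p = path.lower()
    if not p.startswith(WINDIR + "\\"):
        return False
    parts = p[len(WINDIR) + 1:].split("\\")
    return len(parts) == 1 or parts[0] not in EXPECTED_WINDIR_SUBDIRS


def looks_random(name):
    """Crude check for generated names such as wpvvzh or cxtpls_loader: six or
    more letters with no vowel at all, or a run of six consonants."""
    letters = re.sub(r"[^a-z]", "", re.sub(r"\.\w+$", "", name).lower())
    if len(letters) < 6:
        return False
    return not any(c in "aeiouy" for c in letters) or bool(CONSONANT_RUN.search(letters))


def allowed_host(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_IE_DOMAINS)


def triage(entries):
    """Apply one rule per entry class and return the Findings."""
    findings = []
    for sec, body in entries:
        path = first_path(body)
        if sec == "F2" and "Shell=" in body:
            for proc in body.split("Shell=", 1)[1].split():
                if proc.lower() != "explorer.exe":
                    findings.append(Finding(sec, proc, "extra process chained onto the Winlogon shell"))
        elif sec in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if url.lower().startswith("http") and not allowed_host(host):
                findings.append(Finding(sec, host, "IE start/search setting points off the allowed domains"))
        elif sec == "O2" and path and odd_windir_location(path):
            findings.append(Finding(sec, path, "BHO loaded from an unusual %WINDIR% location"))
        elif sec == "O4":
            name = re.search(r"\[(.*?)\]", body)
            value_name = name.group(1) if name else ""
            tail = body.split("]", 1)[-1].split()
            exe = path.rsplit("\\", 1)[-1] if path else (tail[0].strip('"') if tail else "")
            if path and odd_windir_location(path):
                findings.append(Finding(sec, path, "Run entry launches from an unusual %WINDIR% location"))
            elif looks_random(value_name) or looks_random(exe):
                findings.append(Finding(sec, path or exe, "Run entry with a machine-generated looking name"))
        elif sec == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - (.*)$", body)
            if m and (m.group(1).lower(), m.group(2).rsplit("\\", 1)[-1].lower()) not in KNOWN_NOTIFY:
                findings.append(Finding(sec, m.group(2), "Winlogon Notify package not on the known-good list"))
    return findings


def triage_log(log_text):
    return triage(parse(log_text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.indicator:<45} {f.reason}")
```

Run against the sample it reports eight entries: the drsnsrch.com search hijack, Nail.exe chained onto the shell, dsr.dll and dinst.exe in the Windows root, etb\pokapoka62.exe, cxtpls_loader.EXE and wpvvzh.exe by name, and SGSSETUP.DLL as an unknown Winlogon Notify package, while the Intel and Norton entries pass. The allowlist for O20 is the honest part of the design: there is no structural property that separates a vendor logon-notify DLL from a spyware one, which is why helpers on this forum worked from known-file lists rather than from the log alone.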

#3 stoplying

Topic Starter

Posted 08 August 2005 - 10:05 AM

Thanks a lot OT, but I talked to a couple people at work here (where my infected machine is) and I was told that if I call the help desk they will upgrade me to XP. So I did call our help desk and they did upgrade me - so thanks anyway but for now my problem is solved.

Thanks for the reply, though.

#4 OldTimer

Malware Expert

Posted 08 August 2005 - 10:15 AM

You're very welcome stoplying. Yes, if it is a company computer then the company should be the ones dealing with it.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT

