
OH man do I need Help!



#1 BBI

  • Members
  • 1 posts

Posted 08 August 2005 - 09:35 AM

I need some help deleting some adware/spyware. I have run Spybot, Ad-Aware, CWS, and Norton AntiVirus. Whenever I delete something, it seems that two new things take its place. Any help would be GREATLY appreciated. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 8:38:03 AM, on 8/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\hkcmd.exe
C:\ocerd\plotter.exe
C:\WINNT\system32\kjlrnn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system\xlxpldlx.exe
C:\Program Files\tune\aolc.exe
C:\Program Files\UltimateBuddy\UltimateBuddy.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\ocerd\jobmain.exe
C:\Program Files\AutoCAD 2004\acad.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\WINNT\TEMP\ei.exe
C:\Program Files\Rebate Retriever\RebateRetriever.exe
C:\WINNT\system32\rdsndin.exe
C:\WINNT\system32\scle2n.exe
C:\WINNT\system32\apisvc.exe
C:\WINNT\system32\apisvc.exe
C:\WINNT\system32\scle2n.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Cleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.screenname.aol.com/_cqr/login/lo...webmail.aol.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 69.31.81.22 search.msn.co.za search.ninemsn.com.au search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi
O1 - Hosts: 69.31.81.22 beta.search.sympatico.msn.ca beta.search.msn.co.za beta.search.ninemsn.com.au beta.search.xtramsn.co.nz beta.search.msn.co.uk beta.search.msn.be beta.search.msn.dk
O1 - Hosts: 69.31.81.22 beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it beta.search.msn.nl beta.search.msn.no beta.search.msn.es
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: SDWin32 Class - {BD0B5903-B603-413F-83D0-1EB4853D0124} - C:\WINNT\system32\flnzl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [rdtds800] C:\ocerd\job.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\apisvc.exe
O4 - HKLM\..\Run: [dmzfy.exe] C:\WINNT\system32\dmzfy.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINNT\system32\apisvc.exe
O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [scle2n] C:\WINNT\system32\scle2n.exe
O4 - HKCU\..\RunOnce: [scle2n] C:\WINNT\system32\scle2n.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0388AA1C-226E-4DAE-BD82-38048D94547F}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A1A81FB-4390-4BF3-99F9-69D7D05B623E}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B3AFE08-8601-47C3-8C98-B264BEDECBD3}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD4C35B9-8A97-49AC-9AF5-D2598BB5277B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB30124E-08D5-4350-9625-83A777608B79}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D85A9354-4906-4B55-8A23-31143AF81CCB}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0388AA1C-226E-4DAE-BD82-38048D94547F}: NameServer = 69.50.176.198,85.255.112.12
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\Program Files\Common Files\Repro Desk\PmProtocol.dll
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\mkrepl40.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

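The log above carries several entry types that a responder would triage before anything else: the O1 hosts redirects for search engines to one external IP, the O4 Run value named like a system DLL but launching a different executable, the O16 DPF entry whose target is an ms-its:/mhtml: URL ending in an .exe rather than a .cab, the O17 NameServer settings repeated across every interface, the O20 Winlogon Notify DLL, and the O23 service with no owner installed under a folder whose name (QWRtaW5pc3RyYXRvcgAA) is base64 for "Administrator" followed by two NUL bytes. The script below is an added example, not part of HijackThis or of the original post: it parses a constructed subset of the lines copied from the log above and reports those indicators. The `expected_dns` argument is an assumption supplied by the caller (the resolvers the ISP or DHCP server should have assigned); nothing else on the page states what they should be.

```python
"""Triage a HijackThis log for the kinds of entries seen in the post above.

Added example, not part of HijackThis or of the original post. SAMPLE_LOG is a
constructed subset of lines copied from the log above; `expected_dns` is an
assumption the caller supplies (the resolvers the ISP/DHCP is supposed to hand out).
"""
import base64
import binascii
import ipaddress
import re

# Constructed sample: a subset of lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O1 - Hosts: 69.31.81.22 search.msn.co.za search.ninemsn.com.au search.msn.co.uk
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\apisvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0388AA1C-226E-4DAE-BD82-38048D94547F}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\mkrepl40.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # a hostname or garbage rather than an IP literal
        return False


def decode_encoded_dirname(path):
    """If a directory in `path` is valid base64 of printable ASCII, return the decoded text."""
    for part in path.split("\\"):
        if not B64_TOKEN_RE.match(part):
            continue
        try:
            raw = base64.b64decode(part, validate=True)
        except binascii.Error:
            continue
        text = raw.rstrip(b"\x00")  # the log's folder name decodes to 'Administrator' + two NULs
        if text and all(32 <= b < 127 for b in text):
            return text.decode("ascii")
    return None


def triage(log_text, expected_dns=()):
    """Return a list of (indicator, detail) pairs for the lines of a HijackThis log."""
    expected = {s.strip() for s in expected_dns}
    findings = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()

        if section == "O1" and body.startswith("Hosts:"):
            # A hosts entry that sends a public site anywhere but loopback is a redirect.
            ip, *names = body[len("Hosts:"):].split()
            if not _is_loopback(ip):
                findings.append(("hosts-redirect", f"{ip} <- {', '.join(names)}"))

        elif section == "O4":
            # Value name imitates a system DLL while the target is a different executable.
            _, _, rest = body.partition(": [")
            value, _, exe = rest.partition("] ")
            if value.lower().endswith(".dll") and exe.lower().endswith(".exe"):
                findings.append(("run-key-masquerade", f"[{value}] -> {exe}"))

        elif section == "O16":
            # Downloaded Program Files entries normally point at a .cab; ms-its:/mhtml:
            # URLs and bare .exe targets are loaders, not ActiveX packages.
            url = body.rsplit(" - ", 1)[-1]
            if url.lower().startswith(("ms-its:", "mhtml:")) or url.lower().endswith(".exe"):
                findings.append(("dpf-nonstandard-url", url))

        elif section == "O17" and "NameServer = " in body:
            servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
            rogue = [s for s in servers if s not in expected]
            if rogue:
                findings.append(("dns-server-unexpected", ",".join(rogue)))

        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; each needs a known owner.
            findings.append(("winlogon-notify-review", body.split(": ", 1)[1]))

        elif section == "O23":
            # Services with no vendor string, or installed under a base64-named directory.
            path = body.rsplit(" - ", 1)[-1]
            decoded = decode_encoded_dirname(path)
            if "Unknown owner" in body or decoded:
                detail = path + (f"  (dir decodes to {decoded!r})" if decoded else "")
                findings.append(("service-unknown-owner", detail))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:24} {detail}")
```

Two caveats when running this over a real log: a hosts entry that points at a LAN address can be a legitimate local override, so the `hosts-redirect` check is a prompt to verify rather than a verdict, and the O17 check only says anything useful once `expected_dns` holds the resolvers the machine is actually supposed to use.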
#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 August 2005 - 09:52 AM

Hello BBI and welcome to the BC malware forum. I think there is more to this than what we are seeing in the log. Let's do an additional scan and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log, and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
