Spysheriff, Spyfighter, Home Search Assistant


This topic is locked
16 replies to this topic

#1 docskid

docskid

  • Members
  • 15 posts
  • Local time:04:39 AM

Posted 19 December 2005 - 11:39 PM

Following your instructions for cleaning up my computer, I've been able to rid myself of some of the infection, but I'm still getting the warnings about spyware detected on my computer and ads for SpyFighter, etc.

I've found 3 programs that won't delete: Home Search Assistant, Search Extender and Shopping Wizard.

My homepage is changed to about.com.

I had the following problems when following your pre-post instructions: I tried to run Bit Defender. Halfway through, the scan stopped and locked up. When I try to run the scan again, Bit Defender is unable to load.

I installed Panda. After install/restart my computer locks up and I can't open any programs.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:25:52 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Aluria Security Center\SecurityCenter.exe
C:\WINDOWS\system32\addqd32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TiVo\TiVoServer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\mspb.exe
C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\PROGRA~1\ALURIA~2\AluriaFW.exe
C:\WINDOWS\System32\AuthFw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05563232-5F02-763A-E92E-D32E0B4BF53F} - C:\WINDOWS\crhh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {10E20286-B1F5-A99E-11C9-404DF4478A40} - C:\WINDOWS\crne32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {B35515F4-F23D-5370-7E4F-F0060FB29CBB} - C:\WINDOWS\mshh.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Aluria Security Center] C:\Program Files\Aluria Security Center\SecurityCenter.exe /minimize
O4 - HKLM\..\Run: [ntdn32.exe] C:\WINDOWS\system32\ntdn32.exe
O4 - HKLM\..\Run: [addqd32.exe] C:\WINDOWS\system32\addqd32.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [8B.tmp.exe] C:\DOCUME~1\Computer\LOCALS~1\Temp\8B.tmp.exe
O4 - HKLM\..\Run: [8B.tmp] C:\DOCUME~1\Computer\LOCALS~1\Temp\8B.tmp.exe
O4 - HKLM\..\Run: [8A.tmp.exe] C:\DOCUME~1\Computer\LOCALS~1\Temp\8A.tmp.exe
O4 - HKLM\..\Run: [8A.tmp] C:\DOCUME~1\Computer\LOCALS~1\Temp\8A.tmp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf[1]: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/...ex/viewdw32.ocx
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://www.lizardtech.com/contentserver/plugin/MrSID_BPI.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mspb.exe
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:39 AM

Posted 22 December 2005 - 09:14 AM

Hello,

I see you have Aluria installed. I really recommend you uninstall it, because Aluria has partnered with WhenU, the well-known spyware company.
Also, you have two virus scanners present: Norton and Panda.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and system crashes, and seriously decrease its reliability!

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now, because you may not run it yet; that's for later.
If you are getting an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

* Download this regfix: HSfix
Unzip it and place it on your desktop; don't use it yet!

* Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe Mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, click Scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05563232-5F02-763A-E92E-D32E0B4BF53F} - C:\WINDOWS\crhh.dll
O2 - BHO: Class - {10E20286-B1F5-A99E-11C9-404DF4478A40} - C:\WINDOWS\crne32.dll
O2 - BHO: Class - {B35515F4-F23D-5370-7E4F-F0060FB29CBB} - C:\WINDOWS\mshh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O4 - HKLM\..\Run: [ntdn32.exe] C:\WINDOWS\system32\ntdn32.exe
O4 - HKLM\..\Run: [addqd32.exe] C:\WINDOWS\system32\addqd32.exe
O4 - HKLM\..\Run: [8B.tmp.exe] C:\DOCUME~1\Computer\LOCALS~1\Temp\8B.tmp.exe
O4 - HKLM\..\Run: [8B.tmp] C:\DOCUME~1\Computer\LOCALS~1\Temp\8B.tmp.exe
O4 - HKLM\..\Run: [8A.tmp.exe] C:\DOCUME~1\Computer\LOCALS~1\Temp\8A.tmp.exe
O4 - HKLM\..\Run: [8A.tmp] C:\DOCUME~1\Computer\LOCALS~1\Temp\8A.tmp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://www.lizardtech.com/contentserver/plugin/MrSID_BPI.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mspb.exe


* Close all open windows except HijackThis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\system32\addqd32.exe
C:\WINDOWS\system32\ntdn32.exe
C:\WINDOWS\system32\mspb.exe

* Start AboutBuster and let it scan.
Let it scan a second and third time until everything is gone.

* Double-click on HSfix, which you downloaded earlier and which is present on your desktop, and when it asks you if you want to add the contents to the registry, click Yes/OK.

* Still in Safe Mode, start CCleaner.
Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner" and click Run Cleaner (bottom right).

* Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and Disk Cleanup to finish.

* Now open Ewido anti-malware.
Click on Scanner.

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to Start > Control Panel > Internet Options > Programs tab, and click Restore Web Settings.

* Reboot your PC back to normal.

* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases) and the Ewido Log by using Add Reply.

It is possible that after the reboot your system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab, and choose Windows XP style again under Windows and buttons.
Click Apply and OK.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
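As an added example (not part of this thread, of HijackThis or of any tool named above), a small Python triage script that applies the same patterns the reply above used when picking entries to fix: IE search settings redirected into a res:// DLL resource, the orphaned "(file missing)" BHOs, Run entries launched from a Temp directory, short unfamiliar filenames sitting directly under C:\WINDOWS or system32, and a service with no vendor string and a garbled name. The sample lines are copied from the poster's first log; the allowlist of known Windows filenames is an assumption and would be extended in practice.

```python
"""Triage HijackThis v1.99 log lines with the heuristics used in the reply above.
Added example; the rules and the allowlist are the editor's own assumptions."""
import re

# Sample subset of the poster's first HijackThis log (constructed selection;
# ccApp, AcroIEHelper, ctfmon and vsmon are clean entries kept to show non-hits).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwopa.dll/sp.html#28129%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05563232-5F02-763A-E92E-D32E0B4BF53F} - C:\WINDOWS\crhh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B35515F4-F23D-5370-7E4F-F0060FB29CBB} - C:\WINDOWS\mshh.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [8B.tmp.exe] C:\DOCUME~1\Computer\LOCALS~1\Temp\8B.tmp.exe
O4 - HKLM\..\Run: [addqd32.exe] C:\WINDOWS\system32\addqd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mspb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "R1 - ..." / "O4 - ..." prefix followed by the entry body.
KIND_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Any path component named Temp (covers the 8.3 form LOCALS~1\Temp as well).
TEMP_RE = re.compile(r"\\Temp\\", re.I)
# A 2-6 letter name with up to two digits placed directly in %windir% or system32.
WINDIR_SHORT_RE = re.compile(
    r"C:\\WINDOWS\\(?:system32\\)?([a-z]{2,6}\d{0,2}\.(?:exe|dll))", re.I)
# O23 body: "Service: <display name> (<short name>) - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Characters that never appear in a real service display name.
ODD_CHARS_RE = re.compile(r"[^\w\s.()-]")

# Assumed allowlist of legitimate short names that live directly under %windir%.
KNOWN_WINDIR_FILES = {"ctfmon.exe", "explorer.exe", "smss.exe", "lsass.exe"}


def triage_line(line):
    """Return the reasons one log line deserves attention (empty = no hit)."""
    m = KIND_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind.startswith("R"):
        if "res://" in body:
            reasons.append("IE search/start setting points into a local DLL resource (res://)")
        if body.endswith("= about:blank"):
            reasons.append("default page forced to about:blank")
        if "URLSearchHook is missing" in body:
            reasons.append("default URLSearchHook removed")
    if kind in ("O2", "O3", "O20") and "(file missing)" in body:
        reasons.append("orphaned entry: referenced component file is missing")
    if kind == "O4" and TEMP_RE.search(body):
        reasons.append("autorun entry launches from a Temp directory")
    if kind in ("O2", "O4", "O23"):
        w = WINDIR_SHORT_RE.search(body)
        if w and w.group(1).lower() not in KNOWN_WINDIR_FILES:
            reasons.append("short unfamiliar filename directly under %windir%: " + w.group(1))
    if kind == "O23":
        s = SERVICE_RE.match(body)
        if s:
            if s.group("owner") == "Unknown owner":
                reasons.append("service has no vendor string")
            if ODD_CHARS_RE.search(s.group("name")):
                reasons.append("service name contains garbled characters")
    return reasons


def triage(log_text):
    """Return [(line, reasons), ...] for every flagged line, in log order."""
    out = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


def lines_to_fix(log_text):
    """Just the flagged lines, ready to compare against a 'Fix Checked' list."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```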

#3 docskid

docskid
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:39 AM

Posted 23 December 2005 - 01:12 AM

Ooooooooohhhhh. You must be an angel, come to ensure a Merry Christmas for me. Where's the "donate" button?
I'm really lost without my computer. (I've forgotten how to write a check. Geesh, that on-line banking has spoiled me!) You could probably say I know just enough about this machine to make me dangerous.
I removed Aluria (paid bucks for that sucker, and it's a pain in the tushy!). Also removed the part of Panda that had installed when I was going through the pre-post instructions (it shut down in the middle of the install). Now I don't know whether to keep Norton or go with something else. Any suggestions?

Here are the reports/logs you requested. Everything went very well.

Incident Status Location

Adware:adware/searchaid Not disinfected C:\Documents and Settings\Computer\Favorites\Only sex website.url


Logfile of HijackThis v1.99.1
Scan saved at 11:09:22 PM, on 12/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\TiVo\TiVoServer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [addqd32.exe] C:\WINDOWS\system32\addqd32.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf[1]: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/...ex/viewdw32.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:22:23 PM, 12/22/2005
+ Report-Checksum: C257255E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D3E61C7F-BD83-EA01-13F4-464C2595C096} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D4451521-F203-568E-2657-C5AD1F0B1F77} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E5C23746-741A-FEC7-C517-86E204C95729} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20051222-212552-783.dll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\apihv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\applb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appnt.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atlbv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlse.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlth.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
C:\WINDOWS\crhy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cryo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3ml32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3vk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iepf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipgq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipxs32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcqg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfczn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msir.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mssu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mstw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\nethd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netla32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netpq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netwv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntnt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntvx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkpy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addpq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appnu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlck.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlhk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crjo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crqv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crwx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3co.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3np32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3qp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ehdpcp.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\ieff.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iefi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iemi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieqk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipaa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcgq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcqw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\neteh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netwr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntub.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkkc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdknz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysmt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\syszb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\windu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winvk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\{1FF36D1F-F284-4C96-80EF-978E37C271D9}.dat:gdmjb -> Downloader.Agent.td : Cleaned with backup


::Report End





smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/22/2005
The current time is: 21:35:50.59

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 740 'explorer.exe'
Killing PID 740 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


:flowers: :huh:

#4 miekiemoes
  • Malware Response Team
  • Location:Belgium

Posted 23 December 2005 - 02:07 AM

Great!

Only one leftover you have to check and fix in hijackthis:

O4 - HKLM\..\Run: [addqd32.exe] C:\WINDOWS\system32\addqd32.exe

Also delete the next one in your favorites: Only sex website.url

There are still some things you need to perform/check as well..

* Download: Hoster
Unzip Hoster to its own folder.
Start Hoster.exe.
It is possible that Hoster will tell you that your Hosts file doesn't exist and ask if you want to create one. Click yes/ok.
If you don't get that prompt/question, click 'Restore Original Hosts' and click OK.

This hijacker is also responsible for changing the ActiveX security settings to allow all.
To fix this... Open Internet Explorer > Internet Options > Security > Internet.
Press Default Level > OK.
Press Custom Level.
In the ActiveX part:
Set "Download signed and unsigned ActiveX controls" to "Prompt".
Set "Initialize and script ActiveX controls not marked as safe" to "Disable".

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.

Concerning antivirus scanners..

There are free scanners as well:

AVG, AntiVir OR Avast are good FREE antivirus programs.

But I still recommend a non-free scanner, because they are more powerful.
My favorites are Kaspersky: http://www.kaspersky.com/ and NOD32: http://www.eset.com/home/home.htm
You can use both for free for a month.
So if you decide to install another antivirus, make sure you uninstall your Norton first.

A good idea is also to use another browser instead of Internet Explorer.
Firefox: http://www.mozilla.com/firefox/ is better protected against malware. However, no browser is 100% secure, so make sure you stay away from suspicious sites.

Also read in my signature and click the link which scanners not to install (and why).

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to Service Pack 2!

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
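The O4 leftover the helper points out above, and the O20 "(file missing)" line in the HijackThis logs, are what a helper scans for by eye. The following is an added example, not code from this thread or from HijackThis, that automates that triage in Python over a few constructed lines copied from the logs in this thread; the naming-pattern heuristic, the prefix list, the KNOWN_GOOD allowlist and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 format, copied from the logs in this
# thread: the addqd32.exe entry the helper asked to fix, the O20 entry whose DLL
# is missing, and three legitimate entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [addqd32.exe] C:\WINDOWS\system32\addqd32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Naming pattern of the Trojan.Agent.bi files in the ewido report above: a prefix
# that imitates a system DLL family, two random letters, an optional "32", ".exe".
# Assumption: the prefix list is derived from that report only, not from a signature.
FAMILY_PREFIXES = ("add", "api", "app", "atl", "cr", "d3", "ie", "ip", "mfc",
                   "ms", "net", "nt", "sdk", "sys", "win")
RANDOM_NAME = re.compile(
    r"^(?:%s)[a-z]{2}(?:32)?\.exe$" % "|".join(FAMILY_PREFIXES), re.IGNORECASE)

# Legitimate Windows XP binaries that happen to fit the pattern (assumed allowlist;
# extend it from a known-good baseline before trusting the heuristic).
KNOWN_GOOD = {"netsh.exe", "ntsd.exe"}

# The droppers in this thread landed directly in the Windows directory or system32,
# so only those two locations are checked.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable in the command: a quoted path, or the bare token up to ".exe".
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "O4" or "O20"
    line: str     # the log line as written
    reason: str   # why it deserves a second look


def split_path(path: str):
    """Return (directory, file name), lower-cased; directory is '' for a bare name."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def looks_randomly_named(filename: str) -> bool:
    """True when the file name fits the dropper pattern and is not a known system binary."""
    name = filename.lower()
    return bool(RANDOM_NAME.match(name)) and name not in KNOWN_GOOD


def triage(log_text: str) -> list:
    """Flag O4 Run entries that fit the dropper pattern and any entry whose file is missing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if line.endswith("(file missing)"):
            findings.append(Finding(section, line,
                "references a file that no longer exists; orphaned entry, "
                "reinstall or remove the product that owns it"))
            continue
        entry = O4_RE.match(line)
        if not entry:
            continue
        exe = EXE_RE.match(entry.group("cmd"))
        if not exe:
            continue
        directory, name = split_path(exe.group("path"))
        if directory in DROP_DIRS and looks_randomly_named(name):
            findings.append(Finding(section, line,
                f"{name} in {directory} fits the Trojan.Agent.bi naming pattern; "
                "verify the file, then check and fix the entry in HijackThis"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run over the full logs in this thread it will also flag the two O9 entries that end in "(file missing)", which is intended: every orphaned entry deserves the same look.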

#5 docskid
  • Topic Starter
  • Members

Posted 23 December 2005 - 01:12 PM

Hello again.
Just completed your last instructions.
Deleted the Only Sex site from Favorites along with these new ones: 7 days of free porn; Search the Web; Sites About folder. I've been deleting these and others, and they keep returning.

How do I know if I'm accessing an illegal site? Probably not any way to be sure, huh? I was searching for an online pharmacy when I got this infection.

Updated and ran Adaware 3 times, rebooting between each scan. These 2 came up every time: Adintelligence.Apropos Tool Bar; SearchClick.

Updated and ran SpyBot and the CoolWWWSearch was back: CoolWWWSearch; CoolWWWSearch.HomeSearch; CoolWWWSearch.Feat2Installer.ADS

Also, I had installed Zone Alarm, and this file keeps asking for access: BackWeb-8876480.exe. I denied the last time, but I really don't know if it's something harmful or not.

Just one other problem that started this morning (or maybe yesterday after I completed your first instructions.) Computer won't shut down/restart. I have to keep using the reset.

I'm including a HijackThis log just in case it might help.

All in all, I'm running much better, looking forward to a pleasant holiday - 78 degrees here in Arizona today.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:56:34 AM, on 12/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TiVo\TiVoServer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf[1]: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/...ex/viewdw32.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

#6 miekiemoes
  • Malware Response Team
  • Location:Belgium

Posted 23 December 2005 - 01:40 PM

Hello,

Your log still looks clean. BackWeb is part of Logitech Desktop Messenger and is not required. It's present here in your log:

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

I think as long as Logitech Desktop Messenger is present, you won't really be able to check and fix that entry in your HijackThis log, because it will be reactivated every time.
So, if you don't use Logitech Desktop Messenger, I suggest you uninstall it via software > add/remove.

So, adaware and spybot are still finding things and won't fix it?
I see you mention they find apropos, so most probably you're also dealing with the apropos rootkit.
So let's find out..

Download and Save blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > scan, then > next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe".
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply.

#7 miekiemoes
  • Malware Response Team
  • Location:Belgium

Posted 23 December 2005 - 07:27 PM

I think the startup/shutdown problem is caused by Panda, because I still see it present in your log. This is a common issue when more than one scanner is present. You also have Spysweeper and TeaTimer running in the background as well. They are ok to run in the background, although they do the same thing.. so don't overdo it. The reason I'm telling you this is because all those scanners have to shut down as well when you shut down your system.. that's why it can take a while and can cause errors.
Do you get any error if you shut down? It is important you tell me this.
I see in the logs from the scanners that they didn't delete any legit files, so don't worry about that.
Let me know what exact errors you get.
Also, I'm going to have you disable some startup entries afterwards as well, programs that are not required to run at startup. This will improve your startup and make it faster. But that's for afterwards. Let's see what the log from Blacklight reveals first. :thumbsup:

#8 docskid
  • Topic Starter
  • Members

Posted 23 December 2005 - 09:11 PM

Hi,

First, when I came back to the computer this afternoon there was a window on the desktop: LiveUpdateCOM has encountered a problem and needs to close. When I tried to access my email I got the same message in a window for Outlook Express. The same thing happened for Internet Explorer when I tried to connect. I restarted and then could log on to email and internet without a problem.

I get no error messages when I shutdown/restart. I have had a couple of messages since the infection. As I recall they were in Windows Explorer and once in Word - on startup a window appeared with a message that the system had just recovered from a serious.......(can't remember the rest.) As for anything that says "Error..." I haven't had any of those messages.

I did remove Panda, Logitech Desktop Messenger and a few others that I don't use. I was going to remove Teatimer or Spysweeper, but they aren't in the programs list. I have the Spysweeper application on the desktop. Can I delete all of it from the desktop?

Here's the Blacklight log. And again, thank you.

12/23/05 18:47:46 [Info]: BlackLight Engine 1.0.30 initialized
12/23/05 18:47:46 [Info]: OS: 5.1 build 2600 (Service Pack 1)
12/23/05 18:47:46 [Note]: 7019 4
12/23/05 18:47:46 [Note]: 7005 0
12/23/05 18:47:54 [Note]: 7006 0
12/23/05 18:47:54 [Note]: 7011 1204
12/23/05 18:47:55 [Note]: FSRAW library version 1.7.1014
12/23/05 18:50:06 [Note]: 7007 0

#9 miekiemoes
  • Malware Response Team
  • Location:Belgium

Posted 24 December 2005 - 01:20 AM

Hello,

It seems like your Norton caused problems. Maybe the infection corrupted some Norton files, so it's a good idea to uninstall and reinstall Norton.
You can keep Spysweeper, you just don't have to start it up with Windows.
When you open Spysweeper, choose the options and uncheck where it says to load at startup.
It seems like your Spysweeper got corrupted as well, as I see in your log:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
So it's a good idea to reinstall Spysweeper also. That could also have caused the errors you had before.
Because you say it has no uninstall option present in Add/Remove Programs, you may just install Spysweeper on top. This will give you the uninstall option back as well.
TeaTimer is a part of Spybot S&D, and I would recommend keeping the option on.
In case you want to disable TeaTimer, read here how to do this: http://russelltexas.com/malware/teatimer.htm

Your Blacklight log shows clean.. so that is a good sign. Just let me know exactly which files/keys won't remove with Spybot S&D and Ad-Aware... so we can deal with that manually.

Can you also post a new HijackThis log please. :thumbsup:

#10 docskid
  • Topic Starter
  • Members

Posted 24 December 2005 - 03:42 AM

Howdy.

I re-installed Spysweeper and unchecked the "load at startup" option.

Removed Norton - Installed Kaspersky.

Shutdown/Restart working great.

On startup I have this message: KEM.exe Unable to locate component. This application has failed to start because lgscroll.dll was not found. This doesn't seem to be causing any problems, but I don't know what it is.

Do I need to keep Sting, CCleaner and Ewido on my computer?

Ran Adaware and it recognized the same 2 objects: Adintelligence.Apropos Toolbar (C:\Program Files\Avarnsn(2)data.bin); SearchClick (C:\System Volume Information\...\RP453\A0072963.dll).

While Adaware was scanning, Kaspersky detected several Trojan-Downloader.Win32.Win... objects which were deleted. This is great software, huh?

Ran Spybot. No problems found, so the previous fix must have been successful. Right?

Here's the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:30:41 AM, on 12/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
C:\Program Files\TiVo\TiVoServer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com;<local>;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf[1]: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/...ex/viewdw32.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:39 AM

Posted 24 December 2005 - 09:12 AM

Hello,

To answer your questions..

On startup I have this message: KEM.exe Unable to locate component. This application has failed to start because lgscroll.dll was not found. This doesn't seem to be causing any problems, but I don't know what it is.


To fix this, check and fix the next entry in HijackThis:

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe

Do I need to keep Sting, CCleaner and Ewido on my computer?


Well, the decision is yours of course. You can use Stinger and Ewido to scan once in a while. But I do recommend you keep CCleaner. This program deletes unused files like the contents of your Temp folders, your recycle bin etc. Also look at their site to see what options it has:
http://www.ccleaner.com/
and for a quick tour of how to use it: http://www.ccleaner.com/help/tour1.asp

Yes, Kaspersky is a great scanner. :thumbsup:

I still see Panda present on your system, so I suggest you check and fix the next entry in HijackThis:

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe


I also recommend you check and fix the next entry in your log:


O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe


I also see some programs starting up with Windows that are not required to start up. You can disable them from startup. When you need the programs, you can always start them via Start > All Programs.

So in this case, the following programs are not required to start with Windows:

Share-to-Web Namespace Daemon (hpgs2wnd.exe)
QuickTime Task (qttask.exe)
PCSuiteTrayApplication (LaunchApplication.exe)
NeroCheck.exe
MM_Tray.exe
mmtask.exe
PcSync2.exe
Kodak software updater

To disable them, go to Start > Run and copy and paste the following into the field: msconfig
Choose the Startup tab and uncheck the above entries there. Click Apply and OK.
Windows will ask you if you want to reboot, so reboot.
After the reboot, it will give you a message that you used System Configuration and things got modified. This is normal. Just check the checkbox in that message next to: don't show this message anymore (or something similar).
You can always enable the above programs again in your startup by checking them again.
The choice is yours of course what you really think is necessary to start up with Windows or not.. but the above programs are not really required.

Ran Adaware and it recognized the same 2 objects: Adintelligence.Apropos Toolbar (C:\Program Files\Avarnsn(2)data.bin; SearchClick (C:\System Volume Information\...\RP453\A0072963.dll


Ok, seems like some entries are found in your System Restore points. Nothing really to worry about. To get rid of them, disable your System Restore.
(note: this will delete all your System Restore points and the malware that was present in them).
How to disable system restore in XP
Reboot.. and after rebooting, enable it again, so a new System Restore point will be made. A clean one now! :flowers:

One thing I need more info on..
You say Adaware flags next entry as well:
C:\Program Files\Avarnsn(2)data.bin
Can you check whether that folder Avarnsn(2)data.bin is present in your Program Files? And can you also tell me exactly what's in that folder. Do you know that program Avarnsn?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
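The startup locations the post above works through (the HijackThis "O4" lines and the msconfig Startup tab) can also be listed from the command line. The script below is an added example, not code from this thread or from HijackThis: it enumerates the Run/RunOnce keys of both hives and the per-user and all-users Startup folders, resolves each command line to the program it launches, and flags entries whose program file no longer exists, which is the usual sign of a leftover worth removing. It is written for Windows PowerShell 5.1 or later, so it is a present-day equivalent rather than something that ran on this Windows XP machine; the function names are the example's own.

```powershell
# Added example, not code from this thread or from HijackThis: list the autostart locations
# behind HijackThis "O4" lines (Run/RunOnce keys and the Startup folders) and flag entries
# whose program file is missing. Needs Windows PowerShell 5.1 or later.

function Resolve-AutostartExecutable {
    # Work out which file a Run-key command line actually launches. Quoted paths are taken
    # as-is; unquoted ones are tried prefix by prefix (as CreateProcess does) so that
    # "C:\Program Files\Vendor\Tool.exe /switch" resolves even though it contains spaces.
    param([string] $CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Bare names such as SOUNDMAN.EXE are found through PATH, the way the loader finds them.
    $onPath = Get-Command -Name $parts[0] -CommandType Application -ErrorAction SilentlyContinue
    if ($onPath) { return @($onPath)[0].Path }
    return $parts[0]   # unresolved; reported with TargetExists = $false
}

function New-AutostartRecord {
    param([string] $Source, [string] $Name, [string] $Command)
    $exe = Resolve-AutostartExecutable -CommandLine $Command
    [pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Command      = $Command
        Executable   = $exe
        TargetExists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
    }
}

function Get-AutostartEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($keyPath in $runKeys) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            New-AutostartRecord -Source $keyPath -Name $valueName -Command ([string]$key.GetValue($valueName))
        }
    }
    # Per-user and all-users Startup folders; .lnk files are resolved to the program they
    # launch, which is what HijackThis prints after the "=" on a "Global Startup" line.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folderId in 'Startup', 'CommonStartup') {
        $folder = [Environment]::GetFolderPath($folderId)
        if (-not $folder) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue) {
            $target = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
            New-AutostartRecord -Source "Startup folder ($folderId)" -Name $file.Name -Command $target
        }
    }
}

# Usage: entries whose file is gone are the orphans worth removing; the rest are the
# optional-but-harmless items the post suggests disabling via msconfig.
Get-AutostartEntry | Sort-Object TargetExists, Source | Format-Table Source, Name, Executable, TargetExists -AutoSize
```

The listing is read-only; nothing is disabled or deleted. An entry reported with TargetExists = False corresponds to the kind of line the post recommends fixing, while entries that do exist are a judgement call, as the post says.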

#12 docskid

docskid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 25 December 2005 - 12:58 AM

Okay.....

I fixed the three entries in the hijackthis log, so the KEM.exe message is gone at start up. Also disabled the list of programs from startup as I wasn't using any of them.

I disabled the System Restore, rebooted and enabled it again. That seems to have gotten rid of the SearchClick as Adaware did not identify it in a new scan.

The Adintelligence.AproposToolbar is still there, though. However, I apologize for reading the file incorrectly. It's Avamsn(2)data.bin, and I did find it in my Program Files, although I don't know what it is.

Within that folder were 2 files - data.bin and AI_06-09-2005 (a text doc). There was also a folder named Cache with 3 files inside: 00000029_431dec64_00017d8c; index; and dns.

I don't seem to be having any problems. No pop-ups :thumbsup: , no unwanted Favorites sites :flowers: , no spyware warnings :huh: . Just can't thank you enough. :huh:

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:39 AM

Posted 25 December 2005 - 04:46 AM

Hello,

The Avamsn(2)data.bin indeed looks like a part of the apropos rootkit. However, it looks a bit strange in here, so we'll need to gain more info on that. Normally this is only visible in safe mode, because this infection is hidden in normal mode. So part of the infection is already gone, but I think there will still be leftovers (also in the registry) that really need to go, because this one also uses a driver and can cause problems when not properly removed.

So we're almost finished here, but I really want this infection and leftovers gone. :thumbsup:

Can you perform next please?

Download the Registry Search Tool.
http://www.billsway.com/vbspage/ (you'll find it halfway down the page there)
Unzip it and run it.
If your antivirus interferes, you have to disable script blocking in the antivirus.
Put the following in the search box:

adchannel

Let it scan. It will create a log. Save this log.
Then I want you to paste the following in the search box in the Registry Search Tool:

contextplus

Let it scan/search for it again and post that log together with the other one in your next reply.
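The check requested above, a registry-wide search for the strings "adchannel" and "contextplus" that writes its hits to a log, can be reproduced with a read-only PowerShell function. This is an added example, not the Registry Search Tool's own code and not part of the thread; it goes slightly beyond the post's one-string-at-a-time procedure by taking several patterns in one pass and matching them against key names, value names and value data under HKLM and HKCU. The log path and the function names are the example's assumptions.

```powershell
# Added example (not the Registry Search Tool's code): read-only search of HKLM and HKCU
# for one or more substrings, reporting where each occurred and writing a text log.

function New-RegistryHit {
    param($Pattern, $Where, $Key, $ValueName, $Data)
    [pscustomobject]@{ Pattern = $Pattern; Where = $Where; Key = $Key; ValueName = $ValueName; Data = $Data }
}

function Search-RegistryForString {
    param(
        [Parameter(Mandatory)] [string[]] $Pattern,
        [string[]] $Root = @('HKLM:\', 'HKCU:\'),
        # Assumed log location; the post only says "save this log".
        [string] $LogPath = (Join-Path $env:USERPROFILE 'Desktop\regsearch.log')
    )
    $hits = foreach ($rootPath in $Root) {
        # Keys the current account cannot open are skipped instead of aborting the search.
        $keys = @(Get-Item -Path $rootPath -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $rootPath -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (-not $key) { continue }
            foreach ($p in $Pattern) {
                # Match against the key's own name ...
                if ($key.PSChildName -like "*$p*") {
                    New-RegistryHit -Pattern $p -Where 'KeyName' -Key $key.Name -ValueName '' -Data ''
                }
                # ... and against every value name and its data (unexpanded, so %VAR% text is searched as stored).
                foreach ($valueName in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($valueName, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                    if ($valueName -like "*$p*") {
                        New-RegistryHit -Pattern $p -Where 'ValueName' -Key $key.Name -ValueName $valueName -Data $data
                    } elseif ($data -like "*$p*") {
                        New-RegistryHit -Pattern $p -Where 'ValueData' -Key $key.Name -ValueName $valueName -Data $data
                    }
                }
            }
        }
    }
    # A plain-text log, in the spirit of the tool's output, plus the hits as objects for further filtering.
    $hits | Format-Table -AutoSize -Wrap | Out-String -Width 250 | Set-Content -Path $LogPath
    return $hits
}

# Usage: the two strings named in the post, searched in one pass. Walking both hives takes minutes.
Search-RegistryForString -Pattern 'adchannel', 'contextplus' | Format-Table -AutoSize
```

Matching is case-insensitive because -like is, which mirrors how the tool behaved for the poster (no hits at all means nothing in either hive contained the strings). Nothing is modified; removing any hit is a separate, deliberate step.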

#14 docskid

docskid
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 25 December 2005 - 09:57 AM

Hmm......

Perhaps I'm doing something wrong. I downloaded/unzipped the RegSrch. It didn't find any instances of adchannel or contextplus. I can't locate a log either. I just get a window that pops up to inform me that no instances of the search item were found.

I disabled script monitoring in Kaspersky and tried it again. Same result. What next?

Many thanks.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:39 AM

Posted 25 December 2005 - 01:59 PM

That's no problem then. Maybe a previous scan with Spy Sweeper (because Spy Sweeper sees this infection) already deleted the leftovers in the registry.

You may delete that Avamsn(2)data.bin-folder.

After that, everything must be ok. :thumbsup:

Now try to keep it that way. ;-)

Happy surfing again!
