Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ie 6 Browser Search Redirected


  • This topic is locked This topic is locked
8 replies to this topic

#1 SSTG

SSTG

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 17 February 2006 - 02:40 PM

Hi Hope someone can help.
For a week now everytime I use IE6 browser and do a search, it gives me the proper list of sites to go to, but 9 times out of 10 if I click on the site it gives me a browser such as "search.ebay.com or search.lycos or searchgeneric.com or some porn site". Also sometime when I am on a site the right hand corner comes down like a page turning and offers a search bar.

I have tried many different things but always the same result. The first time I open IE 6 after a reboot the browser has no toolbars, all is grey. The second time I get toolbars but then the browser does as indicated above.

I have run many anti-spyware/malware programs to find what is wrong but no luck.

Here is what I did. I followed the steps indicated in your instructions before posting (twice). I also ran a few more such as TREND Micro anti-spyware & EWIDO and Norton.

The first time I ran the programs:
Ad-Ware = found nothing,
Search & Destroy = found HKEY_local_machine\software\microsoft\windows\current\versions\ruins,
Housecall = found 3 ?? and Deleted,
Panda = would not work, Right corner always coming down
Bit Defender found 287 files infected said not fixed
Norton = found nothing
Ewido = found Downloader.agent.uj
Trend Micro = change in registry = winnt\system32\ dmgmj.exe & jbrdi.exe
Mcafee = did not indicate any visus.

The second time I ran the programs
Ad-Ware = NO LONGER WORKS ++++ STOPS RESPONING HALF WAY THRU
Search & Destroy = found HKEY_local_machine\software\microsoft\windows\current\versions\ruins,
Panda = would not work, Right corner always coming down
Bit Defender found 48 files infected said mostly Java.trojan.exploit.bytverify
Norton = found nothing
Ewido = found Downloader.agent.uj
Mcafee = did not indicate any visus.

Have gone to Microsoft and had done all updates as indicated.

In the registry my ZONEMAPs had all kinds of entrys. I was told to delete these. Some did point to those search engines indicated above.

I am including the hijackthis log, startuplist and uninstall info.

I notice a few things in startuplist

dmgmj.exe = C:\WINNT\system32\dmgmj.exe
jbrdi.exe = C:\WINNT\system32\jbrdi.exe

and in the uninstall.text I had these 2 entries
CC_ccStart
ccCommon

I readed that these are virus but have been unable to remove after 2 tries.

I would appreciate any help I can get to fix this. And would like to get Adware working again. I tried reinstalling gives same result

Thank You

Serge

Tired of IE but must use, office policy (FOR NOW).


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Logfile of HijackThis v1.99.1
Scan saved at 12:55:03, on 2006-02-17
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\_communications\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\_windows.health\MemTurbo\memturbo.exe
C:\Program Files\_applications\cleanup2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/search.html
R3 - URLSearchHook: (no name) - {501BA93A-6F31-67FB-0E16-61DDFDCD87D3} - media64.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\_communications\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ParisM] Uint32.exe
O4 - HKLM\..\Run: [gabber] ABCXYZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dmgmj.exe] C:\WINNT\system32\dmgmj.exe
O4 - HKLM\..\Run: [jbrdi.exe] C:\WINNT\system32\jbrdi.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [ssweeper] SysSupport.exe
O4 - HKCU\..\Run: [SysSupport] uio.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\_communications\eprompter\ePrompter.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\_windows.health\MemTurbo\memturbo.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\_organisation\Copernic 2001 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.sunnet.sunlife.com/ceviewer/act...tivexviewer.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 85.255.116.18,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 85.255.116.18,85.255.112.185
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

************************************************************************************

StartupList report, 2006-02-17, 12:59:13
StartupList version: 1.52.2
Started from : C:\Program Files\_applications\cleanup2\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\_communications\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\_windows.health\MemTurbo\memturbo.exe
C:\Program Files\_applications\cleanup2\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
ePrompter.lnk = C:\Program Files\_communications\eprompter\ePrompter.exe
MemTurbo.lnk = C:\Program Files\_windows.health\MemTurbo\memturbo.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
C-Media Mixer = Mixer.exe /startup
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
DU Meter = C:\Program Files\_communications\DU Meter\DUMeter.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
ParisM = Uint32.exe
gabber = ABCXYZ.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
dmgmj.exe = C:\WINNT\system32\dmgmj.exe
jbrdi.exe = C:\WINNT\system32\jbrdi.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
UnSpyPC = "C:\Program Files\UnSpyPC\UnSpyPC.exe"
ssweeper = SysSupport.exe
SysSupport = uio.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[CPlayFirstTriJinxControl Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55.dll
CODEBASE = http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINNT\DOWNLO~1\CONFLICT.1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7888.5572337963

[Crystal Report Viewer Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\CRViewer.dll
CODEBASE = https://www.sunnet.sunlife.com/ceviewer/act...tivexviewer.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[TikGames Online Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\gpcontrol.dll
CODEBASE = http://download.games.yahoo.com/games/web_...r/goldfever.cab

[PopCapLoader Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\popcaploader.dll
CODEBASE = http://download.games.yahoo.com/games/web_...aploader_v6.cab

[{FE1A240F-B247-4E06-A600-30E28F5AF3A0}]
CODEBASE = file://C:\install.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat||C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat||C:\Documents and Settings\Administrator\Cookies\index.dat||C:\Documents and Settings\Administrator\Cookies||C:\WINNT\Downloaded Program Files\ipsupd.dll||C:\WINNT\Downloaded Program Files\ipsupd.dll||C:\WINNT\Downloaded Program Files\oscan8.ocx||C:\WINNT\Downloaded Program Files\oscan8.ocx||C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLB1A2B.EXE||C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat||C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat||C:\Documents and Settings\Administrator\Cookies\index.dat||C:\Documents and Settings\Administrator\Cookies


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 8,153 bytes
Report generated in 0.090 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 PM

Posted 19 February 2006 - 05:37 PM

Hello and welcome to the forum. Some nice folks in the Ukraine decided your computer needed hacked, look here and it is safe to do so: http://www.whois.sc/85.255.116.18 Look to the 017 lines in the log to see the hack. This infection, and it is a nasty one is being called Wareout. We have a fix that will work if you follow the directiosn. Then we will clean up anything else that is left, thanks.

Thanks to all of the folks who made this fix for us

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

We will have more to do.

Thanks...pskelley
BleepingComputer

Edited by pskelley, 19 February 2006 - 05:38 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 SSTG

SSTG
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 22 February 2006 - 10:58 AM

Thank you for the info. Sorry to get back late, was out with the flu. Not only computers get bugs it seems.

Have run the program you mentioned. Norton gave a warning of Malicious software. Ran the fixwareout\run.vbs anyway.

As for the DNS we do not do it automatically here but put in the value assign by our internet provider.

Here is the report.txt supplied and a new Hijackthis.log.

Waiting to see what is next

Thanks

Serge
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF3748B93E47-9E9A-F044-6564-7161CAA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hdbmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\bdpbj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...
C:\WINNT\SYSTEM32\DMBDH.EXE
C:\WINNT\SYSTEM32\CSMTN.EXE
* csr.exe C:\WINNT\System32\CSMTN.EXE

Misc files

Checking for older varients covered by the Rem3 tool
Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmbdh.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 10:56:00, on 2006-02-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\_communications\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\_communications\eprompter\ePrompter.exe
C:\Program Files\_windows.health\MemTurbo\memturbo.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\_applications\cleanup2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/search.html
R3 - URLSearchHook: (no name) - {501BA93A-6F31-67FB-0E16-61DDFDCD87D3} - media64.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\_communications\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ParisM] Uint32.exe
O4 - HKLM\..\Run: [gabber] ABCXYZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [jbovq.exe] C:\WINNT\system32\jbovq.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ssweeper] SysSupport.exe
O4 - HKCU\..\Run: [SysSupport] uio.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\_communications\eprompter\ePrompter.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\_windows.health\MemTurbo\memturbo.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\_organisation\Copernic 2001 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.sunnet.sunlife.com/ceviewer/act...tivexviewer.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O17 - HKLM\System\CS2\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 85.255.116.18,85.255.112.185
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 PM

Posted 22 February 2006 - 11:31 AM

Hi Serge, sorry to hear you had a touch of the bug to :thumbsup: I am slightly concerned as some items I thought would be gone are still in the log. We may need to run the fix again and I will know more after this next phase of the cleanup, thanks. If I did not mention it, it would be best if you keep this computer offline as much as possible until this junk is gone. I also need to say that the junk may be removed as you move through the steps, if you do not see something, not to be concerned, just do not miss anything.

1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

2) You have ewido onboard, open the program and choose updates, allow time for that to complete. Now click on scanner, then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R3 - URLSearchHook: (no name) - {501BA93A-6F31-67FB-0E16-61DDFDCD87D3} - media64.dll (file missing)
O4 - HKLM\..\Run: [ParisM] Uint32.exe
O4 - HKLM\..\Run: [gabber] ABCXYZ.exe
O4 - HKLM\..\Run: [jbovq.exe] C:\WINNT\system32\jbovq.exe
O4 - HKCU\..\Run: [ssweeper] SysSupport.exe
O4 - HKCU\..\Run: [SysSupport] uio.exe
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O17 - HKLM\System\CS2\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 85.255.116.18,85.255.112.185

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

These files are part of the wareout infection, you will need to use your search function to locate them. They must be deleted. There is a good chance they are in the C:\Windows\System32\ folder but they could be elsewhere.

ABCXYZ.exe >>>file

SysSupport.exe >>> file

Uint32.exe >>> file

uio.exe >>> file

C:\WINNT\system32\jbovq.exe <<< file This could also be C:\Windows\system32\jbovq.exe <<< you are looking for the file!

4) If you don't have a good cleaner, use this one with these instuctions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan result, a new HJT log and any feedback you think I should have.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 SSTG

SSTG
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 22 February 2006 - 04:06 PM

HI Phil

Did all you indicated. Search for those 5 files everywhere but found none. The Hijackthis scan gave me 04-HKLM....system\system32\jbvfi.exe when i did a system scan. I check the box to remove it. In CCleaner in Startup otion it had "jbvfi.exe" and I said to remove it. I tried to remove the file "jbvfi.exe" but windows said it was being used so I rebooted in safe mode and renamed it. ran CCleaner and it says file is missing and hijackthis still has "O4 - HKLM\..\Run: [jbvfi.exe] C:\WINNT\system32\jbvfi.exe". The file is not there on the system when I search for it. Only the rename version of serge.xxx.

Had to put back the DNS that we use to get Internet working. I ran ccleaner before sending this message and it found another cookie. Log attached at end. To get to this site I went by and email I had received so I did not go by the browser and type it but straight here from the email. When I started the IE6 browser and it took me to MSN directly this morning I had no toolbars. If I go to this site directly from my email I get the toolbars. It may not mean anything but just in case I rather indicate it.

I went into regedit to search jbvfi.exe and found the command as indicated in hijack.log. Deleted it manually. Found no other "jbvfi" in regedit. Let me know what else you suggest I do.


Thank You very much

Serge

I will now reboot again after I send this message to see if "vbvfi" comes back in any form. Will let you know


+++++++++++++++++++++++++++++++++++++++
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:14:17, 2006-02-22
+ Report-Checksum: E0CF027E

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\WINNT\system32\csmtn.exe -> Downloader.Agent.uj : Cleaned with backup
C:\WINNT\system32\dmbdh.exe -> Trojan.Pakes : Cleaned with backup


::Report End

++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 15:04:06, on 2006-02-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\_communications\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\_communications\eprompter\ePrompter.exe
C:\Program Files\_windows.health\MemTurbo\memturbo.exe
C:\Program Files\_applications\cleanup2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\_communications\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [jbvfi.exe] C:\WINNT\system32\jbvfi.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\_communications\eprompter\ePrompter.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\_windows.health\MemTurbo\memturbo.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\_organisation\Copernic 2001 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.sunnet.sunlife.com/ceviewer/act...tivexviewer.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:44:02, 2006-02-22
+ Report-Checksum: 268E6E06

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup


::Report End

#6 SSTG

SSTG
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 22 February 2006 - 06:32 PM

Hi

Just to put up to date. Rebooted and ran Norton, Ad-Aware, SpyBot, Ewido and CCleaner and they found nothing. When I ran Trend Micro Anti-spyware it only found one thing and it always finds this everytime I run the program. It deletes it but always comes back. The jbvfi.exe does not seem to have come back anywhere. Will wait to hear from you before using the browser search to see if anything needs to be fixed or removed..

Thanks

Serge

+++++++++++++++++++++++++++++++++++++++++++++++
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows 2000 Professional Service Pack 4 (Build 2195)

Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\ruins'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\ruins'
Finished Cleaning

#7 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 PM

Posted 22 February 2006 - 08:34 PM

OK Serge, I am not real sure what you said but I will look at the logs and see how you did. I should say you will want the DNS set the way your ISP wants it.

ewido anti-malware - Scan report Created on: 13:14:17, 2006-02-22No surprises in the ewido log, looks like it removed everything it found. I want to give you this information about ewido now: ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Logfile of HijackThis v1.99.1 Scan saved at 15:04:06, on 2006-02-22

We have a problem with this item:
O4 - HKLM\..\Run: [jbvfi.exe] C:\WINNT\system32\jbvfi.exe
In the last log it looked like this:
O4 - HKLM\..\Run: [jbovq.exe] C:\WINNT\system32\jbovq.exe
The Ukranians know we are removing their junk and they have found a way to cause that one item to morph during reboot to keep the infection on the computer. The Fix we are using is supposed to kill the item and the only thing I can think is the it is not doing it because you are running Windows 2000. I removed this several times with these instructions and I will post them for you. I suggest you run through the fix again and this part will come at the end of the fix.

this item: jbvfi.exe <<< is going to change but it will be very similiar and you must locate and delete it as stated in the instructions. We will not have a clean computer until that o4 line no longer appears in the HJT log. The balance of the log is clean.

Read this information over several times so you will know what you must do:
NOTE:
With this infection, it is important you tell the victim, when hijackthis opens after reboot, before the rest loads, (s)he needs to check and fix the random O4 entry starting with dm***.exe
This one will always change after reboot. If that entry is not fixed, it will load again and rename, keeping the infection alive.


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Once this is done, then please post a new HJT log and also tell me what other problems you are having.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#8 SSTG

SSTG
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 23 February 2006 - 11:52 AM

Hi Phil

What I did last night was I found none of the programs would remove jb*exe or remove the line from the register. When I tried to delete it, windows would not let me because it said it was been used. I rebooted in safe mode and renamed the file and removed the line in regedit that said to run jb*exe. I then rebooted in regular mode and run all the anti-virus software that I mentioned in my last message. None of the software found anything except for that 1 message that I mentioned.

This morning after starting my machine I check the register and searched for anything that had DM*exe and JB*exe and found no entries. Also search the hard-drive for DM*exe and JB*.exe and found none.

I read your message this morning and did as you suggested and have included the reports you wanted.

I have tried IE6 search after that to see if it worked properly and it seems to be ok. I get all my toolbars and does not seems to redirect me anywhere I don't want to go. I even did a complete shutdown after and check again the register and files for DM*exe and VB*exe and found nothing.

I think (hope) we got everything.

Let me know if you see anything.

I would like to THANK YOU very much for all your help. Would Firefox have caused me this type of problem if I would have been infected? If all is find I'll start removing some of these anti -softwares. Any suggestion has to what I should keep or get to help prevent or find possible bugs.

Thanks again

Serge

++++++++++++++++++++++++++++++++++++++==


Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool
++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 10:21:52, on 2006-02-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\_communications\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\_communications\eprompter\ePrompter.exe
C:\Program Files\_windows.health\MemTurbo\memturbo.exe
C:\Program Files\_applications\cleanup2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\_communications\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\_communications\eprompter\ePrompter.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\_windows.health\MemTurbo\memturbo.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\_organisation\Copernic 2001 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\_organisation\Copernic 2001 Pro\Copernic.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\_organisation\Copernic 2001 Pro\Translate.htm
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.sunnet.sunlife.com/ceviewer/act...tivexviewer.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...r/goldfever.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O17 - HKLM\System\CS2\Services\Tcpip\..\{6F9FB78E-030F-4E44-B308-EAF37E6BD025}: NameServer = 206.47.244.42,206.47.244.138,10.0.0.32
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#9 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:15 PM

Posted 23 February 2006 - 04:32 PM

Sounds good to me and I have not looked at the HJT log yet :thumbsup: I am going to post for you at the end of this information, the link to a very good free registry editor and instructions for using it. You seem to know you way around your computer, you can use the free editor to give the registry a good cleaning or not as you prefer. Here are a few link that may help you with overall ideas. The IE link is excellant and brings to mind the fact that there are many things besides malware that can cause us problems that we can prevent.
http://www.microsoft.com/windows/IE/commun...s/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Ea...rs_article.html

Your DNS: http://www.whois.sc/206.47.244.42 <<< nice to see that :flowers:

You HJT log is clean, great job I know it was some hard work. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Your free registry cleaner: http://www.hoverdesk.net/freeware.htm

With instructions:
Backup Registry:
Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

I recommend you download RegSeeker. Extract it to it's own folder,
open and double click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked
and click the select all button, then select all again. Then right click within
the search results and select delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot When done.

If you ever wish to learn more about this process, there are free learning opportunites available.

Safe Surfing...Phil :huh:

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users