Could Use Some Help


This topic is locked
14 replies to this topic

#1 Danny M

Posted 09 May 2006 - 06:28 PM

So there's a crapload of stuff going on with my computer. A few weeks ago I clicked one of those IM virus links without thinking; usually I'm good about not doing that, but bleep happens, and then everything went to hell. Pop-ups and slowed performance led to more pop-ups, and now, unless I start in safe mode, my computer will only stay on for a minute or two before blue-screening and shutting down. I've run Norton AntiVirus Corporate many times (in safe mode) and also Spy Sweeper (also in safe mode). So I decided to run HijackThis and look to you guys for help. So here goes:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:26 PM, on 5/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\stnvu.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,dotyfdv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [\\Jabbawocky\EPSON Stylus Photo R300 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P43 "\\Jabbawocky\EPSON Stylus Photo R300 Series" /O19 "epson printer port:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard16.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad16.exe
O4 - HKLM\..\Run: [newname] c:\\newname16.exe
O4 - HKLM\..\Run: [mvkqlewA] C:\WINNT\mvkqlewA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [win32081612189291] C:\WINNT\win32081612189291.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinrqag.exe CORN004
O4 - HKLM\..\Run: [hzwmvc] C:\WINNT\system32\hzwmvc.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINNT\pop06ap2.exe
O4 - HKLM\..\Run: [guarnset] C:\WINNT\system32\guarnset.exe
O4 - HKLM\..\Run: [xopgcc] C:\WINNT\system32\xopgcc.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\ckvrux.exe reg_run
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinrqag.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28b34a0b6fdaf9...ip/RdxIE601.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\l4l60e3seh.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\mvlql9351.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Network ICE Corporation - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmVmZg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hkapeaa - Unknown owner - C:\WINNT\system32\hkapeaa.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\mvkqlew.exe (file missing)

Thanks.
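The log above is the format the rest of this thread works from. As an added example (not part of the original post, and not a HijackThis or BleepingComputer tool), the following Python script parses the section codes and flags the patterns a helper looks for: a redirected search page (R1), extra programs on the Winlogon Shell/UserInit values (F2), autoruns that sit directly in the Windows or drive root (O4), Trusted Zone additions (O15), Winlogon Notify packages (O20), and services with no publisher or a svchost.exe outside system32 (O23). The function names, the search-page allowlist and the directory heuristics are my assumptions for illustration; the sample lines are copied from the log above.

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example, not a HijackThis feature)."""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted above, used here as a constructed sample input.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\stnvu.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,dotyfdv.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [win32081612189291] C:\WINNT\win32081612189291.exe
O4 - HKLM\..\Run: [newname] c:\\newname16.exe
O15 - Trusted Zone: *.mmohsix.com
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\mvlql9351.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe
""".strip()

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
# Assumed allowlist of domains a stock IE search/start page may legitimately point at.
SEARCH_ALLOW = ("microsoft.com", "msn.com")
# Default base names of the Winlogon Shell and UserInit values; anything extra is a logon hook.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def image_path(body):
    """Return the first executable/DLL path in a log line body, or None."""
    m = IMAGE_RE.search(body)
    return m.group(1) if m else None


def parent_dir(path):
    """Lower-cased parent directory, doubled separators collapsed, no trailing backslash."""
    return ntpath.dirname(ntpath.normpath(path)).rstrip("\\").lower()


def allowed_host(host):
    """True when host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SEARCH_ALLOW)


def check_line(section, body):
    """Yield one reason per heuristic that fires for a single HijackThis entry."""
    if "(file missing)" in body:
        yield "orphaned entry: the referenced file is gone but the registry pointer is not"
    if section in ("R0", "R1"):
        _, _, url = body.partition("=")
        host = urlsplit(url.strip()).hostname or ""
        if host and not allowed_host(host):
            yield f"IE start/search page points at {host}"
    elif section == "F2":
        key, _, value = body.split(": ", 1)[1].partition("=")
        expected = WINLOGON_DEFAULTS.get(key.strip().lower())
        extras = [v.strip() for v in value.split(",")
                  if v.strip() and ntpath.basename(v.strip()).lower() != expected]
        if extras:
            yield f"Winlogon {key.strip()} also launches: {', '.join(extras)}"
    elif section == "O4":
        path = image_path(body)
        # Legit autoruns live under an application folder; a loose EXE in C:\, C:\WINNT or
        # C:\WINDOWS is the pattern seen throughout this log.
        if path and re.fullmatch(r"[a-z]:(\\(winnt|windows))?", parent_dir(path)):
            yield f"autorun image sits directly in {parent_dir(path)}\\ instead of an application folder"
    elif section == "O15":
        yield "site added to the IE Trusted Zone: " + body.split(":", 1)[1].strip()
    elif section == "O20":
        yield "Winlogon Notify package loads into winlogon.exe at logon; verify the DLL"
    elif section == "O23":
        if "Unknown owner" in body:
            yield "service binary carries no publisher information"
        path = image_path(body)
        if (path and ntpath.basename(path).lower() == "svchost.exe"
                and not parent_dir(path).endswith("\\system32")):
            yield f"svchost.exe running from {parent_dir(path)} (the real one lives in system32)"


def triage(log_text):
    """Parse a HijackThis log and return the entries the heuristics flag, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines and the "Running processes" list carry no section code
        for reason in check_line(m.group("sec"), m.group("body")):
            findings.append(Finding(m.group("sec"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries the heuristics do not catch (such as a random-named EXE inside system32) still need the manual review the helper performs below; the script only narrows the list.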


#2 miekiemoes

Malware Response Team

Posted 10 May 2006 - 05:28 AM

Hello,

I see you posted your log made in safe mode. Next time when I ask for a log, post one made in normal mode.
Also, the next instructions should be performed in normal mode.

This is a really nasty looking log, so we won't be able to deal with all of this at once... so this has to be done step by step.

Please perform the next steps in the right order:

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it, choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
  • Download qoofix.bat (rightclick on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat and close all browsers and Explorer folders.
  • Choose option 1 (Qoofix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another hijackthis log.
* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with the contents of Look2Me-Destroyer.txt present on your desktop and a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Danny M

Posted 10 May 2006 - 02:07 PM

Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:09 PM, on 5/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\SmVmZg\command.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\svchost.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Navnt\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\SYSC00.exe
C:\WINNT\win32081612189291.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [\\Jabbawocky\EPSON Stylus Photo R300 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P43 "\\Jabbawocky\EPSON Stylus Photo R300 Series" /O19 "epson printer port:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard16.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad16.exe
O4 - HKLM\..\Run: [newname] c:\\newname16.exe
O4 - HKLM\..\Run: [mvkqlewA] C:\WINNT\mvkqlewA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [win32081612189291] C:\WINNT\win32081612189291.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinrqag.exe CORN004
O4 - HKLM\..\Run: [hzwmvc] C:\WINNT\system32\hzwmvc.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINNT\pop06ap2.exe
O4 - HKLM\..\Run: [xopgcc] C:\WINNT\system32\xopgcc.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinrqag.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28b34a0b6fdaf9...ip/RdxIE601.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Network ICE Corporation - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmVmZg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hkapeaa - Unknown owner - C:\WINNT\system32\hkapeaa.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\mvkqlew.exe (file missing)

#4 miekiemoes

Malware Response Team

Posted 10 May 2006 - 02:19 PM

Hi, I see you didn't run the Panda online scan.

You have to run it afterwards - because I really need that log. But let's clean up first.

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page won't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard16.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad16.exe
O4 - HKLM\..\Run: [newname] c:\\newname16.exe
O4 - HKLM\..\Run: [mvkqlewA] C:\WINNT\mvkqlewA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [win32081612189291] C:\WINNT\win32081612189291.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinrqag.exe CORN004
O4 - HKLM\..\Run: [hzwmvc] C:\WINNT\system32\hzwmvc.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINNT\pop06ap2.exe
O4 - HKLM\..\Run: [xopgcc] C:\WINNT\system32\xopgcc.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinrqag.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28b34a0b6fdaf9...ip/RdxIE601.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmVmZg\command.exe
O23 - Service: hkapeaa - Unknown owner - C:\WINNT\system32\hkapeaa.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\mvkqlew.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINNT\SmVmZg <= folder
C:\WINNT\svchost.exe <== DON'T try to delete the svchost.exe present in your C:\Winnt\system32-folder, because that one is legit/ok
C:\WINNT\SYSC00.exe
C:\WINNT\win32081612189291.exe
c:\windows\keyboard16.exe
c:\windows\mousepad16.exe
c:\\newname16.exe
C:\WINNT\mvkqlewA.exe
C:\Program Files\Internet Optimizer <== folder
C:\WINNT\system32\lwinrqag.exe
C:\WINNT\system32\hzwmvc.exe
C:\WINNT\pop06ap2.exe
C:\WINNT\system32\xopgcc.exe
C:\WINNT\system32\lwinrqag.exe
C:\WINNT\system32\hkapeaa.exe

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legit files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

* Open hijackthis > click config (bottom right) > misc Tools > 'delete an NT service'
In the field, copy and paste the next names one by one and click OK after pasting each name:

Windows Overlay Components
NetDDEdsma
hkapeaa
cmdService


* Still in safe mode... * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply
together with a fresh HijackThis log and the Ewido log so I can take another look.

#5 Danny M

Posted 10 May 2006 - 08:23 PM

Here's the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:54:51 PM, 5/10/2006
+ Report-Checksum: 58CBED45

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf1 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf2 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf3 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf4 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\WSE\cf5 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\Bho8.adlog -> Adware.Adlogix : Cleaned with backup
HKLM\SOFTWARE\Classes\Bho8.adlog\CLSID -> Adware.Adlogix : Cleaned with backup
HKLM\SOFTWARE\Classes\Bho8.adlog\CurVer -> Adware.Adlogix : Cleaned with backup
HKLM\SOFTWARE\Classes\Bho8.adlog.1 -> Adware.Adlogix : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CLSID -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CurVer -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj.1 -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Adware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1343024091-436374069-1957994488-500\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1343024091-436374069-1957994488-500\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1343024091-436374069-1957994488-500\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@project2.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Default User\Application Data\Mozilla\Firefox\Profiles\ntnnwdva.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\drsmartload46a[1].exe -> Downloader.Adload.aw : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\drsmartload[1].exe -> Downloader.VB.aad : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\keyboard13[1].exe -> Downloader.VB.abj : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\mousepad13[1].exe -> Hijacker.VB.mo : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\nem220[1].dll -> Downloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4V2XYPQP\WHCC2[1].exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IVYFUPIT\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IVYFUPIT\Installer[2].exe -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K7WHGF49\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K7WHGF49\newname13[1].exe -> Downloader.VB.aaf : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\SDCDWTG7\drsmartload45a[1].exe -> Downloader.Adload.aw : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\SDCDWTG7\icomanager[1].bom -> Downloader.Adload.az : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\SDCDWTG7\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\WINNT\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINNT\nem220.dll -> Downloader.Dyfuca : Cleaned with backup
C:\WINNT\pf79.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\WINNT\SmVmZg\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINNT\SmVmZg\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINNT\system32\hcibeeg.sys -> Trojan.Painwin.a : Cleaned with backup
C:\WINNT\system32\hciqyfb.vxd -> Trojan.Painwin.a : Cleaned with backup
C:\WINNT\system32\hiauycd.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINNT\system32\hiipybg.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINNT\system32\hnimygi.dll -> Trojan.Painwin.a : Cleaned with backup
C:\WINNT\system32\hzwmv.dll -> Adware.Adstart : Cleaned with backup
C:\WINNT\system32\hzwmvd.exe -> Adware.Adstart : Cleaned with backup
C:\WINNT\system32\hzwmvf.exe -> Adware.Adstart : Cleaned with backup
C:\WINNT\system32\MPSTKPRP.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\SNP32.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\unpack.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINNT\system32\xopgc.dll -> Adware.Adstart : Cleaned with backup
C:\WINNT\system32\xopgcd.exe -> Adware.Adstart : Cleaned with backup
C:\WINNT\system32\xopgcf.exe -> Adware.Adstart : Cleaned with backup


::Report End

And the Panda:

Incident Status Location

Adware:adware/commad Not disinfected c:\winnt\system32\atmtd.dll
Adware:adware/adlogix Not disinfected c:\winnt\system32\pacifisy.dll
Adware:adware/sqwire Not disinfected c:\winnt\system32\tsuninst.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/deskwizz Not disinfected Windows Registry
Adware:adware/popper Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/e2give Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/popupsearches Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/dollarrevenue Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[2].txt
Spyware:Cookie/aff504 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@aff504[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cassava[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/FindtheWebsiteYouNeed Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.findthewebsiteyouneed[1].txt
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IVYFUPIT\installer[1].exe
Virus:Trj/Downloader.HPZ Not disinfected C:\WINNT\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINNT\pf78.exe[SYSC00.exe]
Adware:Adware/CommAd Not disinfected C:\WINNT\SmVmZg\mApAt0.vbs
Adware:Adware/AdLogix Not disinfected C:\WINNT\system32\install_id6.exe[adstartup.exe]
Adware:Adware/AdLogix Not disinfected C:\WINNT\system32\install_id6.exe[modgxyz.exe]
Adware:Adware/AdLogix Not disinfected C:\WINNT\system32\install_id6.exe[adupdater.exe]
Adware:Adware/SearchAid Not disinfected C:\WINNT\uninstall_nmon.vbs

And the HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:09 PM, on 5/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\SmVmZg\command.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\svchost.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Navnt\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\SYSC00.exe
C:\WINNT\win32081612189291.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [\\Jabbawocky\EPSON Stylus Photo R300 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P43 "\\Jabbawocky\EPSON Stylus Photo R300 Series" /O19 "epson printer port:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard16.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad16.exe
O4 - HKLM\..\Run: [newname] c:\\newname16.exe
O4 - HKLM\..\Run: [mvkqlewA] C:\WINNT\mvkqlewA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [win32081612189291] C:\WINNT\win32081612189291.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinrqag.exe CORN004
O4 - HKLM\..\Run: [hzwmvc] C:\WINNT\system32\hzwmvc.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINNT\pop06ap2.exe
O4 - HKLM\..\Run: [xopgcc] C:\WINNT\system32\xopgcc.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Zeno.lnk = C:\WINNT\system32\lwinrqag.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28b34a0b6fdaf9...ip/RdxIE601.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Network ICE Corporation - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmVmZg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hkapeaa - Unknown owner - C:\WINNT\system32\hkapeaa.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\mvkqlew.exe (file missing)
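The helper reads the O4 (autostart) and O23 (service) lines above by hand; as an added example that is not part of this thread or of HijackThis, the Python below applies the same checks to a handful of lines copied from the log: a registered binary marked "(file missing)", a service with no vendor name, svchost.exe running from anywhere but System32, executables sitting directly in the Windows directory or the drive root, and one binary registered under two different Run names. The only assumption is the HijackThis line layout shown in the log itself.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread; not part of HijackThis or of any post.
The heuristics mirror what the helper looked for by hand in the logs above.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample lines copied from the HijackThis log posted above (a constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [newname] c:\\newname16.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\lwinrqag.exe CORN004
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\SmVmZg\command.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\mvkqlew.exe (file missing)
"""

# O4 Run-key entries look like:  O4 - HKLM\..\Run: [name] command line
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service entries look like:  O23 - Service: display name - vendor - path
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def binary_path(cmd: str) -> str:
    """Return the executable part of a command line, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, e.g. "C:\Program Files\..." -arg
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|vbs|com|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def location_flags(path: str) -> List[str]:
    """Heuristics on where a binary lives, independent of its name."""
    flags: List[str] = []
    parts = [p for p in path.lower().replace("/", "\\").split("\\") if p]
    if len(parts) < 2:                           # bare file name such as mobsync.exe (found via PATH)
        return flags
    base, folder = parts[-1], parts[-2]
    if base == "svchost.exe" and folder != "system32":
        flags.append("svchost.exe outside System32")
    if len(parts) == 2:                          # c:\something.exe
        flags.append("binary in drive root")
    elif len(parts) == 3 and folder in ("winnt", "windows"):
        flags.append("binary directly in the Windows directory")
    return flags


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    seen_commands: Counter = Counter()
    run_entries: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if "(file missing)" in line:
            reasons.append("registered binary is missing from disk")
        m = O4_RUN_RE.match(line)
        if m:
            path = binary_path(m.group("cmd")).lower()
            reasons += location_flags(path)
            seen_commands[path] += 1
            run_entries.append((line, path))
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                reasons.append("service has no identified vendor")
            reasons += location_flags(binary_path(m.group("path")))
        if reasons:
            findings[line] = reasons
    # Second pass: the same executable registered under more than one Run name.
    for line, path in run_entries:
        if seen_commands[path] > 1:
            findings.setdefault(line, []).append("same binary registered under more than one Run name")
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG).items():
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

Note that the lwinrqag.exe entry in System32 trips none of these heuristics even though the helper removed it, which is why the thread still walks every line by hand rather than trusting a filter.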

#6 miekiemoes

Posted 11 May 2006 - 12:26 AM

Hello,

You posted the same HijackThis log as the previous one. I need a new HijackThis log, so rescan with HijackThis and save the log. If it asks if you want to overwrite the previous log, click yes/ok. :thumbsup:

Post the new HijackThis log in your next reply.

Edit... also perform next:

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete next files and folders:

c:\winnt\system32\atmtd.dll
c:\winnt\system32\pacifisy.dll
c:\winnt\system32\tsuninst.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log
C:\WINNT\pf78.exe
C:\WINNT\SmVmZg <== folder, this is a hidden folder, so make sure your hidden files and folders are shown as I asked you previously.
C:\WINNT\system32\install_id6.exe
C:\WINNT\uninstall_nmon.vbs

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Perform this step again:

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of some leftovers if still present.
If you don't have those programs yet, you can find the download locations in my signature.

Then post your new HijackThis log.

Edited by miekiemoes, 11 May 2006 - 12:29 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Danny M (Topic Starter)

Posted 11 May 2006 - 03:11 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:14:28 PM, on 5/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Navnt\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [\\Jabbawocky\EPSON Stylus Photo R300 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P43 "\\Jabbawocky\EPSON Stylus Photo R300 Series" /O19 "epson printer port:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [guarnset] C:\WINNT\system32\guarnset.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Network ICE Corporation - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe

#8 miekiemoes

Posted 11 May 2006 - 03:18 PM

Hello,

almost there...
Check and fix next entry in hijackthis:

O4 - HKLM\..\Run: [guarnset] C:\WINNT\system32\guarnset.exe

Open HijackThis again > click Config (bottom right) > Misc Tools > 'Delete an NT service'.
In the field, copy and paste the next name and click OK after pasting it:

NetDDEdsma

Reboot once again and let me know how things are running now. :thumbsup:

#9 Danny M (Topic Starter)

Posted 11 May 2006 - 03:24 PM

There is a message that says that NetDDEdsma is enabled/running and it will not delete. It says to disable it using the HijackThis scan, which I tried to do but it still claimed it to be enabled. Things are already running much better. There are no pop-ups, things are going faster and the computer actually stays on instead of shutting down within moments of logging in. On a side note, upon start up there is a floppy disk(s) fail message, I am not sure what this is, so if you could enlighten me there that would be great.

#10 miekiemoes

Posted 11 May 2006 - 03:26 PM

Ah ok, that's a bug in hijackthis - hijackthis can't disable the service first because the file is missing..

Ok, try next first..

* Go to start > run and type: services.msc and click OK
Scroll down in that list until you find the service Network DDE DSMA
Double-click on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to disabled.
Click apply and OK and close all open windows.

Then try this step again:

Open HijackThis again > click Config (bottom right) > Misc Tools > 'Delete an NT service'.
In the field, copy and paste the next name and click OK after pasting it:

NetDDEdsma


Let me know if that worked. :thumbsup:

#11 Danny M (Topic Starter)

Posted 11 May 2006 - 03:34 PM

That got it. So everything seems to be back to normal, which is excellent. The only thing that is still weird is the floppy disk(s) fail (40) message that I get in the startup of the computer.

#12 miekiemoes

Posted 11 May 2006 - 03:37 PM

Concerning the floppy disk error upon startup - I guess it's because of this entry in your log:

O4 - HKLM\..\Run: [\\Jabbawocky\EPSON Stylus Photo R300 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P43 "\\Jabbawocky\EPSON Stylus Photo R300 Series" /O19 "epson printer port:" /M "Stylus Photo R300"

Since you don't have XP, you don't have Msconfig either to disable programs from starting up. I don't want you to fix it in your log, because once it's fixed, the startup entry is deleted and not disabled. HijackThis also has the backup option though, so you can restore that line again afterwards, but in that case you may not delete the backup folder from HijackThis.
But we can also create a backup in another way, so perform next...

Go to start > run and copy and paste next line in the field:

regedit /e C:\backup.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Then look on your C:\ if the file backup.reg is created.
Then check and fix next entry in hijackthis:

O4 - HKLM\..\Run: [\\Jabbawocky\EPSON Stylus Photo R300 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P43 "\\Jabbawocky\EPSON Stylus Photo R300 Series" /O19 "epson printer port:" /M "Stylus Photo R300"

Reboot.

Let me know if that solved the problem with the floppy disk error. In case it doesn't, doubleclick the backup.reg to restore that entry again.

#13 Danny M (Topic Starter)

Posted 11 May 2006 - 03:46 PM

That didn't seem to fix it. But that's ok because it is not much of a problem. More importantly, everything else is fixed and running normally. So thank you very much, you have been a tremendous help.

Thanks again,
Dan

#14 miekiemoes

Posted 11 May 2006 - 04:22 PM

That's what I thought: it didn't fix it, because that entry is running from your C:\. I read afterwards that it's the floppy causing that error.
The error you get is probably because the floppy disk drive could not be found.
Make sure both the power and data cables are connected properly into the back of the floppy drive, or just try to re-insert them.
If that doesn't work, then maybe your floppy drive is faulty. :thumbsup:

In case you don't have a floppy drive, then look in your BIOS if it's enabled;
there will be a setting for a floppy drive.

Also read here how to disable Floppy Drive Seek:
http://www.pcmech.com/show/diskette/84/

But if you're unsure, or don't really have the knowledge to do this, it's better to leave it alone and let someone else with the knowledge do it for you.

And glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently and don't forget to update them before.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

You can also find more info on how to prevent malware here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :huh:

#15 miekiemoes

Posted 13 May 2006 - 10:52 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



