HiJacked


17 replies to this topic

#1 gregster
  • Members
  • 10 posts

Posted 03 December 2004 - 01:32 PM

Operating system: XP Home with a wired router. I am being hijacked and need help with this log, PLEASE. Thank you so much in advance. Have run Spybot, Ad-Aware, and Giant. Still get the hijack to 69.20.16.183 and sometimes 69.20.56.3.

Here's the log
Logfile of HijackThis v1.98.2
Scan saved at 9:26:05 AM, on 12/03/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wprras.exe
C:\Documents and Settings\Greg\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxdh32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://corp.alliedhomenet.com/view...tivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub...ash/swflash.cab

Can someone please help me? I've been at this for HOURS with no luck. RoadRunner is my ISP. Alliedhomenet is recognizable to me and should be there.

Thanks so much,
Greg
PS: I ran a security program called Ewido Security Suite which removed the aklsp.dll files; however, the problem still exists...


#2 pskelley
  • Members
  • 1,487 posts

Posted 04 December 2004 - 08:37 AM

Looking at this one...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley
  • Members
  • 1,487 posts

Posted 04 December 2004 - 01:24 PM

Hello Greg, Welcome to BleepingComputers.com. Let's see what we can do.

First, follow the instructions in the following link to download and use LSPFix. Read the instructions carefully, then make sure you check the "I know what I am doing" box, move the bad .dll to the Remove box, and finish.
c:\windows\system32\aklsp.dll
http://www.bleepingcomputer.com/tutorials/using-lsp-fix-to-remove-spyware/

This is Virtumundo, so to be sure we have it all, please download and run the removal tool in this link:
http://securityresponse.symantec.com/avcen...moval.tool.html

You also have a VX2 infection. Make sure your Ad-Aware is updated, then follow the instructions in this tutorial to download and run it.
http://v2.tlab404.com/news/news_item.asp?NewsID=222

Open Task Manager and under the Processes Tab, end process on these items if they are there:
wprras.exe
kalvxdh32.exe


Using these instructions, enable hidden files:
Manual instructions for enabling hidden files:
* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Scan with HijackThis and check each of these line items:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxdh32.exe

Close all programs and browser windows and click "Fix Checked".

Open Windows Explorer (Windows key+e), drill down and delete the following files if found, just the files not the folders:

C:\WINDOWS\system32\wprras.exe

C:\windows\system32\kalvxdh32.exe

Run Disk Cleanup: Start, Run, type "cleanmgr" without the quotes, then OK. Allow Windows to remove anything it locates. Empty the Recycle Bin and reboot the computer. Using Add Reply to stay in this same thread, post a new log along with your comment on how it is running.

Thanks...pskelley

Edited by pskelley, 04 December 2004 - 01:31 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
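The checks pskelley made by eye above (hosts-file entries pointing somewhere other than loopback, an unknown Winsock LSP, a Run-key image to kill and a running image with no visible autostart) can be scripted against the raw HijackThis text. The following is an added example and is not code from the thread, from HijackThis or from any of the tools named; it quotes the O1/O4/O10 lines and a trimmed process list from Greg's log, adds one constructed `ads.example.invalid` hosts entry to show that loopback pins are not flagged, and uses an assumed allow-list of core Windows images that legitimately run from system32 without a Run key.

```python
"""Triage a HijackThis v1.98 log: hosts-file redirects, unknown Winsock LSPs,
and Run-key vs. process-list mismatches. Added example, not from the thread."""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Harmless hosts-file targets: ad blockers pin domains to loopback/null.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names IE 6 resolved for its autosearch feature; pinning them to a foreign
# IP is the search hijack seen in Greg's log.
IE_SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
# Assumed list: system32 images started by the kernel, SCM or winlogon, so no
# O4 (Run key) line is expected for them.
KNOWN_SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "spoolsv.exe", "rundll32.exe",
                       "wuauclt.exe"}

_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_O4 = re.compile(r"^O4 - .*?Run(?:Once)?: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")
_O10 = re.compile(r"^O10 - .*?LSP:\s+(.+?)\s*$")

# Lines quoted from the log above (process list trimmed); the
# ads.example.invalid entry is constructed to exercise the loopback rule.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wprras.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxdh32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""


def image_name(cmd):
    """Lower-case executable name from a Run-key command line, ignoring
    surrounding quotes and trailing arguments."""
    m = re.search(r'[^\\/"]+?\.(?:exe|dll|com|scr)\b', cmd, re.IGNORECASE)
    return m.group(0).lower() if m else ntpath.basename(cmd.strip('"')).lower()


def parse_log(text):
    """Split a log into running-process paths and (section, line) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif (m := re.match(r"^([RFO]\d+) - ", line)):
            entries.append((m.group(1), line))
    return processes, entries


def triage(text):
    """Return Findings for a log, high severity first."""
    processes, entries = parse_log(text)
    running = {ntpath.basename(p).lower() for p in processes}
    autostart, seen_lsp, findings = {}, set(), []

    for section, line in entries:
        if section == "O1" and (m := _O1.match(line)):
            ip, host = m.groups()
            if ip not in LOOPBACK:  # any non-loopback pin overrides DNS for that name
                hijack = host.lower() in IE_SEARCH_HOSTS
                findings.append(Finding("high" if hijack else "medium", "hosts-redirect",
                    f"{host} pinned to {ip}" + (" (IE autosearch hijack)" if hijack else "")))
        elif section == "O4" and (m := _O4.match(line)):
            autostart[image_name(m.group("cmd"))] = line
        elif section == "O10" and (m := _O10.match(line)):
            dll = m.group(1).lower()
            if dll not in seen_lsp:  # HJT prints the DLL once per catalog entry
                seen_lsp.add(dll)
                findings.append(Finding("high", "unknown-lsp",
                    f"{dll} is chained into Winsock; unhook it with an LSP repair tool "
                    "rather than deleting the file, or the catalog points at a missing DLL"))

    for image, line in autostart.items():  # Run key present, image not running
        if image not in running:
            findings.append(Finding("medium", "autostart-not-running",
                f"{image} is set to autostart but is not in the process list: {line}"))
    for path in processes:  # running from system32 with no autostart shown
        image = ntpath.basename(path).lower()
        if "\\system32\\" in path.lower() and image not in KNOWN_SYSTEM_IMAGES \
                and image not in autostart:
            findings.append(Finding("medium", "orphan-process",
                f"{image} runs from system32 with no autostart entry in this log"))

    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: rank[f.severity])
```

Run against the sample, `triage(SAMPLE_LOG)` flags the three 69.20.16.183 hosts entries as an autosearch hijack, one de-duplicated unknown LSP, kalvxdh32.exe as an autostart that is not running, and wprras.exe as a system32 process with no autostart entry in the log; gcasServ.exe is quiet because its Run key and its process match. The two cross-checks are the reason to correlate O4 lines with the process list rather than read either alone: an autostart whose image is absent has usually been killed, renamed or blocked, while a running system32 binary with no visible loader is being started by something HijackThis 1.98 does not list, and both are worth a look before "Fix Checked".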

#4 gregster
  • Topic Starter
  • Members
  • 10 posts

Posted 04 December 2004 - 07:52 PM

First, pskelley, thanks for your reply... this is going to be a long one. Followed your advice exactly; however, files kalvxdh32.exe and wprras.exe not found... I think I have that marked not to load on Windows startup... seems I've seen it before---
Symantec Trojan.Vundo Removal Tool 1.2.4

C:\Documents and Settings\Greg\Local Settings\Temp\Temporary Internet Files\Content.IE5\FH5V9DGT\6searchid%3Dc8a579e94fc8cb34ddab7398d1502830%26search_in%3Dposts%26result_type%3Dtopics%26highlite%3Dhijacked&u_h=600&u_w=800&u_ah=566&u_aw=800&u_cd=32&u_tz=-360&u_his=3&u_java=true (WARNING: not scanned, path to long)
C:\Office11.0\SERVICES\HtmlTransform\BIN\HtmlTrLauncher: (not scanned)
C:\System Volume Information: (not scanned)

Trojan.Vundo has not been found on your computer.

Upon rebooting to run Ad-Aware SE:

Ewido Security Suite finds TrojanDownloader.Small.sg bobby.exe and removes it.

Then GIANT AntiSpyware engages and says: Warning, EliteToolbar.dll found.
Searchmiracle EliteBar Plugin found but NOT ALLOWED to install to IE.

Then Ad-Aware SE was run with the following results...
Logfile Created on:12/04/2004 5:21:28 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R21 03.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):23 total references
MRU List(TAC index:0):19 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
Redirected hostfile entry(TAC index:4):5 total references
SahAgent(TAC index:9):12 total references
Tracking Cookie(TAC index:3):38 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-04-04 5:21:28 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\Greg\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Greg\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 424
ThreadCreationTime : 12-04-04 11:16:10 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 496
ThreadCreationTime : 12-04-04 11:16:23 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 540
ThreadCreationTime : 12-04-04 11:16:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 552
ThreadCreationTime : 12-04-04 11:16:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 700
ThreadCreationTime : 12-04-04 11:16:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 820
ThreadCreationTime : 12-04-04 11:16:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1120
ThreadCreationTime : 12-04-04 11:16:26 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1680
ThreadCreationTime : 12-04-04 11:16:35 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:9 [gcasserv.exe]
FilePath : C:\Program Files\GIANT Company Software\GIANT AntiSpyware\
ProcessID : 1764
ThreadCreationTime : 12-04-04 11:16:36 PM
BasePriority : Idle
FileVersion : 1.00.0349
ProductVersion : 1.00.0349
ProductName : GIANT AntiSpyware Service
CompanyName : GIANT Company Software inc.
FileDescription : GIANT AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2001-2004, GIANT Company Software Inc. All rights reserved.
LegalTrademarks : GIANT Company, GIANT Company Software, GIANT AntiSpyware, SpyNet are trademarks of GIANT Company Software inc.
OriginalFilename : gcasServ.exe
Comments : GIANT AntiSpyware created by GIANT Company Software inc.

#:10 [mainserv.exe]
FilePath : C:\Program Files\APC\APC PowerChute Personal Edition\
ProcessID : 1832
ThreadCreationTime : 12-04-04 11:16:36 PM
BasePriority : Normal
FileVersion : 1, 3, 1, 0
ProductVersion : 1, 3, 1, 0
ProductName : APC PowerChute Personal Edition
CompanyName : American Power Conversion Corporation
FileDescription : Battery backup management service
InternalName : PowerChute
LegalCopyright : Copyright © 2003
OriginalFilename : PowerChute
Comments : Battery backup management service

#:11 [crypserv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1848
ThreadCreationTime : 12-04-04 11:16:37 PM
BasePriority : High
FileVersion : 5.4.0
ProductVersion : 5.4
ProductName : CrypKey Software Licensing System
CompanyName : Kenonic Controls Ltd.
FileDescription : CrypKey NT Service
InternalName : crypserv
LegalCopyright : Copyright © 2000
LegalTrademarks : CrypKey
OriginalFilename : crypserv.exe
Comments : Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths

#:12 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1880
ThreadCreationTime : 12-04-04 11:16:37 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:13 [ewidoguard.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1892
ThreadCreationTime : 12-04-04 11:16:37 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

#:14 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1956
ThreadCreationTime : 12-04-04 11:16:37 PM
BasePriority : Normal
FileVersion : 8.07.17
ProductVersion : 8.07.17
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:15 [microsoft.office.htmltrans.launcher.exe]
FilePath : c:\office11.0\services\htmltransform\bin\
ProcessID : 368
ThreadCreationTime : 12-04-04 11:16:44 PM
BasePriority : Normal


#:16 [gcasdtserv.exe]
FilePath : C:\Program Files\GIANT Company Software\GIANT AntiSpyware\
ProcessID : 108
ThreadCreationTime : 12-04-04 11:16:47 PM
BasePriority : Normal
FileVersion : 1.00.0411
ProductVersion : 1.00.0411
ProductName : GIANT AntiSpyware
CompanyName : GIANT Company Software inc.
FileDescription : GIANT AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2001-2004, GIANT Company Software Inc. All rights reserved.
LegalTrademarks : GIANT Company, GIANT Company Software, GIANT AntiSpyware, SpyNet are trademarks of GIANT Company Software inc.
OriginalFilename : gcasDtServ.exe
Comments : GIANT AntiSpyware created by GIANT Company Software inc.

#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 916
ThreadCreationTime : 12-04-04 11:16:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 12-04-04 11:17:36 PM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:19 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2552
ThreadCreationTime : 12-04-04 11:19:06 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:20 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2920
ThreadCreationTime : 12-04-04 11:21:11 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a9b28ef6-abf3-463b-a3d8-4d0d0badfadc}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a9b28ef6-abf3-463b-a3d8-4d0d0badfadc}
Value :

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dbf33e89-1784-42ac-ade4-a428f56550a3}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dbf33e89-1784-42ac-ade4-a428f56550a3}
Value :

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{ca9fc31a-6f35-4493-b629-e64bd6170a17}\1.0

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{ca9fc31a-6f35-4493-b629-e64bd6170a17}\1.0
Value :

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{ca9fc31a-6f35-4493-b629-e64bd6170a17}

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-953129233-1163395192-3403473811-1005\software\lq
Value : AC

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : S-1-5-21-953129233-1163395192-3403473811-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{28CAEFF3-0F18-4036-B504-51D73BD81ABC}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects
Value : {28CAEFF3-0F18-4036-B504-51D73BD81ABC}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 29


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : S-1-5-21-953129233-1163395192-3403473811-1005\Software\Microsoft\Internet ExplorerSearchURLsearchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-953129233-1163395192-3403473811-1005\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : "http://searchmiracle.com/sp.php"

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 30


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@ehg-rr.hitbox[1].txt
Category : Data Miner
Comment : Hits:9
Value : Cookie:greg@ehg-rr.hitbox.com/
Expires : 12-04-05 4:22:06 PM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@doubleclick[2].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:greg@doubleclick.net/
Expires : 12-04-04 4:59:36 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@zedo[1].txt
Category : Data Miner
Comment : Hits:7
Value : Cookie:greg@zedo.com/
Expires : 12-02-14 2:55:32 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@ads.addynamix[2].txt
Category : Data Miner
Comment : Hits:42
Value : Cookie:greg@ads.addynamix.com/
Expires : 12-05-04 5:22:16 PM
LastSync : Hits:42
UseCount : 0
Hits : 42

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@adrevolver[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:greg@media.adrevolver.com/adrevolver/
Expires : 08-30-07 1:37:02 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@mediaplex[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:greg@mediaplex.com/
Expires : 06-21-09 6:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@edge.ru4[1].txt
Category : Data Miner
Comment : Hits:7
Value : Cookie:greg@edge.ru4.com/
Expires : 02-02-05 4:43:24 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@overture[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:greg@overture.com/
Expires : 12-02-14 4:18:22 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@hitbox[1].txt
Category : Data Miner
Comment : Hits:20
Value : Cookie:greg@hitbox.com/
Expires : 12-04-05 4:22:06 PM
LastSync : Hits:20
UseCount : 0
Hits : 20

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@casalemedia[2].txt
Category : Data Miner
Comment : Hits:7
Value : Cookie:greg@casalemedia.com/
Expires : 11-25-05 8:44:30 AM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@maxserving[1].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:greg@maxserving.com/
Expires : 12-02-14 12:37:04 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@trafficmp[1].txt
Category : Data Miner
Comment : Hits:7
Value : Cookie:greg@trafficmp.com/
Expires : 12-04-05 3:24:38 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@revenue[1].txt
Category : Data Miner
Comment : Hits:41
Value : Cookie:greg@revenue.net/
Expires : 06-09-22 11:05:42 PM
LastSync : Hits:41
UseCount : 0
Hits : 41

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 43



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Object "lsp_.dll" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup.cab
Category : Data Miner
Comment : Object "lsp_.dll" found in this archive.
Object : C:\Documents and Settings\Greg\Local Settings\Temp\


Object "SAHAgent_.exe" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup.cab
Category : Data Miner
Comment : Object "SAHAgent_.exe" found in this archive.
Object : C:\Documents and Settings\Greg\Local Settings\Temp\


Object "SahHtml_.exe" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup.cab
Category : Data Miner
Comment : Object "SahHtml_.exe" found in this archive.
Object : C:\Documents and Settings\Greg\Local Settings\Temp\



Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@adrevolver[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@adrevolver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@ads.addynamix[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@ads.addynamix[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@casalemedia[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@casalemedia[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@doubleclick[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@doubleclick[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@edge.ru4[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@edge.ru4[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@ehg-rr.hitbox[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@ehg-rr.hitbox[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@hitbox[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@hitbox[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@maxserving[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@maxserving[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@mediaplex[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@mediaplex[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@overture[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@overture[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@revenue[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@revenue[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@trafficmp[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@trafficmp[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@zedo[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@zedo[1].txt
Object "lsp_.dll" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup[1].cab
Category : Data Miner
Comment : Object "lsp_.dll" found in this archive.
Object : C:\Documents and Settings\Greg\Local Settings\Temp\Temporary Internet Files\Content.IE5\FH5V9DGT\


Object "SAHAgent_.exe" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup[1].cab
Category : Data Miner
Comment : Object "SAHAgent_.exe" found in this archive.
Object : C:\Documents and Settings\Greg\Local Settings\Temp\Temporary Internet Files\Content.IE5\FH5V9DGT\


Object "SahHtml_.exe" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup[1].cab
Category : Data Miner
Comment : Object "SahHtml_.exe" found in this archive.
Object : C:\Documents and Settings\Greg\Local Settings\Temp\Temporary Internet Files\Content.IE5\FH5V9DGT\


Object "lsp_.dll" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup.cab
Category : Data Miner
Comment : Object "lsp_.dll" found in this archive.
Object : C:\WINDOWS\Downloaded Program Files\


Object "SAHAgent_.exe" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup.cab
Category : Data Miner
Comment : Object "SAHAgent_.exe" found in this archive.
Object : C:\WINDOWS\Downloaded Program Files\


Object "SahHtml_.exe" found in this archive.

SahAgent Object Recognized!
Type : File
Data : bunSetup.cab
Category : Data Miner
Comment : Object "SahHtml_.exe" found in this archive.
Object : C:\WINDOWS\Downloaded Program Files\



SahAgent Object Recognized!
Type : File
Data : lsp_.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Downloaded Program Files\
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : ShopAtHomeSelect LSP
CompanyName : ShopAtHomeSelect
FileDescription : LSP
InternalName : LSP
LegalCopyright : Copyright © 2004
OriginalFilename : LSP.DLL


SahAgent Object Recognized!
Type : File
Data : SAHAgent_.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Downloaded Program Files\
FileVersion : 2, 0, 0, 5
ProductVersion : 2, 0, 0, 5
ProductName : ShopAtHomeSelect SahAgent
CompanyName : ShopAtHomeSelect
FileDescription : SahAgent
InternalName : SahAgent
LegalCopyright : Copyright © 2004
OriginalFilename : SahAgent.exe
Comments : Rules, pop-up. without serach and incremental update


SahAgent Object Recognized!
Type : File
Data : SahHtml_.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Downloaded Program Files\
FileVersion : 2, 0, 0, 3
ProductVersion : 2, 0, 0, 3
ProductName : ShopAtHomeSelect SAHHtml
CompanyName : ShopAtHomeSelect
FileDescription : SAHHtml
InternalName : SAHHtml
LegalCopyright : Copyright © 2004
OriginalFilename : SahHtml_.exe
Comments : Search engine


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@adrevolver[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@adrevolver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@atdmt[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@atdmt[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@bilbo.counted[2].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@bilbo.counted[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@casalemedia[2].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@casalemedia[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@doubleclick[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@doubleclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@edge.ru4[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@edge.ru4[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@gator[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@gator[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@revenue[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@revenue[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@statcounter[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@statcounter[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@trafficmp[2].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@trafficmp[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@z1.adserver[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@z1.adserver[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@zedo[1].txt
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\greg@zedo[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 80


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
16 entries scanned.
New critical objects:5
Objects found so far: 85




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 14
Objects found so far: 99

5:38:04 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:35.891
Objects scanned:163512
Objects identified:80
Objects ignored:0
New critical objects:80

And Finally, the HJT log

Logfile of HijackThis v1.98.2
Scan saved at 6:43:19 PM, on 12/04/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wprras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Greg\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/index.htm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://corp.alliedhomenet.com/viewer/activ...tivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

That's as detailed as I can be.

THANK YOU!

Greg

#5 pskelley

Posted 04 December 2004 - 08:34 PM

Greg, Did you run the VX2 plug-in for Ad-aware? That is a plug-in for Ad-aware that removes the infection that causes the 01 lines. Thanks for all of the information, please let me know about the above questions. I will not need any Ad-aware logs. Your log did not indicate you were running in selective startup. I need to see the whole log, please enable all in msconfig, then scan with HJT and post that log. You do not need to reboot, and can disable items you do not want to run. I must see what is there though. Thanks...pskelley

Edited by pskelley, 04 December 2004 - 08:35 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#6 gregster

  • Topic Starter

Posted 04 December 2004 - 08:59 PM

Yes, I did install and run VX2 in Ad-aware SE as you instructed...

Here's the latest HJT log....note the 01's are gone, but when I go back into HJT to scan again, they have returned... I did enable all in the Startup...sorry about that.


Logfile of HijackThis v1.98.2
Scan saved at 7:49:05 PM, on 12/04/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wprras.exe
c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Greg\Desktop\New Folder\HijackThis.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServAlert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/index.htm
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://corp.alliedhomenet.com/viewer/activ...tivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

#7 pskelley

Posted 05 December 2004 - 06:08 PM

Hi Greg, Please reboot and post a fresh log for us. It appears this:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

is the new Look2Me infection, and our experts want a new look at what the log looks like now. Thanks...pskelley
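The O1 lines pskelley points at above are hosts-file entries that pin Microsoft's and Netscape's search hostnames (and IE's internal `ieautosearch` name) to 69.20.16.183, so that Internet Explorer's address-bar search requests resolve to that address instead of the real servers. As an added example that is not part of this thread and is not code from HijackThis, Ad-Aware or ewido, the Python script below parses either a raw hosts file or HijackThis O1 lines and flags any watched hostname that is mapped to an address other than a loopback or unspecified sink (127.0.0.1 and 0.0.0.0 are what legitimate ad-blocking hosts files use, so those are not reported). The `WATCHED_HOSTS` list and the sample hosts-file content are assumptions constructed from the entries shown in the thread.

```python
"""Flag hosts-file entries that redirect well-known search hostnames.

Added example, not code from the thread or from any of the tools named
in it (HijackThis, Ad-Aware, ewido). It parses both raw hosts-file lines
and HijackThis "O1 - Hosts:" lines and reports any mapping of a watched
hostname to a non-sinkhole address. The sample input below is constructed
from the entries shown in the thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Hostnames a legitimate hosts file has no reason to pin. This list is an
# assumption for the example; extend it with whatever your environment treats
# as sensitive (update servers, AV vendors, banking domains, ...).
WATCHED_HOSTS = {
    "auto.search.msn.com",
    "search.netscape.com",
    "ieautosearch",  # IE's internal autosearch name, abused by CWS variants
}

_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def is_sinkhole(addr: str) -> bool:
    """True for loopback/unspecified targets (127.0.0.1, ::1, 0.0.0.0).

    Those are the normal blackhole targets of ad-blocking hosts files;
    anything else routes the name to a real host.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_line(line: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from a hosts-file line or an HJT O1 line."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    if not line:
        return []
    m = _O1.match(line)
    if m:
        return [(m.group(1), m.group(2).lower())]
    parts = line.split()
    if len(parts) < 2:
        return []
    ip, names = parts[0], parts[1:]  # one IP may carry several names
    return [(ip, n.lower()) for n in names]


def find_hijacks(lines: List[str]) -> Dict[str, List[str]]:
    """Map each offending target address to the sorted watched names pinned to it."""
    hits: Dict[str, set] = {}
    for line in lines:
        for ip, name in parse_line(line):
            if is_sinkhole(ip):
                continue  # "127.0.0.1 localhost" and friends are fine
            if name in WATCHED_HOSTS:
                hits.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample mirroring the thread's HJT and Ad-Aware findings
# (duplicate entries included, as the logs show them).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
69.20.16.183    ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
0.0.0.0         ad.doubleclick.net
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks: {', '.join(names)}")
```

To run it against the live file, read `C:\WINDOWS\system32\drivers\etc\hosts` (the location Ad-Aware reports earlier in the thread) into `find_hijacks` instead of `SAMPLE_HOSTS`. Because Greg reports the O1 lines reappearing after a HijackThis fix, running the check again after a reboot is a cheap way to tell whether the component rewriting the file is still active, before spending time on another cleanup pass.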

#8 gregster

  • Topic Starter

Posted 05 December 2004 - 08:38 PM

Here's the new log after reboot.

Logfile of HijackThis v1.98.2
Scan saved at 7:34:09 PM, on 12/05/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINDOWS\system32\wprras.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\office11.0\services\htmltransform\bin\microsoft.office.htmltrans.launcher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJacked\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/index.htm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://corp.alliedhomenet.com/viewer/activ...tivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

Thank You,
Greg

#9 gregster

  • Topic Starter

Posted 06 December 2004 - 01:52 AM

Look at this scan report...I thought it might help you. I can't believe all this...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:47:52 AM, 12/06/04
+ Report-Checksum: 40D9FA26

+ Date of database: 12/05/04
+ Version of scan engine: v3.0

+ Duration: 88 min
+ Scanned Files: 148430
+ Speed: 27.93 Files/Second
+ Infected files: 54
+ Removed files: 44
+ Files put in quarantine: 44
+ Files that could not be opened: 0
+ Files that could not be cleaned: 10

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@11199995[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@ads.xtra.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@ehg-rr.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@phg.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@S005-01-5-27-250686-77323[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@S140377[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\5D8374B2-82ED-4909-AE44-26DA32\3FE31940-05C6-4A5C-B8DA-6D0608 -> Spyware.EliteToolBar -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\63500537-D07F-495F-B16B-5F61F6\8DCF68C5-5FA2-4915-95F2-DB5EDC -> Spyware.EliteToolBar -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\7C99962D-66E2-44A8-84F3-50098B\623FD03C-6C3F-4B6C-920E-90F2DF -> Spyware.EliteToolBar -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\A51F807C-555B-4051-AE79-048B39\EB7DE75C-CDB5-491A-8EDD-763D50 -> Spyware.EliteToolBar -> Cleaned with backup
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\Quarantine\AF009F35-C9B6-4ABD-BEBB-32B6ED\D3A870F2-764A-4EBE-BD46-A8A179 -> Spyware.EliteToolBar -> Cleaned with backup
C:\prot.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\sidebDD.exe -> Spyware.EliteBar.v -> Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\sideb.exe -> Spyware.EliteBar.v -> Cleaned with backup
C:\WINDOWS\SYSTEM32\akrules.dll -> TrojanDownloader.Agent.bt -> Cleaned with backup
C:\WINDOWS\SYSTEM32\akupd.dll -> Spyware.Ezula -> Cleaned with backup
C:\WINDOWS\SYSTEM32\carules.dll -> Spyware.CouponAge -> Cleaned with backup
C:\WINDOWS\SYSTEM32\dLtime.dll -> Spyware.Look2Me.r -> Cleaned with backup
C:\WINDOWS\SYSTEM32\doolsav.dat -> Spyware.EliteToolBar -> Cleaned with backup


Greg

#10 pskelley

Posted 06 December 2004 - 07:56 AM

Windows XP SP2

Hi greg, I can say this malware is being worked on at several forums, as it appears the procedure that has been used is not doing the same job it was. I am waiting for information from experts who are consulting over the fix as it is occurring. The outward signs are the 01 lines in the log.
It looks like much of your log from ewido security suite are cookies and items that have been cleaned by the software. You might want to clean out all cookies and delete the quarantined items then run a new log in ewido security suite to see if that stuff is not all gone. You can do a good clean up with clean manager: Start, Run type "cleanmgr" without the quotes then ok. Allow the program to delete anything it locates. It may take a while for this to be resolved, and they will probably want a new log at the last minute so they can see any changes that have occurred, and changes you have made with ewido security suite. Thanks for your patience...pskelley

PS: I would not mind seeing a new ewido security suite log once you have cleaned and emptied quarantine. I am interested if the software will report this VX2 infection.

#11 gregster

  • Topic Starter

Posted 06 December 2004 - 12:21 PM

I deleted cookies and temp files, deleted all quarantined from Ewido Suite, ran cleanmgr which found 32k of data to delete. After running Ewido Suite yesterday, Ad-Aware still showed VX2.

Host file shows 127.0 etc plus the other 01 files from HJT shown earlier.
Ewido Suite is free for 13 more days and then I have to buy it.

Getting a few eblocs pop-ups and others as well. I've never had any problems with malware in my life. I run a financial services business that serves 800+ clients a year from home and this is quite annoying.

I have a Peer to Peer network...The other machine is not infected. Any idea how long it might take to get a handle on this?

Here's the log you asked for...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:01:40 AM, 12/06/04
+ Report-Checksum: BEB6240A

+ Date of database: 12/06/04
+ Version of scan engine: v3.0

+ Duration: 71 min
+ Scanned Files: 146160
+ Speed: 34.17 Files/Second
+ Infected files: 8
+ Removed files: 8
+ Files put in quarantine: 8
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@ehg-rr.hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temp\Cookies\greg@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\21SP4ZO1\AppWrap[2].exe -> TrojanDownloader.QDown.m -> Cleaned with backup
C:\WINDOWS\SYSTEM32\carules.dll -> Spyware.CouponAge -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\greg@gator[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\greg@www.xzoomy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\greg@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\greg@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

Thanks
Greg

#12 pskelley

Posted 06 December 2004 - 12:36 PM

Hi Greg, I wish I could give you more information. We are all volunteers and have jobs to go to and families. I see most activity in the evenings. The folks looking at the infection get email anytime there is a new post, so your last log is waiting for review, and of course you get messaged anytime there is a post.
Thanks...pskelley

#13 gregster

  • Topic Starter

Posted 06 December 2004 - 01:37 PM

Please don't misunderstand, I am very grateful for your efforts. If you need help with income taxes, just ask me,...that's my expertise, anywhere in the United States.

Thanks again,
Greg

#14 gregster

  • Topic Starter

Posted 06 December 2004 - 05:45 PM

pskelley,

Thank you for all of your assistance with my problem...Today I contacted a local tech support company who eradicated the VX2 from my machine. Prior to calling a tech I tried VX2 Finder and it didn't allow me to delete the active files...

15 active DLLs were found and eradicated associated with VX2.

A setting was being changed upon Active Desktop load which ran some of the DLL's.

The fix was done using Bart PE to create a Windows Pre Install CD.

The machine was then booted from the CD which had the uninfected registry files...and the infected files were replaced with the clean ones. I didn't actually watch while it was being done, but it took about half an hour.

I just mention the technique in the hopes it will help someone else.

Thanks again to you for taking your valuable time to work with me.

Your efforts were and are sincerely appreciated.

Greg

#15 pskelley

Posted 06 December 2004 - 06:00 PM

Thanks Greg for sharing this information with me. I will pass it along in the hopes that it will prove useful as I know of MANY instances of this problem across the forums. I know that many folks are scrambling to defeat this problem. It seems the malware writers have more resources at their disposal than the malware removers. We will not give up the battle! I will include the links I give to anyone whose log is clean in the event something there will help you stay uninfected.

Thanks to Tony Klein, Texruss and ChrisRLG for this information:
http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://www.cjwd.demon.co.uk/compsafetyonline.html

Thanks...pskelley
BleepingComputer.com

Edited by pskelley, 06 December 2004 - 06:31 PM.

