
HJT - Interpines


7 replies to this topic

#1 Interpines

Interpines

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 04 December 2004 - 12:56 PM

Logfile of HijackThis v1.98.2
Scan saved at 17:45:45, on 04/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\mfcym32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
E:\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sdkqj.exe
C:\WINDOWS\System32\mrtMngr.EXE
E:\Norton AntiVirus\SAVScan.exe
E:\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
E:\SecCopy\SecCopy.exe
C:\Documents and Settings\Vic\Application Data\endi.exe
E:\COMMON~1\tsa\tsm2.exe
C:\WINDOWS\System32\l?gonui.exe
E:\Symantec\WinFax\WFXCTL32.EXE
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
E:\Symantec\WinFax\WFXMOD32.EXE
E:\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\Vic\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
C:\DOCUME~1\Vic\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E73C654-1F01-E183-2A9B-68C20AD02C09} - C:\WINDOWS\system32\sysrb32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PRONoMgr.exe] E:\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QAGENT] E:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sdkqj.exe] C:\WINDOWS\system32\sdkqj.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "E:\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Emus] C:\Documents and Settings\Vic\Application Data\endi.exe
O4 - HKCU\..\Run: [Tsa2] E:\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Vxyffcs] C:\WINDOWS\System32\l?gonui.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Controller.LNK = E:\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\2000\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://e:\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11c15dcfc0e3c1...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048CC38B-40E1-42F1-9E2C-6464DA826621}: NameServer = 194.106.56.6,194.106.33.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{048CC38B-40E1-42F1-9E2C-6464DA826621}: NameServer = 194.106.56.6,194.106.33.42

Having been notified by Norton of a hijack, I immediately closed down. On reboot my browser (IE) had a new front page which cannot be changed back to the original, and I'm plagued by pop-ups all the time. Internet Options will not clear. Ad-Aware & Spybot find the critical files and delete them, only for them to replicate themselves on the next browser start-up. First posting. Any help please?


#2 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 04 December 2004 - 02:05 PM

Hi Interpines,

Download: Clear the Cache from here

Once installed, run CCleaner then tick the following:
[image not preserved]
Then click Run Cleaner (bottom right) then, when it finishes scanning click Exit.

You have a nasty CoolWebSearch infection which requires precise steps to fix:

Please download ServiceFilter.zip. This will reveal potential unauthorized running services in your system. Extract it to a new folder on your desktop. Double-click ServiceFilter.vbs. This script will create a text file named Post_This.txt in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here along with a new Hijackthis log.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.
"Computers are useless. They can only give you answers." Pablo Picasso

#3 Interpines

Interpines
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 05 December 2004 - 06:29 AM

Hi Nirvana - thanks for such prompt help.
This is the Service filter log

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Dec 5, 2004 11:16:36


===> Begin Service Listing <===

Unknown Service #1
Service Name: navapsvc
Display Name: Norton AntiVirus Auto Protect Service
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect ...
Service Type: Own Process
Path: "e:\norton antivirus\navapsvc.exe"
State: Running
Process ID: 1992
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: NetSvc
Display Name: Intel NCS NetService
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: e:\intel\ncs\sync\netsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: e:\norton antivirus\savscan.exe
State: Running
Process ID: 1116
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{a559ca7c-4f8b-425d-95f5-188584a8b066}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: wfxsvc
Display Name: WinFax PRO
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wfxsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #6
Service Name: WinVNC4
Display Name: VNC Server Version 4
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "e:\realvnc\vnc4\winvnc4.exe" -service
State: Running
Process ID: 324


This is the NEW Hijackthis log

Logfile of HijackThis v1.98.2
Scan saved at 11:26:11, on 05/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\mfcym32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\RunDll32.exe
E:\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\wfxsnt40.exe
E:\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sdkqj.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\mrtMngr.EXE
E:\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
E:\SecCopy\SecCopy.exe
C:\Documents and Settings\Vic\Application Data\endi.exe
E:\COMMON~1\tsa\tsm2.exe
C:\WINDOWS\System32\l?gonui.exe
E:\COMMON~1\tsa\ts2.exe
E:\Symantec\WinFax\WFXCTL32.EXE
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
E:\Symantec\WinFax\WFXMOD32.EXE
E:\MICROS~1\2000\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E73C654-1F01-E183-2A9B-68C20AD02C09} - C:\WINDOWS\system32\sysrb32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PRONoMgr.exe] E:\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QAGENT] E:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [sdkqj.exe] C:\WINDOWS\system32\sdkqj.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "E:\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Emus] C:\Documents and Settings\Vic\Application Data\endi.exe
O4 - HKCU\..\Run: [Tsa2] E:\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Vxyffcs] C:\WINDOWS\System32\l?gonui.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Controller.LNK = E:\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\2000\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://e:\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11c15dcfc0e3c1...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048CC38B-40E1-42F1-9E2C-6464DA826621}: NameServer = 194.106.56.6,194.106.33.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{048CC38B-40E1-42F1-9E2C-6464DA826621}: NameServer = 194.106.56.6,194.106.33.42

Your further help will be much appreciated

#4 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 05 December 2004 - 09:03 AM

You haven't given me the full Service Filter log, it stops at this entry:

Unknown Service #6

There is more below that, including the bad service causing your problem.

#5 Interpines

Interpines
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 05 December 2004 - 09:59 AM

Sorry, don't know why the last bit got left behind. Thought I had copied and pasted it all. Hopefully this should be all that was missing:

Unknown Service #6
Service Name: WinVNC4
Display Name: VNC Server Version 4
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "e:\realvnc\vnc4\winvnc4.exe" -service
State: Running
Process ID: 324
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 7
Service Name: %AF
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\mfcym32.exe /s
State: Running
Process ID: 428
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 94 Win32 services on this machine.
7 were unrecognized.

Script Execution Time: 69.625 seconds.

best regards

#6 Nirvana

Nirvana

    In Utero


  • Members
  • 218 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 05 December 2004 - 12:03 PM

Copy and paste the contents of the quotebox to Notepad. Name the file as fix.reg. Change the Save as Type to All Files. Save this file on the desktop, we'll use it a bit later:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Follow the tutorial here to download and configure Ad-Aware: http://www.bleepingcomputer.com/forums/ind...showtutorial=48. Do not run it yet, we'll do that a bit later.

Download AboutBuster. Unzip it to C:\aboutbuster but don't run it yet; we'll do that later on down in this list in SAFE MODE.

Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode.

You may want to print out the rest of these steps to refer to as you go. IMPORTANT: Please stay offline until instructed otherwise, connecting to the internet could cause this fix to fail.

Next, go to Start => Run and type "Services.msc" (without quotes) then hit Ok.

Scroll down and find the services called:

Network Security Service (NSS)

Double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:

mfcym32.exe

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1E73C654-1F01-E183-2A9B-68C20AD02C09} - C:\WINDOWS\system32\sysrb32.dll

O4 - HKLM\..\Run: [sdkqj.exe] C:\WINDOWS\system32\sdkqj.exe
O4 - HKCU\..\Run: [Emus] C:\Documents and Settings\Vic\Application Data\endi.exe
O4 - HKCU\..\Run: [Tsa2] E:\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Vxyffcs] C:\WINDOWS\System32\l?gonui.exe

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11c15dcfc0e3c1...ip/RdxIE601.cab

Navigate to and delete the following files if present. (If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.)

c:\windows\system32\mfcym32.exe <-------- Delete this file.
C:\WINDOWS\system32\exymf.dll <-------- Delete this file.
C:\WINDOWS\system32\sysrb32.dll <-------- Delete this file.
C:\WINDOWS\system32\sdkqj.exe <-------- Delete this file.
C:\Documents and Settings\Vic\Application Data\endi.exe <-------- Delete this file.
E:\COMMON FILES\tsa <-------- Delete this folder.

Still in Safe Mode go to C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder (do this for all usernames).

Finally, go to Control Panel>Internet Options.
On the General tab under: Temporary Internet Files, click: Delete Files
Place a check by: Delete Offline Content when the prompt appears, and click OK.
Next, click on the Programs tab, then click: Reset Web Settings button.
Click Apply, then OK.

Also, empty the Recycle Bin.

Next, we will remove the offending service. Go to Start | Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:

%AF or Network Security Service (NSS)

If any are listed, right-click that entry and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:

LEGACY %AF or LEGACY Network Security Service (NSS)

If any are listed, right-click the entry and choose Delete.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Browse to C:\aboutbuster and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.

Then double-click on the fix.reg file we created earlier on your desktop and when it prompts to merge say yes, this will clear some registry entries left behind by the process.

Now run Ad-Aware.

Reboot into normal mode.

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here. Press 'Restore Original Hosts' and press 'OK'.
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'Default Level', then OK.
Now press 'Custom Level'.
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.


Do an online scan at TrendMicro's site. Let it remove any infected files found.

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review.
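The fix above was written by hand from the logs: the helper picked out the IE settings pointing at a local res:// DLL, the unnamed BHO, the startup items launched from odd locations, and the Trusted Zone additions. The script below is an added example (not code from this thread, from HijackThis or from BleepingComputer) that turns those same observations into triage rules and runs them over sample entries copied from the before (post #1) and after (post #7) logs in the thread. The names `Finding`, `triage` and `residual` and the rule wording are this example's own.

```python
"""Triage heuristics for HijackThis (HJT) log entries, modelled on the kinds
of entries the helper in this thread checked for removal (CoolWebSearch-style
IE hijack). Added example for this page; not code from the thread, from
HijackThis or from BleepingComputer."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One HJT entry per line: section code, " - ", body. Process-list lines,
# headers and blanks do not match and are skipped.
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


# Sample entries copied from the logs posted in the thread (before the fix
# in post #1, after the fix in post #7), trimmed to the lines of interest.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\exymf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1E73C654-1F01-E183-2A9B-68C20AD02C09} - C:\WINDOWS\system32\sysrb32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sdkqj.exe] C:\WINDOWS\system32\sdkqj.exe
O4 - HKCU\..\Run: [Emus] C:\Documents and Settings\Vic\Application Data\endi.exe
O4 - HKCU\..\Run: [Vxyffcs] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""


def check_entry(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry matches one of the heuristics."""
    if section in ("R0", "R1") and "res://" in body:
        # IE start/search pages redirected into a local DLL resource: the
        # about:blank / sp.html hijack seen in this thread.
        return "IE page or search setting redirected to a local res:// DLL"
    if section == "R3" and "is missing" in body:
        return "default URLSearchHook removed"
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    if section == "O4":
        m = re.search(r"\[(?P<name>[^\]]+)\]\s+(?P<path>.+)$", body)
        path = m.group("path") if m else body
        if re.search(r"[^\x20-\x7e]|\?", path):
            # HJT prints '?' for a character it cannot display; here it makes
            # l?gonui.exe look like the legitimate logonui.exe.
            return "unprintable character in startup path"
        if "application data" in path.lower():
            return "startup item launched from a user's Application Data folder"
    if section == "O15":
        return "site added to the Trusted Zone"
    return None


def triage(log: str) -> List[Finding]:
    """Run every heuristic over each HJT entry in the log."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        reason = check_entry(m.group("sec"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, raw.strip()))
    return findings


def residual(before: str, after: str) -> List[Finding]:
    """Findings from the 'before' log still present verbatim in the 'after' log."""
    after_lines = {line.strip() for line in after.splitlines()}
    return [f for f in triage(before) if f.line in after_lines]


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
    print("still present after the fix:")
    for f in residual(BEFORE_LOG, AFTER_LOG):
        print("  ", f.line)
```

Two things the output makes visible. First, `sdkqj.exe` in system32 is not caught by any of these rules, even though the helper fixed it: a Run entry naming a file in system32 looks the same as the legitimate `ctfmon.exe` entry, which is why the helper had to read the log rather than rely on a pattern. Second, `residual` reports that the `O15 - Trusted Zone: *.frame.crazywinnings.com` entry is still in the final log posted in post #7, so the cleanup was not quite complete.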

#7 Interpines

Interpines
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 05 December 2004 - 04:11 PM

Many thanks (fingers crossed) I think I'm now clear. :flowers: :thumbsup:

Scanned at: 19:37:33 on: 05/12/2004
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\atmoUn.exe:denco
C:\WINDOWS\CMIRmDriver.dll:hyjaf


Removed! : C:\WINDOWS\afmsh.dat
Removed! : C:\WINDOWS\bjwdo.dat
Removed! : C:\WINDOWS\dhbfk.dat
Removed! : C:\WINDOWS\iawej.dat
Removed! : C:\WINDOWS\omaxi.dat
Removed! : C:\WINDOWS\pkcgk.dat
Removed! : C:\WINDOWS\wogks.dat
Removed! : C:\WINDOWS\System32\exymf.dll
Removed! : C:\WINDOWS\System32\iaema.dat
Removed! : C:\WINDOWS\System32\kwfii.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

Logfile of HijackThis v1.98.2
Scan saved at 21:05:43, on 05/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
E:\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\wfxsnt40.exe
E:\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\mrtMngr.EXE
E:\Norton AntiVirus\SAVScan.exe
E:\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
E:\SecCopy\SecCopy.exe
E:\Symantec\WinFax\WFXCTL32.EXE
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
E:\Symantec\WinFax\WFXMOD32.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PRONoMgr.exe] E:\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QAGENT] E:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "E:\SecCopy\SecCopy.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = E:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Controller.LNK = E:\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\2000\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = E:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://e:\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048CC38B-40E1-42F1-9E2C-6464DA826621}: NameServer = 194.106.56.6,194.106.33.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{048CC38B-40E1-42F1-9E2C-6464DA826621}: NameServer = 194.106.56.6,194.106.33.42

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:08:19 PM

Posted 16 December 2004 - 04:44 PM

Hi if you are still having a problem:

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log.



