Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Viruses and Homepage Hijackers


  • This topic is locked This topic is locked
20 replies to this topic

#1 jupiter

jupiter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 19 June 2004 - 08:45 AM

First, my desktop wallpaper has been replaced by a page that warns I'm "in Danger" and that I need to clean up my system before the FBI (or KGB, most likely) comes to take me away. A click on this page links me to a URL of http://smart-security.info/cffd=DNN-1. Of course they want me to buy their "Smartsecurity Privacy Protection Tool". Also, having trouble with my homepage being hijacked by "coolsearch.biz/. Also, my computer moves at a snail's pace. Additiionally, I can't load my Work Perfect. When I try, I get the message"Unable to to locate SHELL.DLL" (which is present) and then tells me to check the path to be sure it's correct. When trying to reinstall WP, I get the same messages and it goes no further. I have been running untilities until I'm ready to scream, which find all kinds of stuff and either deletes the files or disables the viruses. Yet, nothing changes. It's all still there. I have been running:
Norton AV, Ad-aware 6, HJT, SpyBot, Trojan Hunter, the free versions of Bit defender, Panda AV, and McAfee AV. I'm just about to the point of reinstalling Windows XP, but I don't know if even that will be effective. Please help if you can.

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 AM

Posted 19 June 2004 - 10:55 AM

Hi jupiter,
Sounds like you may be infested with the VX2 parasite. To find out please do this:

Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe

Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Post the contents of that log along with a HijackThis log in your next reply please.

The thing about people

is they change

when they walk away.--Mipso


#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:25 AM

Posted 19 June 2004 - 11:01 AM

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

or here:

http://computercops.biz/downloads-cat-14.html

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers & Spyware

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 AM

Posted 19 June 2004 - 11:23 AM

Ack, my bad. Hold off on the VX2Finder. We should always look at a HT log first to see what's going on. Suggest you do just as Grinler says.

The thing about people

is they change

when they walk away.--Mipso


#5 jupiter

jupiter
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 21 June 2004 - 08:32 AM

Hi, Papakid. Thanks for your reply. Sorry for my delay in getting back. My VX2 log is:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
AtHome021SI IEAKExcite@Home

My HJT log is:

Logfile of HijackThis v1.97.7
Scan saved at 8:56:12 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\services\exploit.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\dos64.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\csrss.exe
C:\documents and settings\preferred customer\local settings\temp\WnF9t3rXO.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\xresbcfb.exe
C:\WINDOWS\System32\evwcrt10.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\mstasks2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Preferred Customer\Application Data\ruua.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\fpwrabyte.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\efax\HotTray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\VwsJ.exe
C:\WINDOWS\System32\VwsJ.exe
C:\Program Files\WebSiteViewer\121689.dlr
C:\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe
O4 - HKLM\..\Run: [WnF9t3rXO] C:\documents and settings\preferred customer\local settings\temp\WnF9t3rXO.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [24CHEW55LRXQF5] C:\WINDOWS\System32\Qyr0w1A.exe
O4 - HKLM\..\Run: [gyxkpzvyv] C:\WINDOWS\System32\xresbcfb.exe
O4 - HKLM\..\Run: [pt8k36U] evwcrt10.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [Rtsh] C:\Documents and Settings\Preferred Customer\Application Data\ruua.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [YArqRWYpj] fpwrabyte.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:25 AM

Posted 21 June 2004 - 11:03 AM

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to gaurantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items. Please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing enties with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#7 jupiter

jupiter
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 21 June 2004 - 03:49 PM

Hi, Grinler. I followed your instructions to the letter. I couldn't do an update on CWS (either it was being blocked or the server was busy), but I downloaded it not too long ago and updated it since. My HJT scan is below:

Logfile of HijackThis v1.97.7
Scan saved at 4:43:33 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\dos64.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\documents and settings\preferred customer\local settings\temp\WnF9t3rXO.exe
C:\WINDOWS\System32\evwcrt10.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\fpwrabyte.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [WnF9t3rXO] C:\documents and settings\preferred customer\local settings\temp\WnF9t3rXO.exe
O4 - HKLM\..\Run: [pt8k36U] evwcrt10.exe
O4 - HKLM\..\Run: [AutoLoaderpErK1IJjcJbP] "C:\WINDOWS\System32\evwcrt10.exe"
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [YArqRWYpj] fpwrabyte.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


I appreciate your help.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:25 AM

Posted 21 June 2004 - 04:07 PM

Please zip up and send the following files to grinler@yahoo.com:

C:\WINDOWS\System32\NDrv.dll
and
C:\WINDOWS\System32\NDrv.exe

Thanks

I want you to fix some of those entries. Please do the following:


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [WnF9t3rXO] C:\documents and settings\preferred customer\local settings\temp\WnF9t3rXO.exe
O4 - HKLM\..\Run: [pt8k36U] evwcrt10.exe
O4 - HKLM\..\Run: [AutoLoaderpErK1IJjcJbP] "C:\WINDOWS\System32\evwcrt10.exe"
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [YArqRWYpj] fpwrabyte.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Reboot your computer into Safe Mode and delete the following files:

Then delete these
C:\WINDOWS\System32\services\
C:\documents and settings\preferred customer\local settings\temp\WnF9t3rXO.exe
C:\WINDOWS\System32\evwcrt10.exe
C:\WINDOWS\System32\wnsintcc.exe
C:\WINDOWS\System32\fpwrabyte.exe
C:\WINDOWS\System32\P2P Networking\

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#9 jupiter

jupiter
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 21 June 2004 - 05:16 PM

Hi, again. I followed your instructions again. I couldn't find a file" C:WINDOWS\System32\fpwrabyte.exe", but there was a file of the same name but with the extension .dll. Should I delete that file or leave it as is? Below is my latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 6:10:20 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\dos64.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\efax\HotTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Downloads\HijackThis.exe

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab


Thanks, again.

#10 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 21 June 2004 - 06:30 PM

Fix these:

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Reboot into safe mode:

delete the following files:

C:\Program Files\AutoUpdate\

reboot and post a new log

#11 jupiter

jupiter
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  

Posted 21 June 2004 - 09:11 PM

Hello, Plimsol. Thanks for your reply and advice. I did as you instructed and below is my latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 10:01:58 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\dos64.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\efax\HotTray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab

Things do seem to be clearing up, although I still have that malware problem on my desktop. But that problem seems pretty minor in comparison to the other infestations I had.

Thanks, again.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:25 AM

Posted 21 June 2004 - 09:28 PM

The entries look good buit there are some items that do not look right in the running processes. Please email me the following two files:

C:\WINDOWS\System32\NDrv.dll
C:\WINDOWS\System32\NDrv.exe

Zip them up and email them to grinler@yahoo.com

It is important that you do this so I can see if I should have you delete them

#13 jupiter

jupiter
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 21 June 2004 - 09:42 PM

OK. I'll send them immediately.

#14 jupiter

jupiter
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 21 June 2004 - 09:54 PM

Hey, guess what. I just received the following email from the Smartsecurity people.

Dear Visitor,
Thanks for your time.

We apologize for actions of several our advertisers.
We are investigating their promotion business.

Please, help us. Please, report all cases of illegal product promotion, such as SPAM.


TO REMOVE DESKTOP ADVERTISEMENT:

- Right click at the very top of the screen it should appear as a standard options menu.
- Select Properties - Desktop tab.
- Click "Customize Desktop" button at the bottom.
- Select "Web" Tab.
- Uncheck "Security" checkbox.

Also we have prepared free desktop removal utility to help
to fight with desktop advertisements of our software:
http://www.smart-security.info/removal.html
--
Regards,
SmartSecurity Team


I tried the first solution they posted, but it didn't work for me. So I downloaded the free desktop removal utility and ran that and IT WORKED!!!!! So here's one for you guys. After all the help you've been giving me, maybe you can use this to help someone else.

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,676 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:25 AM

Posted 21 June 2004 - 10:21 PM

Jupiter,

Please post a new log. I would never trust anything these companies send out as their removal tools have been known to make matters worse.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users