
Trojan Qhost / Tmp0374.exe


14 replies to this topic

#1 Mikz86TA

Mikz86TA

  • Members
  • 119 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 25 February 2007 - 06:10 PM

Hello. I am a newbie here. I came across this site doing a search for a problem I recently encountered. I am slightly knowledgeable about computers but can't figure this one out myself. I read some other posts and followed the instructions but still have issues. First let me start off by letting you know about what I have. I am running a Dell 4400 with upgrades and a Windows XP Home OS. I have had Norton 2005 installed (store bought, not downloaded) and had HijackThis from a past problem. I mainly use the computer for internet, E-bay, pics and games. About a week or two ago I started having some issues. The first sign was an "application failed to start" window at startup on a .tmp file. One time I did a 'tell Windows about it' link but most of the time I just let it go. Then I noticed a slower running computer on the internet and also slow to open a program. Sometimes freezing up if more than one app was working. Then Norton popped up a warning that comes about every 15-20 min, even if Norton is disabled. It has a High Risk Trojan Qhost and C:\WINDOWS\host.sam as the issue. I cannot find the file and it always tells me Norton has deleted it. But it comes again 15 min later. Totally a PITA, especially while gaming. I followed another post's instructions and downloaded AVG AS, ATF Cleaner, Fix Qhost.exe from Norton, SmitfraudFix, SDFix and deleted HijackThis and reloaded the newer version. HijackThis located the tmp.exe file(s) but says file deleted. The window no longer comes up at startup, but shows on HijackThis. Also on HijackThis there is another program that also has a file deleted message. Here is a copy of the log-file. I want to know how to disable any unnecessary crap that I don't need to run. Sprint is OK because I use it for internet. ATI stuff I am unsure about due to so many processes. I leave it alone because it's my graphics card stuff. SVC host?
Norton I might delete and run something else; any recommendations? I have Logitech for my wireless keyboard and mouse. I just updated Internet Explorer to the newer version. I'd like to eliminate MS Messenger, which starts up every time and is useless to me. I absolutely hate having processes and apps running to slow down my machine that are unnecessary. Please inform me on what and how to eliminate unnecessary garbage. The Qhost fix from Norton does not find anything when run in either regular or safe mode. I've tried every program in both modes. The Norton High Risk window now says access denied to that Qhost file. Also one more complaint is passwords on some sites. A few sites I am a member of with an ID and PW will give me the pop-down option window when I start to type and remember my PW attached to that ID. Some do not. I want them all to from this computer consistently. Also if I am on E-Bay, I will type my ID and have to type my PW; it won't remember it. Then after a little while and still on E-bay, I will have to re-type ID and PW to log on again. What do I do to get that taken care of? Really starting to frustrate me. Please help. Thank you graciously =) Here is a copy of my HijackThis log-file. Need anything else? THX, Michel
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\bmwebcfg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton

AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection

Manager\CMSPCSUtilSvc.exe
C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sprint\Sprint PCS Connection

Manager\CMSPCS.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\bmctl.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec

Shared\AdBlocking\NSMdtr.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and

Settings\Mikz\Desktop\Reports\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNisExtBho Class -

{9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program

Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class -

{BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program

Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security -

{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program

Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI

Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem]

C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Windows Logon Process]

C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI

Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [EPSON Stylus C80 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23

"EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program

Files\ATI Technologies\ATI.ACE\CLI.exe
O10 - Broken Internet access because of LSP provider

'bmnet.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O17 -

HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6

DACB46E0}: NameServer = 85.255.114.29 85.255.112.109
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec

Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware

Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) -

Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation -

C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner

- C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown

owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file

missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc)

- Symantec Corporation - C:\Program Files\Norton Internet

Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program

Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum,

L.L.C - C:\Program Files\Sprint\Sprint PCS Connection

Manager\CMSPCSUtilSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe


#2 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:16 PM

Posted 25 February 2007 - 09:05 PM

Welcome to BC :thumbsup:

Mikz86TA, you cut off part of your HijackThis log. Also, please turn off word wrap in Notepad. Please repost. Thanks.
Microsoft MVP Consumer Security--2007-2010

#3 Mikz86TA

Mikz86TA
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 26 February 2007 - 12:55 AM

I apologize for my ignorance, but what does this mean? -----> "Also, please turn off word wrap in Notepad." Also I will try to re-post now. Oh, I think I figured out what you were referring to. THX 4 The Help =)
Scan saved at 12:51:31 AM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\bmwebcfg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCS.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\bmctl.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mikz\Desktop\Reports\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 85.255.114.29 85.255.112.109
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:16 PM

Posted 26 February 2007 - 07:59 AM

Word wrap causes spaces in the log; you fixed it. Thanks.

Download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Please copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.
    • C:\WINDOWS\winlogon.exe
      C:\WINDOWS\smss.exe
      C:\Documents and Settings\Mikz\~tmp0374.exe
  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Close the program when done.
  • Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
======================================

In the following quote, please copy (Ctrl+C) and Paste (Ctrl+V) the text in Notepad. Save it as All Files and name it ServicesFix.bat. Save it to your Desktop.

@echo off
sc stop "Microsoft IE Updater"
sc delete "Microsoft IE Updater"
sc stop "Microsoft IE Updater2"
sc delete "Microsoft IE Updater2"
exit


Doubleclick on ServicesFix.bat. It will open and close quickly. That is normal.


=======================================

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 85.255.114.29 85.255.112.109

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

=======================================

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads Save the text that will open (report.txt) to your desktop.

1) Go to Start > Control Panel >Network Connections. Right click your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.
* Make a note of the settings before you change them just in case you need to put them back how they were.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice.

2) Go to Start > Run, enter CMD and click OK.
  • At the DOS prompt screen, type in cd\ and then press <ENTER>.
  • Now type in ipconfig /flushdns and then press <ENTER>. (notice the space after ipconfig)
  • Close the command prompt window.
In your next reply, please include a fresh Hijackthis log and report.txt. Thanks




======================================
Microsoft MVP Consumer Security--2007-2010
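The three kinds of entry the fix above targets (a Run key launching a file named like a core system binary from outside System32, a service whose image is missing or sits in a user profile, and an O17 NameServer override) can be picked out of a HijackThis log mechanically. The Python script below is an added example written for this page; it is not part of the thread and not a HijackThis or BleepingComputer tool. Its sample input is constructed from lines of the log posted above, and the EXPECTED_DNS ranges are an assumption standing in for whatever the ISP's DHCP lease really hands out (on a real machine compare with ipconfig /all).

```python
"""Triage a HijackThis log for the patterns fixed in this thread.
Added example; the sample log is constructed from lines posted above."""
import ntpath
import re
from ipaddress import ip_address, ip_network

# Core Windows binaries that legitimately live only under %SystemRoot%\System32
# and are never started from a Run key. A same-named file elsewhere
# (C:\WINDOWS\smss.exe in this thread) is a masquerade.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "csrss.exe", "services.exe", "lsass.exe"}

# ASSUMPTION for the example: address ranges the user's DNS servers normally
# fall in. Any hard-coded NameServer outside these deserves a second look.
EXPECTED_DNS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

USER_PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r".*?\.exe", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd


def outside_system32(path: str) -> bool:
    """True when the file's directory is not ...\\System32 (case-insensitive)."""
    return not ntpath.dirname(path).lower().endswith("\\system32")


def unexpected_dns(server: str) -> bool:
    """True when a NameServer value is not inside any EXPECTED_DNS range."""
    try:
        addr = ip_address(server)
    except ValueError:
        return True  # not even a valid address: definitely worth a look
    return not any(addr in net for net in EXPECTED_DNS)


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious process, Run key, DNS or service line."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        if PROC_RE.match(line):  # "Running processes" section
            name = ntpath.basename(line).lower()
            if name in SYSTEM32_ONLY and outside_system32(line):
                findings.append({"kind": "masquerading-process", "line": line,
                                 "detail": f"{name} running from {ntpath.dirname(line)}"})
            continue
        if m := O4_RE.match(line):
            exe = exe_from_command(m.group("cmd"))
            if ntpath.basename(exe).lower() in SYSTEM32_ONLY:
                findings.append({"kind": "autorun-system-name", "line": line,
                                 "detail": f"Run key [{m.group('name')}] launches {exe}"})
            continue
        if m := O17_RE.match(line):
            bad = [s for s in m.group("servers").split() if unexpected_dns(s)]
            if bad:
                findings.append({"kind": "dns-override", "line": line,
                                 "detail": "unexpected NameServer(s): " + ", ".join(bad)})
            continue
        if m := O23_RE.match(line):
            path = m.group("path")
            missing = path.endswith("(file missing)")
            in_profile = any(d in path.lower() for d in USER_PROFILE_DIRS)
            if missing or (m.group("owner") == "Unknown owner" and in_profile):
                findings.append({"kind": "suspicious-service", "line": line,
                                 "detail": f"{m.group('svc')}: {path}"})
    return findings


# Constructed sample: a subset of the log posted above (clean lines included
# so the script shows that ordinary Symantec/ATI entries are not flagged).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 85.255.114.29 85.255.112.109
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
```

On the sample the script reports six findings: the C:\WINDOWS\smss.exe process, the two Run keys launching smss.exe and winlogon.exe, the O17 line with both 85.255.x.x servers, and the two ieupdater services. The ATI Smart service is left alone even though its owner is unknown, because its image lives in System32; owner alone is too weak a signal, which is why the check also requires a user-profile path or a missing file.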

#5 Mikz86TA

Mikz86TA
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 26 February 2007 - 10:18 AM

File/Folder C:\WINDOWS\winlogon.exe not found.
C:\WINDOWS\smss.exe moved successfully.
File/Folder C:\Documents and Settings\Mikz\~tmp0374.exe not found.

Created on 02/26/2007 10:10:19
OK here is the first item. No problems moving it in the program downloaded from one side to the other.

#6 Mikz86TA

Mikz86TA
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 26 February 2007 - 10:34 AM

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csndw.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}C10D5C717799-E108-AB54-3EFF-CA920190{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "ixbmd" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Microsoft Windows Session Manager Subsystem"="C:\\WINDOWS\\smss.exe"
"Microsoft Windows Logon Process"="C:\\WINDOWS\\winlogon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"EPSON Stylus C80 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_A10IC2.EXE /P23 \"EPSON Stylus C80 Series\" /O5 \"LPT1:\" /M \"Stylus C80\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
FixWareout report for you to see. THX, Michel

#7 Mikz86TA

Mikz86TA
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 26 February 2007 - 10:41 AM

OK, did all you said and here is the final log file for HijackThis. THX
Scan saved at 10:38:16 AM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\bmwebcfg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCS.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\bmctl.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Mikz\Desktop\Reports\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 85.255.114.29 85.255.112.109
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 26 February 2007 - 06:41 PM

Did you run the servicesfix.bat and did you remove those items in Hijackthis???? Just want to make sure because they re-appeared. Thanks.
Microsoft MVP Consumer Security--2007-2010

#9 Mikz86TA

  • Topic Starter
  • Members
  • 119 posts

Posted 27 February 2007 - 01:14 AM

I followed the directions given for Fix.bat ("Doubleclick on ServicesFix.bat. It will open and close quickly. That is normal.") after creating the file as instructed ("In the following quote, please copy (Ctrl+C) and Paste (Ctrl+V) the text in Notepad. Save it as All Files and name it ServicesFix.bat. Save it to your Desktop."). It just opens and quickly closes. I did also indeed do the HiJack scan, checked the boxes and hit Fix Checked. It asks for a confirm and I do. But like always it still shows up. What gives?

#10 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 27 February 2007 - 06:02 AM

Looks like AVG Anti-Spyware's guard is affecting the fix, so let's disable it.
Start > Run > type in services.msc > [OK]

Scroll down to AVG Anti-Spyware anti-spyware 4.5 guard > Right-click on it > Properties > Startup Type > Select Disabled > [OK]

Close the Services window.
Now reboot the machine.


Please delete the old Servicesfix.bat

In the following quote, please copy (Ctrl+C) and Paste (Ctrl+V) the text in Notepad. Save it as All Files and name it ServicesFix.bat. Save it to your Desktop.

@echo off
sc stop "Microsoft IE Updater"
sc delete "Microsoft IE Updater"
sc stop "Microsoft IE Updater2"
sc delete "Microsoft IE Updater2"
exit


Doubleclick on ServicesFix.bat. It will open and close quickly. That is normal.


======================================

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 85.255.114.29 85.255.112.109

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

======================================

Download LSPFix from here or here.
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Under Remove, you should see bmnet.dll.
5. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.

LSP-Fix Tutorial


======================================

Download and scan with SUPERAntiSpyware Free for Home Users
alternate site
  • Double-click SUPERAntiSpyware.exe to install and use the default settings for installation.
  • Run SUPERAntiSpyware and update the definitions before scanning by selecting "Check for Updates".
  • When done, select "Scan for Harmful Software".
  • There are three scanning options available. Choose "Perform Complete Scan" and click "Next".
  • When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
  • Place a checkmark next to items you wish to remove/quarantine and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to Reboot, please do.
  • After Reboot, double-click on the SuperAnti-Spyware icon on your Desktop.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner logs, double-click SuperAnti-Spyware Scan Log.
  • It will open in your default text editor (such as Notepad or WordPad).
  • Please highlight everything in the Notepad, then right-click and choose copy.
  • In your next reply, please post those results and include a fresh Hijackthis log.
  • Select close to exit the program.
Note: If you encounter any problems while downloading the updates, manually download and unzip them from here.


In your next reply, please include a fresh Hijackthis log and SuperAnti-Spyware log. Thanks.
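As an added example (not sjpritch25's tool or anything posted in this thread), a small Python triage script for the three kinds of HijackThis entries the fix above targets: O4 Run entries that borrow a core Windows process name from outside System32, an O17 NameServer line pointing at resolvers other than the expected ones, and O23 services whose binary is missing or sits under a user profile. The sample lines are copied from this thread's logs; the expected-resolver set is the pair left in place in the later log and is an assumption, so replace it with your own.

```python
import re

# Names that belong in System32; a copy anywhere else is suspicious.
CORE_PROCS = {"smss.exe", "winlogon.exe", "csrss.exe", "services.exe", "lsass.exe"}
# Assumed expected resolvers: the pair left in place in the thread's later log.
EXPECTED_DNS = {"68.28.250.11", "68.28.242.11"}
# Constructed sample, copied from the thread's HijackThis logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 85.255.114.29 85.255.112.109
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\Documents and Settings\Mikz\~tmp0374.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

def exe_path(cmd):
    """Executable from a Run-key command, whether quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def check_o4(rest):
    """Autostart entry that borrows a core process name outside System32."""
    m = re.match(r"\S+: \[.*?\] (.*)$", rest)
    if not m:
        return None
    folder, _, name = exe_path(m.group(1)).rpartition("\\")
    if name.lower() in CORE_PROCS and not folder.lower().endswith("\\system32"):
        return "core process name %s loaded from %s" % (name, folder or "(no path)")
    return None

def check_o17(rest, expected):
    """NameServer entry pointing at resolvers that are not the expected ones."""
    m = re.search(r"NameServer = (.*)$", rest)
    bad = [s for s in re.split(r"[\s,]+", m.group(1).strip()) if s not in expected] if m else []
    return "unexpected DNS servers %s" % " ".join(bad) if bad else None

def check_o23(rest):
    """Service whose binary is missing or lives under a user profile."""
    m = re.match(r"Service: .*? - .*? - (.*)$", rest)
    path = m.group(1).lower() if m else ""
    reasons = [r for flag, r in (("(file missing)", "service binary missing"),
                                 ("\\documents and settings\\", "binary under a user profile"))
               if flag in path]
    return "; ".join(reasons) or None

def triage(log_text, expected_dns=EXPECTED_DNS):
    """One finding per suspicious O4/O17/O23 line of a HijackThis log."""
    checks = {"O4": check_o4, "O17": lambda r: check_o17(r, expected_dns), "O23": check_o23}
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - (.*)$", line.strip())
        if not m or m.group(1) not in checks:
            continue
        reason = checks[m.group(1)](m.group(2))
        if reason:
            findings.append({"kind": m.group(1), "reason": reason, "line": line.strip()})
    return findings
```

Run `triage(open("hijackthis.log").read())` against a saved log; the findings are a shortlist to confirm by hand, not a verdict.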

#11 Mikz86TA

  • Topic Starter
  • Members
  • 119 posts

Posted 27 February 2007 - 09:11 PM

OK, I did all that you posted. While SuperASW was running to find stuff, Norton popped up a warning about another threat (red). Can't remember what it was now, but it was a steal-your-info type. Also Norton posted the QHost again before it finished the scan. It seems to have found a few things on Super ASW. I followed the instructions. I still don't understand what the ServicesFix.bat does other than pop open briefly as B4. Anywho, thanks for the ongoing help and here is the HiJack logfile and SASW copy.

SUPERAntiSpyware Scan Log
Generated 02/27/2007 at 07:16 PM

Application Version : 3.5.1016

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 00:37:56

Memory items scanned : 480
Memory threats detected : 0
Registry items scanned : 4778
Registry threats detected : 8
File items scanned : 37424
File threats detected : 29

Adware.Tracking Cookie
C:\Documents and Settings\Mikz\Cookies\mikz@fastclick[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@ehg-cardomain.hitbox[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@atdmt[2].txt
C:\Documents and Settings\Mikz\Cookies\mikz@www.soundclick[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@burstnet[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@hitbox[2].txt
C:\Documents and Settings\Mikz\Cookies\mikz@statcounter[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@soundclick[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@counter2.hitslink[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@2o7[2].txt
C:\Documents and Settings\Mikz\Cookies\mikz@keywordmax[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@media.fastclick[1].txt
C:\Documents and Settings\Mikz\Cookies\mikz@nextag[1].txt

Trojan.BankSteal-Gen
HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}
HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\3.0
HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\3.0\0
HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\3.0\0\win32
HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\3.0\FLAGS
HKCR\TypeLib\{14A5F3E7-B235-4D98-9264-5C67D2657BC4}\3.0\HELPDIR
C:\WINDOWS\system32\drv32dta

Trojan.DNSChanger-Codec
HKU\.DEFAULT\Software\VideoBox
HKU\S-1-5-18\Software\VideoBox
C:\WINDOWS\SYSTEM32\VIDACCESS1429.EXE

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\MIKZ\FAVORITES\ONLINE SECURITY TEST.URL

Trojan.Downloader-Update/VXPkg
C:\WINDOWS\SYSTEM32\UPDATE13428241.EXE
C:\WINDOWS\SYSTEM32\UPDATE18561603.EXE
C:\WINDOWS\SYSTEM32\UPDATE21677000.EXE
C:\WINDOWS\SYSTEM32\UPDATE33674268.EXE
C:\WINDOWS\SYSTEM32\UPDATE42851695.EXE
C:\WINDOWS\SYSTEM32\UPDATE44105609.EXE
C:\WINDOWS\SYSTEM32\UPDATE62523833.EXE
C:\WINDOWS\SYSTEM32\UPDATE77119758.EXE
C:\WINDOWS\SYSTEM32\UPDATE77526596.EXE
C:\WINDOWS\SYSTEM32\UPDATE80286011.EXE
C:\WINDOWS\SYSTEM32\UPDATE91010333.EXE
C:\WINDOWS\SYSTEM32\UPDATE92380205.EXE

Trojan.Smss/Win
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SMSS.EXE

Logfile of HijackThis v1.99.1
Scan saved at 9:08:10 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\bmwebcfg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\DOCUME~1\Mikz\LOCALS~1\Temp\SSUPDATE.EXE
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCS.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\bmctl.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Mikz\Desktop\Reports\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D89D4E95-BA0C-4FD8-92E1-FED6DACB46E0}: NameServer = 68.28.250.11 68.28.242.11
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 Mikz86TA

  • Topic Starter
  • Members
  • 119 posts

Posted 27 February 2007 - 09:20 PM

A couple of questions. Looking at HiJack, what is "O10 - Broken Internet access because of LSP provider 'bmnet.dll'" and what does it do? Can I get rid of it if it's not needed? Also I don't recognize Bytemobile, O17 tcpip (which I checked as advised but still it remains) and ctfmon.exe. What are these? FYI, I just rescanned HiJack checking the O17 tcpip box and it is now not on the rescan. I will reboot shortly and verify. Also, how can I get Windows Messenger to not auto run? THX

#13 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 28 February 2007 - 05:52 AM

From my last post, did you run LSPfix?
This little program will shut down Windows Messenger: http://www.grc.com/stm/shootthemessenger.htm

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


#14 Mikz86TA

  • Topic Starter
  • Members
  • 119 posts

Posted 08 March 2007 - 12:34 AM

Hey, everything seems to be good now. I always periodically do maintenance and will now add the new scanners and such to the regular list. I just wanted to say thank you for your courtesy and patience in helping me out. I have really appreciated it!! I saw another thread that had like issues. Hope that gets taken care of. If I have any future problems, I'll look you up. Thanks again, Michel

#15 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 08 March 2007 - 05:59 AM

Okay, but I would still like to see a fresh HijackThis log. Thanks.



