
Please decipher Hijackthis log


  • This topic is locked
23 replies to this topic

#1 radiumlight

radiumlight

  • Members
  • 32 posts
  • Location:Arizona

Posted 13 January 2005 - 09:33 PM

Hello,

I'm new to your forum. I've used Hijack This twice before, about 6 months ago for two different computers. Cleaning up a friend's computer now and the usual cleaners aren't getting everything. Looks like Slothbar is one of the culprits. I've googled for other logs but they aren't exact to mine.

Please look at the log below and tell me which ones to delete. I've a pretty good idea on some of them - but I'd rather an expert take a look and give guidance.

Logfile of HijackThis v1.97.7
Scan saved at 7:04:02 PM, on 1/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\mutqiw.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\atlctrs.exe
C:\WINDOWS\system32\atrp2res.exe
c:\progra~1\intern~1\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kqngqyzxratublmtrv.com/EBTFTNca...IJ6oxa4WNx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {3C969E6C-FF80-11F5-8387-CB4765C37E45} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\4support.exe (file missing)
O2 - BHO: (no name) - {67556BCA-625E-15AD-D5BE-D0A1A116E689} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\THATBAGS.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\inetdl_2.exe
O4 - HKLM\..\Run: [ijhgmfedwrsv] C:\WINDOWS\System32\mutqiw.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [32 drive cast dumb] C:\Documents and Settings\All Users\Application Data\Way Ooze 32 Drive\User Log.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [5FEO36T] atrp2res.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KoxERWfFU] atlctrs.exe
O4 - HKCU\..\Run: [Mpeg bias] C:\DOCUME~1\SERENA~1\APPLIC~1\GREATS~1\software okay.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: MUSICMATCH Radio (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/prot...b?1105405146203
O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01068ABAA...94/MMLRadio.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105404186343
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Thanks in advance for taking the time to help. I await your reply.

Radiumlight

PS: if I've broken any posting rules, please forgive the newbie :thumbsup:
"And in the end, it's not the years in your life that count. It's the life in your years."
Abraham Lincoln



#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 14 January 2005 - 08:47 AM

Hi radiumlight,

You are using an outdated version of HijackThis. Please download the newer version.
Download HijackThis from: HijackThis Download Site. If you cannot get version 1.99 to run correctly, please use the download link for version 1.92.2. Please overwrite the old version of HijackThis that you have.

Run HijackThis and post a new log here using the Add Reply button.

#3 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • Location:Arizona

Posted 14 January 2005 - 03:23 PM

Penmore et al,

Thanks for pointing that out. New log posted below:

Logfile of HijackThis v1.99.0
Scan saved at 1:13:09 PM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\mutqiw.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\atrp2res.exe
C:\WINDOWS\system32\atlctrs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mbrggeyehiigos.net/EBTFTNcaHrGH...IJ6oxa4WNx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {3C969E6C-FF80-11F5-8387-CB4765C37E45} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\4support.exe (file missing)
O2 - BHO: (no name) - {67556BCA-625E-15AD-D5BE-D0A1A116E689} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\THATBAGS.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\inetdl_2.exe
O4 - HKLM\..\Run: [ijhgmfedwrsv] C:\WINDOWS\System32\mutqiw.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [32 drive cast dumb] C:\Documents and Settings\All Users\Application Data\Way Ooze 32 Drive\User Log.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [5FEO36T] atrp2res.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KoxERWfFU] atlctrs.exe
O4 - HKCU\..\Run: [Mpeg bias] C:\DOCUME~1\SERENA~1\APPLIC~1\GREATS~1\software okay.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01068ABAA...94/MMLRadio.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105404186343
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

I appreciate your help!

Radiumlight :thumbsup:

#4 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 16 January 2005 - 03:04 AM

Hi radiumlight,

There are a number of steps you need to take in order to clean your machine and the infection that you have can take a number of passes before it finally goes. Please carry out the steps in the order they are given. You may find it helpful to print these instructions out as you will not have access to the Internet whilst you are running in Safe mode.

Please read through all of the steps first to ensure you understand what I'm asking you to do. If you have any questions, please ask before you start the fixes.
  • Download System Security Suite here:
    System Security Suite Download & Tutorial. Unzip it to your desktop.
    Install the program. Don't use it yet.

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

  • You have PeopleonPage installed which is classed as foistware. Can you please follow these removal instructions PeopleonPage Removal.

  • Restart your machine in Safe Mode:
    • Reboot your computer
    • As the machine starts, continually tap the F8 key
    • You will then be presented with a menu screen
    • Use the up/down arrow keys to select Safe Mode
    • Press the Enter key to boot in that mode.
  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside all of the items listed below
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mbrggeyehiigos.net/EBTFTNcaHrGH...IJ6oxa4WNx.html
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {3C969E6C-FF80-11F5-8387-CB4765C37E45} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\4support.exe (file missing)
    O2 - BHO: (no name) - {67556BCA-625E-15AD-D5BE-D0A1A116E689} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\THATBAGS.exe
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\inetdl_2.exe
    O4 - HKLM\..\Run: [ijhgmfedwrsv] C:\WINDOWS\System32\mutqiw.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [32 drive cast dumb] C:\Documents and Settings\All Users\Application Data\Way Ooze 32 Drive\User Log.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [5FEO36T] atrp2res.exe
    O4 - HKCU\..\Run: [KoxERWfFU] atlctrs.exe
    O4 - HKCU\..\Run: [Mpeg bias] C:\DOCUME~1\SERENA~1\APPLIC~1\GREATS~1\software okay.exe
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application

  • Please delete the following files or folders (delete item in bold). Please do not be concerned if
    any of the items are not found as they may have been automatically removed by actions I had
    you take earlier in the cleaning process.
    C:\Program Files\Inet Delivery >>> Folder
    C:\WINDOWS\System32\mutqiw.exe >>> File Only
    C:\WINDOWS\system32\pcs >>> Folder
    C:\Documents and Settings\All Users\Application Data\Way Ooze 32 Drive >>> Folder
    C:\Program Files\AutoUpdate >>> Folder
    C:\WINDOWS\system32\atrp2res.exe >>> File Only
    C:\WINDOWS\system32\atlctrs.exe >>> File Only
    C:\DOCUME~1\SERENA~1\APPLIC~1\GREATS~1\software okay.exe >>> File
  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine in normal mode, run HijackThis and post a new log here for review.


#5 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • Location:Arizona

Posted 16 January 2005 - 08:47 PM

Hi Penmore,

Thanks so much for your help! I see a difference already. Before I post my new log I have some details for you and a question. The question is: after unzipping System Security Suite to desktop, it left an "uninstal.ini" scrap on the desktop too. What do I do with it?

On the PeopleonPage foistware - it isn't listed at all in "Add/Remove Programs". No POP......
Also, R1 HKCU....the first one you listed that was in my first log - isn't there, but a new one (listed below) has taken its place apparently.

Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 6:32:17 PM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fenewppcaadxhhqe.com/EBTFTNcaHr...IJ6oxa4WNx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01068ABAA...94/MMLRadio.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105404186343
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

Thanks for taking the time to help. If I may ask, how can I learn more about what does and does not belong in the HijackThis log file? Is there a way to look up some of these things or do you "just know" from experience? I've always been interested in this kind of stuff.

Radiumlight :thumbsup:
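Radiumlight's question about how a helper decides what belongs in a log is a good place for a worked illustration. The script below is an added example written for this thread; it is not HijackThis code and not anything penmore or radiumlight posted. It parses the R1/R3/O2/O3/O4/O9/O16/O23 line shapes seen in the logs above and, for each entry, lists the reasons it deserves a second look: a start or search page on an unfamiliar or keyboard-mash hostname, a BHO or toolbar with no registered name or a missing file, a Run entry whose value name or bare file name looks machine-generated, and anything launched from a user's Application Data folder. The trusted-host list and the "looks random" thresholds are assumptions made for this illustration, and the sample lines are copied from the logs posted in this thread (the log is only parsed, never executed).

```python
"""Heuristic triage of HijackThis log lines (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Assumed-trusted hosts for start/search pages and ActiveX (O16) downloads.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com", "apple.com", "macromedia.com")
DANGLING = ("(no file)", "(file missing)")

# Lines copied from the logs posted in this thread; they are parsed, nothing is run.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mbrggeyehiigos.net/EBTFTNcaHrGH...IJ6oxa4WNx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {67556BCA-625E-15AD-D5BE-D0A1A116E689} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\THATBAGS.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ijhgmfedwrsv] C:\WINDOWS\System32\mutqiw.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [KoxERWfFU] atlctrs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105404186343
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
"""


def looks_random(token):
    """Crude keyboard-mash test on a value name, file stem or hostname label.

    Flags a run of five or more consonants (ijhgmfedwrsv, mbrggeyehiigos) or
    letters and digits interleaved with no spaces (5FEO36T). All-uppercase
    tokens skip the consonant rule so acronyms such as MSMSGS pass. Thresholds
    are assumptions for this example.
    """
    if " " in token:
        return False
    if not token.isupper():
        letters = "".join(c for c in token.lower() if c.isalpha())
        if re.search(r"[^aeiouy]{5}", letters):
            return True
    runs = re.findall(r"[A-Za-z]+|[0-9]+", token)
    kinds = [r[0].isdigit() for r in runs]
    return sum(a != b for a, b in zip(kinds, kinds[1:])) >= 2


def parse_line(line):
    """Split one HijackThis line into section code, display name and target."""
    if " - " not in line:
        return None
    section, rest = line.split(" - ", 1)
    entry = {"section": section, "name": "", "target": rest, "line": line}
    if section.startswith("R"):
        if " = " in rest:                      # R0/R1: registry key = URL
            entry["name"], entry["target"] = rest.split(" = ", 1)
        elif ": " in rest:                     # R3: hook: name - CLSID - file
            parts = rest.split(": ", 1)[1].split(" - ")
            entry["name"], entry["target"] = parts[0], parts[-1]
    elif section == "O4":                      # key: [value name] command
        m = re.match(r".*?: \[(?P<name>[^\]]*)\] (?P<target>.*)$", rest)
        if m:
            entry["name"], entry["target"] = m.group("name"), m.group("target")
    elif section in ("O2", "O3", "O9", "O23"):  # kind: name - CLSID/company - file
        parts = rest.split(": ", 1)[1].split(" - ")
        entry["name"], entry["target"] = parts[0], parts[-1]
    elif section == "O16":                     # DPF: CLSID (name) - URL
        clsid, _, url = rest.split(": ", 1)[1].partition(" - ")
        entry["name"], entry["target"] = clsid, url.strip()
    return entry


def trusted_host(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def assess(entry):
    """Return the reasons an entry deserves a second look (empty list = nothing seen)."""
    reasons = []
    sec, name, target = entry["section"], entry["name"], entry["target"]
    low = target.lower()
    if sec in ("R0", "R1", "O16") and target.startswith("http"):
        host = (urlparse(target).hostname or "").lower()
        if not trusted_host(host):
            reasons.append(f"points at unfamiliar host {host}")
        if any(looks_random(label) for label in host.split(".")[:-1]):
            reasons.append("hostname looks machine-generated")
    if any(tag in low for tag in DANGLING):
        reasons.append("registered but the file is missing (dangling entry)")
    if name == "(no name)":
        reasons.append("no display name registered")
    if "applic~1" in low or "application data" in low:
        reasons.append("launched from a user-data folder rather than Program Files")
    if sec == "O4":
        if looks_random(name):
            reasons.append(f"value name '{name}' looks machine-generated")
        path = target.strip('"')
        stem = re.sub(r"\.[A-Za-z]{3}$", "", path.split("\\")[-1])
        # A bare file name is resolved through PATH; bare plus random-looking is the signal.
        if "\\" not in path and looks_random(stem):
            reasons.append(f"bare file name '{stem}' looks machine-generated")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every parsed line with at least one reason."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            reasons = assess(entry)
            if reasons:
                flagged.append((entry["line"], reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, six of the ten lines are flagged and the four Symantec, MSN and Windows Update entries pass untouched, which matches what penmore asked to have fixed. The heuristics are deliberately loose: a legitimate content-delivery host such as the MUSICMATCH one in the logs above would also be reported as "unfamiliar", and the Run entries penmore removed by name alone (Inet Delivery, Pcsv, AutoUpdater) would not be caught. That gap is the point of radiumlight's question: the script narrows the list, and experience with which vendors, paths and CLSIDs are known-good decides the rest.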

#6 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • Location:Arizona

Posted 16 January 2005 - 09:23 PM

Penmore,

I'd like to add an addendum to my above post:

I now have a "Search200" page hijacker and more popups, however one searchbar is gone now. I was looking in my "add/remove programs" and have found the following:

IE Host
MaxSpeed
PGate Basic

Googling for these makes it sound like spyware. Can you confirm? I have not tried to remove them.

SlotchBar is still there and it does not allow removal.

Also, after this system is cleaned up - could you advise on how to remove folders out of "Favorites" or a different forum that addresses these things. I've tried to delete them several ways to no avail. Folders like "Casino on line, movie, games, webhosting", etc. When clicking on "organize" they don't show. I've deleted them using explorer yet they are still there.

Thanks,
Radiumlight

#7 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • Location:West Coast of Scotland

Posted 17 January 2005 - 03:11 PM

Hi radiumlight,

Well spotted on those items sitting in Add/Remove programs. They are malware and can be removed.

This tutorial may help you better understand HijackThis analysis and removal: http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/

Normally, favorites in IE can be deleted by opening the Favorites drop-down menu, right-clicking on the one you want to remove and choosing the Delete option from the drop-down menu. If that doesn't work, let me know and I will try to give you more help when we have cleared the infections from your machine.

You may find it helpful to print these instructions before you tackle them.
  • Remove IE Host MaxSpeed and PGate Basic through Add/Remove Programs.

  • Reboot your computer into Safe Mode.

  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside all of the items listed below

    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fenewppcaadxhhqe.com/EBTFTNcaHr...IJ6oxa4WNx.html
      O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
      O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application.

  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine in normal mode, run HijackThis and post a new log here. Can you also let me know how things are now with the machine?


#8 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • Location:Arizona

Posted 18 January 2005 - 01:59 AM

Hi Penmore,

I followed your instructions: IE Host and MaxSpeed are gone but PGate Basic will not be removed (nor Slotchbar) - neither of which show up in explorer. Trying to remove PGate opens the browser and changes Home Page to About Blank.

In safe mode R1 was no longer:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fenewppcaadxhhqe.com/EBTFTNcaHr...IJ6oxa4WNx.html

It was something else just as crazy which I checked for fixing, plus the others you indicated. Rebooting however brought the searchbars back and lots of popups. I ran HijackThis again in normal mode and it listed another R1 HKCU with the entire alphabet (or so it seemed).

I went back to safe mode and deleted yet another generated Main Search Bar. Two of the items I deleted yesterday were back also. The Way Ooze 32 drive one and the software okay.exe. I deleted those again then took the liberty of deleting
another extra button: O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) (similar to one you had me delete)
and a BHO:
O2 - BHO: (no name) - {67556BCA-625E-15AD-D5BE-D0A1A116E689} - C:\DOCUME~1\SERENA~1\APPLIC~1\Pokepile\THATBAGS.exe
(also similar to one you had me delete before)

Things seem to be running okay so far. No search bars and no popups. And, by the way, the folders and files I wanted to delete from favorites are gone now. The right click menu would only appear on items I put in there before, not the other ones.

Here's the new log:

Logfile of HijackThis v1.99.0
Scan saved at 11:25:18 PM, on 1/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01068ABAA...94/MMLRadio.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105404186343
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

I'm not sure what to do about the entries in Programs for Pgate Basic and Slotchbar. Please advise. And thanks much for the tutorial link. I haven't had a chance yet to check it out but I'm looking forward to it.

Thanks,
Radiumlight
:trumpet: :thumbsup: :inlove: :flowers: :cool:
"And in the end, it's not the years in your life that count. It's the life in your years."
Abraham Lincoln

#9 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:04:32 AM

Posted 18 January 2005 - 02:26 PM

Hi radiumlight,

You had a Lop infection at the start and this is particularly stubborn to remove but you seem to have managed that now as your log is clean. I suspect that the Slotchbar may just be an entry in Add/Remove Programs with nothing else behind it and may take a registry hack to remove that entry, but let's not worry about that now.

I would like you to try uninstalling the PGATE-BASIC Utility using just the Trend Micro online scan then the add/remove program instructions so as not to get into overkill mode by giving you adware removal runs as well. However, if that proves not to work then perhaps you could try tackling the Terminating the Malware Program section first then running the scan and removal sections again. If you are not confident about it then don't do any registry edits and if you do make sure you backup the registry before you attempt any edits.
  • Run the Trend Micro online virus scan Housecall from the link in the Additional Windows ME/XP Cleaning Instructions of This Page

  • Follow the steps for Removing PGATE-BASIC Utility situated below the link to the Housecall scan.

  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine, run HijackThis and post a new log here together with details on how the removal went.

Edited by penmore, 18 January 2005 - 02:28 PM.


#10 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Location:Arizona
  • Local time:10:32 PM

Posted 18 January 2005 - 07:26 PM

Hi Penmore,

Oh God, everything's back - the search bars, the pop ups, the items deleted from yesterday's HijackThis fix.

I tried to do the free scan with Housecall but since Active X controls need to be used, I wasn't able to do it. So I signed up for the 30 day free trial - received the verifying email and serial number but cannot seem to find the download. It takes me to an update page, then an instructions page, but nothing obvious like "download here".

As for the PGate instructions: trying to remove it gives me the following error:
Cannot Find File:
///C:Program%20Files/Common%20Files/Remove-tols.html
Make sure path or internet address is correct.


No uninstall file is loaded that I can find, as Micro Trend's removal says. However, while looking around in the registry I did spot the following:

HKLM>software>microsoft>current version>uninstall
PGate (on the left side) and on the right: default (value not set)
Display Name: PGate Basic
Uninstallstring: C:\ProgramFiles\InternetExplorer\iexplore.exe C:ProgramFiles\CommonFiles\Remove_tools.html

I left this alone since I don't know if deleting this takes away an uninstall program or what I should do with this.

I also noticed in HKLM>Software>Maxspeed (folder) with no values set and connectionType: 0x00000001 (1) I didn't know if I should delete this folder either, so I left it alone.

As per Micro Trend instructions for locating and removing DPI - it isn't listed. Not sure what to do now. Is there another free program similar to Housecall that will locate these Trojans? Or a mirror download site or something?

Thanks for your help!

Radiumlight
"And in the end, it's not the years in your life that count. It's the life in your years."
Abraham Lincoln

#11 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Location:Arizona
  • Local time:10:32 PM

Posted 19 January 2005 - 03:03 AM

Penmore, I've added another addendum to the above post.

I was finally able to get the free version of Housecall to work (after running HijackThis in safe mode again) and it found 12 non-cleanable infected files - which I deleted. Too bad there's no log to show you but I was able to get some info:

TROJ SWIZZOR C:\Documents and Settings\..name..\Application Data\GreatShow\Bows bat one (couldn't scroll any further and couldn't drag window open larger)

TROJ SWIZZOR (same as above...till couldn't scroll)

TROJ DYFUCA.CN C:\System Volume Information\_restore[21D7D692-4992-421F-93BO-877BC3820711]\R (couldn't scroll any more)

TROJ APROPO.C Path exact as above

BKDR RULEDOR.E same path as above

TROJ BDI.A same path

TROJ DLOADER.BE same path

TROJ AGENT.BS

TROJ DLOADER.BE same as above

JS STARTPAG.AD C:\Windows\System32\Secure 32.txt

HTML ADVER.A C:\Windows\System32\ didn't get the rest

TROJ DLOADER.BE same as other DLOADERS above

As mentioned above I deleted these files. During the download and scan the toolbars and popups came back. So I did the safe mode thing again and deleted the RI main search page again - that was the only thing that had come back this time.

What should I do next? Unless for some reason, it actually doesn't come back :thumbsup:

I really appreciate all your help!


Radiumlight
"And in the end, it's not the years in your life that count. It's the life in your years."
Abraham Lincoln

#12 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:04:32 AM

Posted 19 January 2005 - 03:10 AM

Hi radiumlight,

Can you let me know if the PGate has gone, and can you post another log for me to look at?

#13 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Location:Arizona
  • Local time:10:32 PM

Posted 19 January 2005 - 04:07 PM

Hi Penmore,

PGate Basic is still there, darn it. Below is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 12:50:19 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {640C5F8F-5678-4084-87C6-6ECC0828D9A5} (MMBarCtrl Class) - http://mmdl.vo.llnw.net/llnw_cdn/01068ABAA...94/MMLRadio.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105404186343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


BTW, I did look for those file paths mentioned above, found a folder called PokePile and Great Show and deleted them. Looked for others but couldn't find anything else. I checked running processes also as Housecall suggested but didn't find anything there either. I also tried a "search" but got nothing. After posting this I plan to run Housecall again and see what comes up.

Thanks,
Radiumlight
"And in the end, it's not the years in your life that count. It's the life in your years."
Abraham Lincoln
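The logs in this thread are read by hand, entry by entry. As an added example (not code from the thread and not part of HijackThis itself), the Python below parses HijackThis log lines by their section code and flags the three kinds of entry a reviewer usually checks first: an O4 autorun whose command has no directory (it is resolved through the PATH search order, so which file actually starts must be confirmed on disk), anything marked "(file missing)", and O16 DPF entries, which are ActiveX controls downloaded from a URL. The sample lines are copied from the log posted above; the flagging rules are review heuristics of this example, not HijackThis's own verdicts.

```python
"""Triage of a HijackThis (v1.9x) log: group entries by section code and flag
the ones a reviewer checks first.  Added example, not code from the thread
and not part of HijackThis itself."""
import re
from dataclasses import dataclass

# Every HijackThis entry has the shape "<code> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.*?)\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Sample lines, copied (abridged) from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: MUSICMATCH Radio - {A12651D6-468F-46B1-B99B-1D61FC39A6A9} - C:\WINDOWS\Downloaded Program Files\MMWebRadioBand.dll (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
"""


@dataclass
class Entry:
    code: str   # section code such as R1, O4, O16, O23
    body: str   # everything after "<code> - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def count_by_code(entries):
    """Number of entries per section code, e.g. {"O4": 3, "O23": 1}."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def triage(entries):
    """Flag entries worth a second look.  These are review heuristics, not
    verdicts: a flagged line still has to be checked on disk."""
    findings = []
    for e in entries:
        if e.body.endswith("(file missing)"):
            # HijackThis could not find the file the entry points at: either a
            # leftover of something already removed, or a stale reference.
            findings.append(Finding(e.code, "referenced file is missing", e.body))
            continue
        if e.code == "O4":
            m = O4_RE.match(e.body)
            cmd = (m["cmd"] if m else e.body).strip().lstrip('"')
            if "\\" not in cmd:
                # A bare file name is resolved through the PATH search order,
                # so the reviewer must confirm which file actually gets started.
                findings.append(Finding(e.code, "autorun command has no directory", e.body))
        elif e.code == "O16":
            # DPF = Downloaded Program Files: ActiveX controls fetched from a URL.
            findings.append(Finding(e.code, "ActiveX control downloaded from the web", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.code:4} {f.reason}: {f.body}")
```

On the sample above this flags exactly three lines: the O4 entry that starts a bare ICO.EXE, the O9 MUSICMATCH button whose DLL is missing, and the O16 HouseCall control; every Symantec, Dell and Roxio line passes because it names a full path to a file that exists.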

#14 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:32 PM

Posted 19 January 2005 - 10:44 PM

Hi radiumlight,

Penmore has to be away for a few days, so he has asked me to take over in helping you with this problem.

I'm still doing some research. For now I would like to ask you a few question so it is clear in my mind what you have done and what will need to be done.

1. Did you use Add/Remove programs to attempt to uninstall PGate Basic? If yes, did it take you to a webpage to download an uninstaller? During this procedure is when you got this message?

Cannot Find File:
///C:Program%20Files/Common%20Files/Remove-tols.html

Was tools misspelled that way in the message?

2. Could you use My Computer/Windows Explorer and navigate to the C:ProgramFiles\CommonFiles folder and tell me if the Remove_tools.html file is present? Don't do anything to it, just tell me if it is there.

3. Open the registry editor (START>Run>regedit). Click on the Edit menu and chose Find. Type in PGate Basic and then click on Find Next. If you find a key (folder) on the left with that name, right click on it, choose Export, give the file a name and save it to your desktop or My Documents. Then right click on the saved reg file, choose Open With>Notepad. Copy and Paste the contents of that file into your next reply here.

Again, don't delete anything, and if you take any other actions let me know. I would strongly suggest though that you not do anything else until you hear back from me. Lop should be gone--that was what was changing that R1 entry--now that you have deleted the PokePile and Great Show folders, but others might replace them. Also,

4. Have you had any more toolbars and such since deleting PokePile and Great Show folders?

Let's go one step at a time. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso


#15 radiumlight

radiumlight
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Location:Arizona
  • Local time:10:32 PM

Posted 20 January 2005 - 04:29 PM

Hi Papakid,

Thanks for filling in. I'll answer all your questions first then I'll tell you what I did almost all of yesterday - PC wise :thumbsup:

Did you use Add/Remove programs to attempt to uninstall PGate Basic? If yes, did it take you to a webpage to download an uninstaller? During this procedure is when you got this message?

Yes, I've tried many times w/add/remove to uninstall and get the message below. Misspelling tools was my fault - it is correct in the message. It opens the browser to home page (MSN) every time.
QUOTE
Cannot Find File:
///C:Program%20Files/Common%20Files/Remove-tols.html

Was tools misspelled that way in the message?


Could you use My Computer/Windows Explorer and navigate to the C:ProgramFiles\CommonFiles folder and tell me if the Remove_tools.html file is present? Don't do anything to it, just tell me if it is there.

I right click on start to get to explorer and Remove_tools.html is not present in the above mentioned path.

I found PGate and exported as instructed, here is copy of contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PGate]
"DisplayName"="PGate Basic"
"UninstallString"="C:\\Program Files\\Internet Explorer\\iexplore.exe C:\\Program Files\\Common Files\\remove_tools.html"

No tool bars today - so far.

Yesterday I ran (again) Adaware which found and deleted 5 files, Spybot S&D which found 9 files (3 were in the folder called Avenue A.Inc, 3 were in a folder called Peopleonpage, 1 was a tracking cookie called Atdmt.com, and the others were the usual DSO exploit which I've been told is just a glitch in S&D) - I deleted all of those as well.

NOTE: The Peopleonpage showed locations of the following registry keys: Global Settings: HKLM\Software\Envolo,
Uninstall settings: HKLM\Software\microsoft\Windows\Current Version\uninstall, and Logfile: C:\Windows\System 32\Autoupdate_uninstall log
Searching for these registry keys found nothing.

I ran Housecall again, and it found only 3 trojans this time (first time it found 12). Two were listed as SWIZZOR and one listed as APROPO.C. They were listed as uncleanable and I hit the delete key. Don't know if that actually worked or not.

I then ran the installed Norton Antivirus 2005 which found no infected files but 11 files that are "suspect". They are: Randreco.exe (located in Sys32), sN8meReP6.exe, Systb.exe, WOINSTALL.exe, Wupdsnff.exe. When clicking on details the path is shown but seeking that path finds nothing.

I hope this isn't too confusing. I know I'm getting confused! Let me know what else I can tell you.

Thanks very much,
Radiumlight
"And in the end, it's not the years in your life that count. It's the life in your years."
Abraham Lincoln
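Papakid's step 3 asks for a regedit export of the PGate key, and the export above shows why the Add/Remove entry fails: its UninstallString launches iexplore.exe on an HTML page that is not on disk, so there is no uninstaller behind the entry at all. As an added example (not code from the thread), the Python below parses a "Windows Registry Editor Version 5.00" export like the one posted, undoes the .reg escaping, and assesses each Uninstall key's UninstallString: is the "uninstaller" a web browser, is its argument an HTML document, is the program path quoted, and do the referenced files exist? The PGate key is the one radiumlight posted; the "Example App" key, the list of files present on disk, and the browser list are constructed for this example.

```python
"""Parse a Windows Registry Editor 5.00 export and assess Uninstall entries.
Added example, not code from the thread.  The PGate key is the export posted
in the thread; the Example App key and PRESENT_FILES are constructed."""
import ntpath
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
# "<program>.exe <arguments>", with or without quotes around the program path.
UNINSTALL_RE = re.compile(r'^"?(?P<prog>[^"]+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# Constructed heuristic: a browser is a document viewer, not an uninstaller.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PGate]
"DisplayName"="PGate Basic"
"UninstallString"="C:\\Program Files\\Internet Explorer\\iexplore.exe C:\\Program Files\\Common Files\\remove_tools.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"DisplayName"="Example App (constructed)"
"UninstallString"="\"C:\\Program Files\\Example App\\unins000.exe\""
"""

# Constructed stand-in for the file system, compared case-insensitively
# (remove_tools.html is deliberately absent, as reported in the thread).
PRESENT_FILES = {
    r"C:\Program Files\Internet Explorer\iexplore.exe".lower(),
    r"C:\Program Files\Example App\unins000.exe".lower(),
}


def unescape(s):
    # Undo .reg string escaping: a doubled backslash stands for one, \" for a quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key path: {value name: data}}; REG_SZ data is unescaped, other
    value types (dword:, hex:) are kept as the raw text after '='."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km["key"], {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            data = vm["data"]
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            current[unescape(vm["name"])] = data
    return keys


def split_uninstall_string(s):
    """Split an UninstallString into (program path, argument string)."""
    m = UNINSTALL_RE.match(s.strip())
    return (m["prog"], m["args"].strip()) if m else (None, "")


def assess_uninstall_entry(values, present_files=PRESENT_FILES):
    """Return the reasons an Uninstall entry looks wrong; [] means it looks sane."""
    reasons = []
    s = values.get("UninstallString", "")
    prog, args = split_uninstall_string(s)
    if prog is None:
        return ["UninstallString does not name an .exe"]
    if " " in prog and not s.startswith('"'):
        reasons.append("program path with spaces is not quoted")
    if ntpath.basename(prog).lower() in BROWSERS:
        reasons.append("uninstaller is a web browser, not an uninstall program")
    if args.lower().endswith((".htm", ".html")):
        reasons.append("argument is an HTML document")
    for path in (prog, args):
        if path and path.lower() not in present_files:
            reasons.append(f"file not present on disk: {path}")
    return reasons


if __name__ == "__main__":
    for key, values in parse_reg_export(SAMPLE_REG).items():
        print(values.get("DisplayName"), "->", assess_uninstall_entry(values) or "ok")
```

For the PGate key this reports four problems (unquoted path, browser as uninstaller, HTML argument, and the missing remove_tools.html), which matches the "Cannot Find File" error seen when Add/Remove Programs runs the entry; the constructed Example App entry reports none. Deleting such an entry only removes the Add/Remove line, so the assessment is a reading aid for the reviewer, not a cleanup step.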



