Dropper.small viruses & browser hijack


#1 plazaboy (Member, 13 posts)
I'm running WIN98SE on a Celeron 366. Netscape Browser has been hijacked and I have dropper.small viruses (b.bc, 4.ak, 13.am and probably more!); tried running AVG, Spybot, Adaware but the viruses keep returning. Not able to do anything using the browser other than Spyspotter, which hijacked me. Here's the Hijack log. Any assistance is greatly appreciated. Plazaboy
Logfile of HijackThis v1.99.1
Scan saved at 9:41:13 PM, on 3/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TELUS ECARE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\TONIARTS\EASYCLEANER\EASYCLEA.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\TELUS ECARE\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - GlobalUserOffline - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rdetvrlg.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rdetvrlg.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ToniArts EasyCleaner] "C:\PROGRAM FILES\TONIARTS\EASYCLEANER\EASYCLEA.EXE" -s -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...CA_ZCxdm413YYCA
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://remote.mccarthy.ca/wfica.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
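Editor's note, added example (not part of the original post, and not code from HijackThis or any tool named in the thread): the three O1 lines in the log above are where the "hijack" becomes visible. Windows 9x ships only a HOSTS.SAM sample, so any O1 entry was put there after install, and these point the names IE and Netscape use for address-bar auto-search (auto.search.msn.com, search.netscape.com, ieautosearch) at 69.20.16.183 instead of the real servers, so every mistyped or keyword URL lands on that one host. The script below triages a HijackThis-format log offline: it lists hosts entries that resolve anywhere but loopback, R3 URLSearchHook registrations whose backing file is missing, and Run-key autostarts launched from a scratch directory. The sample log is constructed from lines copied out of the post above plus one hypothetical O4 entry (C:\WINDOWS\TEMP\updater.exe) and a localhost line; the SUSPECT_DIRS list is the editor's assumption, not something HijackThis itself checks.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v1.99.1 log format. The R1, R3 and O1 lines
# and the AVG O4 line are copied from the post above; the "127.0.0.1 localhost"
# line and the O4 entry for C:\WINDOWS\TEMP\updater.exe are hypothetical, added
# so that both a benign and a suspicious case of each check is exercised.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - GlobalUserOffline - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP
O4 - HKLM\\..\\Run: [Updater] C:\\WINDOWS\\TEMP\\updater.exe -startup
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
HOOK_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<clsid>\S+) - \(no file\)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Directories a legitimate autostart almost never runs from (editor's assumption).
SUSPECT_DIRS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\", "\\RECYCLED\\")


def hosts_redirects(log: str) -> List[Tuple[str, str]]:
    """Hosts-file entries that send a name somewhere other than loopback."""
    out = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m and m.group("ip") not in LOOPBACK:
            out.append((m.group("host"), m.group("ip")))
    return out


def orphaned_search_hooks(log: str) -> List[str]:
    """URLSearchHook registrations whose backing file is gone ('(no file)')."""
    return [m.group("clsid") for m in map(HOOK_RE.match, log.splitlines()) if m]


def autostarts_from_temp(log: str) -> List[Tuple[str, str]]:
    """Run-key entries whose command line points into a scratch directory."""
    out = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m and any(d in m.group("cmd").upper() for d in SUSPECT_DIRS):
            out.append((m.group("name"), m.group("cmd")))
    return out


def triage(log: str) -> Dict[str, object]:
    """Run the three checks and collapse the redirect IPs to a distinct set."""
    redirects = hosts_redirects(log)
    return {
        "hosts_redirects": redirects,
        "redirect_targets": sorted({ip for _, ip in redirects}),
        "orphaned_hooks": orphaned_search_hooks(log),
        "temp_autostarts": autostarts_from_temp(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because all three names map to the same address, the triage collapses them to one redirect target, which is the quickest way to tell a single hijack from several unrelated ones. Fixing the O1 lines in HijackThis restores normal resolution; if they reappear after a reboot, whatever writes them is still active, which is the "keep returning" symptom described in the post.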

#2 Guest_thatman_* (Guest)
Hi plazaboy

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Kc

#3 plazaboy (Topic Starter)
Thank you for the quick reply. I got these messages...

Directory already exists
Syntax error

Not compatible with 9X or Windows NT

I'm running Windows 98SE. Is this the problem?

Plazaboy

#4 Guest_thatman_* (Guest)
Hi plazaboy

Please download the following program:
http://castlecops.co.../FindIt9xME.zip

Unzip the contents to a folder. When it has unzipped, open that folder and double-click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any "File not found" messages on the screen; it should continue anyway).

Please copy and paste that log here.

Kc

#5 plazaboy (Topic Starter)
Thank you. Here are the results..
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is NEW
Volume Serial Number is 3073-16EA
Directory of C:\WINDOWS\SYSTEM

ESSUI32 DLL 227,104 03-15-05 11:58a ESSUI32.DLL
HIZRM309 DLL 227,104 03-15-05 11:58a hizrm309.dll
GCNEICON DLL 227,104 03-15-05 11:58a gcneicon.dll
WXNASPI DLL 227,104 03-15-05 11:58a WXNASPI.DLL
OXPRT400 DLL 227,104 03-14-05 3:46p OXPRT400.DLL
BTACKBOX DLL 227,104 03-14-05 3:46p BTACKBOX.DLL
LMCMP62N DLL 227,104 03-14-05 3:46p LMCMP62N.DLL
DZNPUT8 DLL 227,104 03-14-05 3:46p dznput8.dll
8 file(s) 1,816,832 bytes
0 dir(s) 3,163.93 MB free

------- Hidden Files in System Directory -------


Volume in drive C is NEW
Volume Serial Number is 3073-16EA
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 20,583 02-17-05 12:44a FFASTLOG.TXT
ATI98DEF GID 10,844 09-17-03 4:01p ati98def.GID
ATISETUP LOG 3,626 09-17-03 4:01p ATISETUP.LOG
FOLDER HTT 13,122 09-17-03 3:47p folder.htt
DESKTOP INI 266 09-17-03 3:47p desktop.ini
5 file(s) 48,441 bytes
0 dir(s) 3,163.92 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{82D992AC-1524-3F97-F3A9-C1EC5678C1D3}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ffastlog.txt Thu Feb 17 2005 12:44:44a A..H. 20,583 20.10 K
oxprt400.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
btackbox.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
lmcmp62n.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
essui32.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K
hizrm309.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K
gcneicon.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K
dznput8.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
wxnaspi.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K

9 items found: 9 files, 0 directories.
Total of file sizes: 1,837,415 bytes 1.75 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP CD-Writer"="C:\\Program Files\\HP CD-Writer\\Mmenu\\hpcdtray.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"Motive SmartBridge"="C:\\PROGRA~1\\TELUSE~1\\SMARTB~1\\MotiveSB.exe"
"ToniArts EasyCleaner"="\"C:\\PROGRAM FILES\\TONIARTS\\EASYCLEANER\\EASYCLEA.EXE\" -s -startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



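Editor's note, added example (not from the thread, and not code from FindIt9xME): what makes the first FindIt section decisive is not any single name but the pattern. Eight DLLs with random-looking names, all exactly 227,104 bytes, written in two batches with identical timestamps, with the System and Read-only attributes set, sitting in C:\WINDOWS\SYSTEM. Legitimate system DLLs almost never share an exact byte size with seven neighbours. The script below parses the Locate.com lines FindIt prints, groups files by exact size, and flags DLL clusters that also carry the S and R attributes. The first eight sample lines are copied from the post above; the two benign lines at the end (msvcrt.dll, user32.dll) are constructed, with made-up sizes and dates, to show that a shared timestamp alone does not trigger the check. The min_members threshold of 3 is the editor's choice.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Sample listing in the Locate.com format that FindIt9xME prints. The first
# eight lines are copied from the log in the post above; the last two are
# constructed benign entries (real file names, invented sizes and dates).
SAMPLE_LISTING = """\
ffastlog.txt Thu Feb 17 2005 12:44:44a A..H. 20,583 20.10 K
oxprt400.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
btackbox.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
lmcmp62n.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
essui32.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K
hizrm309.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K
dznput8.dll Mon Mar 14 2005 3:46:36p ..S.R 227,104 221.78 K
wxnaspi.dll Tue Mar 15 2005 11:58:18a ..S.R 227,104 221.78 K
msvcrt.dll Wed Jun 8 2000 5:00:00p A.... 266,293 260.05 K
user32.dll Wed Jun 8 2000 5:00:00p A.... 49,152 48.00 K
"""

# name, "Dow Mon D YYYY H:MM:SS[ap]", five-character attribute field, size with commas
LOCATE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<when>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)"
)


def parse_locate(listing: str) -> List[Dict[str, object]]:
    """Turn Locate.com lines into records; lines that do not parse are skipped."""
    rows = []
    for line in listing.splitlines():
        m = LOCATE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "name": m.group("name").lower(),
            "when": m.group("when"),
            "system": "S" in m.group("attrs"),
            "readonly": "R" in m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
        })
    return rows


def same_size_clusters(rows, min_members: int = 3) -> Dict[int, List[str]]:
    """Group file names by exact byte size; keep groups of min_members or more."""
    by_size = defaultdict(list)
    for r in rows:
        by_size[r["size"]].append(r["name"])
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_members}


def suspicious_dlls(rows, min_members: int = 3) -> List[str]:
    """DLLs that sit in a same-size cluster and are marked System + Read-only."""
    clustered = set()
    for names in same_size_clusters(rows, min_members).values():
        clustered.update(names)
    return sorted(
        r["name"] for r in rows
        if r["name"] in clustered and r["name"].endswith(".dll")
        and r["system"] and r["readonly"]
    )


if __name__ == "__main__":
    rows = parse_locate(SAMPLE_LISTING)
    for size, names in same_size_clusters(rows).items():
        print(f"{size} bytes x {len(names)}: {', '.join(names)}")
    print("flag for review:", suspicious_dlls(rows))
```

The same grouping over the DOS-style "dir" section above gives the same seven names plus ESSUI32.DLL's twin listing. On a live Windows 98 machine the equivalent quick check is `dir /a:-d /o:s` in C:\WINDOWS\SYSTEM, which sorts by size and puts identical sizes next to each other.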

#6 Guest_thatman_* (Guest)
Hi plazaboy

This is a new VX2 infection. I have asked the experts to take a look and will post back a.s.a.p.

Kc

#7 plazaboy (Topic Starter)
Thanks. Looking forward to a solution.
plazaboy

#8 Guest_thatman_* (Guest)
Hi plazaboy

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Both programs now have malware removal tools.
Please post the logs from both virus scans and the HJT log; we will need them to remove previous infections that have left files on your system.

Kc

#9 plazaboy (Topic Starter)
Hi KC,
This ActiveScan ran for 4 hours. I didn't remember having this many files (179,000) unless something is propagating very fast, like a virus. Here's the first report.
thanks.
plazaboy

Incident Status Location

Adware:Adware/eZula No disinfected C:\ezStub.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Start Menu\Programs\GAIN Publishing
Adware:Adware/KeenValue No disinfected C:\Program Files\PerfectNav
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Application Data\tvm*.dll
Adware:Adware/SideSearch No disinfected C:\WINDOWS\Application Data\Lycos
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osconfig.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\TEMP\bw2.com
Spyware:Spyware/Spyblocs No disinfected C:\WINDOWS\Desktop\Remove Spyware.url
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osmim.dll
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osconfig.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OXPRT400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\hqzime09.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\BTACKBOX.DLL
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM\dosync.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM\docore.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LMCMP62N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dznput8.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\__unin__.exe
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\TEMP\Tvm.upd
Adware:Adware/BrilliantDigital No disinfected C:\WINDOWS\Desktop\Kazaa\bdcore.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\MIWQ3WBL\AppWrap[2].exe
Spyware:Spyware/TVMedia No disinfected C:\TV Media\Tvm.exe
Spyware:Spyware/TVMedia No disinfected C:\TV Media\TvmCore.dll
Spyware:Spyware/TVMedia No disinfected C:\TV Media\TvmBho.dll

#10 Guest_thatman_* (Guest)
Hi plazaboy

Welcome to geekstogo ;)

Please read through the instructions before you start (you may want to print this out).

Using Add/Remove Programs, uninstall the following:
C:\TV Media\Tvm.exe
C:\Program Files\PerfectNav
If there is no option to remove them, then delete the folders.

Reboot into Safe Mode.

Using Windows Explorer, delete the following files and folders:
C:\ezStub.exe <-- Delete the whole folder
C:\WINDOWS\Start Menu\Programs\GAIN Publishing
C:\WINDOWS\Application Data\Lycos <-- Delete the whole folder
C:\WINDOWS\Desktop\Kazaa\ <-- Delete the whole folder
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\MIWQ3WBL\AppWrap[2].exe <-- Delete this file

Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot.
Paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\Application Data\tvm*.dll
C:\WINDOWS\TEMP\Tvm.upd
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\SYSTEM\osconfig.dll
C:\WINDOWS\TEMP\bw2.com
C:\WINDOWS\Desktop\Remove Spyware.url
C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
C:\WINDOWS\SYSTEM\osmim.dll
C:\WINDOWS\SYSTEM\osconfig.dll
C:\WINDOWS\SYSTEM\OXPRT400.DLL
C:\WINDOWS\SYSTEM\hqzime09.dll
C:\WINDOWS\SYSTEM\BTACKBOX.DLL
C:\WINDOWS\SYSTEM\dosync.dll
C:\WINDOWS\SYSTEM\docore.dll
C:\WINDOWS\SYSTEM\LMCMP62N.DLL
C:\WINDOWS\SYSTEM\dznput8.dll
C:\WINDOWS\TEMP\__unin__.exe
C:\WINDOWS\bsx32

End of Killbox files

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and the HJT log; we will need them to remove previous infections that have left files on your system.

Kc

#11 plazaboy (Topic Starter)
Hi KC,
Housecall couldn't find any viruses per the attached screen print. Here's the latest HJT scan as well. Thanks again.
plazaboy

Logfile of HijackThis v1.99.1
Scan saved at 6:47:43 AM, on 3/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TELUS ECARE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\TONIARTS\EASYCLEANER\EASYCLEA.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\TELUS ECARE\BIN\MPBTN.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - GlobalUserOffline - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rdetvrlg.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rdetvrlg.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ToniArts EasyCleaner] "C:\PROGRAM FILES\TONIARTS\EASYCLEANER\EASYCLEA.EXE" -s -startup
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://remote.mccarthy.ca/wfica.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#12 plazaboy (Topic Starter)
Hi KC,
Just to clarify: I posted the Housecall and HJT scan results before I saw your last note. I will post another scan after I follow through with your list of instructions.
plazaboy

#13 plazaboy (Topic Starter)
Hi KC,
Here are the reports from Panda and HJT... Housecall found no viruses.
plazaboy


Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\bundle.inf
Adware:Adware/KeenValue No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Application Data\tvm*.dll
Adware:Adware/SideSearch No disinfected C:\Program Files\Lycos
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\asmfiles.cab
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osconfig.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\TEMP\bw2.com
Spyware:Spyware/Spyblocs No disinfected C:\WINDOWS\Desktop\Remove Spyware.url
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osmim.dll
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osconfig.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OXPRT400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\hqzime09.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\BTACKBOX.DLL
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM\dosync.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM\docore.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LMCMP62N.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dznput8.dll
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\__unin__.exe
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\TEMP\Tvm.upd
Adware:Adware/BrilliantDigital No disinfected C:\RECYCLED\DC3\bdcore.dll
Adware:Adware/Look2Me No disinfected C:\RECYCLED\DC5.EXE

Logfile of HijackThis v1.99.1
Scan saved at 2:06:38 PM, on 3/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TELUS ECARE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\TONIARTS\EASYCLEANER\EASYCLEA.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TELUS ECARE\BIN\MPBTN.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - GlobalUserOffline - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rdetvrlg.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rdetvrlg.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ToniArts EasyCleaner] "C:\PROGRAM FILES\TONIARTS\EASYCLEANER\EASYCLEA.EXE" -s -startup
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://remote.mccarthy.ca/wfica.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#14 plazaboy (Topic Starter)
Hi KC,
My IE has been acting up and Netscape won't allow me into Hotmail because it can't find the page and cookies need to be enabled (but they are).
Anyway, I've posted the latest reports and am wondering what else I need to do to get rid of the popups and viruses?
thanks,
plazaboy

#15 Guest_thatman_* (Guest)
Hi plazaboy

Boot into safemode

Uninstall this program with Windows Add/Remove Programs:
C:\Program Files\Lycos

C:\WINDOWS\TEMP\ <-- Delete all files in the temp folder

C:\WINDOWS\Desktop\Remove Spyware.url <-- Delete this file
C:\WINDOWS\Application Data\tvm*.dll <-- Delete this file


Empty your Recycle Bin, which contains:
C:\RECYCLED\DC3\bdcore.dll
C:\RECYCLED\DC5.EXE

Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\bsx32
C:\WINDOWS\SYSTEM\osconfig.dll
C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
C:\WINDOWS\SYSTEM\osmim.dll
C:\WINDOWS\SYSTEM\osconfig.dll
C:\WINDOWS\SYSTEM\OXPRT400.DLL
C:\WINDOWS\SYSTEM\hqzime09.dll
C:\WINDOWS\SYSTEM\BTACKBOX.DLL
C:\WINDOWS\SYSTEM\dosync.dll
C:\WINDOWS\SYSTEM\docore.dll
C:\WINDOWS\SYSTEM\LMCMP62N.DLL
C:\WINDOWS\SYSTEM\dznput8.dll


Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs from both virus scans and the HJT log; we will need them to remove previous infections that have left files on your system.

Kc
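Editor's note, added example (not from the thread, and not Pocket Killbox's own code): the "Delete a file on reboot" step in posts #10 and #15 exists because a DLL that is loaded into Explorer or the browser cannot be deleted while Windows is running. On Windows 9x the operating system itself provides for this through C:\WINDOWS\WININIT.INI: a [rename] section is processed at the next boot, before the protected-mode file system is loaded, and a line of the form NUL=<path> deletes that file. Because the long-filename layer is not up yet, every path component has to be an 8.3 short name. Whether Killbox writes exactly this file is not stated on the page; the example shows the planning step a practitioner does before queueing anything. The script takes the paste list from the two posts and turns it into a [rename] section, separating out what a reboot-time delete cannot handle as written: the wildcard entry tvm*.dll, the repeated osconfig.dll, the long name "P2P Networking v124.cpl", and bsx32, which has no extension and should be checked for being a folder rather than a file (the mechanism deletes files only). The 8.3 pattern and the category names are the editor's.

```python
import re
from typing import Dict, List

# The Killbox paste list from posts #10 and #15 above, including the entries
# that a reboot-time delete cannot take as written and one path listed twice.
KILLBOX_LIST = [
    r"C:\WINDOWS\Application Data\tvm*.dll",
    r"C:\WINDOWS\TEMP\__unin__.exe",
    r"C:\WINDOWS\bsx32",
    r"C:\WINDOWS\SYSTEM\osconfig.dll",
    r"C:\WINDOWS\SYSTEM\P2P Networking v124.cpl",
    r"C:\WINDOWS\SYSTEM\osmim.dll",
    r"C:\WINDOWS\SYSTEM\osconfig.dll",
    r"C:\WINDOWS\SYSTEM\OXPRT400.DLL",
    r"C:\WINDOWS\SYSTEM\hqzime09.dll",
    r"C:\WINDOWS\SYSTEM\BTACKBOX.DLL",
    r"C:\WINDOWS\SYSTEM\dosync.dll",
    r"C:\WINDOWS\SYSTEM\docore.dll",
    r"C:\WINDOWS\SYSTEM\LMCMP62N.DLL",
    r"C:\WINDOWS\SYSTEM\dznput8.dll",
]

# One 8.3 path component: up to 8 name characters, optional extension of up to
# 3, no spaces and no extra dots. WININIT.INI is processed before long file
# names are available, so every component must look like this.
SHORT_COMPONENT = re.compile(r"^[^\s.\\/]{1,8}(\.[^\s.\\/]{1,3})?$")


def components(path: str) -> List[str]:
    """Split a DOS path into components, dropping the drive letter."""
    body = path[2:] if len(path) > 1 and path[1] == ":" else path
    return [c for c in body.split("\\") if c]


def is_short_name(path: str) -> bool:
    return all(SHORT_COMPONENT.match(c) for c in components(path))


def plan_reboot_deletes(paths: List[str]) -> Dict[str, List[str]]:
    """Sort the paste list into what can be queued and what needs a human first."""
    plan = {"rename": [], "wildcards": [], "needs_short_name": [],
            "verify_is_file": [], "duplicates": []}
    seen = set()
    for p in paths:
        key = p.lower()                      # FAT is case-insensitive
        if "*" in p or "?" in p:
            plan["wildcards"].append(p)      # must be expanded to real names
        elif key in seen:
            plan["duplicates"].append(p)     # queueing twice is harmless but noisy
        elif not is_short_name(p):
            plan["needs_short_name"].append(p)  # look up the 8.3 alias first
        elif "." not in components(p)[-1]:
            plan["verify_is_file"].append(p)    # may be a folder; NUL= is files only
        else:
            plan["rename"].append(p)
        seen.add(key)
    return plan


def render_wininit(paths: List[str]) -> str:
    """Produce the [rename] section text that WININIT.INI expects (CRLF lines)."""
    lines = ["[rename]"] + [f"NUL={p}" for p in paths]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    plan = plan_reboot_deletes(KILLBOX_LIST)
    for category, items in plan.items():
        if category != "rename" and items:
            print(f"{category}: {items}")
    print(render_wininit(plan["rename"]))
```

For a long name the short alias is what the Windows 98 "dir" command prints in its first columns; the FindIt listing earlier in this thread shows exactly that form (OXPRT400 DLL alongside OXPRT400.DLL), so the same listing is where to read the alias for "P2P Networking v124.cpl" before it goes into the section.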





