Spoolsrv32, hijack



#1
TylerB
New Member, 3 posts
I need help removing the aforementioned problem. My desktop has been changed into a stern warning, I get frequent pop up ads, an icon in my system tray reminds me that my system is at risk, my homepage is constantly redirected to www.daosearch.com and I cannot get rid of something called Security iGuard.

Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:07:37 PM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\mshelp32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\mocih.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cmdtel.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ide325.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Services\{1759CF7D-1738-4086-8D2D-16AA9AD988F9}\SVCHOST.EXE
C:\Program Files\MyIE2\MyIE.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.mchsi.com;<local>
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ttpgxjzztlfjs] C:\WINDOWS\System32\rzpqjn.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\default\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{1759CF7D-1738-4086-8D2D-16AA9AD988F9}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: M-soft Office .hta
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {40BDED0E-BB27-454D-A0FD-1CDDF0F394B8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40BDED0E-BB27-454D-A0FD-1CDDF0F394B8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7D3EE6A3-A345-4567-9C97-3EA248EF1CBA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D3EE6A3-A345-4567-9C97-3EA248EF1CBA} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B80B1685-18B1-4695-9233-C55F86391866} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B80B1685-18B1-4695-9233-C55F86391866} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BEA0EAD2-E97B-4730-9AC4-B3268335D370} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BEA0EAD2-E97B-4730-9AC4-B3268335D370} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C4C9C641-055E-41D6-A7B6-F7EBBBAFA04D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C4C9C641-055E-41D6-A7B6-F7EBBBAFA04D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C83EA8A4-3A33-46DE-BF42-03149CB80A71} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C83EA8A4-3A33-46DE-BF42-03149CB80A71} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DC95A1F9-399F-4097-96A1-1553D1EC9281} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC95A1F9-399F-4097-96A1-1553D1EC9281} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F28827E5-41A6-482B-A4DD-EA7FDD1F4B8A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F28827E5-41A6-482B-A4DD-EA7FDD1F4B8A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FDE526F5-2D52-48A1-A940-AF9474A022FF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FDE526F5-2D52-48A1-A940-AF9474A022FF} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mpl...toInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\system32\mocih.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe

Thank you very much for your time and help.

Tyler


#2
ilago
Visiting Staff (Visiting Consultant), 363 posts
Hi TylerB

Sorry for the delay in response. The forum has been very busy lately.

Since your original post is over a week old, could you please post a fresh HijackThis log for review?

If you have already fixed your machine or received help elsewhere please post back and let us know.

Thank you

#3
TylerB
New Member (Topic Starter), 3 posts
Not a problem at all. This is my most current HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 5:00:55 PM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mocih.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\system32\cmdtel.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\ssaghru.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MyIE2\MyIE.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.mchsi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.mchsi.com;<local>
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ttpgxjzztlfjs] C:\WINDOWS\System32\rzpqjn.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [jlaldto] c:\windows\awxrjnq.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: M-soft Office .hta
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {40BDED0E-BB27-454D-A0FD-1CDDF0F394B8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40BDED0E-BB27-454D-A0FD-1CDDF0F394B8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6A8C8270-6FA1-4E73-8980-022AB4EA4140} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6A8C8270-6FA1-4E73-8980-022AB4EA4140} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7D3EE6A3-A345-4567-9C97-3EA248EF1CBA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D3EE6A3-A345-4567-9C97-3EA248EF1CBA} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B80B1685-18B1-4695-9233-C55F86391866} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B80B1685-18B1-4695-9233-C55F86391866} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BEA0EAD2-E97B-4730-9AC4-B3268335D370} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BEA0EAD2-E97B-4730-9AC4-B3268335D370} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C4C9C641-055E-41D6-A7B6-F7EBBBAFA04D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C4C9C641-055E-41D6-A7B6-F7EBBBAFA04D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C83EA8A4-3A33-46DE-BF42-03149CB80A71} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C83EA8A4-3A33-46DE-BF42-03149CB80A71} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D071C056-CBDE-40AC-B3FD-EC8B44BC33B6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D071C056-CBDE-40AC-B3FD-EC8B44BC33B6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DC95A1F9-399F-4097-96A1-1553D1EC9281} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC95A1F9-399F-4097-96A1-1553D1EC9281} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F28827E5-41A6-482B-A4DD-EA7FDD1F4B8A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F28827E5-41A6-482B-A4DD-EA7FDD1F4B8A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FDE526F5-2D52-48A1-A940-AF9474A022FF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FDE526F5-2D52-48A1-A940-AF9474A022FF} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mpl...toInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\system32\mocih.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe

#4
ilago
Visiting Staff (Visiting Consultant), 363 posts
Hi TylerB

Download CWShredder, if you don't already have it, from here: http://www.geekstogo...=download&id=17

Install it into its own folder but don't use it yet.

Disable Microsoft Antispyware - right click the icon in the system tray and select Shutdown - it can interfere with the removal procedures. It will startup automatically the next time you boot into normal mode.

Click on Start > Control Panel > Performance and Maintenance > Administrator Tools > Services

The Services Management screen will come up. Scroll down through the listing in the right hand window and find these two services

Loading Outpost Connections (KDE) - right click the name and click on "stop". Right click again and go to Properties. Go to the "Startup Type" box and select "Disabled". OK

Trace network connections (ACCRA) - Follow the same procedure with this service.

Then File > Exit to close the Services window. Close Control Panel.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the steps when you are working in Safe Mode and not connected to the internet.

Open HijackThis and click on "Open Misc Tools Section" and then "Open Process Manager".

Find these processes in the list, select each one and click on "Kill Process". Read the names very carefully, as there may be some similar-looking names that are genuine files. Don't worry if they aren't all listed - just "Kill" the ones that are.

mocih.exe
cmdtel.exe
ssaghru.exe
awxrjnq.exe
rzpqjn.exe

Then click on Back, which will open the HijackThis Scan screen. Click on Scan. When the scan is complete, check all the following items. Then disconnect from the internet and close all open windows, including this browser window and all instant messaging (Yahoo Messenger, MSN Messenger, AIM, ICQ and anything else that is not essential), and click on Fix checked.

O4 - HKLM\..\Run: [ttpgxjzztlfjs] C:\WINDOWS\System32\rzpqjn.exe
O4 - HKCU\..\Run: [jlaldto] c:\windows\awxrjnq.exe
O4 - Global Startup: M-soft Office .hta -
O9 - Extra button: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {40BDED0E-BB27-454D-A0FD-1CDDF0F394B8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40BDED0E-BB27-454D-A0FD-1CDDF0F394B8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6A8C8270-6FA1-4E73-8980-022AB4EA4140} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6A8C8270-6FA1-4E73-8980-022AB4EA4140} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7D3EE6A3-A345-4567-9C97-3EA248EF1CBA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D3EE6A3-A345-4567-9C97-3EA248EF1CBA} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B80B1685-18B1-4695-9233-C55F86391866} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B80B1685-18B1-4695-9233-C55F86391866} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BEA0EAD2-E97B-4730-9AC4-B3268335D370} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BEA0EAD2-E97B-4730-9AC4-B3268335D370} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C4C9C641-055E-41D6-A7B6-F7EBBBAFA04D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C4C9C641-055E-41D6-A7B6-F7EBBBAFA04D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C83EA8A4-3A33-46DE-BF42-03149CB80A71} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C83EA8A4-3A33-46DE-BF42-03149CB80A71} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D071C056-CBDE-40AC-B3FD-EC8B44BC33B6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D071C056-CBDE-40AC-B3FD-EC8B44BC33B6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DC95A1F9-399F-4097-96A1-1553D1EC9281} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC95A1F9-399F-4097-96A1-1553D1EC9281} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F28827E5-41A6-482B-A4DD-EA7FDD1F4B8A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F28827E5-41A6-482B-A4DD-EA7FDD1F4B8A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {FDE526F5-2D52-48A1-A940-AF9474A022FF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FDE526F5-2D52-48A1-A940-AF9474A022FF} - (no file) (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mpl...toInstaller.exe
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\system32\mocih.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe
Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

If you aren't confident with Safe Mode read this first http://service1.syma...src=sec_doc_nam

In Safe Mode, open Windows Explorer and configure it to show all files:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Then find and delete these files.

Deletions
C:\WINDOWS\System32\rzpqjn.exe
c:\windows\awxrjnq.exe
C:\WINDOWS\system32\cmdtel.exe
C:\WINDOWS\system32\mocih.exe
C:\windows\ssaghru.exe

Find CWShredder and open it. Click "Fix" then OK.

Reboot into normal mode. Disable Microsoft Antispyware again so it doesn't interfere with the online virus scan removals - if there are any.

Do another online virus scan here http://housecall.tre.../start_corp.asp
Select your country from the drop-down list and click > Go
Yes at the ActiveX Security Warning prompt. The Housecall engine will update.
Select the drives to be scanned by placing a check in their respective boxes.
Check the "Auto Clean" box. Click "SCAN". Let the scan complete.

Reboot. Make sure Microsoft Antispyware is updated, then click on Scan Options in the Scan screen and select a full system scan with ticks in each option. Let it clean anything it finds.

Reboot after the scan is complete. Do a fresh HijackThis and post it so we can check.
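The entries the helper singled out above follow a recognisable pattern: services with "Unknown owner", Run values and executables with gibberish names sitting directly under C:\WINDOWS or System32, a launcher in a Temp directory, a system binary name (SVCHOST.EXE) in a GUID-named folder, an .hta in the all-users Startup folder, and a start page pointing at daosearch.com. The script below is an added example, not part of this thread and not HijackThis or the helper's own tooling; it encodes those review rules and runs them over lines copied from the logs posted above. KNOWN_GOOD, EXPECTED_HOSTS, the gibberish heuristic, the rule wording and the "high"/"review" labels are all assumptions of this example.

```python
"""Rule-based triage of HijackThis (HJT) 1.99 log entries.

Added example for this thread; not HijackThis code and not the helper's tooling.
SAMPLE_LOG lines are copied from the logs posted in the thread. KNOWN_GOOD,
EXPECTED_HOSTS, the gibberish heuristic and the severity labels are constructed
assumptions encoding what the reviewer looked for in those logs.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ttpgxjzztlfjs] C:\WINDOWS\System32\rzpqjn.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\default\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{1759CF7D-1738-4086-8D2D-16AA9AD988F9}\SVCHOST.EXE
O4 - Global Startup: M-soft Office .hta
O9 - Extra button: Microsoft AntiSpyware helper - {2FCFD255-74D8-414D-9EA4-291638F563D3} - (no file) (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0DC31B-0E49-417A-9597-F438A0D59F7B}: NameServer = 205.188.146.145
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINDOWS\system32\mocih.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed allow-lists; a real review uses far larger ones.
KNOWN_GOOD = {"svchost.exe", "spoolsv.exe", "userinit.exe", "systray.exe"}
EXPECTED_HOSTS = {"www.cnn.com", "www.mchsi.com"}  # the log's own HKLM start page and O14 reset page

ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_UNNAMED = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (?P<url>\S+)$")
START_PAGE = re.compile(r",(?:Start Page|Search Page|Default_Page_URL) = (?P<url>\S+)$")
SYSTEM32_FILE = re.compile(r"c:\\windows\\system32\\[^\\]+")

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (remove/investigate) or "review" (confirm before acting)
    section: str
    reason: str
    line: str

def looks_random(token: str) -> bool:
    """Crude gibberish test: alphabetic, 5+ chars, vowel-starved with a long consonant
    run (rzpqjn, awxrjnq, jlaldto). Tuned only on the names in this thread."""
    t = token.lower()
    if not t.isalpha() or len(t) < 5:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in t) / len(t)
    longest_run = max(len(r) for r in re.split(r"[aeiouy]+", t))
    return vowel_ratio < 0.2 or (vowel_ratio < 0.3 and longest_run >= 3)

def split_cmd(cmd: str) -> tuple[str, str]:
    """(full path, lower-cased file name) from a Run value like '"C:\\a\\b.exe" -osboot'."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" -", 1)[0]
    return path, path.rsplit("\\", 1)[-1].lower()

def check_o4(sec, body, line):
    if body.startswith("Global Startup:") and body.lower().endswith(".hta"):
        yield Finding("high", sec, "HTML application in the all-users Startup folder", line)
        return
    if not (m := O4_RUN.match(body)):
        return
    path, base = split_cmd(m["cmd"])
    low, stem = path.lower(), base.rsplit(".", 1)[0]
    in_windows = low.startswith("c:\\windows\\")
    if looks_random(m["name"]) or (in_windows and base not in KNOWN_GOOD and looks_random(stem)):
        yield Finding("high", sec, "gibberish Run value name or executable name", line)
    elif "\\temp\\" in low:
        yield Finding("high", sec, "autostart launched from a Temp directory", line)
    elif base in KNOWN_GOOD and "\\" in path and not SYSTEM32_FILE.fullmatch(low):
        yield Finding("high", sec, f"system binary name {base} outside System32", line)
    elif m["key"].lower() == "runonce":
        yield Finding("review", sec, "RunOnce autostart; confirm which installer left it", line)

def check_other(sec, body, line):
    if sec in ("R0", "R1") and (m := START_PAGE.search(body)):
        host = urlparse(m["url"]).hostname or ""
        if host not in EXPECTED_HOSTS:
            yield Finding("high", sec, f"browser start page set to unexpected host {host}", line)
    elif sec == "O9" and "(no file)" in body:
        yield Finding("review", sec, "orphaned browser button, target file missing", line)
    elif sec == "O16" and (m := O16_UNNAMED.match(body)) and m["url"].lower().endswith(".exe"):
        yield Finding("high", sec, "unnamed ActiveX download object pointing at a bare .exe", line)
    elif sec == "O17" and "NameServer" in body:
        yield Finding("review", sec, "DNS server pinned in the registry; confirm it is the ISP's", line)
    elif sec == "O23" and body.split(" - ")[1:2] == ["Unknown owner"]:
        yield Finding("high", sec, "service binary with no company name in its version info", line)

def triage(log_text: str) -> list[Finding]:
    """Run every rule over the HJT entry lines; findings come back in log order."""
    findings = []
    for raw in log_text.splitlines():
        if m := ENTRY.match(raw.strip()):
            check = check_o4 if m["sec"] == "O4" else check_other
            findings.extend(check(m["sec"], m["body"], raw.strip()))
    return findings
```

Run as `python triage.py` after adding a loop that prints `triage(SAMPLE_LOG)`: the clean iTunesHelper and iPodService lines produce nothing, the seven entries the helper asked to fix or stop come back as "high", and the RunOnce, orphaned O9 button and O17 NameServer come back as "review". The gibberish test is deliberately narrow and only applied to value names and to executables directly under C:\WINDOWS; applied to Program Files it would mis-flag names like qttask, which is why the KNOWN_GOOD and directory conditions gate it.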

#5
TylerB
New Member (Topic Starter), 3 posts
Thanks for your help so far. This is my new HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 11:26:47 AM, on 4/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\MyIE2\MyIE.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ttpgxjzztlfjs] C:\WINDOWS\System32\rzpqjn.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [qfxpsue] c:\windows\ewmxkrh.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C0DC31B-0E49-417A-9597-F438A0D59F7B}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C0DC31B-0E49-417A-9597-F438A0D59F7B}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#6
ilago
Visiting Staff (Visiting Consultant), 363 posts
Hi TylerB

Download http://www.davehigha...ds/xphidden.zip
Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Download and install ccleaner from here: http://www.ccleaner.com/ Don't run it just yet.

Download and install TDS-3 from here: http://www.diamondcs.com.au Download the most recent radius updates from the site and install them manually. The instructions for doing so are on the webpage. Don't run it yet.

Boot into Safe Mode and open HijackThis. Click on Do System Scan only. When the scan is complete check these. Close all open windows and click on Fix Checked.

O4 - HKLM\..\Run: [ttpgxjzztlfjs] C:\WINDOWS\System32\rzpqjn.exe
O4 - HKCU\..\Run: [qfxpsue] c:\windows\ewmxkrh.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
Open Windows Explorer and find these two files and delete them.

C:\WINDOWS\System32\rzpqjn.exe
c:\windows\ewmxkrh.exe

Reboot into Normal Mode and open TDS-3. It will go through some preliminary system checking and then go to the black screen. Go to System on the top menu bar and click on Full system scan. It will let you know if it detects a known trojan or trojan process.

Reboot after the scan is complete and any action has been taken. The diamondcs website has lots of information about the program. It works a little differently from most other scanners. It is one of the best trojan scanners around though.

Open ccleaner. On the first Windows tab all the ticks are green. You may like to untick Recent Documents if you use that feature of Windows. Click on Analyze. When the Analyzer has finished, click on Run Cleaner. That will clear all the leftover and unnecessary things that your computer accumulates. It will also clear your cookies, so if you have remembered passwords for some website you might need to make sure you know them.

Reboot and do a new HijackThis log so I can check.