Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

hijack this log [RESOLVED]

Started by simplicity , Apr 07 2005 07:43 PM

This topic is locked

#1
simplicity

Posted 07 April 2005 - 07:43 PM

Member

Member
21 posts

my computer has been running slow lately... i have anti virus protection and tried programs such as adaware se, spy sweeper, and spybot.

can someone check this over for me? thanks in advance =)

Logfile of HijackThis v1.98.2
Scan saved at 9:43:34 PM, on 4/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [MFCD30] C:\WINDOWS\SYSTEM\MFCD30.EXE
O4 - HKCU\..\Run: [RASAPI32] C:\WINDOWS\SYSTEM\RASAPI32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE

#2
Kat

Posted 12 April 2005 - 12:36 AM

Retired

Retired Staff
19,711 posts

The first thing we need to tackle is to get you updated to the newest version of HijackThis.Please goHere and download the newest version 1.99.1. Please be sure to save it to a permanent directory, such as C:\Prgram Files\HJT.

Running HJT from your "unzipped' folder, your desktop or a temp folder is not a good idea, as the backups that HJT creates while being used may not be saved.

It is late at night, so I will keep an eye out tomorrow for you to post a new log from the updated version of HJT! :tazz:

#3
simplicity

Posted 12 April 2005 - 01:28 PM

Member

Topic Starter
Member
21 posts

thanks ^^
this is the new log.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:26 PM, on 4/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [MFCD30] C:\WINDOWS\SYSTEM\MFCD30.EXE
O4 - HKCU\..\Run: [RASAPI32] C:\WINDOWS\SYSTEM\RASAPI32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE

#4
Kat

Posted 12 April 2005 - 02:19 PM

Retired

Retired Staff
19,711 posts

Let's take this in a couple of steps if you don't mind. I want to tackle the viruses first, and then we'll go into HJT and remove any other problems left over!

1. Please update, configure, and re-run Ad-aware and Spybot S&D as below:
Make sure you're using the latest version of Ad-aware(Ad-aware SE 1.05) If you're using an older version, download Ad-aware SE Personal 1.05 and install it.

Before scanning with Ad-aware SE Free:
Run a FULL adaware scan using the following configuration below

Update
- Select Check for updates.
- Then Connect and download SE1R28 16.02.2005 .
Click Start
Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
It will list malware files and registry keys. Click Next.
Under the Critical Objects tab, rightclick in the list, choose Select All, then Next.
It will ask for verification of checked items-. Choose OK.
Close Ad-Aware, Shut down and reboot your system.

2. Download and Install Spybot S&D, accepting the Default Settings
(Please ensure you have version 1.3 final.)
Home - The home of Spybot-S&D!: http://www.safer-networking.org/
Here is a nice Tutorial http://www.safer-net...p?page=tutorial

Go to Start > Programs >Spybot Search & Destroy and choose 'Spybot S&D'
Close ALL windows except Spybot S&D
Click the button 'Search for Updates' and download and install the Updates.
Next click the button 'Check for Problems'
When Spybot is complete, it will be showing 'RED' entries BLACK entries and GREEN entries in the window
Make sure there is a check mark beside the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.
REBOOT

3. Also, run at least 2 of these online virus scans:

Housecall<<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan<<<Accept default settings, save and post the log
RAV online scan<<<Add a check by 'Autoclean', leave everything else as is.
eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful
Bitdefender ScanOnline<<<Place a check by everything under 'Scan Options'.
Command on Demand

4. Also run an online trojan scan here: http://www.trojanscan.com/
Reboot when finished.

5. Re-run HijackThis and post the new log.

#5
simplicity

Posted 14 April 2005 - 01:18 PM

Member

Topic Starter
Member
21 posts

this is the new hijack this log and the panda activescan results

Incident Status Location

Virus:Trj/Downloader.ABE Disinfected Operating system
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\swin32.dll
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dealhlpr.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\retpdat32.xml
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Virus:Trj/Downloader.AEE Disinfected Operating system
Adware:Adware/PowerStrip No disinfected C:\WINDOWS\pgtaff?.bin
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\SYSTEM\LMF32.DLL
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\clueacct.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\crtdial.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\wuaelind.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\xen0dal.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\SWin32.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\adstartup.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\modgxyz.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\adupdater.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\pro3dv2.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\qdvml.exe
Virus:Trj/Downloader.AQI Disinfected C:\WINDOWS\SYSTEM\oipdefui.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\rnrebdvd.exe
Virus:Trj/Downloader.AAU Disinfected C:\WINDOWS\SYSTEM\rsaxpand.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\ksui400.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\mbstilse.exe
Virus:Trj/Downloader.AMT Disinfected C:\WINDOWS\SYSTEM\atlrm24f.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\winupdtl.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\InstaFinder_inst.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\instFindtvmk38megaV2.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\winupdt.exe
Adware:Adware/MyDailyHoroscopeNo disinfected C:\WINDOWS\SYSTEM\setup_silent_17307.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\cmuerold.exe
Virus:Trj/Downloader.AQI Disinfected C:\WINDOWS\SYSTEM\vfpshl.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\wpwrch.exe
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\SYSTEM\awf0dal.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\TEMP\AutoUpdate1\auto_update_install.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\TEMP\AutoUpdate1\setup.inf
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\TEMP\SskUpdater.exe
Spyware:Spyware/Searchcentrix No disinfected C:\WINDOWS\Downloaded Program Files\instafin.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\BYVNX2CI\install_1000[1].exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\EFKJBGTO\AutoUpdaterInstaller[1].exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\EFKJBGTO\bannerbottom1[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\EFKJBGTO\bannerbottom2[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\bannertop2[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\navigation[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\affiliates[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\bannerbottom1[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\4DYZOHQB\bannertop1[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\4DYZOHQB\bannerbottom2[1].htm
Adware:Adware/PortalScan No disinfected C:\WINDOWS\pgtaff.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dealhlpr.dll
Virus:Bck/Agent.K Disinfected C:\WINDOWS\xezi.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhsvr.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhbrwsr.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhp.dll
Virus:Trojan Horse Disinfected C:\WINDOWS\Helper100.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhupdt.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhp2.dll
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Virus:Trj/Downloader.AEE Disinfected C:\RECYCLED\Dc2356\backups\backup-20050407-212600-374.inf

Logfile of HijackThis v1.99.1
Scan saved at 3:16:59 PM, on 4/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#6
Kat

Posted 14 April 2005 - 01:57 PM

Retired

Retired Staff
19,711 posts

You may want to print these instructions or save them to a NotePad file on your desktop to make it easier for you to follow each step in order!

1. Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\SYSTEM\LMF32.DLL
C:\WINDOWS\SYSTEM\ICSCJI32.EXE
C:\WINDOWS\SYSTEM\PDBLL.EXE
C:\WINDOWS\System\Restore\StateMgr.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE

Now close all windows other than HiJackThis, then click Fix Checked. After that, reboot.

3. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

4. Please post a fresh HJT log here in a reply, so I can see how things look now!

#7
simplicity

Posted 14 April 2005 - 04:37 PM

Member

Topic Starter
Member
21 posts

heres the new log :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:33 PM, on 4/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#8
Kat

Posted 14 April 2005 - 04:42 PM

Retired

Retired Staff
19,711 posts

Congratulations! :tazz:

Your log is clean!

While your HJT log is now clean, there is another step that needs to be taken. There will be further instruction soon!

Thanks for being patient!

Edited by ~Kat~, 14 April 2005 - 06:31 PM.

#9
Michelle

Posted 14 April 2005 - 07:00 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Kat did a great job on helping you clean your system, now we're going to use Killbox to delete the files found by ActiveScan that were not disinfected.

I HIGHLY recommend printing this out, so that you can put a check next to the file paths that you put into killbox so that you're sure to get them all!

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\SYSTEM\swin32.dll
C:\WINDOWS\dealhlpr.dll
C:\WINDOWS\SYSTEM\retpdat32.xml
C:\WINDOWS\pgtaff?.bin
C:\WINDOWS\SYSTEM\LMF32.DLL
C:\WINDOWS\SYSTEM\clueacct.exe
C:\WINDOWS\SYSTEM\crtdial.exe
C:\WINDOWS\SYSTEM\wuaelind.exe
C:\WINDOWS\SYSTEM\xen0dal.exe
C:\WINDOWS\SYSTEM\SWin32.dll
C:\WINDOWS\SYSTEM\adstartup.exe
C:\WINDOWS\SYSTEM\modgxyz.exe
C:\WINDOWS\SYSTEM\adupdater.exe
C:\WINDOWS\SYSTEM\pro3dv2.exe
C:\WINDOWS\SYSTEM\qdvml.exe
C:\WINDOWS\SYSTEM\rnrebdvd.exe
C:\WINDOWS\SYSTEM\ksui400.exe
C:\WINDOWS\SYSTEM\mbstilse.exe
C:\WINDOWS\SYSTEM\winupdtl.exe
C:\WINDOWS\SYSTEM\InstaFinder_inst.exe
C:\WINDOWS\SYSTEM\instFindtvmk38megaV2.dll
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\setup_silent_17307.exe
C:\WINDOWS\SYSTEM\cmuerold.exe
C:\WINDOWS\SYSTEM\wpwrch.exe
C:\WINDOWS\SYSTEM\awf0dal.exe
C:\WINDOWS\TEMP\AutoUpdate1\auto_update_install.exe
C:\WINDOWS\TEMP\AutoUpdate1\setup.inf
C:\WINDOWS\TEMP\SskUpdater.exe
C:\WINDOWS\Downloaded Program Files\instafin.dll
C:\WINDOWS\pgtaff.exe
C:\WINDOWS\dealhlpr.dll
C:\WINDOWS\dhsvr.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\dhp.dll
C:\WINDOWS\dhupdt.exe
C:\WINDOWS\dhp2.dll
C:\Program Files\AIM\Sysfiles\WxBug.EXE

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

After it restarts, please use Windows Explorer to navigate to this folder (in bold) and DELETE it:

C:\Program Files\cxtpls

#10
simplicity

Posted 14 April 2005 - 07:36 PM

Member

Topic Starter
Member
21 posts

here is my new hijack this log after restoring the statemgr.exe
and you don't need to apologize, it wasn't your fault =)

btw, how do I delete this file? C:\Program Files\cxtpls
I can't seem to find it using the search for files and folders :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:14 PM, on 4/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#11
Kat

Posted 14 April 2005 - 07:49 PM

Retired

Retired Staff
19,711 posts

Thanks Simplicity for understanding and patience!

Go to Start>Search and then under the box where you enter the file name, scroll down below that and click on "More advanced options". There..make sure ALL of the first four options are CHECK marked. Then, enter the file name, and try searching again. If it's not there, then that is a GOOD thing!! :tazz: