[biggdogg2800]

Thank You bananafanafo!

Logfile of HijackThis v1.99.1
Scan saved at 8:45:37 AM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\SPROTECT\SpntSvc.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
E:\SPROTECT\EarthAgent.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
E:\OfficeScan\PCCSRV\web\service\ofcservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CpqRcmc.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\2000\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches....h.php?v=6&aff=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches....x.php?v=6&aff=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINNT\System32\SEARCH~1.DLL
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {DD51DCD2-F8D5-41C7-9B67-54BCDFE38F91} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DD51DCD2-F8D5-41C7-9B67-54BCDFE38F91} - (no file) (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JFK.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1B4D50-EF13-4DAB-BB1B-33F6F5D18131}: NameServer = 10.146.40.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JFK.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1B4D50-EF13-4DAB-BB1B-33F6F5D18131}: NameServer = 10.146.40.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = JFK.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E1B4D50-EF13-4DAB-BB1B-33F6F5D18131}: NameServer = 10.146.40.2
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINNT\system32\xplugin.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Web Agent (CpqWebMgmt) - HP Corporation - C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
O23 - Service: Foundation Agent (CqMgHost) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - E:\SPROTECT\EarthAgent.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: FairCom Server - Unknown owner - g:\faircom\ctsrvr.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - E:\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - E:\SPROTECT\SpntSvc.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe


ACTIVESCAN LOG


Incident Status Location

Adware:Adware/XPlugin No disinfected C:\WINNT\nsdb
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
Adware:Adware/Hotoffers No disinfected C:\WINNT\system32\SEARCHDLL.DLL
Adware:Adware/Admess No disinfected C:\WINNT\system32\TCPService2.exe
Virus:Trj/Agent.OM Disinfected C:\!Submit\wp.exe
Virus:Trj/Dropper.FW Disinfected C:\Documents and Settings\Administrator\Desktop\2000\uninstall.exe
Virus:Trj/Downloader.BQS Disinfected C:\Program Files\Internet Explorer\xcifyrsn.exe
Adware:Adware/XPlugin No disinfected C:\WINNT\Downloaded Program Files\file.exe
Virus:Trj/Downloader.BCK Disinfected C:\WINNT\system32\searchdll.dll
Adware:Adware/Admess No disinfected C:\WINNT\system32\TCPService2.exe
Adware:Adware/Admess No disinfected C:\WINNT\system32\uc1362.exe
Adware:Adware/Admess No disinfected C:\WINNT\system32\ucsi.exe
Adware:Adware/Admess No disinfected C:\WINNT\system32\ucsl.exe
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
Virus:Trj/StartPage.I Disinfected C:\WINNT\update13.js

[Advertisements]

Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINNT\system32\ucsl.exe
C:\WINNT\system32\wldr.dll
C:\WINNT\system32\SEARCHDLL.DLL
C:\WINNT\system32\TCPService2.exe
C:\WINNT\system32\TCPService2.exe
C:\WINNT\system32\uc1362.exe
C:\WINNT\system32\ucsi.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

After it restarts, use Windows Explorer to delete the following folder:

C:\WINNT\nsdb

And while you're doing that I will work on your log.

[Michelle]

Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINNT\system32\ucsl.exe
C:\WINNT\system32\wldr.dll
C:\WINNT\system32\SEARCHDLL.DLL
C:\WINNT\system32\TCPService2.exe
C:\WINNT\system32\TCPService2.exe
C:\WINNT\system32\uc1362.exe
C:\WINNT\system32\ucsi.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

After it restarts, use Windows Explorer to delete the following folder:

C:\WINNT\nsdb

And while you're doing that I will work on your log.

[Michelle]

You may want to print these instructions before continuing!

Please download the programs listed below, but do not run them yet:

1) CWShredder - Download it and save it to your desktop.
2) Ad-Aware - Download, install, and update After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot in normal mode and post a new HijackThis log.

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 01 May 2005 - 02:01 PM.