Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Malware/Spyware Infestation[RESOLVED]

Started by mike1 , Apr 26 2005 08:08 PM

This topic is locked

#16
mike1

Posted 29 April 2005 - 07:43 PM

Member

Topic Starter
Member
24 posts

here is hijackthis ran in normal mode. deleted nroao.dll and winup2date using killbox. ( due I need to concerned about the the lower right box (processes) of killbox? i had to post this from my pc because IE on the notebook kept hanging.
Mircosoft antispyware beta1 will noy even it's in the startup folder.
but no pop ups! hope we get it this time, Ken.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:40 PM, on 04/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\basfipm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NetZero\exec.exe
C:\WINNT\system32\internat.exe
C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Documents and Settings\vhabaldixonl\Desktop\AirPlusCFG.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Edited by mike1, 29 April 2005 - 08:11 PM.

#17
greyknight17

Posted 29 April 2005 - 08:14 PM

Malware Expert

Visiting Consultant
16,560 posts

No you don't need to do anything else in KillBox. Just enable what's mentioned and leave the other settings alone.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#18
mike1

Posted 29 April 2005 - 08:47 PM

Member

Topic Starter
Member
24 posts

last night, while connected to the internet I berlive i got another nasty. ms antispy doesn't open after start and I've got to manually open sygate firewall, ms update hangs at 66% and mspmspsv.exe in hijack log. all those oemjizxxxx files on hdd. spyspotter short cut was linked to oemji apps. we are so close.

Mike

Edited by mike1, 29 April 2005 - 08:51 PM.

#19
mike1

Posted 29 April 2005 - 10:19 PM

Member

Topic Starter
Member
24 posts

what do i do now?

#20
greyknight17

Posted 30 April 2005 - 09:38 AM

Malware Expert

Visiting Consultant
16,560 posts

What all those oemjizxxxx files? Not sure what you mean there.

OK, post a new HijackThis log. I will take a look at it.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#21
mike1

Posted 30 April 2005 - 12:52 PM

Member

Topic Starter
Member
24 posts

Had to post this from my pc because the notebook bombs when trying to post to this forum believe ad-aware custom settings or spyware are causing the problem. Ran ad-aware se, mcafee virus scan and spybot sd w/ latest updates. got rid of lots of nasties. I believe mb\s anti spyware not loading and sygate firewall not loading may be due to custom settings in ad-aware se.If we don't get rid of spyspotter all is lost. we had it
cleaned, then I believe spyspotter loaded the crap all over again. all scans ran in safe mode

rkfiles
c:\Documents and Settings\vhabaldixonl\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF

WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye

remv3 safe m ode

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 7CB0-D14C

Directory of C:\WINNT\SYSTEM32

msi.dll

Logfile of HijackThis v1.99.1
Scan saved at 9:21:40 PM, on 04/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\basfipm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NetZero\exec.exe
C:\WINNT\system32\internat.exe
C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Documents and Settings\vhabaldixonl\Desktop\AirPlusCFG.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

********************************************************************

#22
mike1

Posted 30 April 2005 - 02:05 PM

Member

Topic Starter
Member
24 posts

yesrterday I did a google search of spyware programs installed on nothebood and discovered spyspotter is a piece of scumware and no way to contact them and no install routine that I can find. It spawned 12 oemji*** on the notebook with many registry entries.

www.mwti.net log 4/30/0o5 4pm I included data from both panes becaasue both show viruses.

Sat Apr 30 15:37:34 2005 => Scanning HKLM\SYSTEM\CurrentControlSet\Services
Sat Apr 30 15:37:43 2005 => ERROR!!! Invalid Entry . Removing SYSTEM\CurrentControlSet\Services\vsdatant...
Sat Apr 30 15:37:44 2005 => Scanning HKLM\SYSTEM\CurrentControlSet\Services\VxD

Sat Apr 30 15:37:57 2005 => ***** Scanning System32 Folders *****
Sat Apr 30 15:37:57 2005 => Scanning C:\WINNT Directory
Sat Apr 30 15:37:57 2005 => Scanning Folder: C:\WINNT\*.*
Sat Apr 30 15:38:09 2005 => Scanning C:\WINNT\system32 Directory
Sat Apr 30 15:38:09 2005 => Scanning Folder: C:\WINNT\system32\*.*

Sat Apr 30 15:40:03 2005 => Scanning C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp Directory
Sat Apr 30 15:40:03 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\*.*
Sat Apr 30 15:40:03 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\Bases_X\*.*
Sat Apr 30 15:40:06 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\Download\*.*
Sat Apr 30 15:40:11 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\FrontPageTempDir\*.*
Sat Apr 30 15:40:13 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\History\*.*
Sat Apr 30 15:40:13 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\History\History.IE5\*.*
Sat Apr 30 15:40:14 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\ns_temp\*.*
Sat Apr 30 15:40:14 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\ns_temp\xpcom.ns\*.*
Sat Apr 30 15:40:14 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\ns_temp\xpcom.ns\bin\*.*
Sat Apr 30 15:40:14 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\ns_temp\xpcom.ns\bin\components\*.*
Sat Apr 30 15:40:15 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\Temporary Internet Files\*.*
Sat Apr 30 15:40:15 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\*.*
Sat Apr 30 15:40:20 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\Temp\XScanResult\*.*

Sat Apr 30 15:40:22 2005 => Scanning C:\DOCUME~1\VHABAL~1\LOCALS~1\TEMPOR~1\Content.IE5 Directory
Sat Apr 30 15:40:22 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\TEMPOR~1\Content.IE5\*.*
Sat Apr 30 15:40:22 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\TEMPOR~1\Content.IE5\0IPPFRNU\*.*
Sat Apr 30 15:40:24 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\TEMPOR~1\Content.IE5\H658M0SA\*.*
Sat Apr 30 15:40:26 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\TEMPOR~1\Content.IE5\QYJF9VIV\*.*
Sat Apr 30 15:40:28 2005 => Scanning Folder: C:\DOCUME~1\VHABAL~1\LOCALS~1\TEMPOR~1\Content.IE5\YDAASZYC\*.*

Sat Apr 30 15:40:30 2005 => ***** Checking for specific ITW Viruses *****
Sat Apr 30 15:40:30 2005 => Checking for Welchia Virus...
Sat Apr 30 15:40:30 2005 => Checking for LovGate Virus...
Sat Apr 30 15:40:30 2005 => Checking for CodeRed Virus...
Sat Apr 30 15:40:30 2005 => Checking for OpaServ Virus...
Sat Apr 30 15:40:30 2005 => Checking for Sobig.e Virus...
Sat Apr 30 15:40:30 2005 => Checking for Winupie Virus...
Sat Apr 30 15:40:30 2005 => Checking for Swen Virus...
Sat Apr 30 15:40:30 2005 => Checking for JS.Fortnight Virus...
Sat Apr 30 15:40:30 2005 => Checking for Novarg Virus...
Sat Apr 30 15:40:30 2005 => Checking for Pagabot Virus...
Sat Apr 30 15:40:30 2005 => Checking for Parite.b Virus...
Sat Apr 30 15:40:30 2005 => Checking for Parite.a Virus...

Sat Apr 30 15:40:30 2005 => ***** Scanning complete. *****
Sat Apr 30 15:40:30 2005 => Total Objects Scanned: 3091
Sat Apr 30 15:40:30 2005 => Total Virus(es) Found: 8
Sat Apr 30 15:40:30 2005 => Total Disinfected Files: 0
Sat Apr 30 15:40:30 2005 => Total Files Renamed: 0
Sat Apr 30 15:40:30 2005 => Total Deleted Objects: 0
Sat Apr 30 15:40:30 2005 => Total Errors: 5
Sat Apr 30 15:40:30 2005 => Time Elapsed: 00:03:18
Sat Apr 30 15:40:30 2005 => Virus Database Date: 2005/04/29
Sat Apr 30 15:40:30 2005 => Virus Database Count: 127682

Sat Apr 30 15:40:30 2005 => Scan Completed.

File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\atl28733.exe infected by "not-a-virus:AdWare.UrlSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\biU.exe infected by "not-a-virus:AdWare.BiSpy.b" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\cdrtc658.exe infected by "not-a-virus:AdWare.UrlSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

#23
greyknight17

Posted 30 April 2005 - 03:52 PM

Malware Expert

Visiting Consultant
16,560 posts

Donwload FxBinet and run it.

Go to your add/remove panel and see if Lycos SideSearch is listed. Uninstall if it is. Also see if SpySpotter is listed. If not, reinstall it (we need to do this to uninstall again easier). Now try uninstalling it.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\system32\atl28733.exe
C:\WINNT\system32\biU.exe
C:\WINNT\system32\cdrtc658.exe
C:\WINNT\system32\psis80ex.ax
C:\WINNT\tsc.exe
C:\WINNT\vsapi32.dll

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

#24
mike1

Posted 30 April 2005 - 04:19 PM

Member

Topic Starter
Member
24 posts

Just ran fixbinet in safe mode. It didn't find anything. I'm running mcafee av in safe mode now. Will run both in normal mode. Should I run all the progrmas in safe and normal before posting replies or should I look to you for guidance?

k>Go to your add/remove panel and see if Lycos SideSearch is listed.
I believe ad-awre is preventing Lycos SideSearch from installing. something
also stripped out my google toolbar.

Mike

Edited by mike1, 30 April 2005 - 04:22 PM.

#25
greyknight17

Posted 30 April 2005 - 07:56 PM

Malware Expert

Visiting Consultant
16,560 posts

These tools may ask you to run them in safe mode. If they don't, it should be ok to run them in normal mode.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CLASSES_ROOT\clsid\{00000762-3965-4a1a-98ce-3d4bf457d4c8}]
[-HKEY_CLASSES_ROOT\clsid\{000007ab-7059-463e-bd44-101a1750d732}]
[-HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000762-3965-4a1a-98ce-3d4bf457d4c8}]
[-HKEY_LOCAL_MACHINE\software\classes\clsid\{00000762-3965-4a1a-98ce-3d4bf457d4c8}]
[-HKEY_LOCAL_MACHINE\software\lycos\]
[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\explorer bars\{000007ab-7059-463e-bd44-101a1750d732}]
[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{000007c6-17df-4438-92a4-de5537471ba3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000762-3965-4a1a-98ce-3d4bf457d4c8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved\{00000762-3965-4a1a-98ce-3d4bf457d4c8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved\{000007ab-7059-463e-bd44-101a1750d732}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\lycos sidesearch]

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Is SpySpotter still being detected? Did you reinstall it yet and try uninstalling from there?

#26
mike1

Posted 30 April 2005 - 08:57 PM

Member

Topic Starter
Member
24 posts

ran cleanup and it deleted 57mb of crap. unbelieveable because the notebook was clean a couple of days ago. sygate firewall now loading at boot.Deleted all files using killbox per your post. lycos toolbar not in add/remove soft.
oemji toolbar and spyspotter are listed in add/remove programs. Also spyspotter has a full directory - c:\program files\spyspotter. also see spyware nuker 2004 is installed.
these programs also in add/remove: pizza friendly, pc friendly, ie host rs dynomite deluxe. I suspect one of the kids d/l something innstalled ll of this crap.

Before registry merge should I remove oemji toolbar, spyspotter and spy nuker possibly other junk?

#27
mike1

Posted 30 April 2005 - 09:35 PM

Member

Topic Starter
Member
24 posts

run fixbinet in normal mode but it didn't find anything. did a search for "a better internet" and found nfour zip files in spybot search and destroy recovery named abetterinternet 1 thru 4. a microsworld scan normal mode:File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.

#28
greyknight17

Posted 30 April 2005 - 10:11 PM

Malware Expert

Visiting Consultant
16,560 posts

Please try to use the word crap less here :tazz:

Did you uninstall SpySpotter and SpywareNuker yet? Delete the whole folder for those programs in the Program Files folder if they are found there.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, go to Edit->Find and copy each of the following to find, if found delete the key:

Lycos
Sidesearch
{00000762-3965-4A1A-98CE-3D4BF457D4C8}
{000007AB-7059-463E-BD44-101A1750D732}
{00000762-3965-4A1A-98CE-3D4BF457D4C8}
{000007AB-7059-463E-BD44-101A1750D732}
{000007AB-7059-463E-BD44-101A1750D732}
{000007C6-17DF-4438-92A4-DE5537471BA3}
Lycos Sidesearch
{00000762-3965-4A1A-98CE-3D4BF457D4C8}
{000007ab-7059-463e-bd44-101a1750d732}
{000007c6-17df-4438-92a4-de5537471ba3}

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and delete Belt

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Search and delete these files if found:

Belt.exe
host.dll
biprep.exe
Belt.ini
Belt.dll

Restart and see if anything is still detected.

#29
mike1

Posted 30 April 2005 - 11:08 PM

Member

Topic Starter
Member
24 posts

I deleted spy nuker and spyspotter. Have not registry merge or edit. today has trouble with pc. It;s late here will do registry modifications tomorrow. We're making progress.

Mike

#30
mike1

Posted 01 May 2005 - 09:26 AM

Member

Topic Starter
Member
24 posts

This morning I went to the end of the message thread and completed registry edit and file search (none to delete) in your most recent email message "Today, 12:11 AM" I have not done the registry edit/merge described in your email message "regedit4post Yesterday, 09:56 PM" HiJackThis question - in the lower right hand corner of work screen is button "add checked to ignore list" Is for deleted items? If I add them they won't be reinstalled in the registry?
We are almost there.

hijackthis scan normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 11:59:11 AM, on 05/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\basfipm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NetZero\exec.exe
C:\WINNT\system32\internat.exe
C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Mike

Edited by mike1, 01 May 2005 - 09:53 AM.