[dr_pyser]

hi all, i'm a n00b to this forum, but am having some bad troubles with malware, so any help that anybody has would be greatly, greatly appreciated. i keep getting spotresults.com and desktop search popups, and haven't been able to remove them. i've used adaware and spybot s&d a number of times each, running windows in normal and safe mode, and nothing has removed them. i think i had azesearch for a while as well, but i think i've managed to remove it. anyway, here's my hijackthis log, i hope someone knows what to do! any advice would leave me forever in your debt!

Logfile of HijackThis v1.99.1
Scan saved at 9:25:24 PM, on 1/06/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\eohdysn.exe
C:\WINDOWS\sysupudt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijak\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zeromusta...12&default=sols
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au*;*.primus.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O1 - Hosts: 69.50.166.13 cracks.am
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SjxFEhUf8] C:\WINDOWS\eohdysn.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AdUpdater] C:\WINDOWS\sysupudt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co.../azesearch3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B7FA27-5F98-4FFD-90DC-BC0D64510B04}: NameServer = 203.134.64.66 203.134.65.66
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\l86o0ij3e8o.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Edited by dr_pyser, 01 May 2005 - 05:31 AM.

[Advertisements]

Hi dr_pyser

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Using windows add remove program file's uninstall the following:
C:\Program Files\ISTsvc\istsvc.exe
Exit when finished.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O1 - Hosts: 69.50.166.13 cracks.am
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [SjxFEhUf8] C:\WINDOWS\eohdysn.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AdUpdater] C:\WINDOWS\sysupudt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co.../azesearch3.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\eohdysn.exe
C:\WINDOWS\sysupudt.exe
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\zeta.exe
Exit Explorer.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WINDOWS\eohdysn.exe
C:\WINDOWS\sysupudt.exe
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\zeta.exe
End off killbox file's

Reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc

[dr_pyser]

hi thatman! thankyou so much for your help, i deleted all those registry files and desktop search has now gone. i'm still getting spotresult popups tho, and it looks like i have a lot more spyware. i ran the pandasoftwware activescan, and got this log:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Program Files\C2Media
Adware:Adware/PowerScan No disinfected C:\Program Files\Power Scan
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/Sqwire No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel
Adware:Adware/ILookup No disinfected C:\Documents and Settings\Ron Ron\Favorites\Gambling
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\inf\twaintec.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exdl.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\Aklsp.dll
Adware:Adware/Transponder No disinfected Windows Registry
Virus:W32/Spybot Disinfected C:\Documents and Settings\All Users\Documents\explore.exe
Virus:Trj/Downloader.BQX Disinfected C:\Documents and Settings\Ron Ron\Desktop\crack_64587.exe
Virus:Trj/Downloader.YD Disinfected C:\Documents and Settings\Ron Ron\Desktop\SPSS_v12[1].0.zip[cbp.exe]
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Ron Ron\Favorites\Technology\Tech & gadgets.lnk
Adware:Adware/Lop No disinfected C:\Program Files\aimscr\3502.exe
Adware:Adware/Lop No disinfected C:\Program Files\aimscr\wipe data.dll
Adware:Adware/Lop No disinfected C:\Program Files\C2Media\Setup.exe
Possible Virus. No disinfected C:\Program Files\GameSpy Arcade\fpupdate.exe
Adware:Adware/ISearch No disinfected C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar[isearch.js]
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab[NHelper.dll]
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab[NHUninstaller.exe]
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab[NHUpdater.exe]
Possible Virus. No disinfected C:\WINDOWS\azentretien.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/Look2Me No disinfected C:\WINDOWS\iconu.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\inf\twaintec.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\mxTarget.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\preInsMt.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\preInsTT.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\akcore.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\aklsp.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\akrules.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\akupd.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\angelex.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\apycfilt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ayi2dvag.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\bbchk.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\cegmgr32.dll
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dqsrslvr.dll
Virus:Trj/Delprot.A Disinfected C:\WINDOWS\system32\drivers\delprot.sys
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dsmasf.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dyserial.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\e0020adoed0c0.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exclean.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exdl.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exdl0.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exul.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\gpn6l35s1.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\hr0o05d3e.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\hrn0055me.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\hrp0057me.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javexulm.vxd
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\k4nole531h.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ktdpo.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mac40.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mhr.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mqexdlm.srg
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\msexreg.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd[exdl.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd[mqexdlm.srg]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exul.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[javexulm.vxd]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd[msexreg.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exclean.exe]
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\sjcfiles.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\svcfiles.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\uzerenv.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\vx0.nls
Virus:Trj/Downloader.AUP Disinfected C:\WINDOWS\VT17.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\watlgvmo.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\wsem300.dll
eeek!