About Blank and CoolWebSearch(resolved)


  • This topic is locked

#1 ljbh
I am having problems with about:blank continuing to show up in my MS Internet Explorer browser homepage. I change the page and the about:blank keeps returning. My computer also has advertisements that continually pop up and I cannot control them. This problem may possibly be CoolWebSearch.

I have tried to do my homework before submitting this log.

(01) I have read the "Things To Do Before Posting A Hijackthis Log"

(02) I have run the latest updates of Ad-Aware Per SE, CWShredder, Spybot S&D, MS Antispyware BETA1, Spyblaster

(03) Norton Antivirus. I tried Trend Micro Housecall. It would scan but it would not clean.

(04) I have Windows updated to SP2

(05) WinPatrol is running.

I still have the about:blank and the popups are driving me crazy. I've done all I know how to do. I have been trying to solve this problem for two days and I cannot seem to get anywhere. I would really appreciate some help. Thank you in advance.

ljbh

Here is my log

Logfile of HijackThis v1.99.1
Scan saved at 9:38:45 PM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\crbf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbotl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uwixa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sbotl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbotl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbotl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbotl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {8C677779-4FD3-169D-BA8E-E71421ADE371} - C:\WINDOWS\apihr32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crbf.exe] C:\WINDOWS\crbf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addcn32.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#2 Guest_usetobe_*
Hi ljbh,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

#3 ljbh
Well, here are the results.

In the beginning I was excited because my startup page was google.com.

Right after we finished cleaning the computer a popup ad showed up.

Also unfortunately another WinPatrol Program Alert said a new Internet Explorer Add-On has been installed on your system. Do you approve the addition of this IE Helper (C:\Windows\apihr32.dll). Press YES if this Internet Explorer Add-On is allowed. I clicked NO.

WinPatrol also showed up with "A change has been detected in your Internet Explorer Search Page. Your new page is res://C:\WINDOWS\system32\rhogt.dll/sp.html#28129. If this is ok, then click Yes or press Enter. Click No or press ESC and we'll restore your page to res://C:\WINDOWS\system32\uwixa.dll/sp.html#28129."

I then tried to log onto Kaspersky Online Scan, TrendMicro, and BitDefender. I was not able to do so. Just for your info, I was able to scan on Trend Housecall on my other computer (so I know how to do it, but it will not allow me to do it on this computer).

A new box just started: "When you send information to the Internet, it might be possible for others to see that information. Do you want to continue?" I changed Internet Options / Security to medium.

After trying to log onto these online programs I got the about:blank page in the Internet Browser. I guess I am back to square one.

I will post the logs (About:Buster, SpSeHjfix, and HiJackThis Log) that I received directly after following your instructions. I have tried to clean the computer 3 times, but it obviously has not worked.

Any other suggestions, or things I may be doing wrong?

Thank you again for your help.

ljbh


ABOUT BUSTER LOG:
Scanned at: 10:14:07 AM on: 5/9/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\setupapi.log.0.old:ienlj


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\selkp.dat
Removed! : C:\WINDOWS\system32\cvnex.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\setupapi.log.0.old:ienlj


Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 10:20:08 AM on: 5/9/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 11:07:07 AM on: 5/9/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 11:10:52 AM on: 5/9/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 7:23:40 PM on: 5/9/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

SPSEHJFIX LOG

(5/9/05 10:28:00 AM) SPSeHjFix started v1.1.2
(5/9/05 10:28:00 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/9/05 10:28:00 AM) Language: english
(5/9/05 10:28:00 AM) Win-Path: C:\WINDOWS
(5/9/05 10:28:00 AM) System-Path: C:\WINDOWS\system32
(5/9/05 10:28:00 AM) Temp-Path: C:\DOCUME~1\LINDAH~1\LOCALS~1\Temp\
(5/9/05 10:28:15 AM) Disinfection started
(5/9/05 10:28:15 AM) Bad-Dll(IEP): (not found)
(5/9/05 10:28:15 AM) Bad-Dll(IEP) in BHO: (not found)
(5/9/05 10:28:15 AM) UBF: 5 - UBB: 4 - UBR: 27
(5/9/05 10:28:15 AM) UBF: 5 - UBB: 4 - UBR: 27
(5/9/05 10:28:15 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(5/9/05 10:28:15 AM) Stealth-String not found
(5/9/05 10:28:15 AM) Not infected->END


(5/9/05 6:18:38 PM) SPSeHjFix started v1.1.2
(5/9/05 6:18:38 PM) OS: WinXP Service Pack 2 (5.1.2600)
(5/9/05 6:18:38 PM) Language: english
(5/9/05 6:18:38 PM) Win-Path: C:\WINDOWS
(5/9/05 6:18:38 PM) System-Path: C:\WINDOWS\system32
(5/9/05 6:18:38 PM) Temp-Path: C:\DOCUME~1\LINDAH~1\LOCALS~1\Temp\
(5/9/05 6:19:18 PM) Disinfection started
(5/9/05 6:19:18 PM) Bad-Dll(IEP): (not found)
(5/9/05 6:19:18 PM) Bad-Dll(IEP) in BHO: (not found)
(5/9/05 6:19:18 PM) UBF: 5 - UBB: 4 - UBR: 27
(5/9/05 6:19:18 PM) UBF: 5 - UBB: 4 - UBR: 27
(5/9/05 6:19:18 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(5/9/05 6:19:18 PM) Stealth-String not found
(5/9/05 6:19:18 PM) Not infected->END


(5/9/05 7:29:09 PM) SPSeHjFix started v1.1.2
(5/9/05 7:29:09 PM) OS: WinXP Service Pack 2 (5.1.2600)
(5/9/05 7:29:09 PM) Language: english
(5/9/05 7:29:09 PM) Win-Path: C:\WINDOWS
(5/9/05 7:29:09 PM) System-Path: C:\WINDOWS\system32
(5/9/05 7:29:09 PM) Temp-Path: C:\DOCUME~1\LINDAH~1\LOCALS~1\Temp\
(5/9/05 7:29:19 PM) Disinfection started
(5/9/05 7:29:19 PM) Bad-Dll(IEP): (not found)
(5/9/05 7:29:19 PM) Bad-Dll(IEP) in BHO: (not found)
(5/9/05 7:29:19 PM) UBF: 5 - UBB: 3 - UBR: 27
(5/9/05 7:29:19 PM) UBF: 5 - UBB: 3 - UBR: 27
(5/9/05 7:29:19 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(5/9/05 7:29:19 PM) Stealth-String not found
(5/9/05 7:29:19 PM) Not infected->END

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 8:17:02 PM, on 5/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\mfcph.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\crbf.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uwixa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {8C677779-4FD3-169D-BA8E-E71421ADE371} - C:\WINDOWS\apihr32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crbf.exe] C:\WINDOWS\crbf.exe
O4 - HKLM\..\RunOnce: [mfcph.exe] C:\WINDOWS\mfcph.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O23 - Service: Network Security Service (NSS) ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\addcn32.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#4
Guest_usetobe_*
  • Guest
Hi ljb,

Don't despair, we have only just started on the fix; what you have done so far is just the beginning.


PLEASE COPY OUT THESE INSTRUCTIONS SO THAT YOU HAVE THEM HANDY WHEN YOU NEED TO REBOOT.

Please disable Winpatrol whilst we fix your PC as it may interfere with what we need to do.

Next download a free 14-day trial of Ewido from the link below.

Ewido. Install it, start it by double-clicking on the big E icon, update it, then close it down.

Set up your PC to show hidden files (click the link below if you do not know how).

Show hidden files

Next reboot your PC into SAFE MODE by tapping the F8 key whilst your PC starts up. Select Safe Mode.

Press Ctrl/Alt/Delete, go to Processes and, if the following are running, end task them.

mfcph.exe
crbf.exe


Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Rescan with HJT and check the following entries, if present, making sure you get them all:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uwixa.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Class - {8C677779-4FD3-169D-BA8E-E71421ADE371} - C:\WINDOWS\apihr32.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [crbf.exe] C:\WINDOWS\crbf.exe
O4 - HKLM\..\RunOnce: [mfcph.exe] C:\WINDOWS\mfcph.exe
O23 - Service: Network Security Service (NSS) ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\addcn32.exe (file missing)


Ensure no windows except HJT are open and click FIX CHECKED.

Now, using Windows Explorer, locate the following files and, if found, delete them.

C:\WINDOWS\system32\aedsg.dll/sp.html#28129
C:\WINDOWS\system32\uwixa.dll/sp.html#28129
C:\WINDOWS\apihr32.dll
C:\WINDOWS\gpl.dll
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\crbf.exe
C:\WINDOWS\mfcph.exe
C:\WINDOWS\system32\addcn32.exe


Now run the Cleanup program to clean up temp files, junk etc.

Next run the Ewido program and scan. This may take some time. Once the first problem is detected, ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files. OK that request, then click on Save Report. Save to the default location; it will then generate a text file. Copy that to post in this thread.

Then reboot your PC normally, rescan with HJT and post the log back together with the log from Ewido.
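The instructions above amount to a manual triage of a HijackThis log: R0/R1 entries pointing at a page served out of a DLL via res://, a missing URLSearchHook, BHOs and autorun binaries sitting directly in C:\WINDOWS, a Run entry that launches the browser itself, and a service with an unknown owner whose file is missing. The following script is an added example, not code from this thread or from HijackThis, that encodes those same checks as rules over a log. The sample lines are constructed from the entries quoted above, mixed with benign lines from the poster's log so the rules can be seen leaving legitimate entries alone; the rule names and thresholds are this example's own heuristics, not a feature of any tool named on the page.

```python
"""Triage of HijackThis log lines for the entry patterns seen in this thread.

Added example (not code from the thread or from HijackThis). The sample lines
are constructed from entries quoted above plus benign ones from the poster's
log; the rules are this example's own heuristics for what the helper flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the entries the helper told the poster to fix,
# mixed with benign lines that the rules below must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\aedsg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8C677779-4FD3-169D-BA8E-E71421ADE371} - C:\WINDOWS\apihr32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [crbf.exe] C:\WINDOWS\crbf.exe
O4 - HKLM\..\RunOnce: [mfcph.exe] C:\WINDOWS\mfcph.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service (NSS) ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\addcn32.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A file sitting directly in the Windows root (C:\WINDOWS\foo.exe), not in a subfolder.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
# A web page served out of a DLL resource: the about:blank hijack pattern in this thread.
RES_DLL_PAGE = re.compile(r"res://\S+\.dll/\S+", re.IGNORECASE)
# "HKLM\..\Run: [name] command" style O4 entries (Startup folder entries do not match).
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The executable at the front of a command line, quoted or not.
FIRST_EXE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)
BROWSER_EXES = {"iexplore.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis entry, else None."""
    m = re.match(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$", line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")

    if sec in ("R0", "R1"):
        _, _, target = rest.partition(" = ")
        if RES_DLL_PAGE.search(target):
            return Finding(sec, "IE search/start page points at a page embedded in a DLL (res://)", line)
        if "Default_Page_URL" in rest and target.strip().lower() == "about:blank":
            return Finding(sec, "about:blank set as default page; review with any res:// entries", line)
    elif sec == "R3" and "URLSearchHook is missing" in rest:
        return Finding(sec, "default URLSearchHook has been removed", line)
    elif sec == "O2":
        path = rest.rsplit(" - ", 1)[-1].strip()
        if WINDOWS_ROOT.match(path):
            return Finding(sec, "BHO DLL loaded from the Windows root directory", line)
    elif sec == "O4":
        run = O4_RUN.match(rest)
        exe = FIRST_EXE.match(run.group("cmd").strip()) if run else None
        if exe:
            exe_path = exe.group("exe")
            if WINDOWS_ROOT.match(exe_path):
                return Finding(sec, f"{run.group('key')} entry starts an executable from the Windows root directory", line)
            if exe_path.rsplit("\\", 1)[-1].lower() in BROWSER_EXES:
                return Finding(sec, "browser executable registered to run at logon (not a normal IE setting)", line)
    elif sec == "O23":
        # "Service: name - owner - path"; both conditions are required, since
        # legitimate drivers (btwdins above) also report "Unknown owner".
        parts = rest.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1].strip() == "Unknown owner" and "(file missing)" in parts[2]:
            return Finding(sec, "service with unknown publisher whose binary is missing", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it reports eight findings and stays silent on the Google toolbar BHO, ctfmon.exe, the Bluetooth service and the NVIDIA service. The O23 rule deliberately requires both "Unknown owner" and "(file missing)", because the poster's own log shows legitimate OEM services with an unknown owner but a present binary; a rule on either condition alone would have told her to disable her Bluetooth stack.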

#5
ljbh
  • Topic Starter
  • Member
  • 14 posts
I uninstalled Winpatrol.

I downloaded Ewido and updated it.

I setup computer to show hidden files.

I rebooted in Safe Mode. Neither mfcph.exe nor crbf.exe was there.

I ran CW Shredder. It said no CoolWebSearch was found.

I rescanned with HJT.

R1s with #28129 were not present.

I checked the following and fixed them:
R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 Default URLSearchHook is missing
F2 REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 BHO: apihr32.dll
O2 BHO: GetPostLog module gpl.dll
O4 HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe (This one seemed scary to me, but I did it.)
O4 HKLM\..\Run: [crbf.exe]
O4 HKLM\..\RunOnce: [mfcph.exe]
O23 Service: Network Security Service

I Fix Checked.

Now with Windows, if files were found, I deleted them.

Not present and therefore did not delete:
all with #28129 were not present
apihr32.dll was not present. apihr32.exe was present but I did not delete it.
gpl.dll
addcn32.exe

Deleted:
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\crbf.exe
There is a Windows\Prefetch\CRBF.EXE 20367CA4.pf, but I did not delete it.
C:\WINDOWS\mfcph.exe

I then ran Cleanup.

I then ran Ewido. I saved the report. There were 82 infected files.

I rebooted normally, rescanned with HJT and here are the posts from Ewido and HJT.

I tried to log onto the computer, and I was not able to using Internet Explorer. I know I deleted iexplore.exe and assume this is the reason that I cannot sign onto the Internet. In the bottom left is an icon asking me to Launch Internet Explorer Browser. I am so suspicious of anything that I do not want to launch something that I should not. I am submitting this information from my other computer.

Should I launch Internet Explorer from my computer? I've worked so hard at this. I do not want to mess anything up if I can avoid it.

Thanks again for all your help.

ljbh


EWIDO LOG

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:04:30 AM, 5/10/2005
+ Report-Checksum: 300575D3

+ Date of database: 5/10/2005
+ Version of scan engine: v3.0

+ Duration: 52 min
+ Scanned Files: 94121
+ Speed: 29.74 Files/Second
+ Infected files: 82
+ Removed files: 82
+ Files put in quarantine: 82
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@30454849[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@37287909[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@6844036[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@75401068[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@ads.quicken[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@bannerspace[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@buy.rpts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@dcsew60m1oifwznbkznc6j9ix_5x7j[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@mediamgr.ugo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\C_DILLA\Documents and Settings\Linda Hurd\Application Data\Earthlink\6.0\ljbh@ix.netcom.com\Cookies\linda hurd@www.affiliatefuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\backups\backup-20050510-074713-889.dll -> TrojanSpy.Agent.dr -> Cleaned with backup
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\backups\backup-20050510-074713-966.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256065.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256068.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256071.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256108.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256112.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256123.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256125.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00256134.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP366\A0062136.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0062901.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0062902.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0062903.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0062904.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0062905.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0062906.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0063335.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0063385.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP371\A0063387.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP374\A0063459.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP374\A0063460.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP374\A0063462.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP374\A0063473.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063521.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063634.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063635.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063636.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063638.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063639.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063640.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063641.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP375\A0063642.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP376\A0063849.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP376\A0063850.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP376\A0063851.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP376\A0063852.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP376\A0063853.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP376\A0063854.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066112.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066135.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066178.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066276.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066277.dll -> TrojanSpy.Agent.dr -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066284.dll -> Spyware.SearchPage -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066286.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP377\A0066287.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\addjo32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\addkr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apias32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apibt.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apidq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apihr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apiwe32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apphb32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\appqb.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\appun.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\WINDOWS\atlkq32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\atlkv32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\crju.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\crkl32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\crmu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\crnq32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\d3ra.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\d3zl.exe -> Trojan.Agent.bi -> Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 9:36:27 AM, on 5/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Dell\Bluetooth Software\btsendto_explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O23 - Service: Network Security Service (NSS) ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\addcn32.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

#6
Guest_usetobe_*
  • Guest
Hi ljbh,

We need to do just one more thing

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Network Security Service (NSS).
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

After that you are clean.

If you look down the list below you will see links to alternative browsers that I recommend you use:

Firefox and Slimbrowser, as they are both a lot more secure than Internet Explorer. We had to remove that file as it was infected. If you really need to use Internet Explorer, re-install it ;)


From your log, I see nothing in the way of trojans, nor any evil entities attempting to possess your computer, except for Windows, but it's too late for that one. :tazz:

Congratulations, your log now appears to be clean. ;)

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#7
ljbh
  • Topic Starter
  • Member
  • 14 posts
I hate to say it but my computer is not clean yet. I hope I did not mess up all the work we had done.

Before you got back to me and told me to type in services.msc, I ran Norton Antivirus. I had many lefeats (I think that was the name).

I then did what you asked, opened services.msc and changed the NSS Service Status to Stop. Beside Startup Type I selected Disabled. I then clicked Apply.

I then ran CWShredder and it found CWS.Msconfig again and removed it.

I then repeated the same steps you had told me to do before.

I rebooted in Safe Mode.

Rescanned with HJT. None of the entries that we were dealing with were in the HJT.

I ran Cleanup

I ran Ewido and the scan is below.

I rebooted and rescanned with HJT, and the log is below.

Should I change NSS back? This is all so frustrating. I do hope this computer is not a hopeless cause.

I no longer have Internet Explorer. Should I install Firefox before we clean up this computer, or wait until all is accomplished?

Thank you again for your help.

ljbh

Here are the logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:16:37 AM, 5/11/2005
+ Report-Checksum: 166EE497

+ Date of database: 5/10/2005
+ Version of scan engine: v3.0

+ Duration: 66 min
+ Scanned Files: 105681
+ Speed: 26.45 Files/Second
+ Infected files: 64
+ Removed files: 64
+ Files put in quarantine: 64
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\RECYCLER\NPROTECT\00257722.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257723.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257724.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257725.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257726.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257727.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257728.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257729.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257730.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257731.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257732.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257733.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257734.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257735.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257736.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257737.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257738.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257739.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257740.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257741.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257742.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257743.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257744.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257745.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257746.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257747.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257748.dll -> TrojanDownloader.Agent.lz -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257749.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257750.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257751.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257752.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257753.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257754.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257755.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257756.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257757.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257758.dll -> Spyware.SearchPage -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257759.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257760.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257761.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257762.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257763.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257764.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257765.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257766.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257767.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257768.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257769.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257770.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257771.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257772.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257773.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257774.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257775.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257776.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257777.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257778.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257779.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257780.dll -> Spyware.SearchPage -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257781.dll -> TrojanDropper.Small.tn -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257782.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257783.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257784.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\RECYCLER\NPROTECT\00257785.exe -> Trojan.Agent.bi -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:28:05 AM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Dell\Bluetooth Software\btsendto_explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

#8
Guest_usetobe_*
  • Guest
Hi ljbh,

From your HJT log your PC is still clean.

The files removed by Ewido were not in the operating part of your system, but in the recycler file, where old trash is stored and is not a danger to your PC. Ewido has now removed them from there as well, so you are sparkly clean. :tazz: Do not change the NSS setting in Services.

Go ahead and install Firefox and/or Slimbrowser, and also re-install Internet Explorer if you want.

Regards,

Usetobe
  • 0

#9
ljbh
  • Topic Starter
  • Member
  • 14 posts
OK, here's my problem.

I scanned my ComputerA (Used to Be Infected) with Ewido and Norton Antivirus. Both said the computer was not infected.

I reinstalled WinPatrol.

I have been working on ComputerA for 4 days to get rid of the virus. I thought long and hard about whether to add Firefox as my browser or keep MS Internet Explorer. I was afraid that setting up Firefox and all the changes with it would take another 2 days. I also did not want to bother you any more. I decided for ease that I would go back to MS Internet Explorer.

BIG MISTAKE

I double-clicked on the Launch Internet Explorer icon on the bottom left next to the Start button.

The Internet Connection Wizard came on and I did not know which option to choose. I closed down the Wizard. I left ComputerA to do a little research on which option to choose and therefore went back to my other ComputerB (Not Infected) and did the search. When I returned there was an ominous WinPatrol screen: "A change has been detected in your Internet Explorer Search Page. Your new page is ______________ (this is blank). If this is OK, then click Yes or press Enter. Click No or press ESC and we'll restore your page to res://C:\Windows\system32\uwixa.dll/sp.html#28129."

I know this has to do with the virus. What do I do now? I am not touching a thing until I hear from you.

How do I get rid of the icon in the bottom left next to Start? Why was it not eliminated?

I can't believe how MEAN these people are who invent these viruses!

Also, if I go over to Firefox, will it entail a lot of changes on my computer? Can I use MS Outlook (not Express)? What other things will I also have to change? Is it really worth the change? What will I be giving up?

Another question. Can this virus migrate over to ComputerB? We have shared documents, but not authority to look into each others computer.

Again thank you for your help

ljbh
  • 0

#10
Guest_usetobe_*
  • Guest
Hi ljbh,

Let's answer your questions one at a time.

1. When you get your WinPatrol warning, click on Yes or Enter to allow the change. That will GET RID of res://C:\Windows\system32\uwixa.dll/sp.html#28129, as that is the page that is in WinPatrol's memory. It will set your start-up page to about:blank, but that IS NOT the about:blank infection. You will then be able to set your default home page through Internet Options, either on your Internet Explorer browser Tools menu or through Internet Options in Control Panel.

2. To get rid of an icon, right-click it and delete it.

3. Installing Firefox or Slimbrowser will not cause any changes to your PC, other than having more secure browsers. Both are very quick and easy to install and use; like everything else, change can be daunting, but well worth it, and who knows, you may actually like them ;) . What are you giving up? Well, Microsoft vulnerabilities for starters :tazz: Surely that should be enough to warrant a change.

4. By installing other browsers you still get to use outlook with no problems at all.

5. The sort of malware you had would not migrate to your other puter, unless you moved the infected files across. So nothing to worry about.

Hope that puts your mind at rest.
  • 0
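The two things Usetobe has the thread act on are an O23 service entry whose binary is gone and a start/search page that points at a local res:// DLL. Below is an added example, not part of this thread and not part of HijackThis, that scans HJT log lines for exactly those two patterns so a helper can spot them before reading the whole log by eye. The sample lines are constructed from entries that appear in this thread (the NSS service line, a Symantec service line, the WLTRYSVC line, the Comcast window-title line) plus one R1 Search Page line built from the res:// URL that WinPatrol reported; the "high" and "review" severities are this example's own labels.

```python
"""Triage HijackThis log lines for the two entry types discussed in this thread.

Added example; not the forum's or HijackThis's own code. Flags:
  * O23 services marked "(file missing)" (high) or with "Unknown owner" (review);
  * R0/R1 start/search pages served from a res:// DLL (high) or set to
    about:blank (review: post #10 notes that a plain about:blank start page is
    also the legitimate blank page, so it needs a look rather than a verdict).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The R1 "Search Page" line is built from the res:// URL
# WinPatrol showed; the other lines are copied from the thread's HJT logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\uwixa.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O23 - Service: Network Security Service (NSS) ( 11F #`I) - Unknown owner - C:\WINDOWS\system32\addcn32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# O23 - Service: <name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# R0/R1 - <registry key>,<value name> = <value>
R_RE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value_name>[^=]+) = (?P<value>.*)$"
)


@dataclass(frozen=True)
class Finding:
    entry: str     # "O23", "R0" or "R1"
    subject: str   # service name, or the registry value name (e.g. "Search Page")
    severity: str  # "high" or "review" (labels chosen for this example)
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    line = line.rstrip("\r\n")
    m = O23_RE.match(line)
    if m:
        name, owner, path = m.group("name"), m.group("owner"), m.group("path")
        if m.group("missing"):
            # A service registration that outlived its binary: the service
            # cannot start, and the entry itself is what the cleanup removes.
            return Finding("O23", name, "high",
                           f"service binary {path} is missing")
        if owner == "Unknown owner":
            # No publisher string is common for OEM utilities too, so this is
            # a prompt to verify the file, not a verdict.
            return Finding("O23", name, "review",
                           f"no publisher recorded for {path}; verify before acting")
        return None
    m = R_RE.match(line)
    if m:
        value = m.group("value")
        subject = m.group("value_name").strip()
        if value.lower().startswith("res://"):
            # The page is loaded out of a DLL resource on the local disk, the
            # pattern behind the about:blank hijack this thread deals with.
            return Finding(m.group("kind"), subject, "high",
                           f"page served from a local DLL resource: {value}")
        if value.lower() == "about:blank":
            return Finding(m.group("kind"), subject, "review",
                           "about:blank is also the legitimate blank page; "
                           "check that no res:// entry accompanies it")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log, keeping only findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.entry} {finding.subject}: {finding.reason}")
```

Run against the constructed sample it reports the NSS service and the res:// search page as high, and WLTRYSVC as review; the Symantec service and the Comcast window title produce nothing. Whether a "review" item is a Dell utility or something else is a judgement the log alone cannot make, which is why the example separates the two severities.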

#11
ljbh
  • Topic Starter
  • Member
  • 14 posts
Usetobe

Per your recommendation I installed the following to Computer A:

Detect and remove programs:

I have Ad-Aware and Spybot and hope I never have to use them again.

Prevention Programs:

I added SpywareBlaster.

I added SpywareGuard.

I did not add IE/Spyad and the MVPS Hosts file; they both seemed very complicated. Are they worth my time to install?

Google Toolbar: can you have Google Toolbar on Firefox? On my other computer I do have the Google Toolbar, but that's still set up with MS Internet Explorer.

Other Programs

I have Norton Antivirus.

Re Firewall - I was told I did not have to have a firewall if I use cable. Is this correct?

I have installed Firefox on one computer and all seems to be working fine; I am just having a tough time navigating. Once I am more familiar with this program I will also install it on my other computer (ComputerB).

Any other suggestions?

Once again, I can not tell you how much I appreciate your efforts in helping me solve my problem. You were very patient and never a condescending word. I would never have been able to do it alone. I will be sending a donation to Paypal and I hope it helps with ridding us of these malware and virus problems. Thank you, Thank you, Thank you.

ljbh
  • 0

#12
ljbh
  • Topic Starter
  • Member
  • 14 posts
Ah... and one other question I forgot to ask. What backup program do you recommend?

Thanks

ljbh
  • 0

#13
Guest_usetobe_*
  • Guest
Hi Again,

You have been wrongly informed; it is more important to have a firewall on cable, as your PC is online all of the time. Although XP SP2 does have an inbuilt firewall, this is just one-way, inbound. If you inadvertently become infected again and malicious programs are installed, the XP firewall will not stop them sending info out. A firewall such as Zone Alarm works inbound and outbound, so if something new attempts to send anything out, you will get a warning with the option to allow or deny (with a tickbox option to allow or deny permanently, so it won't ask again for that program unless it changes, i.e. with an update). Zone Alarm has an easy tutorial that pops up on installation.

You can live without IE/Spyad and MVPS if they seem complicated.

With regards to back-ups, you have several options:

1. Buy a cheap hard drive off the likes of eBay and install it as a slave drive to copy your important data.

2. If you have a CD or DVD burner you can simply burn your important data onto disc.

3. You can use a back-up program (there are many on the market, and even XP has its own), and again burn the data to disc or a separate drive.

XP Data backup

I hope that answers your questions and concerns, but if you require any more help, please ask.

Happy Safe Surfing,

Regards,

Usetobe
  • 0

#14
ljbh
  • Topic Starter
  • Member
  • 14 posts
I got the CoolWebSearch virus again, but was able to fix it by your instructions.

This was the scenario.

I hooked up my Seagate External Hard Drive to my ComputerA that had an old uncompressed backup (Bounceback Pro) on it.

I then used Ad-aware to scan the whole computer, both drives C and E and believe it or not the program found 57 critical objects. The problems were obviously on Drive E. There was a combination of CoolWebSearch and Malware. Man, was I mad.

Then I thought I had better get rid of the files on Drive E. I manually deleted them (except a new backup made by Genie Soft). The files went to the recycle bin.

I started up the computer and it then tried to change my Internet Explorer page to about:blank, but SpywareGuard warned me first and I knew what to look out for.

I then used your instructions and was able to clean the computer.

Now I am trying to figure out why this happened again!

Were the problems on Drive C just backed up on Drive E and I got them all over again?

Could Internet Explorer iexplore.com be infected?

The Internet Explorer settings on ComputerA (usetobeinfected) are located in C:\WINDOWS\ServicePack\Uninstall$\iexplore.exe

The Internet Explorer settings on ComputerB (notinfected) are located in C:\Program Files\Internet Explorer\iexplore.exe

I recall I deleted the iexplore.exe on ComputerA when we got rid of the virus. Is the iexplore.exe in the correct location? Should I completely reinstall Internet Explorer on ComputerA to get the iexplore.exe in the correct folder? Could my problem be caused by the location of iexplore? (PS I have also installed Firefox, which I am using now.)

I just do not want to have to clean this computer again.

I am going to put in Zone Alarm, but want this computer to be working correctly first. Should I buy Zone Alarm Plus or just use the regular Zone Alarm?

Here is my Hijack Log. Would you mind checking that I got rid of everything?

Again thanks for everything.

Ljbh

Logfile of HijackThis v1.99.1
Scan saved at 6:29:59 PM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Dell\Bluetooth Software\btsendto_explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Linda Hurd\Program Files And Patches\2005\GeekstoGoSpywareControl\HijackThis From Geekstogo\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 8\Web\MCIEContext.hta
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:24:36 PM, 5/14/2005
+ Report-Checksum: AE9BEAD7

+ Date of database: 5/14/2005
+ Version of scan engine: v3.0

+ Duration: 65 min
+ Scanned Files: 108096
+ Speed: 27.44 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End
#15
Guest_usetobe_* (Guest)
Hi LJBH,

Your log is nice and clean; you did a good job ;)

The correct location for Internet Explorer should be C:\Program Files\Internet Explorer\iexplore.exe; anywhere else could indicate it is malicious, so delete it and reinstall, if you really must have it. As well as Firefox, SlimBrowser is also good.

Incidentally, about:blank does not necessarily indicate anything malicious; my browser is set to about:blank and I'm certainly not infected.

In Firefox, if you click Tools then Options, under General you can set it to a blank page and it says about:blank (not infected). SlimBrowser is the same, as is Internet Explorer, so if that is your default setting then naturally SpywareGuard and WinPatrol will give you a warning saying that it is trying to change to about:blank, but it may be the non-malicious setting.

If you backed up your infected programs and files to a different drive, then yes, they will be transferred from one drive to another.

I hope that has helped.

Regards,


Usetobe
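A small triage script for logs like the ones posted in this thread, added here as a worked example; it is not code from the thread or from HijackThis. It applies the rule in the reply above (a well-known binary such as iexplore.exe that runs from anywhere other than C:\Program Files\Internet Explorer deserves a second look), flags executables under temp or browser-cache directories, lists stale "(file missing)" entries, and treats an about:blank start page as informational only. The EXPECTED_DIRS allow-list and the sample log lines are assumptions constructed for the example: the ServicePack\Uninstall$ entry reproduces the path asked about above, the Temp entry is made up, and the rest are ordinary entries of the kind seen in the posted log.

```python
"""Triage a HijackThis-style log (added example, not code from the thread)."""
from __future__ import annotations

import re
from typing import Optional

# ASSUMED allow-list: where these Windows XP binaries normally reside. It is a
# starting point, not an authoritative list; extend it for the build you triage.
EXPECTED_DIRS: dict[str, set[str]] = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
}

# Directory fragments from which a legitimate startup item should not run.
DROP_DIR_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")

_ENTRY = re.compile(r"^\s*(R\d|F\d|O\d+)\s*-\s*(.*)$")
# A drive-letter path ending in a PE-ish extension. Spaces are allowed because
# 'C:\Program Files\...' is the common case, so the match is non-greedy and must
# be followed by a quote, whitespace, comma, slash or end of line.
_PATH = re.compile(r'[a-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl|hta|sys)(?=["\s,/]|$)', re.I)


def parse_entry(line: str) -> Optional[tuple[str, str]]:
    """Split an entry such as 'O4 - HKLM...' into (section, rest of line)."""
    m = _ENTRY.match(line)
    return (m.group(1), m.group(2)) if m else None


def extract_paths(body: str) -> list[str]:
    """All drive-letter executable/library paths mentioned in one entry."""
    return _PATH.findall(body)


def check_path(path: str) -> Optional[str]:
    """Return a reason string if the path looks out of place, else None."""
    p = path.lower()
    parent, name = p.rsplit("\\", 1)
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        return f"{name} runs from {parent}, expected {sorted(EXPECTED_DIRS[name])}"
    if any(marker in p for marker in DROP_DIR_MARKERS):
        return "executable under a temp/cache directory"
    return None


def triage(log_text: str) -> list[dict]:
    """Walk the log and collect findings in the order the entries appear."""
    findings: list[dict] = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:  # process list, headers, scan reports: skipped
            continue
        section, body = parsed
        if section in ("R0", "R1") and body.strip().lower().endswith("about:blank"):
            findings.append({"section": section, "severity": "info", "line": line,
                             "detail": "start page is about:blank (not malicious by itself)"})
            continue
        if "(file missing)" in body:
            findings.append({"section": section, "severity": "cleanup", "line": line,
                             "detail": "entry points at a file that no longer exists"})
            continue
        for path in extract_paths(body):
            reason = check_path(path)
            if reason:
                findings.append({"section": section, "severity": "review",
                                 "line": line, "path": path, "detail": reason})
    return findings


# CONSTRUCTED sample. The R0 line, the ServicePack\Uninstall$ line and the Temp
# line are made up to exercise the rules; the others are ordinary entries of the
# kind seen in the posted log. None of these are real detections.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\ServicePack\Uninstall$\iexplore.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\OWNER\LOCALS~1\Temp\updater.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:7}] {f['section']}: {f['detail']}")
```

Location is only a heuristic: a file sitting in the expected directory can still have been replaced, so on a real machine the next step is to verify the binary's publisher signature, or compare its hash against a clean copy from the same IE build, before trusting it.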