Geeks to Go

Pretty devastating - VX2 [RESOLVED]


This topic is locked

#1
gov135
Member, 19 posts
This is my mother's computer - I've been working on it for a few weekends. The stuff that usually works to remove spyware is just not working here.

We've gone through the steps at the forums. We have used:
1. Cleanup!
2. Ad-Aware SE
3. AVG

Unfortunately, the above hasn't helped clean up what looks like a pretty major spyware/hijack job. The only thing I've been able to do is go through add/delete programs to get rid of two suspicious programs that might have contained spyware. Everything left is real clean, but the spyware remains.

The main problem is excessive pop-ups, probably due to the browser hijack. Looks like something called Aurora - though I can't find anything by that name on the hard drive. AVG also is finding sporadic Trojan horses while we are on-line. Once off-line, an AVG scan comes through clean. This has made me believe the problem is more related to the browser hijack and unwanted spyware.

We'd obviously very much appreciate help.

Below is our HijackThis file:


Logfile of HijackThis v1.99.1
Scan saved at 7:56:15 AM, on 6/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\febbquhw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\seeve.exe
C:\WINDOWS\System32\scrsvc.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system\oneqotxia.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Charles Averell\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BigFix\BigFix.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nxqek.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("browser.display.screen_resolution", 96);
user_pref("browser.history.last_page_visited", "http://www.turbotax....on/browser.htm");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("browser.toolbars.showbutton.mynetscape", false);
user_pref("browser.toolbars.showbutton.net2phone", false);
user_pref("browser.toolbars.showbutton.search", false);
user_pref("font.name.fantasy.x-western", "Blackadder ITC");
user_pref("general.useragent.contentlocale", "");
user_pref("intl.charsetmen
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("browser.display.screen_resolution", 96);
user_pref("browser.history.last_page_visited", "http://www.turbotax....on/browser.htm");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "www.google.com");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("browser.toolbars.showbutton.mynetscape", false);
user_pref("browser.toolbars.showbutton.net2phone", false);
user_pref("browser.toolbars.showbutton.search", false);
user_pref("font.name.fantasy.x-western", "Blackadder ITC");
user_pref("general.useragent.contentlocale", "");
user_pref("intl.charsetmen
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - C:\WINDOWS\System32\zxvgohbq.dll (file missing)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - C:\WINDOWS\System32\feymmcly.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsi12.dll
O2 - BHO: SDWin32 Class - {A9C3EB4F-E71F-4EB8-9793-B436BE6C5D47} - C:\WINDOWS\System32\rufrw.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [systw.exe] C:\WINDOWS\system32\systw.exe
O4 - HKLM\..\Run: [mset.exe] C:\WINDOWS\system32\mset.exe
O4 - HKLM\..\Run: [mfcnk32.exe] C:\WINDOWS\system32\mfcnk32.exe
O4 - HKLM\..\Run: [febbquhw] C:\WINDOWS\System32\febbquhw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [AutoLoader3F7q1QJLVZaZ] "C:\WINDOWS\System32\wmecert.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [3soW3EU] wmecert.exe
O4 - HKLM\..\Run: [rufrwc] C:\WINDOWS\System32\rufrwc.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Umoe] C:\WINDOWS\System32\hhlw.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://csites.secure...va/cfs31218.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0009.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)

Edited by gov135, 04 June 2005 - 06:16 AM.
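A log this size hides the handful of entries that matter among dozens of legitimate ones. The Python script below is an added example, not part of this thread or of HijackThis itself; it applies the triage rules a helper applies by eye: many hosts-file names redirected to one non-loopback address, a system.ini Shell= value that is not plain Explorer.exe, BHOs and services whose file is missing or whose owner is unknown, Run entries that name a bare executable with no path, Trusted Zone additions, and search settings that point at a local res:// resource. SAMPLE_LOG is constructed from entries of the kind shown in the log above, and the thresholds are the example author's own choice.

```python
"""Triage heuristics for HijackThis 1.99-style log lines.

Added example, not part of the forum thread or of HijackThis itself.
SAMPLE_LOG is constructed from the kind of entries shown in the thread;
the thresholds and rules below are the example author's own choices.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nxqek.dll/sp.html#96676
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - C:\WINDOWS\System32\zxvgohbq.dll (file missing)
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.popuppers.com
O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
LOOPBACK = {"127.0.0.1", "::1"}


def split_entry(line):
    """Return (section code, body) for an entry line, or (None, line) for
    header/process-list lines that carry no section code."""
    m = ENTRY_RE.match(line)
    return (m.group(1), m.group(2)) if m else (None, line)


def triage(log_text, hosts_threshold=3):
    """Return a list of (section code, reason) findings for suspicious entries."""
    findings = []
    hosts_by_ip = defaultdict(list)   # non-loopback IP -> names mapped to it

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code, body = split_entry(line)

        if code == "O1":
            # "Hosts: <ip> <name>": collect redirects to anything but loopback
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                hosts_by_ip[parts[1]].append(parts[2])

        elif code in ("R0", "R1") and "res://" in body:
            # search/start page served from a local DLL resource, not a web site
            findings.append((code, "search setting points at a local res:// resource: " + body))

        elif code == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly Explorer.exe; anything appended is run at logon
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((code, "Shell= is not plain Explorer.exe: " + shell))

        elif code == "O2" and "(file missing)" in body:
            findings.append((code, "BHO registered for a file that no longer exists: " + body))

        elif code == "O4":
            # a Run value whose target is a bare file name is resolved through PATH;
            # legitimate software almost always registers a full path
            m = re.search(r"\[[^\]]*\]\s*(.*)", body)
            target = m.group(1).strip().lstrip('"') if m else ""
            exe = target.split()[0] if target else ""
            if exe and "\\" not in exe:
                findings.append((code, "Run entry names a bare executable with no path: " + exe))

        elif code == "O15":
            findings.append((code, "site added to the Trusted Zone: " + body.split(":", 1)[1].strip()))

        elif code == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((code, "service with unknown owner or missing binary: " + body))

    for ip, names in hosts_by_ip.items():
        if len(names) >= hosts_threshold:
            shown = ", ".join(names[:3]) + (", ..." if len(names) > 3 else "")
            findings.append(("O1", f"{len(names)} hosts-file names redirected to {ip}: {shown}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code:>3}  {reason}")
```

Run it on a full saved log by reading the file into `triage()`; the hosts-file rule is deliberately a count, because a single redirected name is often a legitimate blocklist entry while dozens of Google country domains pointing at one address, as in the log above, is not.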



#2
Metallica
Spyware Veteran, GeekU Moderator, 31,674 posts
Download, unzip and run: http://www.derbilk.de/SpSeHjfix112.zip
Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Then download and unzip http://metallica.gee...m/MADEbyOSC.zip
Run the file by double-clicking metallica.bat
and post the log.
Do not reboot until someone has looked at your log and given you the next step.
If you have to reboot, repeat this part when you are back online.

So I will get 2 logs from you.

Regards,

#3
gov135
Topic Starter, Member, 19 posts
Hi Metallica,

I really, really appreciate your time. I will certainly be at my mother's this weekend, and I will take the above steps. I will then not reboot and will post the needed logs when I get to work a week from today.

Again, thanks for your time, just wanted you to know that I am following through, it will just take a week.

#4
Metallica
Spyware Veteran, GeekU Moderator, 31,674 posts
No problem. I'll get notified by mail when you post in this thread. :tazz:

Regards,

#5
gov135
Topic Starter, Member, 19 posts
Okay, I have downloaded and run the two programs. A few things I noticed:
1. The derbilk program did not restart my computer. The log seems to have successfully executed, though.
2. The Metallica program identifies hidden files, but I changed the settings on my drive to show all files.

Finally, I am posting these two files from the problem computer - and I will then shut it down as you requested and will not reboot. I'll check for your response from work. My question is, since I got on-line after running the two programs, when I reboot, do I need to re-run the two programs before starting the next step?

Here are the two logs. Again, thanks a lot.


(6/8/05 6:28:34 PM) SPSeHjFix started v1.1.2
(6/8/05 6:28:34 PM) OS: WinXP Service Pack 1 (5.1.2600)
(6/8/05 6:28:34 PM) Language: english
(6/8/05 6:28:34 PM) Win-Path: C:\WINDOWS
(6/8/05 6:28:34 PM) System-Path: C:\WINDOWS\System32
(6/8/05 6:28:34 PM) Temp-Path: C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\
(6/8/05 6:28:36 PM) Disinfection started
(6/8/05 6:28:36 PM) Bad-Dll(IEP): (not found)
(6/8/05 6:28:36 PM) Bad-Dll(IEP) in BHO: (not found)
(6/8/05 6:28:36 PM) UBF: 4 - UBB: 6 - UBR: 27
(6/8/05 6:28:36 PM) UBF: 4 - UBB: 6 - UBR: 27
(6/8/05 6:28:36 PM) Bad IE-pages: (none)
(6/8/05 6:28:36 PM) Stealth-String not found
(6/8/05 6:28:36 PM) Not infected->END



************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is BCF1-9288

Directory of C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp

09/08/2003 12:09 PM <DIR> Temporary Directory 1 for 394_yatcee.zip
02/01/2004 10:56 PM <DIR> Temporary Directory 1 for CHZZ735Z.ZIP
06/08/2005 06:24 PM <DIR> Temporary Directory 1 for SpSeHjfix112.zip
0 File(s) 0 bytes
3 Dir(s) 66,757,185,536 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is BCF1-9288

Directory of C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp

11/06/2004 08:53 AM <DIR> Cookies
06/06/2004 01:56 PM <DIR> History
06/06/2004 01:56 PM <DIR> Temporary Internet Files
0 File(s) 0 bytes
3 Dir(s) 66,757,181,440 bytes free

#6
Metallica
Spyware Veteran, GeekU Moderator, 31,674 posts
The rebooting doesn't matter that much since it wasn't what I was afraid of.

So we can deal with the Nail infection.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nxqek.dll/sp.html#96676

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll

O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - C:\WINDOWS\System32\zxvgohbq.dll (file missing)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - C:\WINDOWS\System32\feymmcly.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsi12.dll
O2 - BHO: SDWin32 Class - {A9C3EB4F-E71F-4EB8-9793-B436BE6C5D47} - C:\WINDOWS\System32\rufrw.dll

O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [systw.exe] C:\WINDOWS\system32\systw.exe
O4 - HKLM\..\Run: [mset.exe] C:\WINDOWS\system32\mset.exe
O4 - HKLM\..\Run: [mfcnk32.exe] C:\WINDOWS\system32\mfcnk32.exe
O4 - HKLM\..\Run: [febbquhw] C:\WINDOWS\System32\febbquhw.exe

O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [AutoLoader3F7q1QJLVZaZ] "C:\WINDOWS\System32\wmecert.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [3soW3EU] wmecert.exe
O4 - HKLM\..\Run: [rufrwc] C:\WINDOWS\System32\rufrwc.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe

O4 - HKCU\..\Run: [Umoe] C:\WINDOWS\System32\hhlw.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - Startup: PowerReg Scheduler V3.exe

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab

O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0009.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Regards,
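The check that follows a Fix Checked run is a comparison of the new log against the old one: every entry on the fix list should be gone, and anything appearing for the first time (a fresh Run entry or BHO dropped by whatever was still executing) needs a look of its own. The Python script below is an added example, not part of this thread or of HijackThis; BEFORE, AFTER and FIX_LIST are constructed from a few entries that appear in this thread, and the matching rules are the example author's own. It identifies O2/O9/O16 entries by CLSID, O4 entries by their bracketed name and O23 entries by the short service name, so a BHO whose path has turned into "(no file)" in the new log still counts as the same entry rather than as one removed and one added.

```python
"""Compare a 'before' and an 'after' HijackThis log to confirm that the
entries marked for Fix Checked are gone and to surface anything new.

Added example, not part of the forum thread or of HijackThis itself.
BEFORE, AFTER and FIX_LIST are constructed from a few entries that appear
in this thread; the matching rules are the example author's own.
"""
import re

BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - C:\WINDOWS\System32\zxvgohbq.dll (file missing)
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.popuppers.com
O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)
"""

AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)
"""

# Entries the helper asked to have fixed (a constructed subset for the example).
FIX_LIST = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - C:\WINDOWS\System32\zxvgohbq.dll (file missing)",
    r"O4 - HKLM\..\Run: [WinInit] Win86.exe",
    r"O15 - Trusted Zone: *.popuppers.com",
    r"O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)",
]

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def entries(log_text):
    """Entry lines only (R/F/N/O sections); header and process list are dropped."""
    return [l.strip() for l in log_text.splitlines() if ENTRY_RE.match(l.strip())]


def entry_key(line):
    """Stable identity for an entry, so cosmetic changes between scans (a path
    turning into '(no file)', for instance) do not make it look like a new entry:
    CLSID for O2/O9/O16, the [name] for O4, the short service name for O23,
    and the whole line for everything else."""
    code = line.split(" - ", 1)[0]
    if code in ("O2", "O9", "O16"):
        m = CLSID_RE.search(line)
        if m:
            return code + m.group(0).upper()
    elif code == "O4":
        m = re.search(r"\[([^\]]+)\]", line)
        if m:
            return code + m.group(1)
    elif code == "O23":
        m = re.search(r"\(([^)]+)\)", line)   # first parenthesised token is the service name
        if m:
            return code + m.group(1)
    return line


def compare(before_text, after_text, fix_list):
    """Return what the fix achieved and what still needs attention."""
    before = {entry_key(l): l for l in entries(before_text)}
    after = {entry_key(l): l for l in entries(after_text)}
    fix = {entry_key(l.strip()) for l in fix_list}
    return {
        # requested and gone
        "fixed": sorted(before[k] for k in fix if k in before and k not in after),
        # requested but still listed in the new log
        "still_present": sorted(after[k] for k in fix if k in after),
        # not in the old log at all: dropped by something still running, or missed
        "new": sorted(after[k] for k in after.keys() - before.keys()),
        # vanished without being on the fix list: worth a second look too
        "removed_unrequested": sorted(before[k] for k in before.keys() - after.keys() - fix),
    }


if __name__ == "__main__":
    for label, lines in compare(BEFORE, AFTER, FIX_LIST).items():
        print(f"== {label} ({len(lines)})")
        for line in lines:
            print("   " + line)
```

With the constructed logs the report shows three entries fixed, two from the fix list still present (the BHO now listed as "(no file)" and the orphaned service), two entries that are new, and nothing that vanished without being asked for; that last bucket is the one that catches an over-eager fix.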

#7
gov135
Topic Starter, Member, 19 posts
Okay, I was able to follow your above instructions with one exception - after I had downloaded Ewido and then the definition file my computer was totally overwhelmed. I couldn't reconnect to the internet to get nailfix.

So instead, I went into safe-mode and used Ewido and Hijackthis, as you asked. Then when I went back to normal Windows, my computer was much better, and I downloaded nailfix, went back into safe-mode, and ran it.

So I guess what I am saying is that I did everything you asked but a little backwards - I did nailfix last instead of first. Hope I didn't screw anything up too bad - but by then this computer was running forty-odd processes and it wasn't going to connect to the internet for me.




Here are the two logs you asked for. I will now get off the internet (and stay off) and I'll run Hoster, DelDomains, and Cleanup, as you asked. Thanks for the help so far, I'm starting to feel better.

Logfile of HijackThis v1.99.1
Scan saved at 8:59:01 PM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Documents and Settings\Charles Averell\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://csites.secure...va/cfs31218.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\uxposvc.exe (file missing)
O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:36:43 PM, 6/10/2005
+ Report-Checksum: BDB93F1D

+ Date of database: 6/10/2005
+ Version of scan engine: v3.0

+ Duration: 52 min
+ Scanned Files: 109739
+ Speed: 35.16 Files/Second
+ Infected files: 85
+ Removed files: 85
+ Files put in quarantine: 85
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Charles Averell\Cookies\charles averell@abcsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@bfast[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@search123[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Cookies\charles averell@servedby.advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\asfjkk32.tmp -> Spyware.SafeSurfing -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\Cookies\charles averell@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\ICD2.tmp\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\ICD3.tmp\installer_MARKETING11.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\ICD4.tmp\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\motoin.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\temp.fr027B -> Trojan.Pakes -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\temp.fr3B1E -> Trojan.Pakes -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\temp.fr5533 -> Trojan.Pakes -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\temp.frC863 -> Trojan.Pakes -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\temp.frDFC0 -> Trojan.Pakes -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temp\uppicsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\2HCXOJM7\pcs_0025[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\4H6NO9EF\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\BUW77LCP\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\C3QXUPIB\pcs_0006[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\CH4NGZGR\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\K3EFQOOI\pcs_0002[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\S12FOP2N\abiuninst[1].exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\SLQJC1KN\AproposClientInstaller[1].exe -> Trojan.Pakes -> Cleaned with backup
C:\Documents and Settings\Charles Averell\Local Settings\Temporary Internet Files\Content.IE5\TZ4VMR81\pcs_0009[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Program Files\Common Files\csshare\plugins0942\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\NetMeeting\netmeet.htm -> Worm.Nimda -> Cleaned with backup
C:\Program Files\Netscape\Netscape 6\Plugins\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING11.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD.ah -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0006.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\idkracqag.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\mhrxgsvh.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\mm15201518.Stub.exe -> Spyware.EZula.ah -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\seeve.exe -> Spyware.MediaMotor.f -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\system\oneqotxia.exe -> TrojanDownloader.Small.ayh -> Cleaned with backup
C:\WINDOWS\system32\adstartup.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\system32\drivers\dpbtposh.sys -> Trojan.Agent.aw -> Cleaned with backup
C:\WINDOWS\system32\febbquhw.exe -> Spyware.Agent.cy -> Cleaned with backup
C:\WINDOWS\system32\hpahegr.dll -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\hpijybh.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\htifyah.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\huadycs.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\modgxyz.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\system32\nsi12.dll -> Spyware.HotBar -> Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\WINDOWS\system32\PreInstaller_p1.exe -> TrojanDownloader.Keenval.o -> Cleaned with backup
C:\WINDOWS\system32\ps1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\system32\Qool.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINDOWS\system32\rufrwc.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\system32\rufrwf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\system32\scrsvc.exe -> Trojan.WUDisable -> Cleaned with backup
C:\WINDOWS\system32\services\dale.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\unpack.exe -> Trojan.Painwin.a -> Cleaned with backup
C:\WINDOWS\system32\zdmfqjn.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\uxposvc.exe -> TrojanDropper.Agent.mu -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.0.0\files\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\xgxaxadc.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\xzrtdll.exe -> TrojanDownloader.VB.hj -> Cleaned with backup
C:\WINDOWS\xzrtenc.exe -> TrojanDownloader.VB.hj -> Cleaned with backup


::Report End

Edited by gov135, 10 June 2005 - 07:11 PM.


#8 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
This log was made before you ran Hoster, right?

Click Start > Run, type services.msc > OK
In the list of services find:
Windows VisFx Components
Right-click that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: Windows VisFx Components

In the list of services find:
rjnsztiqvpne (wjbzlzah6)
Right-click that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: wjbzlzah6

Post a new log when you are completely finished.

Regards,

#9 gov135 (Member, Topic Starter, 19 posts)
>>This log was made before you ran Hoster, right?<<

Yes, the log I had posted previously was before Hoster was run. Here is the new log.



Logfile of HijackThis v1.99.1
Scan saved at 6:38:06 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Charles Averell\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://csites.secure...va/cfs31218.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Good. Let's see if we can make this final.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Reboot into safe mode and delete:
C:\WINDOWS\System32\tibs3.exe

Post a new log when you are done.

Regards,
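The checks Metallica applies by eye in posts #8 and #10 (an O23 service whose file is missing or whose owner is unknown, an O2 BHO registered with no file behind it, an O4 Run entry launching an unfamiliar binary straight out of System32) can be scripted over a HijackThis log. The script below is an added example written for this page; it is not code from the thread or from HijackThis. Its sample log is a constructed subset of the lines posted above, and the regexes, the tiny allow-list and the "random-looking name" rule are the editor's own heuristics, not an authoritative rule set.

```python
"""Triage the O2 (BHO), O4 (Run) and O23 (service) lines of a HijackThis 1.99 log
for the signs the moderator acted on in this thread.

Added example written for this page; not code from the thread or from HijackThis.
The regexes, the tiny allow-list and the "random-looking name" rule are the
editor's assumptions, not an authoritative rule set.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines posted above, in HijackThis 1.99 format.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\uxposvc.exe (file missing)
O23 - Service: rjnsztiqvpne (wjbzlzah6) - Unknown owner - C:\WINDOWS\System32\djotdnbx6.exe (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<target>.+)$")  # .lnk lines are skipped
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?)\s?- (?P<target>[A-Za-z]:\\.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys)\b", re.I)
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?$")
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{5}")
# Illustrative only (assumption): a real allow-list would be keyed on file hashes or signatures.
KNOWN_WINDOWS_FILES = {"explorer.exe", "msjava.dll", "wuauclt.exe"}


@dataclass
class Finding:
    kind: str              # "O2", "O4" or "O23"
    key: str               # CLSID, Run value name, or service display name
    target: str            # file reference exactly as HijackThis printed it
    severity: str          # "high" (act on it) or "review" (verify first)
    reasons: list = field(default_factory=list)


def looks_random(filename: str) -> bool:
    """Heuristic: a run of five consonants after dropping extension and trailing digits."""
    stem = re.sub(r"\.[a-z0-9]+$", "", filename.lower())
    stem = re.sub(r"\d+$", "", stem)
    return CONSONANT_RUN_RE.search(stem) is not None


def split_path(target: str):
    """Return (basename, parent-with-trailing-backslash), both lower-cased, or ("", "")."""
    m = PATH_RE.search(target)
    if not m:
        return "", ""
    parent, _, base = m.group(0).lower().rpartition("\\")
    return base, parent + "\\"


def triage_entry(line: str):
    """Return a Finding for one O2/O4/O23 line, or None if nothing looks off."""
    line, vendor = line.strip(), None
    if m := BHO_RE.match(line):
        kind, key, target = "O2", m["clsid"], m["target"]
    elif m := RUN_RE.match(line):
        kind, key, target = "O4", m["name"], m["target"]
    elif m := SVC_RE.match(line):
        kind, key, target, vendor = "O23", m["name"], m["target"], m["company"].strip()
    else:
        return None
    reasons, high = [], False
    if "(no file)" in target.lower() or "(file missing)" in target.lower():
        reasons.append("points at a file that no longer exists; the registry key is the leftover")
        high = True
    if vendor == "Unknown owner":
        reasons.append("service reports 'Unknown owner' (no vendor in the file's version info)")
        high = True
    elif vendor == "":
        reasons.append("no vendor string in the file's version info")
    base, parent = split_path(target)
    if base and WINDOWS_ROOT_RE.match(parent) and base not in KNOWN_WINDOWS_FILES:
        reasons.append("binary sits directly in the Windows root or System32, not under a vendor folder")
    if base and looks_random(base) and vendor in (None, "", "Unknown owner"):
        reasons.append("random-looking file name")
        high = True
    return Finding(kind, key, target, "high" if high else "review", reasons) if reasons else None


def triage(log_text: str):
    """All findings for a whole log, in log order."""
    return [f for f in map(triage_entry, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:3} {f.key}: {f.target}")
        for r in f.reasons:
            print("          -", r)
```

Run it as a script to print the report, or import `triage()` and feed it a saved log. Treat "review" hits as things to verify rather than delete: slserv.exe trips the "binary in System32" rule, yet the moderator never asked for it to be removed, and the vendor string HijackThis shows comes from the file's own version resource, which an attacker fills in at will, so a real allow-list should be keyed on hashes or Authenticode signatures. The heuristics also miss what the moderator caught from experience, such as the MSConfig /auto Run entry.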

#11 gov135 (Member, Topic Starter, 19 posts)
Okay, I worked on the above. When I got into safe mode, the file tibs3.exe was gone. I dunno if HijackThis got it in the previous step or not.



Logfile of HijackThis v1.99.1
Scan saved at 10:17:38 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Charles Averell\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://csites.secure...va/cfs31218.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#12 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Did something go wrong?

Some of the items I listed are still there.

Regards,

#13 gov135 (Member, Topic Starter, 19 posts)
I dunno what is happening. I have used HijackThis in both safe mode and regular mode and asked it to delete the following, but I can't get rid of these:

O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)

Nothing else is running, all windows are closed. Any thoughts? Here is a new log that has the two offenders.

Logfile of HijackThis v1.99.1
Scan saved at 11:09:14 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Documents and Settings\Charles Averell\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://csites.secure...va/cfs31218.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14 Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Maybe you do not have permission for those keys.

Does your user account have administrator rights?

If so, ownership may have been changed.

Changing Ownership of a Registry Key
1. Click the key for which you want to change ownership.
2. On the Edit menu, click Permissions.
3. Click Advanced, and then click the Owner tab.
4. Under Change owner to, click the new owner, and then click OK.
Note: You can permit another user to take ownership of a registry key only if you are the current owner of the key. To permit a user to take ownership of a registry key, you must first grant the user Full Control of the key. You can take ownership of a registry key if you are logged on as an administrator, or if you have been specifically assigned the permission to take ownership of the registry key by the current owner.


You will have to look in the registry for that.
Click Start > Run > type regedit > OK
In the registry editor navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and follow the procedure above (Changing Ownership of a Registry Key) for the subkeys:
{54053BC0-70BC-BFC1-0ABC-EE6F01D156FF}
{7E375CFB-2AF1-F2B8-51B2-9B506165B090}

Let me know,

#15 gov135 (Member, Topic Starter, 19 posts)
I kinda thought that would work - but no luck. One key was assigned to administrator, and one was assigned to me. I assigned both to me and HijackThis still couldn't get rid of it.

I then logged into safe mode and tried again with HijackThis. No luck.


Logfile of HijackThis v1.99.1
Scan saved at 11:57:54 AM, on 6/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Juno\exec.exe
C:\Documents and Settings\Charles Averell\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s...ch?r=minisearch
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Charles Averell\Application Data\Mozilla\Profiles\default\196nmzyj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54053BC0-70BC-BFC1-0ABC-EE6F01D156FF} - (no file)
O2 - BHO: (no name) - {7E375CFB-2AF1-F2B8-51B2-9B506165B090} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://csites.secure...va/cfs31218.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe