Nail.exe - here is my hijackthis


This topic is locked

#1
posty84
    New Member
  • Member
  • 3 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:32:09 PM, on 6/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Patrick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4441BBBF-79E4-955C-1619-E393F95F1666} - C:\DOCUME~1\Patrick\APPLIC~1\MEDIAA~1\Stupid Ping.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [fjjlwid] C:\WINDOWS\System32\fjjlwid.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Dvd Soft] C:\DOCUME~1\Patrick\APPLIC~1\CDROME~1\FordTrustAcid.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0
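Reading a HijackThis log by hand means looking for the same few tells each time: a BHO with no name, an auto-start entry or BHO living in the user's Application Data or Temp folders, a BHO that is an .exe rather than a DLL, and O15/O16 entries that trust or download from an unfamiliar site. The script below is an added example (not part of this thread, and not HijackThis code) that applies those checks to the O2, O4, O15 and O16 lines from the log above. The user-writable path patterns and the short list of recognised hosts are assumptions chosen for this example; the two DPF lines whose URLs are truncated in the post are left out, and one known-host DPF line is constructed. Note that the fjjlwid.exe entry in System32 passes every path heuristic here and was only identified by the scanner output in post #3, which is the reason helpers ask for an online scan alongside the log.

```python
import re

# Auto-start items and BHOs that live under a user-writable profile location
# (Application Data, Local Settings\Temp) are worth a second look: installed
# software normally lives under Program Files or the Windows directory.
# Both long and 8.3 short forms (DOCUME~1\...\APPLIC~1) are matched.
USER_WRITABLE = re.compile(
    r"(application data|applic~1|local settings|locals~1|\\temp\\)", re.I)

# Hosts whose ActiveX (O16) or Trusted Zone (O15) entries are expected on a
# Windows XP machine. Assumption for this example; extend to taste.
KNOWN_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<url>https?://\S+)$")


def host_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def is_known_host(host):
    return any(host == h or host.endswith("." + h) for h in KNOWN_HOSTS)


def triage_line(line):
    """Return the list of reasons one HijackThis log line deserves review."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        # HijackThis shows some legitimate helpers (Spybot's SDHelper.dll in
        # the log above) as "(no name)" too, so this is a prompt, not a verdict.
        if m.group("name").strip() == "(no name)":
            reasons.append("BHO registered without a name")
        if USER_WRITABLE.search(m.group("path")):
            reasons.append("BHO loaded from a user profile directory")
        # A BHO is an in-process COM server, i.e. a DLL; an .exe here is odd.
        if not m.group("path").strip().lower().endswith(".dll"):
            reasons.append("BHO path is not a DLL")
        return reasons
    m = O4_RE.match(line)
    if m:
        if USER_WRITABLE.search(m.group("cmd")):
            reasons.append("Run entry starts a program from the user profile")
        return reasons
    m = O15_RE.match(line)
    if m and not is_known_host(host_of(m.group("url"))):
        reasons.append("non-Microsoft site in the Trusted Zone")
        return reasons
    m = O16_RE.match(line)
    if m and not is_known_host(host_of(m.group("url"))):
        reasons.append("ActiveX control downloaded from an unrecognised host")
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every line that raised at least one reason."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Lines taken from the log in post #1, plus one constructed known-host DPF line.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {4441BBBF-79E4-955C-1619-E393F95F1666} - C:\DOCUME~1\Patrick\APPLIC~1\MEDIAA~1\Stupid Ping.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [fjjlwid] C:\WINDOWS\System32\fjjlwid.exe
O4 - HKCU\..\Run: [Dvd Soft] C:\DOCUME~1\Patrick\APPLIC~1\CDROME~1\FordTrustAcid.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed example control) - http://www.microsoft.com/constructed/example.cab
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run as-is it prints five flagged lines: the Stupid Ping.exe BHO trips all three BHO checks, SDHelper.dll trips only the name check, the FordTrustAcid.exe Run entry and both neededware.com entries trip one each, and the System32 autorun passes silently.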


#2
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Welcome posty84 to Geeks to Go!

Please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here.
  • 0

#3
posty84
    New Member
  • Topic Starter
  • Member
  • 3 posts
Incident Status Location

Virus:Trj/Downloader.CZM Disinfected Operating system
Adware:Adware/Lop No disinfected C:\DOCUME~1\Patrick\APPLIC~1\MEDIAA~1\Stupid Ping.exe
Adware:Adware/Lop No disinfected c:\docume~1\patrick\locals~1\temp\qpmkpdrj.exe
Virus:Trj/Downloader.CZM Disinfected Operating system
Adware:Adware/Lop No disinfected C:\DOCUME~1\Patrick\APPLIC~1\CDROME~1\FORDTR~1.EXE
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\System32\exdl?.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\stop body chin book\funk ooze.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Patrick\Application Data\cdrom else manager\drawskipthatsupport.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Patrick\Application Data\cdrom else manager\FordTrustAcid.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Patrick\Application Data\cdrom else manager\trnngxcc.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Patrick\Application Data\media about\Stupid Ping.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Patrick\installer_MARKETING35.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Patrick\Local Settings\Temp\qpmkpdrj.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Patrick\SSK3_B5 Verticlick 8.exe
Adware:Adware/Neededware No disinfected C:\WINDOWS\system32\acd.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\epx30104.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\epx30105.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exdl1.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\fjjlwid.exe
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\fjjlwidndw30104lib.dll
Virus:Trj/Downloader.CZM Disinfected C:\WINDOWS\system32\fnemp.exe
Virus:Trj/Downloader.CZM Disinfected
  • 0

#4
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Let's fix the lop infection first.

Download Findlop by Metallica. Unzip it to your desktop.
Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply.
  • 0

#5
posty84
    New Member
  • Topic Starter
  • Member
  • 3 posts
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A7858AE391AE0427.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\patrick\applic~1\cdrome~1\viewflagactive.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Patrick'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 06/06/2005 19:00:00
NextRun: 06/13/2005 13:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/26/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'XoftSpy.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\XoftSpy\XoftSpy.exe'
Parameters: '-t'
WorkingDirectory: 'C:\Program Files\XoftSpy'
Comment: 'Runs XoftSpy at Scheduled Time.'
Creator: 'Patrick'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_NOT_SCHEDULED
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

No triggers
  • 0
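The Findlop dump above is a plain key/value listing of every .job file in the Tasks folder, and the helper's next step depends on picking out which of them is the persistence mechanism. The script below is an added example (not part of this thread, and not Findlop's code) that parses that format and flags a job when it is marked Hidden, when it runs a program from the user's profile, or when its last start failed with 0x80070002 (the file-not-found HRESULT, which here means the scheduled program has already been removed while the task that relaunches it daily has not). The sample dump is an excerpt of the two jobs posted above, trimmed to the lines the checks need; the profile-path pattern is an assumption made for this example.

```python
import re

JOB_HEADER = re.compile(r"^\[TRACE\] Activating job '(?P<job>[^']+)'")
KEY_VALUE = re.compile(r"^(?P<key>\w+): (?P<value>.*)$")   # e.g. "Creator: 'Patrick'"
FLAG = re.compile(r"^(?P<flag>\w+) = (?P<value>\d+)$")      # e.g. "Hidden = 1"

# A scheduled task pointing into the user's profile (long or 8.3 form) is
# unusual for legitimately installed software. Assumption for this example.
USER_PROFILE = re.compile(
    r"(docume~1|documents and settings).*(applic~1|application data|locals~1|local settings)",
    re.I)


def parse_jobs(dump):
    """Split a Findlop-style dump into {job_name: {field: value}}."""
    jobs, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        m = JOB_HEADER.match(line)
        if m:
            current = jobs.setdefault(m.group("job"), {})
            continue
        if current is None:
            continue
        m = KEY_VALUE.match(line) or FLAG.match(line)
        if m:
            # Findlop quotes string values with single quotes; drop them.
            current[m.group(1)] = m.group(2).strip("'")
    return jobs


def triage_jobs(jobs):
    """Return {job_name: [reasons]} for jobs that deserve a closer look."""
    findings = {}
    for name, props in jobs.items():
        reasons = []
        if props.get("Hidden") == "1":
            reasons.append("task is marked hidden")
        if USER_PROFILE.search(props.get("ApplicationName", "")):
            reasons.append("task runs a program from the user profile")
        if props.get("StartError", "").lower() == "0x80070002":
            # ERROR_FILE_NOT_FOUND as an HRESULT: the target is gone but the
            # daily trigger would keep firing.
            reasons.append("last start failed with 0x80070002 (file not found)")
        if reasons:
            findings[name] = reasons
    return findings


# Excerpt of the dump in post #5, trimmed to the fields the checks use.
SAMPLE_DUMP = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A7858AE391AE0427.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\patrick\applic~1\cdrome~1\viewflagactive.exe'
Parameters: ''
Creator: 'Patrick'
StartError: 0x80070002
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1

Trigger 0:
Type: Daily
DaysInterval: 1

[TRACE] Activating job 'XoftSpy.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\XoftSpy\XoftSpy.exe'
Parameters: '-t'
Comment: 'Runs XoftSpy at Scheduled Time.'
Creator: 'Patrick'
StartError: SCHED_S_TASK_HAS_NOT_RUN
Status: SCHED_S_TASK_NOT_SCHEDULED
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 0

No triggers
"""

if __name__ == "__main__":
    for job, reasons in triage_jobs(parse_jobs(SAMPLE_DUMP)).items():
        print(job)
        for r in reasons:
            print("   ->", r)
```

On this input only A7858AE391AE0427.job is reported, with all three reasons; XoftSpy.job, which has a comment, a Program Files path and no trigger, passes. Flagging by these properties rather than by the random-looking file name is what makes the check reusable: the name changes from machine to machine, the Hidden flag and profile path do not.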

#6
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Copy and paste the text from the box to an empty file in Notepad.
%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h A7858AE391AE0427.job
attrib -r -s -h XoftSpy.job
del A7858AE391AE0427.job
del XoftSpy.job

Save the file:
name : remjob.bat
location: desktop
type : all types

Close Notepad.

Doubleclick remjob.bat on your desktop.

***

RIGHT-CLICK HERE and Save As (In IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Find and doubleclick the file cleanup.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Download the Killbox by Option^Explicit.
Save it to your desktop.
Don't use it yet.

***

Reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


***

Use Windows Explorer.
Find these folders (if present):
C:\Documents and Settings\Patrick\Application Data\cdrom else manager\
C:\Documents and Settings\Patrick\Application Data\media about\
C:\Documents and Settings\All Users\Application Data\stop body chin book\
and delete them.

***

Close all programs leaving only HijackThis running. Place a check against each of the following, (if present):

O2 - BHO: (no name) - {4441BBBF-79E4-955C-1619-E393F95F1666} - C:\DOCUME~1\Patrick\APPLIC~1\MEDIAA~1\Stupid Ping.exe

O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll

O4 - HKCU\..\Run: [Dvd Soft] C:\DOCUME~1\Patrick\APPLIC~1\CDROME~1\FordTrustAcid.exe

O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab

Click on Fix Checked when finished and exit HijackThis.

***

Run Killbox.exe.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\exdl1.exe
C:\WINDOWS\system32\acd.exe
C:\Documents and Settings\Patrick\SSK3_B5 Verticlick 8.exe
C:\Documents and Settings\Patrick\installer_MARKETING35.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

***

Post me a fresh HijackThis log to check.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 07 July 2005 - 01:56 AM.

  • 0





