Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Janelle needs help [RESOLVED]

Started by gjanelle , Jul 12 2005 11:00 PM

  • This topic is locked This topic is locked

#1
gjanelle
Posted 12 July 2005 - 11:00 PM

gjanelle

    Member

  • Member
  • PipPip
  • 15 posts
Help! I have a problem with multiple popups. I have run multiple virus/trojan scans and done the following steps according to your website's instructions:
Run cleanup!: About 6 gigs of data removed
Run ad-aware SE: More files removed via custom settings provided
Run CWShredder: More gone
Run Spybot S&D: More gone the first time, second time it stopped and froze (repeatedly) after 637/25378 of bot check
Run TDS-3: More gone
Attempted to download SP1a: I got two downloads, but it would not download the complete SP1a pack
I believe I was able to erase both the DrPMon.dll and the DrWatson.dll and exe files from my system with a program called Killbox
Multiple reboots- always get popups when connecting
Even when not connected, I get popups during boot that refer to bhomonitor.dll and actcookie.dll, both of which I found in my system under c:program files\spyware doctor\tools; spyware doctor is another program I had previously downloaded (months ago) without incident.
Downloaded firefox at recommendation of a friend, but haven't used it yet
I have also done hijack this. The following is my log, but I have not removed any hosts yet.
Logfile of HijackThis v1.99.1
Scan saved at 12:44:57 AM, on 7/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\yditsvc.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\devldr32.exe
c:\windows\system32\yrumwo.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\System32\phomine.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\ogkvenc.EXE
C:\WINDOWS\System32\apisvc.exe
C:\WINDOWS\System32\secserv.exe
C:\WINDOWS\System32\rapnjk.exe
C:\WINDOWS\xzoldll.EXE
C:\WINDOWS\system\ommbk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\secserv.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\paqntz.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack this virus scanner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\dkggc.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Owner\LOCALS~1\Temp\afcpqzyrwhc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\dkggc.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [t77i3tP] phomine.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [ovzjdll] C:\WINDOWS\ovzjdll.EXE
O4 - HKLM\..\Run: [ogkvenc] C:\WINDOWS\ogkvenc.EXE
O4 - HKLM\..\Run: [qssadll] C:\WINDOWS\qssadll.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [secserv.exe] C:\WINDOWS\System32\secserv.exe
O4 - HKLM\..\Run: [SetupExeDll] hyandex.exe
O4 - HKLM\..\Run: [Preliminary] pizda.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rapnjk.exe reg_run
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [xzoldll] C:\WINDOWS\xzoldll.EXE
O4 - HKLM\..\Run: [ndlnxts] c:\windows\system32\yrumwo.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [cwosRjj3V] paqntz.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [cmon14] ATLIEHELPER.exe
O4 - HKCU\..\Run: [prgsys0984] PasswdMon.exe
O4 - HKCU\..\Run: [init32] ActionScr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83...hm::/update.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://scf021.shand...ents/wficat.cab
O16 - DPF: {4025F9BF-E95A-4F42-87A3-D74ABCC520D9} (ISiteNonVisual Control 3.0) - https://159.178.60.179/iSite3_0.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...budsinc1001.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121228485889
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://vaww.north-fl...tsweb/msrdp.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...529/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D79AF272-7FA4-41C8-861A-B303F26A29F2}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD39DFD8-78F5-4431-B17A-164BA1BFD866}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O20 - Winlogon Notify: Welcome - C:\WINDOWS\system32\QBENCLIB.DLL (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\yditsvc.exe
I'd appreciate any advice.
Thanks,
Greg
  • 0

Advertisements

#2
Buckeye_Sam
Posted 14 July 2005 - 08:25 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

You've got a log full of nasty malware there so this is going to take a few steps. But you are going to really like the way your computer runs when we are done. :tazz:


========


Download Hoster.

http://www.funkytoad...load/hoster.zip

This will restore your original Host files.
Run the program and press Restore Original Hosts and press OK.


=========


Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


==========


Run Hijackthis. Click on "Open the Misc Tools section". Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your in your next post.



==========


In your next reply please post:

- log from Ewido scan
- uninstall list
- new hijackthis log
  • 0

#3
gjanelle
Posted 17 July 2005 - 09:30 AM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Buckeye Sam,
Thanks for your help. I have done the things that you asked, and the results are attached. :tazz: Kind of eyepopping. I look forward to your next reply!
Thanks,
Greg
Attached File  ewido_Scan_report_20050717.txt   73.9KB   176 downloadsAttached File  hijackthis_log_7.17.txt   16.84KB   134 downloadsAttached File  hijackthis_uninstall_list_7.17.txt   3.54KB   196 downloads


Logfile of HijackThis v1.99.1
Scan saved at 11:15:50 AM, on 7/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\yditsvc.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\jnbara.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\windows\system32\rtxuee.exe
C:\Hijack this virus scanner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Owner\LOCALS~1\Temp\wpmvojkrezg.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [t77i3tP] phomine.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [ovzjdll] C:\WINDOWS\ovzjdll.EXE
O4 - HKLM\..\Run: [ogkvenc] C:\WINDOWS\ogkvenc.EXE
O4 - HKLM\..\Run: [qssadll] C:\WINDOWS\qssadll.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [secserv.exe] C:\Program Files\Common Files\System\secserv.exe
O4 - HKLM\..\Run: [SetupExeDll] hyandex.exe
O4 - HKLM\..\Run: [Preliminary] pizda.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [xzoldll] C:\WINDOWS\xzoldll.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [lbbwygd] c:\windows\system32\rtxuee.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [cwosRjj3V] paqntz.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [cmon14] ATLIEHELPER.exe
O4 - HKCU\..\Run: [prgsys0984] PasswdMon.exe
O4 - HKCU\..\Run: [init32] ActionScr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83...hm::/update.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://scf021.shand...ents/wficat.cab
O16 - DPF: {4025F9BF-E95A-4F42-87A3-D74ABCC520D9} (ISiteNonVisual Control 3.0) - https://159.178.60.179/iSite3_0.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...budsinc1001.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121228485889
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://vaww.north-fl...tsweb/msrdp.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...529/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D79AF272-7FA4-41C8-861A-B303F26A29F2}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD39DFD8-78F5-4431-B17A-164BA1BFD866}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O20 - Winlogon Notify: Welcome - C:\WINDOWS\system32\QBENCLIB.DLL (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\yditsvc.exe (file missing)





Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop CS
Adobe Photoshop Elements 2.0
ArcSoft ShowBiz
ArcSoft Software Suite
Blasterball Wild
BroadJump Client Foundation
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss REBEL 300D WIA Driver
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Citrix ICA Web Client
CleanUp!
ClinAne by Skyscape
Content Delivery Module
Dark Orbit
Data Access Objects (DAO) 3.5
Detto IntelliMover Demo
DiamondCS TDS-3
Dig'nRigs
Disney's Mickey Mouse Toddler
Disney's Winnie the Pooh Toddler
Documents To Go
DVDXCopy 1.3.1 b631 (remove only)
Easy Internet Sign-up
EndNote
Epocrates Essentials
ewido security suite
Finding Nemo: Nemo's Underwater World of Fun
Freedom Security && Privacy Suite
Garfield - Kindergarten Numbers Vol 1
GemMaster 2
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp center
HP DLA
hp instant support
HP Memories Disc
hp officejet d series
HP Photo Printing Software
HP RecordNow
HP Share-to-Web
Inactive HP Printer Drivers (Remove only)
Intel® 845G Chipset Graphics Driver Software
Internet Connection Update and HomeP KB234087
InterVideo WinDVD
KBD
Kublox
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
MARGI Presenter-to-Go
Maxtor OneTouch
McAfee VirusScan
MediaFACE 4.0
MediaFACE 4.0 Business Image Library
MediaFACE 4.0 General Image Library
MediaFACE 4.0 Lifestyle Image Library
MediaFACE 4.0 Music Image Library
MediaFACE 4.0 Special Occasion Image Library
MediaFACE 4.0 Spiritual Image Library
Microsoft Broadband Networking
Microsoft Encarta 98 Encyclopedia
Microsoft Office 2000 SR-1 Standard
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
MKSAP 12 CD-ROM
Mozilla Firefox (1.0.5)
MUSICMATCH Jukebox
MyDVD
NVIDIA Windows 2000/XP Display Drivers
Palm Desktop
PC-Doctor for Windows
PCFriendly
PigPen
powerOne Personal v2.0.9 for Handhelds
PremiumSearch Startpage
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken 2004
Quicken Financial Center
QuickTime
Related Sites Toolbar
Retrospect 6.0
SabreWing 2
Shockwave
Shrek Activity Center
Sonic Foundry Super Duper Music Looper XPress
Sound Blaster Live!
Space Rocks
Speedway
Spybot - Search & Destroy 1.4
Spyware Doctor 3.2
Tcl 8.0.5 for Windows
TContext
The ABI Network- A Division of Direct Revenue
VERITAS StorageGuard
Virtual Warfare
VPN Client
WeatherBug
WeirdOnTheWeb
WildTangent Channel Manager
Windows VisFx Components
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q308387 for more information]
Windows XP Hotfix (SP1) [See Q308676 for more information]
Windows XP Hotfix (SP1) [See Q308677 for more information]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q309691 for more information]
Windows XP Hotfix (SP1) [See Q311842 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q312370 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy
You Know What 2 - Arts and Entertainment
You Know What 2 - History and Geography
You Know What 2 - Potpourri
You Know What 2 - Science and Nature
You Know What 2 - Sports and Games

Edited by Buckeye_Sam, 17 July 2005 - 09:39 AM.

  • 0

#4
Buckeye_Sam
Posted 17 July 2005 - 09:57 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
For ease of reveiwing your logs, always try to copy and paste the text into your reply as opposed to attaching them as a file. Your Ewido log may have been too large, but I copied and pasted the other two for you.


We've got a lot of cleaning up to do, so let's get to it. :tazz:


Please make sure that you can VIEW ALL HIDDEN FILES.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.180.173.39 www.google.ae
O1 - Hosts: 66.180.173.39 www.google.am
O1 - Hosts: 66.180.173.39 www.google.as
O1 - Hosts: 66.180.173.39 www.google.at
O1 - Hosts: 66.180.173.39 www.google.az
O1 - Hosts: 66.180.173.39 www.google.be
O1 - Hosts: 66.180.173.39 www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca
O1 - Hosts: 66.180.173.39 www.google.cd
O1 - Hosts: 66.180.173.39 www.google.cg
O1 - Hosts: 66.180.173.39 www.google.ch
O1 - Hosts: 66.180.173.39 www.google.ci
O1 - Hosts: 66.180.173.39 www.google.cl
O1 - Hosts: 66.180.173.39 www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu
O1 - Hosts: 66.180.173.39 www.google.co.il
O1 - Hosts: 66.180.173.39 www.google.co.in
O1 - Hosts: 66.180.173.39 www.google.co.je
O1 - Hosts: 66.180.173.39 www.google.co.jp
O1 - Hosts: 66.180.173.39 www.google.co.ke
O1 - Hosts: 66.180.173.39 www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls
O1 - Hosts: 66.180.173.39 www.google.co.nz
O1 - Hosts: 66.180.173.39 www.google.co.th
O1 - Hosts: 66.180.173.39 www.google.co.ug
O1 - Hosts: 66.180.173.39 www.google.co.uk
O1 - Hosts: 66.180.173.39 www.google.co.ve
O1 - Hosts: 66.180.173.39 www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag
O1 - Hosts: 66.180.173.39 www.google.com.ar
O1 - Hosts: 66.180.173.39 www.google.com.au
O1 - Hosts: 66.180.173.39 www.google.com.br
O1 - Hosts: 66.180.173.39 www.google.com.co
O1 - Hosts: 66.180.173.39 www.google.com.cu
O1 - Hosts: 66.180.173.39 www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec
O1 - Hosts: 66.180.173.39 www.google.com.fj
O1 - Hosts: 66.180.173.39 www.google.com.gi
O1 - Hosts: 66.180.173.39 www.google.com.gr
O1 - Hosts: 66.180.173.39 www.google.com.gt
O1 - Hosts: 66.180.173.39 www.google.com.hk
O1 - Hosts: 66.180.173.39 www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt
O1 - Hosts: 66.180.173.39 www.google.com.mx
O1 - Hosts: 66.180.173.39 www.google.com.my
O1 - Hosts: 66.180.173.39 www.google.com.na
O1 - Hosts: 66.180.173.39 www.google.com.nf
O1 - Hosts: 66.180.173.39 www.google.com.ni
O1 - Hosts: 66.180.173.39 www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa
O1 - Hosts: 66.180.173.39 www.google.com.pe
O1 - Hosts: 66.180.173.39 www.google.com.ph
O1 - Hosts: 66.180.173.39 www.google.com.pk
O1 - Hosts: 66.180.173.39 www.google.com.pr
O1 - Hosts: 66.180.173.39 www.google.com.py
O1 - Hosts: 66.180.173.39 www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg
O1 - Hosts: 66.180.173.39 www.google.com.sv
O1 - Hosts: 66.180.173.39 www.google.com.tr
O1 - Hosts: 66.180.173.39 www.google.com.tw
O1 - Hosts: 66.180.173.39 www.google.com.ua
O1 - Hosts: 66.180.173.39 www.google.com.uy
O1 - Hosts: 66.180.173.39 www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn
O1 - Hosts: 66.180.173.39 www.google.de
O1 - Hosts: 66.180.173.39 www.google.dj
O1 - Hosts: 66.180.173.39 www.google.dk
O1 - Hosts: 66.180.173.39 www.google.es
O1 - Hosts: 66.180.173.39 www.google.fi
O1 - Hosts: 66.180.173.39 www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr
O1 - Hosts: 66.180.173.39 www.google.gg
O1 - Hosts: 66.180.173.39 www.google.gl
O1 - Hosts: 66.180.173.39 www.google.gm
O1 - Hosts: 66.180.173.39 www.google.hn
O1 - Hosts: 66.180.173.39 www.google.ie
O1 - Hosts: 66.180.173.39 www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz
O1 - Hosts: 66.180.173.39 www.google.li
O1 - Hosts: 66.180.173.39 www.google.lt
O1 - Hosts: 66.180.173.39 www.google.lu
O1 - Hosts: 66.180.173.39 www.google.lv
O1 - Hosts: 66.180.173.39 www.google.mn
O1 - Hosts: 66.180.173.39 www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu
O1 - Hosts: 66.180.173.39 www.google.mw
O1 - Hosts: 66.180.173.39 www.google.nl
O1 - Hosts: 66.180.173.39 www.google.no
O1 - Hosts: 66.180.173.39 www.google.off.ai
O1 - Hosts: 66.180.173.39 www.google.pl
O1 - Hosts: 66.180.173.39 www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt
O1 - Hosts: 66.180.173.39 www.google.ro
O1 - Hosts: 66.180.173.39 www.google.ru
O1 - Hosts: 66.180.173.39 www.google.rw
O1 - Hosts: 66.180.173.39 www.google.se
O1 - Hosts: 66.180.173.39 www.google.sh
O1 - Hosts: 66.180.173.39 www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm
O1 - Hosts: 66.180.173.39 www.google.td
O1 - Hosts: 66.180.173.39 www.google.tm
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Owner\LOCALS~1\Temp\wpmvojkrezg.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [t77i3tP] phomine.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [stb] C:\WINDOWS\System32\stb.exe
O4 - HKLM\..\Run: [ovzjdll] C:\WINDOWS\ovzjdll.EXE
O4 - HKLM\..\Run: [ogkvenc] C:\WINDOWS\ogkvenc.EXE
O4 - HKLM\..\Run: [qssadll] C:\WINDOWS\qssadll.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [secserv.exe] C:\Program Files\Common Files\System\secserv.exe
O4 - HKLM\..\Run: [SetupExeDll] hyandex.exe
O4 - HKLM\..\Run: [Preliminary] pizda.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [xzoldll] C:\WINDOWS\xzoldll.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [lbbwygd] c:\windows\system32\rtxuee.exe r
O4 - HKCU\..\Run: [cwosRjj3V] paqntz.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [cmon14] ATLIEHELPER.exe
O4 - HKCU\..\Run: [prgsys0984] PasswdMon.exe
O4 - HKCU\..\Run: [init32] ActionScr.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83...hm::/update.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D79AF272-7FA4-41C8-861A-B303F26A29F2}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD39DFD8-78F5-4431-B17A-164BA1BFD866}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{32184114-09D9-46A0-A850-C063AE84537E}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,85.255.112.5
O20 - Winlogon Notify: Welcome - C:\WINDOWS\system32\QBENCLIB.DLL (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Reboot your computer into SAFE MODE

Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\svcproc.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\AuroraHandler.dll
C:\WINDOWS\wupdt.exe
C:\WINDOWS\xzoldll.EXE
C:\WINDOWS\ovzjdll.EXE
C:\WINDOWS\ogkvenc.EXE
C:\WINDOWS\qssadll.EXE
C:\WINDOWS\System32\apisvc.exe
C:\WINDOWS\system32\QBENCLIB.DLL
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\stb.exe
C:\WINDOWS\System32\jnbara.exe
c:\windows\system32\rtxuee.exe
C:\Program Files\Common Files\System\secserv.exe
C:\Program Files\SurfSideKick 3
C:\Program Files\AutoUpdate
C:\Program Files\Cas
C:\Program Files\WareOut
ATLIEHELPER.exe
phomine.exe
AUNPS2.DLL
PasswdMon.exe
ActionScr.exe
hyandex.exe
pizda.exe
paqntz.exe


Reboot your computer to go back to normal mode.


Download and unzip http://metallica.gee...m/MADEbyOSC.zip
Run the file by doubleclicking metallica.bat
and post the log.
Do not reboot untill I have looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.

Also post a new hijackthis log.
  • 0

#5
gjanelle
Posted 18 July 2005 - 09:49 PM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sam,
I did what you detailed. All of the Host files were gone when I re-ran hijack this to fix them...I assume that's because of the host repairer you asked me to run? The rest were fised.
I did not find many of the files or folders you detailed when operating in the safe mode, but deleted what I found.
My Metallica and hijack this logs are as follows (and thanks for your continued help):
Greg

**These are the hidden files found**
************************************
Volume in drive C is HP_PAVILION
Volume Serial Number is 401C-B943

Directory of C:\DOCUME~1\Owner\LOCALS~1\Temp

07/18/2005 10:24 PM <DIR> Temporary Directory 1 for hijackthis.zip
07/12/2005 11:25 PM <DIR> Temporary Directory 1 for last try KillBox.zip
07/18/2005 11:27 PM <DIR> Temporary Directory 1 for MADEbyOSC.zip
0 File(s) 0 bytes
3 Dir(s) 90,462,453,760 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C is HP_PAVILION
Volume Serial Number is 401C-B943

Directory of C:\DOCUME~1\Owner\LOCALS~1\Temp

09/06/2003 09:14 PM <DIR> History
09/06/2003 09:14 PM <DIR> Temporary Internet Files
0 File(s) 0 bytes
2 Dir(s) 90,462,449,664 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 11:29:50 PM, on 7/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\windows\system32\ovibbs.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\System32\jnbara.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack this virus scanner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [urabwav] c:\windows\system32\ovibbs.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://scf021.shand...ents/wficat.cab
O16 - DPF: {4025F9BF-E95A-4F42-87A3-D74ABCC520D9} (ISiteNonVisual Control 3.0) - https://159.178.60.179/iSite3_0.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...budsinc1001.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121228485889
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://vaww.north-fl...tsweb/msrdp.cab
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...529/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

#6
Buckeye_Sam
Posted 19 July 2005 - 03:31 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Good job! :tazz: We are making excellent progress!

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Step 1
Please download and install Cleanup 4.0, but do not run it yet.

Step 2
Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)
Unzip it to the desktop but do NOT run yet.

Step 3
Reboot your computer into Safe Mode

Step 4
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Step 5
Please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Step 6
Run CleanUp 4.0 that you installed earlier.

Step 7
Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.

Step 8
Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [urabwav] c:\windows\system32\ovibbs.exe r
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...budsinc1001.cab
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Step 10
Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
c:\windows\system32\ovibbs.exe
C:\WINDOWS\System32\jnbara.exe



Restart your computer and please post a new HijackThis log and the Ewido log.
  • 0

#7
gjanelle
Posted 20 July 2005 - 07:07 AM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sam,
Thanks. I'll work on it as soon as I get home. Incidentally, in the meantime, I have a wireless network at home to which I connect when using my laptop. I have turned off my wi-fi on my laptop at home ever since I knew I was infected for fear that my laptop would get as sick as my desktop currently is. Is this a correct assumption, or can I still use the laptop on my home network? My laptop appears to be running fine, but should I run anything in particular on my laptop to find out if something is hiding there (it is supposedly protected by McAfee...but then again, so was my desktop!)?
Thanks,
Greg
  • 0

#8
Buckeye_Sam
Posted 20 July 2005 - 07:22 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You had a load of trojans on this computer and if it didn't infect your laptop through your network before then you are probably ok now. I doubt that you had anything that would spread through a wireless network.

When we are done with your infected computer you can post a hijackthis log from your laptop and I'll take a look at it for you.
  • 0

#9
gjanelle
Posted 20 July 2005 - 10:28 PM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sam,
Continued thanks. This is the first time in about 2 weeks I've been connected (for about 5 minutes now) and not gotten popups. The last couple of days it was mostly through the aurora downloader. I am still getting messages about bhomonitor.dll and artcookies.dll whenever I reboot (while unplugged from the DSL line). The others are less consistent...but those two have been there multiple times. To those of us out here who are fairly computer illiterate, that's a good thing, right? :tazz:
I've done the steps you asked and removed what I found...some of the files from the hijack this log weren't there (in addition to some in step 10 of your directions). Here are the ewido and hijack logs (thanks):
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:52:09 PM, 7/20/2005
+ Report-Checksum: 851F7DB6

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1943663836-3286411353-1906211764-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096802.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096803.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096804.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096805.exe -> Heuristic.Win32.Hijacker2 : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096806.exe -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096807.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096808.exe -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096809.dll -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096810.dll -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096811.exe -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096812.exe -> TrojanDropper.Agent.mu : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096813.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096814.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096815.exe -> TrojanDownloader.VB.hj : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096816.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096817.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096818.exe -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096819.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096820.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096821.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096822.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096823.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096824.dLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096825.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096826.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096827.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096828.Dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096829.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096830.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096831.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096832.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096833.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096834.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096835.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096836.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096837.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096838.exe -> Trojan.Popmon.a : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096839.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096840.exe -> Spyware.Serpo : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096841.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096842.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096843.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096844.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096845.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096846.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096847.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096848.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096849.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096850.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096851.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096852.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096853.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096854.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096855.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096856.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096857.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096858.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096859.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096860.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096861.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096862.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096863.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096864.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096865.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096866.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096867.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096868.dll -> TrojanDownloader.WarSpy.e : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096869.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096870.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096871.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096872.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096873.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096874.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096875.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096876.exe -> Heuristic.Win32.Hijacker2 : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096877.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096878.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096879.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096880.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096881.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096882.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096883.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096884.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096885.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096886.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096887.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096887.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096888.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP481\A0096889.exe -> TrojanDownloader.VB.hj : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096897.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096898.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096905.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096908.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096910.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096911.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096912.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096913.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096933.exe -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096934.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096935.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096950.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096951.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096953.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096960.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096966.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096974.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP483\A0096975.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP484\A0096986.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP484\A0096987.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP485\A0096994.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP485\A0096996.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP485\A0097001.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP485\A0097004.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP485\A0097007.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP485\A0097008.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\system\__delete_on_reboot__ommbk.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\WINDOWS\system32\xfnfhop.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__apisvc.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__yditsvc.exe -> TrojanDropper.Agent.mu : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:16:16 AM, on 7/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\devldr32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\xemmdll.EXE
c:\windows\system32\kctuurz.exe
C:\WINDOWS\xemmenc.EXE
C:\WINDOWS\System32\jnbara.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack this virus scanner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [xemmdll] C:\WINDOWS\xemmdll.EXE
O4 - HKLM\..\Run: [xemmenc] C:\WINDOWS\xemmenc.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [mscpns] c:\windows\system32\kctuurz.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://scf021.shand...ents/wficat.cab
O16 - DPF: {4025F9BF-E95A-4F42-87A3-D74ABCC520D9} (ISiteNonVisual Control 3.0) - https://159.178.60.179/iSite3_0.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121228485889
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://vaww.north-fl...tsweb/msrdp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...529/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
  • 0

#10
Buckeye_Sam
Posted 21 July 2005 - 07:47 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's clean up your log a little bit more and then we'll take a closer look for something that is hiding out.

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [xemmdll] C:\WINDOWS\xemmdll.EXE
O4 - HKLM\..\Run: [xemmenc] C:\WINDOWS\xemmenc.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [mscpns] c:\windows\system32\kctuurz.exe r


===========


Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.


===========


Reboot your computer into Safe Mode

Once in Safe mode, delete these files.

C:\WINDOWS\wupdt.exe
C:\WINDOWS\xemmdll.EXE
C:\WINDOWS\xemmenc.EXE
C:\WINDOWS\System32\jnbara.exe
c:\windows\system32\kctuurz.exe


==============


While still in Safe mode, Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply along with a new hijackthis log.
  • 0

Advertisements

#11
gjanelle
Posted 24 July 2005 - 10:06 PM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sam,
Done as instructed. Log files to follow. Incidentally, do I have to do any of these steps individually for all users of my home computer? My wife has a separate login prompt...when she logs in, even when not connected (DSL unplugged from wall) she gets a ton of warnings from Spydoctor about violations at the artcookie.dll and bhomonitor.dll. I still get a couple of these when I log on, but they have otherwise stopped. Similarly, I haven't had an unwanted popup the last couple of times I've connected for replied to you :tazz:
Anyway, here are the logfiles:
C:\Documents and Settings\Owner\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\RDBios32.DLL: UPX!
C:\WINDOWS\system32\urhdoib.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\odbyjoyemip.exe: UPX!
C:\WINDOWS\svcproc.exe: UPX!
C:\WINDOWS\visfxun.exe: UPX!
C:\WINDOWS\xemmsvc.exe: UPX!
Finished
bye

Logfile of HijackThis v1.99.1
Scan saved at 11:53:34 PM, on 7/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\System32\jnbara.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
c:\windows\system32\ftlmuvz.exe
C:\WINDOWS\explorer.exe
C:\Palm\HOTSYNC.EXE
C:\Hijack this virus scanner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [dmkah.exe] C:\WINDOWS\System32\dmkah.exe
O4 - HKLM\..\Run: [tbjcmsb] c:\windows\system32\ftlmuvz.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://scf021.shand...ents/wficat.cab
O16 - DPF: {4025F9BF-E95A-4F42-87A3-D74ABCC520D9} (ISiteNonVisual Control 3.0) - https://159.178.60.179/iSite3_0.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121228485889
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://vaww.north-fl...tsweb/msrdp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...529/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#12
Buckeye_Sam
Posted 25 July 2005 - 06:12 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We may have to do a little cleanup in the other users on your computer. But we should be able to get most of it from yours.


Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [dmkah.exe] C:\WINDOWS\System32\dmkah.exe
O4 - HKLM\..\Run: [tbjcmsb] c:\windows\system32\ftlmuvz.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\system32\RDBios32.DLL
      C:\WINDOWS\system32\urhdoib.exe
      C:\WINDOWS\System32\hclean32.exe
      C:\WINDOWS\System32\dmkah.exe
      C:\WINDOWS\System32\jnbara.exe
      c:\windows\system32\ftlmuvz.exe
      C:\WINDOWS\odbyjoyemip.exe
      C:\WINDOWS\svcproc.exe
      C:\WINDOWS\visfxun.exe
      C:\WINDOWS\xemmsvc.exe

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.



Please post a new hijackthis log and a new log from rkfiles.
  • 0

#13
gjanelle
Posted 27 July 2005 - 08:43 PM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks again. 2 of the files would NOT copy into the killbox list, no matter how many times I tried. I don't know if this is important, but it was these 2:
C:\WINDOWS\system32\urhdoib.exe
and
c:\windows\system32\ftlmuvz.exe
I entered them manually, and it seemed to work.
I appreciate your continued patience. Are we getting close?
Here are the updated log files:
Thanks,
Greg

C:\Documents and Settings\Owner\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ododmv.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\dsr.exe: UPX!
C:\WINDOWS\Nail.exe: UPX!
C:\WINDOWS\svcproc.exe: UPX!
Finished
bye


Logfile of HijackThis v1.99.1
Scan saved at 10:36:29 PM, on 7/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
c:\windows\system32\ododmv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\naip.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack this virus scanner\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [cbzxbqc] c:\windows\system32\ododmv.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://help.bellsout...oad/tgctlpw.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://scf021.shand...ents/wficat.cab
O16 - DPF: {4025F9BF-E95A-4F42-87A3-D74ABCC520D9} (ISiteNonVisual Control 3.0) - https://159.178.60.179/iSite3_0.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121228485889
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://vaww.north-fl...tsweb/msrdp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...529/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#14
Buckeye_Sam
Posted 28 July 2005 - 04:55 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You have an Epolvy Trojan.

First you should know that the main bad file that we need to kill is the 04 line in your hijackthis log that ends in a lower case r. This filename can change frequently so it will probably be different than what you posted in your last log. In the fix below I call it randomfile.exe, but it will always be that file that shows up in your current hijackthis that ends in a lower case r.


=======


Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for c:\windows\system32\randomfile.exe
  • Open your C:\Windows\system32 folder and search for randomfile.exe .
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select c:\windows\system32\randomfile.exe and Click Kill3
  • Then immediately delete randomfile.exe from your system32 folder.
Close APT.


========


Next fix these lines with Hijackthis:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [hhevpdr] c:\windows\system32\randomfile.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jnbara.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


========


Use Killbox to delete these files:

C:\WINDOWS\dsr.dll
C:\WINDOWS\dsr.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\System32\jnbara.exe
C:\WINDOWS\system32\ododmv.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\Nail.exe


========


Reboot into Safe mode.

Run Nailfix and Ewido while in Safe mode.


========

Reboot back to normal mode and post a new hijackthis log.
  • 0

#15
gjanelle
Posted 29 July 2005 - 08:44 AM

gjanelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks. I'll try it tonight when I get home. I'll be gone for the following week on vacation...so after I post logs, if you answer, and I don't respond...please don't think I'm ignoring your advice. I'll be back a week from Monday.
Thanks,
Greg
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP