bloodhound.w32.ep [CLOSED]

#1 sillyboy (New Member, 3 posts)

Hi there,

I have been battling this virus for the past few days and am at a loss now. Norton AntiVirus detected bloodhound.w32.ep on my computer a couple of days back and says it's unable to repair or access the infected file (C:\WINDOWS\system32\WININET.dll). I have done what you guys suggested before writing up a post, i.e. cleanup, Ad-Aware, swshredder, Spybot, Ewido etc., and have managed to delete some bad stuff on my computer, but the Norton message is still popping up every now and then.

I've done a scan with HijackThis and below is the log. Would definitely appreciate anyone's help! Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 7:36:01 PM, on 8/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\clbcatex.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\btsendto.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PeDevice\PeDev.exe
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11649287&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11649287&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11649287&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11649287&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fd4867813c33] C:\WINDOWS\System32\clbcatex.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [df7ba37ce992] C:\WINDOWS\System32\btsendto.exe
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3449B4B-1D0C-4E00-874F-A167FDF2568B}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#2 didom (Member 1K, 1,919 posts)

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the "I know what I'm doing" box.
  • In the Keep box you should see one or more instances of newdotnet6_38.dll.
  • Select every instance of newdotnet6_38.dll and move each one to the Remove box by clicking the ">>" button.
  • When you are done click "Finish>>".
-------------------------------------------

Please download miekiemoes' LQfix batch here:
http://users.pandora...atchy/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Make sure all hidden files and folders are visible (Instructions)

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please run LQfix.bat.

Scan again with HijackThis and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11649287&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11649287&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11649287&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11649287&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\eltt.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fd4867813c33] C:\WINDOWS\System32\clbcatex.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [df7ba37ce992] C:\WINDOWS\System32\btsendto.exe
O4 - HKLM\..\Run: [eltupt] C:\WINDOWS\eltupt.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O4 - Global Startup: winlogon.exe
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete the following:

Files:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\btsendto.exe
C:\WINDOWS\System32\clbcatex.exe
C:\WINDOWS\System32\intell32.exe

Folders:
C:\Program Files\Common Files\updater
C:\Program Files\NewDotNet
C:\Program Files\PSGuard


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
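
The O4 (autostart) judgement didom made by hand above, written as detection logic over the log lines from post #1. This is an added example, not code from the thread or from HijackThis; the hex-name and system-process-name heuristics are the example's own, and the denylist is constructed from the entries removed in this thread.

```python
import re

# Constructed sample: O4 (autostart) lines copied from the HijackThis log in
# post #1, mixing entries didom left alone with entries he had removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [fd4867813c33] C:\WINDOWS\System32\clbcatex.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [df7ba37ce992] C:\WINDOWS\System32\btsendto.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O4 - Global Startup: winlogon.exe
"""

# Two O4 shapes appear in the log: registry Run keys and Startup-folder items.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?)(?: = (?P<cmd>.*))?$")

# Core OS processes are started by the session manager / service controller,
# never from a Run key or the Startup folder, so an autostart entry carrying
# one of these names is a masquerade (see 'Global Startup: winlogon.exe').
SYSTEM_PROCESS_NAMES = {
    "winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe", "svchost.exe",
}

# Run-key names that are bare hex strings ('fd4867813c33') are machine-generated.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

# Constructed denylist: substrings of the entries the helper had removed in
# this thread. A real tool would use a maintained signature feed instead.
THREAD_DENYLIST = ("newdot", "psguard", r"common files\updater", "intell32.exe", "eltupt")


def parse_o4(line):
    """Return (name, command) for an O4 line, or None for anything else."""
    m = RUN_RE.match(line)
    if m:
        return m.group("name"), m.group("cmd")
    m = STARTUP_RE.match(line)
    if m:
        # A Startup item with no '= path' part (e.g. 'winlogon.exe') is the file itself.
        return m.group("name"), m.group("cmd") or ""
    return None


def launched_file(name, cmd):
    """Lower-cased base name of the program an autostart entry launches."""
    target = cmd or name
    m = re.match(r'"([^"]+)"|(\S+)', target)      # first token, honouring quotes
    token = (m.group(1) or m.group(2)) if m else target
    return token.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return [(entry name, 'reason; reason'), ...] for suspicious O4 entries."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if parsed is None:
            continue
        name, cmd = parsed
        reasons = []
        if HEX_NAME_RE.match(name):
            reasons.append("random-looking hex key name")
        if launched_file(name, cmd) in SYSTEM_PROCESS_NAMES:
            reasons.append("system process name in an autostart location")
        haystack = f"{name} {cmd}".lower()
        if any(bad in haystack for bad in THREAD_DENYLIST):
            reasons.append("matches an entry removed in this thread")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(f"[{name}] -> {why}")
```

Entries such as [KernelFaultCheck], which didom also had fixed, are deliberately left out of the sample because no heuristic here covers them; the point is that name and location checks catch the machine-generated and masquerading entries without any signature.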

#3 sillyboy (Topic Starter, New Member, 3 posts)

Hi there, first of all, I can't thank you enough for your help!! You guys totally rock!

Right, back to the issue at hand. I've done what you recommended in your reply and have listed the logs from Panda ActiveScan, HijackThis, smitRem and Ewido below.

P.S.: The virus message from Norton is not popping up anymore, so that's good.



1) Panda Active Scan
__________________

Incident                      Status          Location

Adware:adware/iedriver        No disinfected  C:\WINDOWS\SYSTEM32\Searchx.htm
Adware:adware/keenvalue       No disinfected  C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Spyware:spyware/bargainbuddy  No disinfected  C:\WINDOWS\launcher.exe
Spyware:spyware/new.net       No disinfected  C:\WINDOWS\NDNuninstall4_88.exe
Dialer:dialer.xd              No disinfected  C:\WINDOWS\switchagreement.txt
Adware:adware/delfinmedia     No disinfected  C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/powerstrip      No disinfected  Windows Registry
Adware:Adware/Imibar          No disinfected  C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\backups\backup-20050807-170911-526.dll
Adware:Adware/MediaTickets    No disinfected  C:\eied_s7.cab[eied.inf]

2) HiJackThis Log
________________

Logfile of HijackThis v1.99.1
Scan saved at 9:00:56 PM, on 8/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ICQPlus\VPlus.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\VPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Program Files\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{50DB6F7B-FFA9-450F-96B4-37CBDA8FB3F7}: NameServer = 202.188.0.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3449B4B-1D0C-4E00-874F-A167FDF2568B}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



3) Smitfiles.txt Contents
_______________________

smitRem log file
version 2.3

by noahdfear

The current date is: Sun 08/07/2005
The current time is: 17:25:10.48

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! ;)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :tazz: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~



4) Ewido Log
______________


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:29:58 PM, 8/7/2005
+ Report-Checksum: F948A91A

+ Scan result:

HKLM\SOFTWARE\KMiNT21 -> Spyware.DesktopSpyAgent : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKU\S-1-5-21-776746741-4168701361-813958858-1006\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-776746741-4168701361-813958858-1006\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-776746741-4168701361-813958858-1006\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
[464] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[1920] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\Documents and Settings\Ju-Guang_2\Cookies\ju-guang_2@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP358\A0024464.exe.tcf -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP364\A0025593.exe -> TrojanDownloader.Mediket.o : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029253.exe.tcf -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029254.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029255.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029259.exe -> Trojan.Agent.at : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029267.dll -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0029268.ocx.tcf -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0031532.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP398\A0031536.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0031780.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0031781.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0031782.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0031784.exe -> Spyware.IEDriver : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0032536.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0032537.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0033539.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP399\A0033540.exe -> TrojanDownloader.OneClickSearch.k : Cleaned with backup
C:\WINDOWS\NDNuninstall4_50.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall4_80.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall5_20.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe.tcf -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe.tcf -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\adsnds11.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\system32\ied.exe -> TrojanDownloader.Mediket.ar : Cleaned with backup


::Report End


----------------------------------

Please do let me know if there is anything further I should do. Thanks again for your patience and help. Really appreciate it.

Jon

#4 didom (Member 1K, 1,919 posts)

  • Make sure all hidden files and folders are visible (Instructions)
    Reboot your computer into safe mode (Instructions)

    Find and delete these files (if they are still there):
    C:\eied_s7.cab
    C:\WINDOWS\launcher.exe
    C:\WINDOWS\switchagreement.txt
    C:\WINDOWS\NDNuninstall4_88.exe
    C:\WINDOWS\SYSTEM32\Searchx.htm
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
    C:\Documents and Settings\Ju-Guang_2\Desktop\hijackthis\backups\backup-20050807-170911-526.dll

    Go to start > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.
    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    Press OK to remove them.

    Reboot your computer back into normal mode.

  • Please run Notepad and paste the following text into a new file:

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\PowerStrip]
    [-HKEY_CLASSES_ROOT\AdRotator.Application]
    [-HKEY_CLASSES_ROOT\KBBar.KBBarBand]
    [-HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter]
    [-HKEY_CLASSES_ROOT\LinkMaker.LinkTracker]
    [-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    [-HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl]
    [-HKEY_CLASSES_ROOT\URLSearch.URLSearch]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Jawa32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\LM]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A6E50DC-BFA8-4B40-AB1B-59E03E829FD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Presentia]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\slmss]

    Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

  • Reboot your computer again. And please scan again with Ewido and Panda ActiveScan and post the logs in your next reply.

Edited by didom, 07 August 2005 - 02:55 PM.


#5 sillyboy (Topic Starter, New Member, 3 posts)

Just finished doing the Ewido and Panda Active Scan. Below are the logs.

Ewido
______

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:53:47 PM, 8/7/2005
+ Report-Checksum: 1A58A4F5

+ Scan result:

C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033582.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033583.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033584.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033585.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033586.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033587.exe -> Spyware.UrlSpy : Cleaned with backup
C:\System Volume Information\_restore{F9E5B6D3-C3DC-4352-AB4D-A6A6ECD2C2D0}\RP400\A0033588.exe -> TrojanDownloader.Mediket.ar : Cleaned with backup


::Report End




Panda Active Scan
________________


Incident                      Status          Location

Adware:adware/iedriver        No disinfected  C:\WINDOWS\SYSTEM32\terabyte.exe
Spyware:spyware/new.net       No disinfected  C:\WINDOWS\NDNuninstall5_40.exe
Adware:adware/delfinmedia     No disinfected  C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/powerstrip      No disinfected  Windows Registry

#6 didom (Member 1K, 1,919 posts)

Make sure all hidden files and folders are visible (Instructions)
Reboot your computer into safe mode (Instructions)

Find and delete these files and folders (if they are still there):
C:\WINDOWS\SYSTEM32\terabyte.exe <= this file
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl <= this folder

Reboot your computer back into normal mode.

Please run Notepad and copy the following text into a new file:

rem Switch to the Windows drive, then into the Windows folder.
%systemdrive%
cd %WinDir%
rem Clear the read-only, system and hidden attributes so the New.net uninstaller stubs can be deleted.
attrib -r -s -h NDNuninstall*.exe
if exist NDNuninstall*.exe del NDNuninstall*.exe

Save the file as C:\remove.bat and make sure the "Save as type" field says "All files". Then please restart your computer and press F8 as it reboots, as though you were going to start in Safe Mode. At the startup menu, choose "Command Prompt Only" or "Safe Mode with Command Prompt". At the command prompt type cd c:\ and press Enter (make sure to put a space between the "cd" and the "c:\"). Then type remove and press Enter. When that is finished, restart your computer, make new logs with Panda and Ewido, then post those logs along with a new HijackThis log.

#7 didom (Member 1K, 1,919 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.