Geeks to Go
ads234

#1 extreme team (New Member, 2 posts)
Please help me, ads234 is taking over our computer here at Video Extreme! I've read quite a few posts about this problem, so I figured you could help. I ran Ad-aware 6.0 and Spybot S&D. Here is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 1:53:22 PM, on 11/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\jonathon sims\local settings\temp\dvEF.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\zkxfvlwx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\Mrrl425.exe
C:\WINNT\system32\OihL.exe
C:\WINNT\Speech\accdoc.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\HJT\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.video-extreme.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.video-extreme.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - (no file)
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\codcca.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathon Sims\Local Settings\Temp\VUMzFhI.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TEAM SOFT LITE - {B1DEBFBB-E999-CD4F-2DAF-B5B37723AA1F} - C:\PROGRA~1\UPLOAD~1\idol poll.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [4S5@8J655APDR3] C:\WINNT\System32\Cjp9g.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoLoadervFx61acecPaV] "C:\WINNT\system32\2ndmmgr.exe" /PC="AM.ICMD2" /HideUninstall /HideDir
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [dvEF] C:\documents and settings\jonathon sims\local settings\temp\dvEF.exe
O4 - HKLM\..\Run: [WhenUSearchWHSE] C:\Program Files\WhenUSearch\whse.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [esoizfgclfji] C:\WINNT\system32\zkxfvlwx.exe
O4 - HKLM\..\Run: [*smp3] C:\WINNT\AppPatch\smp3.exe
O4 - HKLM\..\Run: [*imgftp] C:\WINNT\inf\imgftp.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunOnce: [*accdoc] C:\WINNT\Speech\accdoc.exe rerun
O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\djebmm350.exe"
O4 - HKCU\..\Run: [Aoaa] C:\Documents and Settings\Jonathon Sims\Application Data\aeoa.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\java\infokb.exe ren my_time:1101590117
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.c...ers/p365vip.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7471141C-CC9C-4552-884F-077133CB6086}: NameServer = 216.174.194.53,216.174.194.54

Please help us!! I'll <_< you forever!!!

#2 admin (Founder Geek, Community Leader, 24,639 posts)
Welcome to Geeks to Go, extreme team. First, we need to remove the pepper trojan. Download this file, run it, and let it terminate (it'll just blink briefly on your screen and won't appear to have done much; this is normal):
http://www.geekstogo...=download&id=18

Next, please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes next to only the following items, then click Fix checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - (no file)
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\codcca.dat
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathon Sims\Local Settings\Temp\VUMzFhI.dll
O3 - Toolbar: TEAM SOFT LITE - {B1DEBFBB-E999-CD4F-2DAF-B5B37723AA1F} - C:\PROGRA~1\UPLOAD~1\idol poll.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [4S5@8J655APDR3] C:\WINNT\System32\Cjp9g.exe
O4 - HKLM\..\Run: [AutoLoadervFx61acecPaV] "C:\WINNT\system32\2ndmmgr.exe" /PC="AM.ICMD2" /HideUninstall /HideDir
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [dvEF] C:\documents and settings\jonathon sims\local settings\temp\dvEF.exe
O4 - HKLM\..\Run: [WhenUSearchWHSE] C:\Program Files\WhenUSearch\whse.exe
O4 - HKLM\..\Run: [esoizfgclfji] C:\WINNT\system32\zkxfvlwx.exe
O4 - HKLM\..\Run: [*smp3] C:\WINNT\AppPatch\smp3.exe
O4 - HKLM\..\Run: [*imgftp] C:\WINNT\inf\imgftp.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunOnce: [*accdoc] C:\WINNT\Speech\accdoc.exe rerun
O4 - HKLM\..\RunOnce: [djebmm350.exe] "C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\djebmm350.exe"
O4 - HKCU\..\Run: [Aoaa] C:\Documents and Settings\Jonathon Sims\Application Data\aeoa.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\java\infokb.exe ren my_time:1101590117
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files (if found):
C:\WINNT\localNRD.dll
C:\WINNT\System32\Cjp9g.exe
C:\WINNT\system32\2ndmmgr.exe
C:\installer <- this folder
C:\Program Files\WhenUSearch <- this folder
C:\WINNT\system32\zkxfvlwx.exe
C:\WINNT\AppPatch\smp3.exe
C:\WINNT\inf\imgftp.exe
C:\WINNT\satmat.exe
C:\WINNT\wupdt.exe
C:\Program Files\Ebates_MoeMoneyMaker <- this folder
C:\WINNT\Speech\accdoc.exe
C:\Documents and Settings\Jonathon Sims\Application Data\aeoa.exe
C:\WINNT\java\infokb.exe

I'm sure we'll still have some cleaning to do. Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

#3 extreme team (New Member, Topic Starter, 2 posts)
I did all that jazz. But I was a little uncertain about the rebooting in safe mode. I still continued, though, and here is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 3:19:13 PM, on 11/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\zkxfvlwx.exe
C:\WINNT\Speech\accdoc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.video-extreme.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.video-extreme.com/
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\codcca.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [kugpnfd] C:\WINNT\system32\zkxfvlwx.exe
O4 - HKLM\..\RunOnce: [*accdoc] C:\WINNT\Speech\accdoc.exe rerun
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.c...ers/p365vip.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7471141C-CC9C-4552-884F-077133CB6086}: NameServer = 216.174.194.53,216.174.194.54

Thanks for the further help! What next?

#4 admin (Founder Geek, Community Leader, 24,639 posts)
Could you please download Regprot from:
http://www.diamondcs...hp?page=regprot
This program keeps an eye on any new startup keys being added to the registry.
I want to block the making of a new RunOnce key like the *accdoc with it.
After installing it, allow all the startups that are already present. You will be asked for these almost immediately after installing the program.
When it is done doing that have HijackThis fix:
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\codcca.dat
O4 - HKLM\..\Run: [kugpnfd] C:\WINNT\system32\zkxfvlwx.exe
O4 - HKLM\..\RunOnce: [*accdoc] C:\WINNT\Speech\accdoc.exe rerun

Allow these changes in Regprot, but be very careful NOT to allow any new startup entries.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files (if found):
C:\WINNT\multimpp.dll
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\codcca.dat
C:\WINNT\system32\zkxfvlwx.exe
C:\WINNT\Speech\accdoc.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
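The triage that the two replies above do by hand (pick the O2/O4/O16/F1 lines worth fixing, then watch for the ones that come back after a reboot) can be scripted. The Python below is an added example written for this thread, not code from the forum, from HijackThis or from Regprot. It parses HijackThis 1.98-style log lines and flags them on traits visible in the logs above: a program launched from a user's Temp directory, a RunOnce value whose name starts with '*' (Windows runs such RunOnce values even in Safe Mode, which is why the *accdoc entry is worth special attention), a BHO loaded from a non-DLL file, an ActiveX download with no registered class name, and value or file names that look machine-generated. The heuristics and their thresholds are mine and deliberately narrow; they catch most of what the reply told the poster to fix but not multimpp.dll, which was recognised by its CLSID rather than by any of these traits. The sample lines are excerpts from the two logs posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example; Python 3.8+).

Flags the traits that made this thread's entries suspect: programs run from
a Temp directory, RunOnce values named with a leading '*' (Windows runs those
even in Safe Mode), BHOs loaded from non-DLL files, unnamed ActiveX downloads,
and machine-looking names.  survivors() lists flagged O4 images still present
in a rescan, the "comes back after the fix" symptom Regprot was suggested for.
"""
import re

VOWELS = set("aeiouAEIOU")

# Line shapes as HijackThis 1.98 prints them; the ".." is literal in the log.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<title>[^)]*)\))? - (?P<url>\S+)$')
F1_RE = re.compile(r'^F1 - win\.ini: (?P<key>run|load)=(?P<cmd>.+)$')


def image_path(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or not, switches dropped."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r'(.*?\.(?:exe|com|scr|bat|dll))(?=["\s]|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def looks_generated(name: str) -> bool:
    """Narrow check for names like 'zkxfvlwx', 'Cjp9g' or '4S5@8J655APDR3': fires
    only on no vowels at all, or digits mixed with punctuation, so it misses
    pronounceable junk such as 'esoizfgclfji'.  A hint, not proof."""
    stem = re.sub(r'\.[A-Za-z]{3}$', '', name)
    if len(stem) < 5:
        return False
    letters = [c for c in stem if c.isalpha()]
    no_vowels = bool(letters) and not any(c in VOWELS for c in letters)
    mixed = any(c.isdigit() for c in stem) and any(not c.isalnum() for c in stem)
    return no_vowels or mixed


def triage(log: str) -> list:
    """(line, reasons) for every suspicious O2/O4/O16/F1 line; clean lines are skipped."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        reasons = []
        if m := O4_RE.match(line):
            path = image_path(m["cmd"])
            if in_temp(path):
                reasons.append("autostart runs from a Temp directory")
            if m["key"] == "RunOnce" and m["name"].startswith("*"):
                reasons.append("RunOnce value prefixed with '*' (runs even in Safe Mode)")
            if looks_generated(m["name"]):
                reasons.append("machine-looking value name")
            if looks_generated(path.rsplit("\\", 1)[-1]):
                reasons.append("machine-looking file name")
        elif m := O2_RE.match(line):
            if in_temp(m["path"]):
                reasons.append("BHO loaded from a Temp directory")
            if m["path"] != "(no file)" and not m["path"].lower().endswith(".dll"):
                reasons.append("BHO image is not a .dll")
        elif m := O16_RE.match(line):
            if not m["title"]:
                reasons.append("ActiveX download with no registered class name")
        elif F1_RE.match(line):
            reasons.append("legacy win.ini autostart")
        if reasons:
            findings.append((line, reasons))
    return findings


def survivors(before: str, after: str) -> list:
    """Flagged O4 image paths from `before` still (or again) present in `after`,
    compared by path so a renamed Run value does not hide a returning file."""
    flagged = {image_path(O4_RE.match(line)["cmd"]).lower()
               for line, _ in triage(before) if O4_RE.match(line)}
    present = {image_path(m["cmd"]).lower()
               for m in (O4_RE.match(l.strip()) for l in after.splitlines()) if m}
    return sorted(flagged & present)


# Excerpts from the two logs posted in this thread: the first scan and the rescan.
FIRST_SCAN = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4S5@8J655APDR3] C:\WINNT\System32\Cjp9g.exe
O4 - HKLM\..\Run: [dvEF] C:\documents and settings\jonathon sims\local settings\temp\dvEF.exe
O4 - HKLM\..\Run: [esoizfgclfji] C:\WINNT\system32\zkxfvlwx.exe
O4 - HKLM\..\RunOnce: [*accdoc] C:\WINNT\Speech\accdoc.exe rerun
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\codcca.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
F1 - win.ini: run=fntldr.exe
"""
RESCAN = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kugpnfd] C:\WINNT\system32\zkxfvlwx.exe
O4 - HKLM\..\RunOnce: [*accdoc] C:\WINNT\Speech\accdoc.exe rerun
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(FIRST_SCAN):
        print(line, "\n   -> " + "\n   -> ".join(reasons))
    print("still present after the fix:", survivors(FIRST_SCAN, RESCAN))
```

Run against the excerpts, the first scan yields seven flagged lines and the legitimate ccApp and SDHelper entries are left alone; the rescan still flags zkxfvlwx.exe and the *accdoc RunOnce value, and survivors() reports both, because it compares by image path rather than by value name and so is not fooled by the Run value being re-registered as kugpnfd. The same idea, keep the flagged paths from one scan and check the next scan for them, is what the reply is after when it asks for Regprot to watch for new startup keys.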