Winfixer 2005 and others [RESOLVED]


  • This topic is locked

#1
scturner97

scturner97

    New Member

  • Member
  • 4 posts
Please help. I believe Winfixer and possibly others have invaded my computer. :tazz: Currently running Windows XP SP2. One user profile will not display desktop items, but they can be run through Task Manager. The other user profile works. I have been running Ad-Aware SE weekly for the past several months, but it seems it missed some items.

Geeks To Go preps listed have been followed prior to post. Information results have been posted below. THANK YOU!

Ad-Aware: 221,00 modules scanned, no critical infections found

CWSShredder: 1 found and removed (vx2.Look2Me)

Spybot 1.4: Immunized against 6661 bad products; found no problems to fix.

Spybot DSO: 11 problems found and fixed
Abetterinternet 1 entry
AproposMedia 1 entry
CoolWWWsearch 1 entry
Exact Advertising.BarginsBuddy 1 entry
HotsearchBar 1 entry
SexList 1 entry
SpyHunter 1 entry
Web-Nexus 2 entries
Windows Security Center.AntiVirusOverride
Windows Security Center.FirewallOverride

Ewido: Infected objects found - 32
BarginBuddy
BetterInternet
TrojanDropper.Agent.pb
TrojanDownloader.Qoologic.x
TrojanDownloader.Qoologic.n
TrojanDownloader.Qoologic.p
Look2Me
SafeSurfing
HotSearchBar

Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 11:53:05 AM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\U3VzYW4A\command.exe
F:\WINDOWS\system32\CTSvcCDA.EXE
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\system32\cba\pds.exe
F:\Program Files\NavNT\rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\cnevsvc.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\cba\xfr.exe
F:\WINDOWS\system32\MsgSys.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\NavNT\vptray.exe
F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\fyyaenc.EXE
F:\Program Files\GhostSurf 2005\DeleteSatellite.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\TrojanHunter 4.2\THGuard.exe
F:\Program Files\orsr\mtts.exe
F:\WINDOWS\system32\l?[bleep].exe
F:\Program Files\GhostSurf 2005\Scheduler daemon.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Verizon Online\bin\mpbtn.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\Susan\My Documents\SpywareKill\hijackthis\HijackThis.exe
F:\WINDOWS\SoftwareDistribution\Download\91e37ce47e8587128bd714d9a2d1d8d2\update\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01D34265-D186-FC79-D71C-A81851F390CA} - F:\WINDOWS\system32\jzbsbm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - F:\WINDOWS\system32\jzcccqao.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MegaPanel] F:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [fyyaenc] F:\WINDOWS\fyyaenc.EXE
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "F:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "F:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Microsoft Works Update Detection] F:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Ltor] F:\Program Files\orsr\mtts.exe
O4 - HKCU\..\Run: [Tpfa] F:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [LoopRfZES] hneecr40.exe
O4 - Startup: Protector.lnk = F:\Program Files\GhostSurf 2005\Protector.exe
O4 - Startup: Scheduler.lnk = F:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = F:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Verizon Online Support Center.lnk = F:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Define - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://F:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....TestScanner.ocx
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097961956704
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel File Transfer - Intel® Corporation - F:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - F:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows VisFx Components - Unknown owner - F:\WINDOWS\cnevsvc.exe

Ewido Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:50:00 PM, 8/13/2005
+ Report-Checksum: 4A1E3A3E

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1214440339-1677128483-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1214440339-1677128483-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1214440339-1677128483-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\EBKDUXSZ\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup
F:\Documents and Settings\Corey\Local Settings\Temporary Internet Files\Content.IE5\OP25850X\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\3JDV314W\Nail[1].exe -> Adware.BetterInternet : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\4FQBI8GQ\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\GLQ3OXA7\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\IXZOTCNM\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\PD0IN63A\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\PD0IN63A\recinst[1].exe -> TrojanDownloader.Qoologic.x : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\RVM4QBE1\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\W5IVO52Z\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\YZI12ZMN\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
F:\WINDOWS\system32\cvrsrv.dll -> Spyware.Look2Me : Cleaned with backup
F:\WINDOWS\system32\dqxooaq.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
F:\WINDOWS\system32\ekrbb.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
F:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
F:\WINDOWS\system32\jzcccqao.dll -> Spyware.SafeSurfing : Cleaned with backup
F:\WINDOWS\system32\kwallsw.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
F:\WINDOWS\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned with backup
F:\WINDOWS\system32\nsz73.dll -> Spyware.HotSearchBar : Cleaned with backup
F:\WINDOWS\system32\plqoon.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
F:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
F:\WINDOWS\system32\wygvv.dat -> TrojanDownloader.Qoologic.n : Cleaned with backup
F:\WINDOWS\Temp\labpengs.tmp -> Spyware.SafeSurfing : Cleaned with backup


::Report End
  • 0

#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
scturner97

scturner97

    New Member

  • Topic Starter
  • Member
  • 4 posts
Sam

Thank you for the help! Still having the issues. Updated HJT log below.

Logfile of HijackThis v1.99.1
Scan saved at 7:03:31 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\U3VzYW4A\command.exe
F:\Program Files\NavNT\vptray.exe
F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\fyyaenc.EXE
F:\Program Files\TrojanHunter 4.2\THGuard.exe
F:\WINDOWS\system32\l?[bleep].exe
F:\WINDOWS\system32\CTSvcCDA.EXE
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\system32\cba\pds.exe
F:\Program Files\NavNT\rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\Program Files\Verizon Online\bin\mpbtn.exe
F:\WINDOWS\cnevsvc.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\cba\xfr.exe
F:\WINDOWS\system32\MsgSys.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\orsr\mtts.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Susan\My Documents\SpywareKill\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01D34265-D186-FC79-D71C-A81851F390CA} - F:\WINDOWS\system32\jzbsbm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MegaPanel] F:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [fyyaenc] F:\WINDOWS\fyyaenc.EXE
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] F:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Tpfa] F:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [LoopRfZES] hneecr40.exe
O4 - Startup: Protector.lnk = F:\Program Files\GhostSurf 2005\Protector.exe
O4 - Startup: Scheduler.lnk = F:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Verizon Online Support Center.lnk = F:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Define - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://F:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....TestScanner.ocx
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097961956704
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel File Transfer - Intel® Corporation - F:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - F:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Ok, let's see what we can get done for you. :tazz:

Please make sure that you can VIEW ALL HIDDEN FILES.

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01D34265-D186-FC79-D71C-A81851F390CA} - F:\WINDOWS\system32\jzbsbm.dll
O4 - HKLM\..\Run: [fyyaenc] F:\WINDOWS\fyyaenc.EXE
O4 - HKCU\..\Run: [Tpfa] F:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [LoopRfZES] hneecr40.exe
O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe



Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.




Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):

F:\WINDOWS\system32\jzbsbm.dll
F:\WINDOWS\fyyaenc.EXE
F:\WINDOWS\U3VzYW4A\command.exe
hneecr40.exe <-- do a search for this file



Reboot your computer to go back to normal mode.



Please run at least two of these online scans.
Make sure they are set to clean automatically

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log and the info from your virus scans.
  • 0
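The six lines the helper picked out of the second log share properties a reviewer learns to look for: an unnamed BHO pointing at a DLL in system32, Run entries that are a bare filename with no path or an executable sitting directly in the Windows directory, a filename the log could not print cleanly, a service with "Unknown owner", and a removed default URLSearchHook. As an added illustration (not code from this thread, the helper, or HijackThis), the Python below runs those properties as explicit heuristics over a constructed subset of that log, the same entries plus a few benign ones so false positives show up too. The two allowlists are placeholders for the startup and BHO reference database a helper would actually consult, and treating `?` as the log's stand-in for an unprintable character is an assumption, as is the set of heuristics itself.

```python
import re

# Constructed sample: entries copied from the second HijackThis log in this thread
# plus benign lines the helper left alone. "[bleep]" is the forum's word filter;
# "?" is assumed to be the log's stand-in for a character it could not print.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01D34265-D186-FC79-D71C-A81851F390CA} - F:\WINDOWS\system32\jzbsbm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fyyaenc] F:\WINDOWS\fyyaenc.EXE
O4 - HKCU\..\Run: [Tpfa] F:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [LoopRfZES] hneecr40.exe
O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
"""

# The six entries the helper told the poster to fix (copied from the thread).
HELPER_FIX_LIST = {
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {01D34265-D186-FC79-D71C-A81851F390CA} - F:\WINDOWS\system32\jzbsbm.dll",
    r"O4 - HKLM\..\Run: [fyyaenc] F:\WINDOWS\fyyaenc.EXE",
    r"O4 - HKCU\..\Run: [Tpfa] F:\WINDOWS\system32\l?[bleep].exe",
    r"O4 - HKCU\..\Run: [LoopRfZES] hneecr40.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe",
}

# Placeholder allowlists (assumption): stand-ins for the startup/BHO reference
# database a helper would consult. Built from this thread only.
KNOWN_GOOD_BHO = {"sdhelper.dll"}   # Spybot's SDHelper registers with no name
KNOWN_GOOD_BARE = {"nwiz.exe"}      # NVIDIA helper launched by bare name

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def split_command(cmd):
    """Return (executable, arguments) for a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_bho(name, path):
    reasons = []
    if path.endswith("(file missing)"):
        reasons.append("BHO registered but its DLL is gone")
    dll = path.replace(" (file missing)", "").rsplit("\\", 1)[-1].lower()
    if name == "(no name)" and dll not in KNOWN_GOOD_BHO:
        reasons.append("unnamed BHO not on the known-good list")
    return reasons


def check_run(cmd):
    exe, args = split_command(cmd)
    if exe.lower().endswith("rundll32.exe"):
        # rundll32 is a legitimate host; judge the DLL it is told to load instead
        exe = args.split(",", 1)[0].strip()
    reasons = []
    base = exe.rsplit("\\", 1)[-1].lower()
    if "\\" not in exe:
        if base not in KNOWN_GOOD_BARE:
            reasons.append("bare filename, no path: resolved via the search path")
    elif WINDOWS_ROOT_EXE.match(exe):
        reasons.append("executable dropped directly in the Windows directory")
    if "?" in exe:
        reasons.append("unprintable character in the filename")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        m_bho, m_run, m_svc = BHO_RE.match(line), RUN_RE.match(line), SVC_RE.match(line)
        if line == "R3 - Default URLSearchHook is missing":
            reasons.append("default URLSearchHook removed; fixing restores it")
        elif m_bho:
            reasons = check_bho(m_bho["name"], m_bho["path"])
        elif m_run:
            reasons = check_run(m_run["cmd"])
        elif m_svc and m_svc["owner"] == "Unknown owner":
            reasons.append("service with no registered owner")
        if reasons:
            findings.append((line, reasons))
    return findings


def matches_helper_list(log_text=SAMPLE_LOG):
    """True when the heuristics reproduce exactly the helper's fix list."""
    return {line for line, _ in triage(log_text)} == HELPER_FIX_LIST


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
    print("matches helper's list:", matches_helper_list())
```

Without the two allowlists the same pass would also flag `nwiz.exe` (a bare filename) and Spybot's unnamed SDHelper BHO, which is the point of the exercise: the heuristics only narrow the log down to candidates, and a reference list plus a human reviewer decide what is actually fixed.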

#5
scturner97

scturner97

    New Member

  • Topic Starter
  • Member
  • 4 posts
Sam,

Thank you for the very clear and easy directions to follow. :tazz:

HJT lines were deleted. A couple of lines still remain which I question the need for, but we can deal with them at the end.

During manual deletion in safe mode only F:\WINDOWS\U3VzYW4A\command.exe was found. There were also two other files in the same folder:

asappsrc.dll
nM4WwWa14NGxA5DHj66 (a VBS script file)

Panda Virus Scan run with the following not removed:

Spyware:Spyware/BargainBuddy
C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\2VSFY7YP\webservice[5].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\EBKDUXSZ\webservice[4].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\EBKDUXSZ\webservice[5].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5UBCDIZ\webservice[3].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5UBCDIZ\webservice[4].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5UBCDIZ\webservice[5].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5UBCDIZ\webservice[6].htm

C:\Documents and Settings\Corey\Local Settings\Temp\Temporary Internet Files\Content.IE5\K5UBCDIZ\webservice[7].htm

F:\WINDOWS\etb\xml\images\casino.bmp
F:\WINDOWS\etb\xml\images\dating.bmp

F:\WINDOWS\etb\xml\images\drugs.bmp

F:\WINDOWS\etb\xml\images\fav.bmp

F:\WINDOWS\etb\xml\images\virus.bmp

F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ALAHYBGX\casino[1].bmp
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ALAHYBGX\dating[2].bmp

F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ALAHYBGX\fav[1].bmp
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ALAHYBGX\virus[1].bmp
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ALAHYBGX\virus[2].bmp
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ALAHYBGX\webservice[3].htm
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GLMNWXUB\webservice[2].htm
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GLMNWXUB\webservice[3].htm
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GLMNWXUB\webservice[4].htm
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GLMNWXUB\webservice[5].htm
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IDWHS7MB\drugs[1].bmp

F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IDWHS7MB\webservice[4].htm
F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K52VGHAR\webservice[5].htm

F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K52VGHAR\webservice[6].htm

Adware:Adware/Apropos
C:\Program Files\Aprps\ProxyStub.dll

Spyware:Spyware/SurfSideKick
F:\Documents and Settings\Corey\Local Settings\Temp\i4C.tmp

Possible Virus.
F:\Documents and Settings\Susan\Local Settings\Temp\!update.exe

F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\GLQ3OXA7\!update-2444[1].0000

F:\Program Files\orsr\mtts.exe
F:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

F:\WINDOWS\Temp\ASHeuristic\!update-2444[1].0000.vir

F:\WINDOWS\Temp\ASHeuristic\!update.exe.vir
F:\WINDOWS\Temp\ASHeuristic\mtts.exe.vir
F:\WINDOWS\Temp\ASHeuristic\ProcessViewer.exe.vir
Spyware:spyware/surfsidekick
F:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Ssk.log
F:\WINDOWS\Temp\i2E4.tmp
F:\WINDOWS\Temp\i48.tmp

Adware:Adware/BookedSpace
F:\WINDOWS\cfgmgr52.dll

Adware:Adware/PurityScan
F:\WINDOWS\Temp\!update.exe

F:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IDWHS7MB\!update-2344[1].0000

Adware:Adware/ISearch
F:\WINDOWS\Temp\cmdinst.exe

Bit Defender
Was run and deleted all infected files it found. Have the log if you require viewing.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:05:39 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\CTSvcCDA.EXE
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\system32\cba\pds.exe
F:\Program Files\NavNT\rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\cba\xfr.exe
F:\WINDOWS\system32\MsgSys.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\NavNT\vptray.exe
F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\TrojanHunter 4.2\THGuard.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Verizon Online\bin\mpbtn.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Documents and Settings\Susan\My Documents\SpywareKill\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MegaPanel] F:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] F:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Protector.lnk = F:\Program Files\GhostSurf 2005\Protector.exe
O4 - Startup: Scheduler.lnk = F:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Verizon Online Support Center.lnk = F:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Define - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://F:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....TestScanner.ocx
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097961956704
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel File Transfer - Intel® Corporation - F:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - F:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thank you :) :)

#6
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
It's looking much better. Just a little more cleaning up to do and then we can talk about some of the optional stuff.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe Mode, go here for more info.



Delete these folders:

F:\WINDOWS\etb
F:\WINDOWS\U3VzYW4A
C:\Program Files\Aprps
F:\Program Files\orsr


Delete this file:

F:\WINDOWS\cfgmgr52.dll




Delete your temp files
  • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.



Click Start -> Run -> (type) services.msc

Scroll down and find the service called Command Service. When you find it, double-click on it. In the next window that opens, click the Stop button (if available), then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.


Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.

cmdService


Reboot back into normal mode and post a new hijackthis log.
Let me know of any problems that you are still having.

#7
scturner97

    New Member

  • Topic Starter
  • Member
  • 4 posts
Sam,

Looking good so far. 30 minutes of surfing the web without pop-ups. Will do some more over the next day to see if anything happens, but it's much better! :) THANK YOU!!!!!!!!

The other user profile is working just fine now as well. :tazz: Several unknown icons from casinos, PSP, Xbox, privacy scan were deleted from the desktop.

I do get the following error message at startup:

HP AIO Device Object Server
Register Class Object failed: hRes=0x80004015
The class is configured to run as a security id different from the caller
Maximum retry attempts exceeded.


The printer HP PSC 950 All-in-One appears to be working fine on all accounts.

Is this error related to the HJT line
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe ?

I also wonder about the other following lines as well:
O4 - Startup: Protector.lnk = F:\Program Files\GhostSurf 2005\Protector.exe
O4 - Startup: Scheduler.lnk = F:\Program Files\GhostSurf 2005\Scheduler daemon.exe


GhostSurf 2005 was uninstalled a week ago, should these lines also be removed?

The last one in question is an ActiveX I do not recognize:
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.../ST/ActiveX.ocx

Should it also be removed?

Updated HJT log
Logfile of HijackThis v1.99.1
Scan saved at 5:44:12 PM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\CTSvcCDA.EXE
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\WINDOWS\system32\cba\pds.exe
F:\Program Files\NavNT\rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\cba\xfr.exe
F:\WINDOWS\system32\MsgSys.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\NavNT\vptray.exe
F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\TrojanHunter 4.2\THGuard.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Verizon Online\bin\mpbtn.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Documents and Settings\Susan\My Documents\SpywareKill\hijackthis\HijackThis.exe
F:\Documents and Settings\Susan\My Documents\SpywareKill\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MegaPanel] F:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] F:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Protector.lnk = F:\Program Files\GhostSurf 2005\Protector.exe
O4 - Startup: Scheduler.lnk = F:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Verizon Online Support Center.lnk = F:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Define - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://F:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - F:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril....TestScanner.ocx
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097961956704
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...yer5.2AxWin.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel File Transfer - Intel® Corporation - F:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - F:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you so very much! My hats off to you and the staff for the fine work you do against the evil. :)
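The two entries that drove this cleanup, the O23 service with a missing binary and "Unknown owner" in a folder with a base64-looking name, and the O16 DPF control with no name, can be picked out of a HijackThis log mechanically. The following is an added example written for this thread, not HijackThis code and not anything the posters ran: it parses the O23 and O16 line formats seen in the logs above, flags services whose file is missing or whose vendor is unknown, decodes path components that are valid base64 for printable text (the U3VzYW4A folder in the log decodes to "Susan", the same user name that appears in the log's own paths), and flags DPF entries with no control name. The sample log is a handful of lines copied from the log above; the regexes and the 8-character minimum for base64 detection are this example's own choices.

```python
"""Offline triage of a HijackThis 1.99 log: flag O23 services and unnamed O16
DPF entries worth a closer look. Added example for this thread, not HijackThis code."""
import base64
import collections
import re

Finding = collections.namedtuple("Finding", "kind name reasons")

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O16 - DPF: {CLSID} [(<control name>)] - <url>
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
# A path component that looks like base64: 8+ alphabet characters, optional padding.
# The 8-character floor is an assumption to keep short folder names like "etb" out.
B64_NAME_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.../ST/ActiveX.ocx
O23 - Service: Command Service (cmdService) - Unknown owner - F:\WINDOWS\U3VzYW4A\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
"""


def decode_base64_name(name):
    """If a path component is base64 for printable ASCII, return that text, else None."""
    if not B64_NAME_RE.match(name) or len(name) % 4:
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    text = raw.rstrip(b"\x00")  # U3VzYW4A decodes to b"Susan\x00"
    if text and all(32 <= b < 127 for b in text):
        return text.decode("ascii")
    return None


def triage(log_text):
    """Return Finding records for suspicious O23 lines and unnamed O16 lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("binary missing")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no vendor name")
            for part in re.split(r"[\\/]", m.group("path")):
                decoded = decode_base64_name(part)
                if decoded:
                    reasons.append(f"base64 folder {part} -> {decoded}")
            if reasons:
                # The short name in parentheses is what services.msc and
                # HijackThis "Delete an NT Service" want; fall back to display name.
                findings.append(Finding("service", m.group("short") or m.group("display"), reasons))
            continue
        m = DPF_RE.match(line)
        if m and not m.group("name"):
            findings.append(Finding("dpf", m.group("clsid"), ["no control name", m.group("url")]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, f.name, "; ".join(f.reasons))
```

Run it against a full log saved from HijackThis (`triage(open("hijackthis.log").read())`); a service that is both missing and vendorless, in a folder whose name decodes to the logged-in user, is exactly the pattern the expert told the poster to stop, disable and delete.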

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Each one of the lines that you mentioned is optional and can be removed with HijackThis. You can safely remove any of the O16 lines that you don't recognize. Some other optional fixes you can make are...

O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] F:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] F:\Program Files\Microsoft Works\WkDetect.exe




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
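The six Custom Level settings in the post above are stored as DWORD values under the Internet zone key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, with 0 = Enable, 1 = Prompt and 3 = Disable; the value names (1001, 1004, 1201, 1607, 1800, 1804) and that encoding are Microsoft's documented IE zone registry values. The following is an added example written for this thread, not the poster's or Microsoft's code: it reads a `reg export` of that key, reports which of the six settings differ from what the post asks for, and writes a .reg file that applies only the changes needed. The sample export is constructed for the demonstration and does not claim to be any Windows default.

```python
"""Audit the Internet zone settings recommended above from a 'reg export' of the
zone key, and emit a .reg file that applies them. Added example for this thread."""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3          # documented IE zone action values
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (setting as shown in the IE Custom Level dialog, value the post asks for)
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')

# Constructed sample export with several of the six settings left on Enable.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key path: {value name: int}} for the DWORD values in a reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_zone3(reg_text):
    """List (value name, setting, current, required) for settings that deviate.
    current is None when the value is absent, i.e. the zone template default applies."""
    values = parse_reg_export(reg_text).get(ZONE3_KEY, {})
    deviations = []
    for name, (setting, required) in REQUIRED.items():
        current = values.get(name)
        if current != required:
            deviations.append((name, setting, current, required))
    return deviations


def fix_reg(deviations):
    """Build a .reg file that sets each deviating value to the required one."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for name, setting, _current, required in deviations:
        lines.append(f"; {setting} -> {LABEL[required]}")
        lines.append(f'"{name}"=dword:{required:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    devs = audit_zone3(SAMPLE_EXPORT)
    for name, setting, current, required in devs:
        print(f"{name} {setting}: {LABEL.get(current, 'not set')} -> {LABEL[required]}")
    print(fix_reg(devs))
```

On the machine itself, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces a UTF-16 file, so read it with `open("zone3.reg", encoding="utf-16")` before passing it to `audit_zone3`. The audit only covers the six settings the post names; the Custom Level dialog has many more, and per-user values here are overridden by any HKLM policy values for the same zone.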

#9
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.