Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Maleware trojans worms ohmy! [RESOLVED]


  • This topic is locked This topic is locked

#1
outofwork

outofwork

    New Member

  • Member
  • Pip
  • 7 posts
If some one could point me in the right direction. This is my HiJack log

Logfile of HijackThis v1.99.1
Scan saved at 12:27:15 AM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\systz.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\netke.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
A:\Sweep.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ange\My Documents\MY STUFF\HI JACK THIS 99 AUG 2005\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://gvtc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wvofr.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gvtc.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {19C3EBAC-F6BB-CFFA-9CFF-0AADFD4AA47C} - C:\WINDOWS\system32\d3he32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Chris\LOCALS~1\Temp\appD1.tmp
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Pk2TV1x.exe] C:\documents and settings\wayne\local settings\temp\Pk2TV1x.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [systz.exe] C:\WINDOWS\systz.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi outofwork, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

Please print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click "OK" at the directions Read: Important! prompt.
    • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
    • Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
    • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
    • Click "Exit" and "Exit" again to exit AboutBuster.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Vist the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

Regards,


Trevuren

  • 0

#3
outofwork

outofwork

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks Trevuren,

I used about and shredder but seems problem remains, could not get to trend due to fact of redirect, anything else I could try?

PS there are 3 users on this computer.

Logfile of HijackThis v1.99.1

Scan saved at 11:34:07 AM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\netke.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\systz.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ange\My Documents\MY STUFF\HI JACK THIS 99 AUG 2005\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://gvtc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dscdh.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gvtc.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7D8257D3-DF96-9F72-0D9C-EFF1A4661959} - C:\WINDOWS\ipak32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Chris\LOCALS~1\Temp\appD1.tmp
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [systz.exe] C:\WINDOWS\systz.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-------------------------------------------------------------------------------------------


AboutBuster 5.0 reference file 31
Scan started on [8/22/2005] at [9:44:17 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\31331333.dat:pbvqhp
Removed Stream! C:\WINDOWS\ACDFEIHN.ini:ruavjx
Removed Stream! C:\WINDOWS\akebook.ini:jvsimh
Removed Stream! C:\WINDOWS\apyp.exe.tmp:qhcyqm
Removed Stream! C:\WINDOWS\apyp.exe.tmp:tvdogr
Removed Stream! C:\WINDOWS\basefx.INI:xguyqj
Removed Stream! C:\WINDOWS\brczf.txt:ldplaw
Removed Stream! C:\WINDOWS\BsUDF.tbl:bjfjmg
Removed Stream! C:\WINDOWS\BsUDF.tbl:ihxjed
Removed Stream! C:\WINDOWS\cdPlayer.ini:aiqogg
Removed Stream! C:\WINDOWS\chapter.WAV:tkywoj
Removed Stream! C:\WINDOWS\Christmas Cottage 2.ico:weaeoi
Removed Stream! C:\WINDOWS\clock.avi:anaror
Removed Stream! C:\WINDOWS\clock.avi:ofkjrt
Removed Stream! C:\WINDOWS\cmijack.dat:oovoki
Removed Stream! C:\WINDOWS\d3dx.dat:rpyhyd
Removed Stream! C:\WINDOWS\dhhli.log:kqrmaf
Removed Stream! C:\WINDOWS\DtcInstall.log:yztibe
Removed Stream! C:\WINDOWS\etel3.ini:sdkawe
Removed Stream! C:\WINDOWS\etel7.ini:ikeciz
Removed Stream! C:\WINDOWS\gdx.ini:xhtjqv
Removed Stream! C:\WINDOWS\Gfact.ini:gqijyc
Removed Stream! C:\WINDOWS\gimoo.txt:vxgyvb
Removed Stream! C:\WINDOWS\gojks.dat:faxtds
Removed Stream! C:\WINDOWS\gp.ico:oyydpd
Removed Stream! C:\WINDOWS\Greenstone.bmp:gmhgup
Removed Stream! C:\WINDOWS\IE4 Error Log.txt:rokqrc
Removed Stream! C:\WINDOWS\KB828035.log:ptyzlg
Removed Stream! C:\WINDOWS\KB840315.log:hvtnrs
Removed Stream! C:\WINDOWS\kwv2.dat:zvmslu
Removed Stream! C:\WINDOWS\lclvg.dat:lughmi
Removed Stream! C:\WINDOWS\LEXSTAT(2).INI:iczuyj
Removed Stream! C:\WINDOWS\log2.txt:swfynf
Removed Stream! C:\WINDOWS\log4.txt:cdwvri
Removed Stream! C:\WINDOWS\logfile.txt:ymlbip
Removed Stream! C:\WINDOWS\logo.gif:owkrjv
Removed Stream! C:\WINDOWS\logo.gif:tdkevv
Removed Stream! C:\WINDOWS\lrkio.log:uehils
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:levrxg
Removed Stream! C:\WINDOWS\maxlink(14).ini:rhcnfz
Removed Stream! C:\WINDOWS\msgsocm.log:eirzfv
Removed Stream! C:\WINDOWS\New England Snow.scr:wjkeag
Removed Stream! C:\WINDOWS\NuNinst.cfg:hkdsci
Removed Stream! C:\WINDOWS\ocmsn.log:jtyipb
Removed Stream! C:\WINDOWS\Old-Fashioned Christmas.scr:burojm
Removed Stream! C:\WINDOWS\PreProcess(2).data:jaxfbv
Removed Stream! C:\WINDOWS\Q814995.log:cbqsvy
Removed Stream! C:\WINDOWS\River Sumida.bmp:chighd
Removed Stream! C:\WINDOWS\River Sumida.bmp:unffie
Removed Stream! C:\WINDOWS\savers(2).ini:jgbsxz
Removed Stream! C:\WINDOWS\screen-savers.frz:vsidxa
Removed Stream! C:\WINDOWS\sepsd.bin:fbtrvq
Removed Stream! C:\WINDOWS\setupapi.log:ibmzcr
Removed Stream! C:\WINDOWS\setupapi.log.0(2).old:efotmb
Removed Stream! C:\WINDOWS\setupapi.log.0(2).old:mixqow
Removed Stream! C:\WINDOWS\sneal.dat:tuqkze
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:lbynld
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:lvipbp
Removed Stream! C:\WINDOWS\sysdllwm.reg:odbfhp
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
Removed Stream! C:\WINDOWS\tsoc.log:getlba
Removed Stream! C:\WINDOWS\TWAIN.LOG:bbrjqg
Removed Stream! C:\WINDOWS\Twain001.Mtx:eqcjah
Removed Stream! C:\WINDOWS\ukitf.log:dcqmeg
Removed Stream! C:\WINDOWS\ukitf.log:tbjokq
Removed Stream! C:\WINDOWS\Uninstall Information.txt:xrvpds
Removed Stream! C:\WINDOWS\VDM6BA8.tmp:fhbcqv
Removed Stream! C:\WINDOWS\wbegh.dat:qjevnq
Removed Stream! C:\WINDOWS\wiaservc.log:kcxivx
Removed Stream! C:\WINDOWS\win.ini:kkhjhk
Removed Stream! C:\WINDOWS\wininit.ini:sfinhl
Removed Stream! C:\WINDOWS\winnt.bmp:ueatrj
Removed Stream! C:\WINDOWS\winnt256.bmp:gbvfmt
Removed Stream! C:\WINDOWS\wmsetup.log:nesgtu
Removed Stream! C:\WINDOWS\WMSysPr9.prx:zbosod
Removed Stream! C:\WINDOWS\wsftppro.INI:wzsuqg
Removed Stream! C:\WINDOWS\wusetup.log:opqyoe
Removed Stream! C:\WINDOWS\wxllz.dat:ihgpvv
Removed Stream! C:\WINDOWS\_detmp.1:bkdltf
Removed Stream! C:\WINDOWS\_detmp.1:brjljf
Removed Stream! C:\WINDOWS\_detmp.1:dgnbmt
Removed Stream! C:\WINDOWS\_detmp.1:hjhasm
------------------------------------------------
Removed File! : C:\Windows\cdwpt.dat
Removed File! : C:\Windows\cwkor.dat
Removed File! : C:\Windows\gdsbs.dat
Removed File! : C:\Windows\gojks.dat
Removed File! : C:\Windows\olzkw.dat
Removed File! : C:\Windows\oqgtx.dat
Removed File! : C:\Windows\wbegh.dat
Removed File! : C:\Windows\wxllz.dat
Removed File! : C:\Windows\wxrgb.dat
Removed File! : C:\Windows\yvdiu.dat
Removed File! : C:\Windows\zbhku.dat
Removed File! : C:\Windows\System32\cxmxs.dat
Removed File! : C:\Windows\System32\dbjcr.dat
Removed File! : C:\Windows\System32\drglk.dat
Removed File! : C:\Windows\System32\gstes.dat
Removed File! : C:\Windows\System32\iioyw.dat
Removed File! : C:\Windows\System32\kwyfm.dat
Removed File! : C:\Windows\System32\reqps.dat
Removed File! : C:\Windows\System32\uwvdr.dat
Removed File! : C:\Windows\System32\ythxn.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:45:55 AM
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please rerun the same operations and post the requested reports


Thanks,

Trevuren

  • 0

#5
outofwork

outofwork

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Trevuren,
I did as you instructed, but the house call seemed to go on and on (4 hrs). I aborted the down load, searched all my programs for any that had been created or modified on or near the date of the appearence of this whatever.
Before that I downloaded Microsoft Antispyware (Beta) which for the most part did not allow start pages to change but the notifacations it popped up did get unerving at times.
I updated my SpyBot, Ad Aare, and Norton ran them 2 times each, then searched for the programs or dll's mentioned before.
So far everything seems to be OK, M.Anti. (seems they are on to something there) has not popped up but once to tell me I had disabled my systz.exe.
Thanks for all the guidance and assistance you reallyhelped, I was vey lost at
first.
If you seee anything I need to get rid of please let me know.
outofwork
(Wayne)

Latest and hope lastest Hi Jack log
-------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:38:47 PM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ange\My Documents\MY STUFF\HI JACK THIS 99 AUG 2005\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://gvtc.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://gvtc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gvtc.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E2FA5ADF-2EE4-349E-8197-095C5E7C1822} - C:\WINDOWS\system32\netvy32.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Chris\LOCALS~1\Temp\appD1.tmp
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [systz.exe] C:\WINDOWS\systz.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by outofwork, 23 August 2005 - 12:41 PM.

  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.
  • Open Microsoft AntiSpyware.
  • Click on Options, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:


    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {E2FA5ADF-2EE4-349E-8197-095C5E7C1822} - C:\WINDOWS\system32\netvy32.dll (disabled by BHODemon)
    O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Chris\LOCALS~1\Temp\appD1.tmp
    O4 - HKLM\..\Run: [systz.exe] C:\WINDOWS\systz.exe


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\WINDOWS\system32\netvy32.dll
    C:\DOCUME~1\Chris\LOCALS~1\Temp\appD1.tmp
    C:\WINDOWS\systz.exe

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0

#7
outofwork

outofwork

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Trevuren
This is getting quite lengthy, it seems what ever it ia came back again.
New Log
-------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:24:43 PM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\iedh32.exe
C:\WINDOWS\system32\winqw32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ange\My Documents\MY STUFF\HI JACK THIS 99 AUG 2005\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://gvtc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xobuo.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gvtc.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {687935EA-83F2-0A00-630D-743E4F5D9B6C} - C:\WINDOWS\cryi.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [winqw32.exe] C:\WINDOWS\system32\winqw32.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\iedh32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Sorry to be such a pain!
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Yes, it came back in full force. And I am glad for you that it did right away. At the beginning, the most important part of the infection wasn't visible so I couldn't remove it. It has now stuck out its ugly face.

O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\iedh32.exe" /s (file missing)

===========================================
Your system is infected with a variant of the About:Blank infection.
  • First we must STOP, and Disable a bad Added Service
    • Click Start>Run and type in: services.msc
    • Click OK
    • In the Services window find: Network Security Service
    • Select/highlight and right click the entry, and choose: Properties
    • On the General tab, under Service Status click the Stop button
    • Beside: Startup Type, in the drop menu, select: Disabled
    • Click Apply, then OK
  • Download CWShredder
    Click check for updates. Do not use it yet.

  • Download Aboutbuster 5
    Unzip the file to its own folder (C:\AB) Do not use it yet.

  • Download: HomeSearchfix. Unzip it to your desktop. Do not use it yet.

  • Download Killbox
    Choose save as to your desktop. Unzip the file. Do not use it yet.

    Take care: some files can be hidden, so first go to start > control panel > folder options > view (tab) > mark show hidden files en extensions >OK

    Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!!

  • Reboot your system intosafe mode for all OS

  • Close all windows and open HijackThis.
    • Click "scan only in the main window
    • Put a checkmark beside the following entries and click FIX checked.

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xobuo.dll/sp.html#55135
      R3 - Default URLSearchHook is missing
      O2 - BHO: Class - {687935EA-83F2-0A00-630D-743E4F5D9B6C} - C:\WINDOWS\cryi.dll
      O4 - HKLM\..\Run: [winqw32.exe] C:\WINDOWS\system32\winqw32.exe
      O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\iedh32.exe" /s (file missing)

  • Run CWShredder and choose FIX

  • Start AboutBuster and press START, and then OK. The program will start scanning.

  • Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES.

  • Start Killbox
    • Place a checkmark next to [x] Delete On Reboot.
    • Highlight the following list and Copy it (Ctrl+C) to the windows clipboard.

      C:\WINDOWS\iedh32.exe
      C:\WINDOWS\system32\winqw32.exe
      C:\WINDOWS\xobuo.dll
      C:\WINDOWS\cryi.dll
    • Back in Killbox, go > file > paste from clipboard,
    • Click the red highlighted X button and click yes to the prompt when all the files have been pasted.
    • Then click OK
    • Exit Killbox and Reboot your PC.
  • After the reboot, Start AboutBuster AGAIN and scan AGAIN.

  • Clean temporary files:
    • Go > start > run and type cleanmgr and OK
    • Scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
    • Click OK to remove those files.
    • Click Yes to confirm deletion.
  • Reboot your system into normal mode.

  • Download Ewido scan
    • Check for updates.
    • Let it do a full run.
    • Copy the log. Past it to a blank Notepad file and save it to post here.
  • Finally, run HijackThis, click SCAN, produce a LOG and POST it and the EWIDOscan log in this thread for review.
Regards,

Trevuren

  • 0

#9
outofwork

outofwork

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Trevuren,
Sorry for the delay Computer went on work slow down. Cannoy get cleanmgr to function any suggestions. Also do I need to turn services.msc back on and to what settings.

Latest Hijack log------

Logfile of HijackThis v1.99.1
Scan saved at 3:53:24 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\cleanmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ange\My Documents\MY STUFF\HI JACK THIS 99 AUG 2005\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://gvtc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gvtc.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

----------------------------------------------------------------------

AB log
AboutBuster 5.0 reference file 28
Scan started on [8/24/2005] at [9:50:23 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Greenstone.bmp:iyexwu
Removed Stream! C:\WINDOWS\Haunted House Horrors.scr:nisias
Removed Stream! C:\WINDOWS\Q327979.log:uosfcn
Removed Stream! C:\WINDOWS\rbtfh.dat:fpdqzz
Removed Stream! C:\WINDOWS\wininit.ini:jfwddb
Removed Stream! C:\WINDOWS\wjndn.dat:bgojgl
Removed Stream! C:\WINDOWS\_detmp.1:doukks
Removed Stream! C:\WINDOWS\_detmp.1:dpvllf
Removed Stream! C:\WINDOWS\_detmp.1:gbttqe
Removed Stream! C:\WINDOWS\_detmp.1:hoiigz
Removed Stream! C:\WINDOWS\_detmp.1:lojehi
Removed Stream! C:\WINDOWS\_detmp.1:nhfqnq
Removed Stream! C:\WINDOWS\_detmp.1:rdwmmr
Removed Stream! C:\WINDOWS\_detmp.1:slguug
Removed Stream! C:\WINDOWS\_detmp.1:smfgar
Removed Stream! C:\WINDOWS\_detmp.1:tfjpri
Removed Stream! C:\WINDOWS\_detmp.1:tjsirh
Removed Stream! C:\WINDOWS\_detmp.1:tscqdi
Removed Stream! C:\WINDOWS\_detmp.1:ufmngf
Removed Stream! C:\WINDOWS\_detmp.1:wopvep
Removed Stream! C:\WINDOWS\_detmp.1:zjbqkz
------------------------------------------------
Removed File! : C:\Windows\iomrj.dll
Removed File! : C:\Windows\xobuo changed.dll
Removed File! : C:\Windows\System32\llmsi.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:51:19 AM


AboutBuster 5.0 reference file 31
Scan started on [8/24/2005] at [10:46:03 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\glpkw.dat:cgpydx
Removed Stream! C:\WINDOWS\plsgb.txt:jupngs
Removed Stream! C:\WINDOWS\_detmp.1:amymlv
Removed Stream! C:\WINDOWS\_detmp.1:eiijcr
Removed Stream! C:\WINDOWS\_detmp.1:mmekqc
Removed Stream! C:\WINDOWS\_detmp.1:snksos
Removed Stream! C:\WINDOWS\_detmp.1:wkjiju
Removed Stream! C:\WINDOWS\_detmp.1:xihnci
Removed Stream! C:\WINDOWS\_detmp.1:zermow
------------------------------------------------
Removed File! : C:\Windows\hehpb.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:48:15 PM


ewido log was lost some how.
let me know hgow it looks
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Your log is perfectly clean.

2. You never turned services.msc on/off, only a bad service that we removed: NO ACTION REQUIRED

3. We would like to remove cleanmgr from automatic startup.
  • Go Start>>Run>>msconfig>>Startup
  • Scroll down the list until you find C:\Windows\system32\cleanmgr.exe
  • Remove the checkmark beside that entry only
  • Click Apply if required and EXIT the program
4. REBOOT your system

5. Run HJT and post a log into this thread.

Regards,

Trevuren

  • 0

#11
outofwork

outofwork

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
:tazz:

Did as you said but C:\Windows\system32\cleanmgr.exe not listed. Rebooted and this is the log
---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:41:59 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ange\My Documents\MY STUFF\HI JACK THIS 99 AUG 2005\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://gvtc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://gvtc.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-----------------------------------------------------
I want to say a very deep thankyou for all you have done. Usually i can figure these things out on my own but this one had me stumped. Is it ok to turn Microsoft antispy ware back on real time?

Edited by outofwork, 24 August 2005 - 09:53 PM.

  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Go through these steps then it is OK to tweak whatever :tazz:

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP