Stubborn malware removal [RESOLVED]



#1 Bertz (New Member)
I am not able to open Task Manager or Command Prompt, and Internet access comes and goes. I have run CW Shredder, Spybot, Ad-Aware, and Avast virus scan. I've eliminated a number of Trojans, worms, and malware, but something is obviously still lurking in my system. I am not able to install anti-virus programs -- they will download, but not install.

I would appreciate any help!

Here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:25:05 PM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WINPRELOAD.EXE
C:\WINNT\System32\raloded.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\wins0cks.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Betsy Coste\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hawaii.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winsock] WINPRELOAD.EXE
O4 - HKLM\..\Run: [Msn Service] raloded.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"

#2 Snickets (Visiting Staff)
Hello Bertz,

I will need to see the whole scan log if you don't mind.

Please rescan with HijackThis and then post a fresh log in here for me to review.

Thank you,

Snickets


#3 Bertz (Topic Starter)
Here's the log I received when I ran HijackThis -- I hope it's what you need!

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:12:30 PM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WINPRELOAD.EXE
C:\WINNT\System32\raloded.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\wins0cks.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Betsy Coste\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hawaii.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winsock] WINPRELOAD.EXE
O4 - HKLM\..\Run: [Msn Service] raloded.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\RunServices: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\RunServices: [Msn Service] raloded.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\BETSYC~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [Winsock] WINPRELOAD.EXE
O4 - Global Startup: Internet Explorer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2AF638C-9723-4619-A9E9-2F8546EC06F8}: Domain = hawaii.rr.com
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

Edited by Bertz, 23 August 2005 - 05:17 PM.


#4 Snickets (Visiting Staff)
Hello Bertz,

Yes, it seems you have contracted a good old worm.

Step 1- Downloading Necessary Programs
Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file.

Step 2- The Fix
Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINNT\System32\WINPRELOAD.EXE
C:\WINNT\System32\raloded.exe
C:\WINNT\System32\wins0cks.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

While the computer is restarting, please reboot your computer into Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
1. Once in Safe Mode, scan with HJT and place a checkmark next to each of the following items:
O4 - HKLM\..\Run: [Winsock] WINPRELOAD.EXE
O4 - HKLM\..\Run: [Msn Service] raloded.exe
O4 - HKLM\..\Run: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\RunServices: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\RunServices: [Msn Service] raloded.exe
O4 - HKCU\..\RunOnce: [Winsock] WINPRELOAD.EXE
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

After checking these entries CLOSE ALL open windows [browsers and programs] EXCEPT HijackThis and click "Fix Checked."
===================================================

2. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

3. Go to Start > Search and at the top select Tools > Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

4. Please delete these files and folders using Windows Explorer (if present):
C:\WINNT\System32\WINPRELOAD.EXE
C:\WINNT\System32\raloded.exe
C:\WINNT\System32\wins0cks.exe

5. Please reboot your computer into normal Windows at this time.

6. Click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Thank you,

Snickets


Edited by Snickets, 24 August 2005 - 08:05 AM.

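Snickets picks seven lines out of the log above by eye: three files launched by bare name from HKLM\..\Run, the same names repeated under RunServices and HKCU\..\RunOnce, and an O16 ActiveX entry with no source URL. The script below is an added example, not something posted in the thread, that applies the same reasoning mechanically to HijackThis O4/O16 lines: no directory in the launch path, use of the Windows 9x-era RunServices key, a Temp directory, a name one edit away from a Microsoft-sounding word after digit-for-letter substitution (wins0cks, Updote), and the same file persisted under several keys. The sample input is constructed from lines in the posted log plus a few legitimate entries from it; the imitated-word list and the weights are assumptions to tune for your own environment.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: the O4/O16 lines Snickets singled out, copied from
# the HijackThis log above, plus four entries from the same log that are
# legitimate (HP monitor, mobsync.exe, ActiveSync, the McAfee RunOnce).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Winsock] WINPRELOAD.EXE
O4 - HKLM\..\Run: [Msn Service] raloded.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Microsoft Updote] wins0cks.exe
O4 - HKLM\..\RunServices: [Msn Service] raloded.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\BETSYC~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\RunOnce: [Winsock] WINPRELOAD.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? -\s*(.*)$")

# Words that malware autostart names imitate (assumed list; extend it).
IMITATED = {"winsock", "windows", "microsoft", "update", "svchost", "explorer"}
LEET = str.maketrans("0135", "olse")  # 0->o, 1->l, 3->e, 5->s


@dataclass
class Finding:
    line: str
    target: str                 # file launched (or the CLSID for an O16 line)
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, reason, weight):
        self.reasons.append(reason)
        self.score += weight


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_imitation(word):
    """One edit away from an imitated word after digit-for-letter normalisation."""
    w = word.lower().translate(LEET)
    return any(w != k and levenshtein(w, k) == 1 for k in IMITATED)


def launched_file(command):
    """First token of a Run value: a quoted path or a bare word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def triage(log_text):
    """Score each autostart line; higher means 'look at this first'."""
    findings, entries = [], []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            _, key, name, command = m.groups()
            path = launched_file(command)
            entries.append((line, key, name, path, path.rsplit("\\", 1)[-1]))
            continue
        m = O16_RE.match(line)
        if m and not m.group(3):            # ActiveX control with no source URL
            f = Finding(line, m.group(1))
            f.add("o16_no_url", 2)
            findings.append(f)
    seen = Counter(base.lower() for *_, base in entries)
    for line, key, name, path, base in entries:
        f = Finding(line, base)
        if "\\" not in path:                # resolved via PATH, usually a System32 drop
            f.add("bare_name", 1)
        if key.startswith("RunServices"):   # 9x-era key; worms write it for compatibility
            f.add("runservices_key", 2)
        if "\\temp\\" in path.lower():
            f.add("temp_path", 2)
        words = re.findall(r"[A-Za-z0-9]+", name) + [base.rsplit(".", 1)[0]]
        if any(looks_like_imitation(w) for w in words):
            f.add("lookalike_name", 3)
        if seen[base.lower()] > 1:          # same file persisted under several keys
            f.add("multiple_autorun_keys", 1)
        if f.score:
            findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:2d}  {f.target:<40}  {', '.join(f.reasons)}")
```

On the sample, wins0cks.exe under RunServices scores highest (bare name, 9x key, lookalike of "winsock"/"update", persisted twice), the HP and ActiveSync entries score zero, and mobsync.exe gets a single weak "bare_name" hit because Windows itself registers it that way. The Temp-path hit on the RunOnce entry is the McAfee uninstaller leftover that Snickets removes later in the thread; a score means "verify the file", never "delete it unseen".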

#5 Bertz (Topic Starter)
I had a whole nest of worms! Roadrunner contacted me to say I had the W32/Mytob.EE@mm worm, so I ran the removal tool they recommended to get rid of that.

Then I followed all the steps you suggested, except that I cannot open Panda ActiveScan -- I get a "This page will not display" message.

Following are the Ewido log and the HijackThis log. I suspect there is still something lurking in there somewhere. I now have Task Manager, but the command prompt only appears for a second. It's very difficult to connect to the wireless network and the Internet.

Thanks for your help --I appreciate your time!
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:18:09 PM, 8/24/2005
+ Report-Checksum: BED559B4

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\Wallpaper.DLL -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Atlnet.HbWebmailSend -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Atlnet.HbWebmailSend\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Atlnet.HbWebmailSend\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00C1117B-AB91-4ADD-9BBF-5D22D099DEBD} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{954814C0-40F3-4249-8528-B4922CD2964E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A54814C0-40F3-4249-8528-B4922CD2964E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DD19D39-2CDC-465B-BB21-1D433590BA3D} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
C:\WINNT\system32\nvhost.exe -> Worm.Mytob.bi : Cleaned with backup
C:\Documents and Settings\Betsy Coste\Cookies\betsy coste@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Betsy Coste\Cookies\betsy coste@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Betsy Coste\Cookies\betsy coste@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Betsy Coste\Cookies\betsy coste@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\mirc.exe -> Worm.Mytob.bi : Cleaned with backup
C:\freemind.exe -> Worm.Mytob.bi : Cleaned with backup
C:\!Submit\raloded.exe -> Worm.Mytob.bi : Cleaned with backup
F:\WINDOWS\SYSTEM\ejcgf.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050328-102051-499.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050328-171230-677.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050330-131140-302.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050331-131714-798.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050401-142824-147.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050402-143617-685.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050404-080220-994.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050405-080509-385.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050406-132635-754.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050407-091421-587.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050408-082138-940.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050408-165156-588.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050409-103144-553.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050410-092308-311.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050411-082336-678.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050411-143328-184.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050412-140110-951.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050413-083933-821.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050413-144335-589.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050414-152408-981.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050416-093359-746.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050416-142541-628.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050417-092032-149.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050418-064603-331.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050418-161945-403.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050419-101423-400.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050419-142630-754.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050420-160930-300.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050422-120616-597.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050422-161523-978.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050423-141110-360.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050424-091532-659.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050424-133004-334.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050425-090859-734.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050426-085808-852.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050426-141343-230.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050428-074002-751.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050429-090439-752.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050429-145805-183.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050430-100614-280.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050501-155256-671.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050502-182726-104.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050505-122352-584.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050507-082822-401.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050513-182040-221.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050514-153838-459.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\backups\backup-20050514-154147-514.dll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\Desktop\Cookies\capt coste@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
F:\WINDOWS\Desktop\Cookies\capt coste@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
F:\WINDOWS\offitews.log -> Trojan.Mersting.C : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:37:17 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hphmon05.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\SoftwareDistribution\Download\44055cbd387c5c1364a7555920fbdc98\update\update.exe
C:\Documents and Settings\Betsy Coste\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hawaii.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\BETSYC~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Internet Explorer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2AF638C-9723-4619-A9E9-2F8546EC06F8}: Domain = hawaii.rr.com
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
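Bertz reports that the Panda ActiveScan page "will not display" while other sites load, and the thread never establishes why. One cause worth ruling out on a machine that has carried a mass-mailing worm is the hosts file: it is consulted before DNS, so a single line mapping a vendor's hostname to 127.0.0.1 makes exactly that site fail. The checker below is an added example and not part of the thread; the hosts contents are constructed for it, and the vendor keyword list is an assumption to extend for the tools you rely on. On the XP system in this thread the real file lives under %SystemRoot%\system32\drivers\etc\hosts, which here is C:\WINNT.

```python
import ipaddress

# Constructed sample: what a hosts file can look like after malware has pinned
# security-vendor names to loopback. Vendor names are real; the file contents
# are made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.pandasoftware.com pandasoftware.com   # several names per line
127.0.0.1       housecall.trendmicro.com
0.0.0.0         liveupdate.symantecliveupdate.com
192.168.0.10    intranet.example.com
"""

# What a stock Windows hosts file contains.
CLEAN_HOSTS = """\
127.0.0.1       localhost
::1             localhost
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed list of vendor substrings a hijack commonly targets; extend as needed.
VENDOR_KEYWORDS = ("panda", "trendmicro", "symantec", "mcafee", "kaspersky",
                   "sophos", "avast", "ewido", "windowsupdate", "microsoft")


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments stripped, several names per line allowed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def suspicious_hosts_entries(text):
    """Return (address, hostname, reason) for entries that look like a hijack."""
    findings = []
    for address, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "address does not parse"))
            continue
        if name in LOCAL_NAMES:
            continue
        if any(k in name for k in VENDOR_KEYWORDS):
            # Pinning a vendor name anywhere is wrong; the target address does not matter.
            findings.append((address, name, "security-vendor host pinned by hosts file"))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((address, name, "public name sinkholed to loopback"))
    return findings


if __name__ == "__main__":
    import os
    import sys
    # Default to the live hosts file; fall back to the sample when it cannot be read.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for address, name, reason in suspicious_hosts_entries(text):
        print(f"{address:<16} {name:<40} {reason}")
```

A stock XP hosts file contains only the localhost lines, so anything the checker prints needs an explanation. Malware also sometimes makes the file read-only or hidden, so if a cleanup tool reports it could not repair the file, check the attributes before editing by hand.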

#6 Snickets (Visiting Staff)
Hello Bertz,

I see one suspicious line in your HijackThis log and some others that don't need to be there but are legitimate files.

1. Run HijackThis and place a check next to the following item.
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\BETSYC~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

Optional Removals -
Fixing them here will not prevent you from opening them manually as needed. Your choice to fix based on your needs:
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)


Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

2. Download CCleaner:
http://www.ccleaner.com/
http://www.filehippo...d_ccleaner.html

Once installed, launch CCleaner:
Do not change any settings, except to make sure on the Options tab>Advanced "Only delete files in Windows Temp folders older than 48 hours" is NOT checked.
Click Run Cleaner (bottom right). When finished> Exit (top right) (reboot)

3. Reboot your computer at this time.

4. Please rescan with HijackThis and post a fresh log in this thread for me to review. At this time also let me know how your system is running.

Thank you,

Snickets


#7 Bertz (Topic Starter)
Good news, Snickets! The system seems to be working fine. I've even got my command prompt.

Oops -- spoke too soon. I still can't open the Panda software page. What's with that?

My big problem now is connecting to my wireless network, but I suspect that's a separate issue.

My HiJackThis log is below.....thanks for all your help!

Bertz

Logfile of HijackThis v1.99.1
Scan saved at 10:34:33 AM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hphmon05.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Betsy Coste\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hawaii.rr.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Internet Explorer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2AF638C-9723-4619-A9E9-2F8546EC06F8}: Domain = hawaii.rr.com
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

Edited by Bertz, 25 August 2005 - 02:50 PM.


#8
Snickets (Visiting Staff, 425 posts)
Hello Bertz,

1. Please go here and download the free trial for SpySweeper.

2. Once installed, please open up the program and push on the Options tab, then click on Update Definitions.

3. Once the definitions are installed, please click on the Sweep Now tab and do a complete scan and removal of all items found for me.

4. Then please reboot your computer at this time.

5. Then please reopen SpySweeper and click on the Results tab, and copy and paste all of the information that is in this section into your next post.

6. Your log looks clean, but there is still something that may be on the machine; let's see if we can find it.

Thank you,

Snickets

:tazz:

#9
Bertz (Topic Starter, New Member, 6 posts)
Hi Snickets:

I did as you said, and the SpySweeper log follows. Seems like there's always something being eliminated! I can't believe how many programs it's taken to clean up this machine... and Panda still won't open. Good thing we (you) could work around it.

My computer is working about a thousand per cent better -- faster, and no annoying side trips to unwanted web pages or pop-ups. I was able, finally, to download XP service pack 2, so I thank you for cleaning things up.

I have one last question-- what do you suggest I keep on my computer to prevent future infestations?

Thanks again,
Bertz

********
8:59 AM: |··· Start of Session, Friday, August 26, 2005 ···|
8:59 AM: Spy Sweeper started
8:59 AM: Sweep initiated using definitions version 522
8:59 AM: Starting Memory Sweep
9:06 AM: Memory Sweep Complete, Elapsed Time: 00:06:41
9:06 AM: Starting Registry Sweep
9:06 AM: Found Adware: hotbar
9:06 AM: HKCR\appid\{5ca2095f-e932-48bf-88e1-603094e9331f}\ (1 subtraces) (ID = 127219)
9:06 AM: HKLM\software\classes\appid\{5ca2095f-e932-48bf-88e1-603094e9331f}\ (1 subtraces) (ID = 127382)
9:06 AM: HKLM\software\classes\atlnet.hbwebmailsend.1\ (3 subtraces) (ID = 127391)
9:06 AM: HKU\S-1-5-21-1454471165-484763869-842925246-1000\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe14} (ID = 127575)
9:06 AM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe14} (ID = 127575)
9:06 AM: HKU\S-1-5-21-1454471165-484763869-842925246-1000\software\microsoft\internet explorer\extensions\cmdmapping\ || {e77eda01-3c56-4a96-8d08-02b42891c169} (ID = 127576)
9:06 AM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {e77eda01-3c56-4a96-8d08-02b42891c169} (ID = 127576)
9:06 AM: HKU\S-1-5-21-1454471165-484763869-842925246-1000\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:06 AM: Found Adware: limeshop
9:06 AM: HKU\S-1-5-21-1454471165-484763869-842925246-1000\software\microsoft\internet explorer\menuext\limeshop preferences\ (2 subtraces) (ID = 129724)
9:07 AM: Registry Sweep Complete, Elapsed Time:00:00:41
9:07 AM: Starting Cookie Sweep
9:07 AM: Found Spy Cookie: centrport net cookie
9:07 AM: betsy coste@centrport[1].txt (ID = 2374)
9:07 AM: Found Spy Cookie: specificclick.com cookie
9:07 AM: betsy coste@adopt.specificclick[2].txt (ID = 3400)
9:07 AM: Found Spy Cookie: adserver cookie
9:07 AM: betsy coste@z1.adserver[1].txt (ID = 2142)
9:07 AM: Found Spy Cookie: adjuggler cookie
9:07 AM: betsy coste@rotator.adjuggler[1].txt (ID = 2071)
9:07 AM: Found Spy Cookie: 2o7.net cookie
9:07 AM: betsy coste@2o7[2].txt (ID = 1957)
9:07 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:07 AM: Starting File Sweep
9:07 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\system.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\software.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\default.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\security.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\sam.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\security". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\sam". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\system". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\software". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\config\default". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\catroot2\edb.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\catroot2\edbtmp.log". The process cannot access the file because it is being used by another process
9:08 AM: Warning: Failed to open file "c:\winnt\system32\catroot2\tmp.edb". The process cannot access the file because it is being used by another process
9:11 AM: Warning: Failed to open file "c:\winnt\softwaredistribution\eventcache\{e888e6ad-a77e-4952-a162-ab79d26fda6b}.bin". The process cannot access the file because it is being used by another process
9:11 AM: Warning: Failed to open file "c:\documents and settings\betsy coste\ntuser.dat". The process cannot access the file because it is being used by another process
9:11 AM: Warning: Failed to open file "c:\documents and settings\betsy coste\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:11 AM: Warning: Failed to open file "c:\documents and settings\betsy coste\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:11 AM: Warning: Failed to open file "c:\documents and settings\betsy coste\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:12 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:16 AM: Found Adware: cws-aboutblank
9:16 AM: blank.htm (ID = 54894)
9:16 AM: File Sweep Complete, Elapsed Time: 00:09:30
9:16 AM: Full Sweep has completed. Elapsed time 00:16:58
9:16 AM: Traces Found: 22
9:39 AM: Removal process initiated
9:39 AM: Quarantining All Traces: hotbar
9:39 AM: Quarantining All Traces: limeshop
9:39 AM: Quarantining All Traces: centrport net cookie
9:39 AM: Quarantining All Traces: specificclick.com cookie
9:39 AM: Quarantining All Traces: adserver cookie
9:39 AM: Quarantining All Traces: adjuggler cookie
9:39 AM: Quarantining All Traces: 2o7.net cookie
9:39 AM: Quarantining All Traces: cws-aboutblank
9:39 AM: Removal process completed. Elapsed time 00:00:09
9:56 AM: Deletion from quarantine initiated
9:56 AM: Processing: hotbar
9:56 AM: Processing: centrport net cookie
9:56 AM: Processing: specificclick.com cookie
9:56 AM: Processing: adserver cookie
9:56 AM: Processing: adjuggler cookie
9:56 AM: Processing: 2o7.net cookie
9:56 AM: Processing: cws-aboutblank
9:56 AM: Processing: limeshop
9:56 AM: Deletion from quarantine completed. Elapsed time 00:00:00
********
8:59 AM: |··· Start of Session, Friday, August 26, 2005 ···|
8:59 AM: Spy Sweeper started
8:59 AM: |··· End of Session, Friday, August 26, 2005 ···|

#10
Snickets (Visiting Staff, 425 posts)
Hello Bertz,

Please post one more HijackThis log for me to review and I will go from there.

Just want to be sure that nothing is left on the machine.

Thank you,

Snickets

:tazz:

#11
Bertz (Topic Starter, New Member, 6 posts)
Hi Snickets:

Here is the log. I hope you don't find anything new!

Thanks for your help.

Bertz

Logfile of HijackThis v1.99.1
Scan saved at 10:34:33 AM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hphmon05.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Betsy Coste\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hawaii.rr.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Internet Explorer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2AF638C-9723-4619-A9E9-2F8546EC06F8}: Domain = hawaii.rr.com
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#12
Snickets (Visiting Staff, 425 posts)
Hello Bertz,

Looks like we have done the trick. Please read everything below carefully, as it will save you a lot of heartache in the long run.

Congratulations, your log appears to be clean!!!

Please follow the directions below to clear out your system restore points, and also make sure to read the prevention tips on how to prevent further infection on your PC.

1. One last step to take in fixing your computer.
After something like this it is a good idea to purge the Restore Points and start fresh.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run, type msconfig and press Enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.
Reboot.
Go back in and turn System Restore ON. A new Restore Point will be created.

2. Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Check the following:
Do not Show hidden files and folders
Hide protected operating system files
Click on Apply.
Close out the search window.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice: So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

Thank you,

Snickets

:tazz:
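The HOSTS-file redirection described in the prevention tips above, as an added Python example that is not from this thread or from the MVPS project: it parses a HOSTS file in the real format, emulates the resolver's exact-name lookup, and audits which tracker hosts are pinned to 127.0.0.1. The HOSTS content and the hostnames are constructed, loosely modelled on the trackers named in the Spy Sweeper cookie sweep earlier in the thread.

```python
"""Emulate HOSTS-file ad blocking (added example, not part of the thread).

A HOSTS entry maps a hostname to an IP before DNS is consulted, so pinning
an ad host to 127.0.0.1 makes the connection go to the local machine and fail.
"""
import ipaddress

# Constructed sample in the real HOSTS syntax: "<ip> <host> [<host>...] [# comment]".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  2o7.net  www.2o7.net     # tracker names are constructed samples
127.0.0.1  adopt.specificclick.com
127.0.0.1  rotator.adjuggler.com
127.0.0.1  centrport.net
"""


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS text.

    Rules emulated: '#' starts a comment, fields are whitespace separated,
    one IP may be followed by several hostnames, names are case-insensitive,
    and the FIRST mapping for a name wins (later duplicates are ignored).
    Malformed lines (bad IP, no hostname) are skipped rather than raising.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an IP address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(table, hostname):
    """HOSTS lookup: exact, case-insensitive name match only. None means the
    name falls through to DNS; there is no suffix or wildcard matching, so an
    entry for specificclick.com does NOT cover adopt.specificclick.com."""
    return table.get(hostname.strip().rstrip(".").lower())


def is_blocked(table, hostname):
    """True when HOSTS pins the name to loopback (127.x) or 0.0.0.0."""
    ip = resolve(table, hostname)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_coverage(table, hostnames):
    """Return the given tracker hosts that would still reach the network."""
    return [h for h in hostnames if not is_blocked(table, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    seen = ["2o7.net", "ADOPT.specificclick.com", "z1.adserver.com",
            "rotator.adjuggler.com", "specificclick.com"]
    for h in seen:
        print(f"{h:28} -> {resolve(hosts, h) or 'DNS'}")
    print("not covered:", audit_coverage(hosts, seen))
```

The audit shows the practical caveat of this approach: only hosts listed by exact name are blocked, so a tracker that moves to a new subdomain is reached until the HOSTS file is updated.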

#13
Snickets (Visiting Staff, 425 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.