[criticman]

Pieter-
UMonitor has been pestering me, as well. Also those damned 69.20.16.183 files, whatever the [bleep] they are... I can't find them and I've been looking. This morning, i hand trimmed my registry for 40 minutes and managed to get rid of 3 of them. Now, they're back. CoolWebSearch is responsible for these browser hijackers, as I'm sure you know. As for UMonitor, I have yet to figure out what it is, aside from just a major annoyance.
It doesn't seem to be anything but a 'work in progress', but I've got additional files you can check out if you'd like. I copy them down as the error messages pop-up. It is a new dll every time.
Here's my list, feel free to contact me, I'll respond.

C:\WINDOWS\System32\ntoskrnl.exe
C:\WINDOWS\System32\fp8s0317e.dll
C:\WINDOWS\System32\md3216.dll
C:\WINDOWS\System32\mrcomput.dll
C:\WINDOWS\System32\ibmp,dll
C:\WINDOWS\System32\j8j60i1.dll
C:\WINDOWS\System32\m5ybg71r.dll
C:\WINDOWS\System32\nJrrhook.dll

There are also a bunch of them (at least 10), which I deleted the other day. I'm sure this isn't the last of it. Haven't tried Killbot yet, sounds like a good idea, though.

Richard

[Advertisements]

Criticman:

Please start your own post and put your hijack log in the Hijack This forum.

[coachwife6]

Criticman:

Please start your own post and put your hijack log in the Hijack This forum.

[tdcook4]

Well pat yourself on the back....I think you've done it! My excitement may be premature, but no errors today and no pop ups so far.

I'll post my hijack, but it did get the strings.exe file. The 69.20.16.183 files were already gone, but I'm not sure why. Could AdAware have gotten them after your last fix? I ran it yesterday when I couldn't access your site. I couldn't believe it when nothing came up after the 3rd scan!!

I was so doubtful that I uninstalled AdAware, reinstalled, updated and ran again. Nothing.....no VX2's...nothing, and that hasn't been the case for almost a month.

I hate to mention anything negative since I'm so ecstatic, but Norton is still picking up 13 entries that it can't get rid of. They're all adware, but I don't know how to fix. Can you help with that?

One last question (yeah, right). Could this UMonitor nightmare have been the reason my wireless router quit working. I've had it out of the loop since this mess started, but thought today might be a good time to try it again.

Can't thank you enough!! It must feel great to have the knowledge to solve problems that can literally disable the rest of us

Logfile of HijackThis v1.99.0
Scan saved at 10:55:54 AM, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLHOS~1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\America Online 9.0d\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\110281~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0d\shellmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tammy\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102811785\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /auto:TivoServer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TiVo Beacon - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TivoBeacon.exe
O23 - Service: WANMiniportService - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Metallica]

I am so glad it finally worked for you.

Could you post what exactly Norton is having problems with?

Usually flushing your Restore POints after getting cleaned out does the trick.

To do so:
Disable System Restore
Reboot
Re-enable System Restore

More info: http://service1.syma...src=sec_doc_nam

AdAware does clean the hosts file as well, yes.

I do not think this could somehow have effected your wireless router.

Regards,

Pieter

[4fun]

Hi every one and our staff ! I'm a newcomer and English is not my mother tongue, so hope you guys would understand me ....
I find that my problem is exactly the same of tdcook4 , and I'm wondering if i can follow your solution to fix it or i have to post my own situation with something called hijackthis log ?(I'm not using it and have no idea with it)
Hope getting your help . Thanks a lot !

[Metallica]

Hi 4fun,

It is better to start your own thread.
This malware uses random filenames and you would have to be very clever to be able to reconstruct the correct solution for yourself.

Regards,

Pieter

[tdcook4]

I disabled System Restore, etc., but still no luck w/Norton. I'm not even sure how to create a Norton log, but I think this will at least tell you what files I'm dealing with. It has to do with BargainBuddy....Grrrr. I looked it up at Symantec and tried to follow their instructions at this link, but the program isn't in Add/Remove Programs.

http://securityrespo...rgainbuddy.html

Here's what I got from Norton.....

Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/Program Files/CashBack/bin/flash.exe,Description: The compressed file C:/Program Files/CashBack/bin/flash.exe within C:\WINDOWS\SYSTEM32\psis80ex.ax is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/Program Files/CashBack/bin/cb.exe,Description: The compressed file C:/Program Files/CashBack/bin/cb.exe within C:\WINDOWS\SYSTEM32\psis80ex.ax is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/Program Files/CashBack/bin/cashback.exe,Description: The compressed file C:/Program Files/CashBack/bin/cashback.exe within C:\WINDOWS\SYSTEM32\psis80ex.ax is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/WINDOWS/System32/mscb.dll,Description: The compressed file C:/WINDOWS/System32/mscb.dll within C:\WINDOWS\SYSTEM32\psis80ex.ax is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/WINDOWS/System32/javexulm.vxd,Description: The compressed file C:/WINDOWS/System32/javexulm.vxd within C:\WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/WINDOWS/System32/exul.exe,Description: The compressed file C:/WINDOWS/System32/exul.exe within C:\WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/WINDOWS/System32/mqexdlm.srg,Description: The compressed file C:/WINDOWS/System32/mqexdlm.srg within C:\WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/WINDOWS/System32/exdl.exe,Description: The compressed file C:/WINDOWS/System32/exdl.exe within C:\WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adx.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adx.exe within C:\WINDOWS\SYSTEM32\mac80ex.idf is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adv.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adv.exe within C:\WINDOWS\SYSTEM32\mac80ex.idf is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/bargains.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/bargains.exe within C:\WINDOWS\SYSTEM32\mac80ex.idf is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.BargainBuddy,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:/WINDOWS/System32/msbe.dll,Description: The compressed file C:/WINDOWS/System32/msbe.dll within C:\WINDOWS\SYSTEM32\mac80ex.idf is a Adware threat."
1/1/2005 4:38:47 PM,Virus scanner,Adware.WinFetch,Delete failed,File,N/A,N/A,200412300008,10.0.1.13,Tammy,MOM,",Threat category: AdwareSource: C:\Documents and Settings\Tammy\Local Settings\Temp\AZ7M2Ozhd.exe,Description: The file C:\Documents and Settings\Tammy\Local Settings\Temp\AZ7M2Ozhd.exe is a Adware threat."

Thanks so much!

[Metallica]

Can you send me a copy of this file:
C:\WINDOWS\system32\psis80ex.ax

pieterATwilderssecurity.org (replace AT with @)

The rest looks to be in your Temp files:
Use the DiskCleanup Tool to empty all your Temp folders.

Regards,

Pieter

[4fun]

ah, i got it . but it's my bad, i even don't know how to start telling you about my problem . Do I have to download the Hijackthis to send you my log ?I used Ad-aware and also Webroot spy sweeper to clean my PC . The Adaware always find the three malware VX[...] ,and the Sweeper always find the Ad Look2me . I tried using Norton and it didn't find anything...
I also note that every time when my PC starts up , the Startup Shield of Webroot alerts me to a programme named "AWW" . I select this AWW to remove .But this alert keeps on poping up after my every removing.
Please tell me which steps I should do .
Thank you very much !

[Metallica]

4fun,

Scroll up, find the New Topic button, start one and post a HijackThis log:
http://home.planet.n...xplanation.html

Regards,

Pieter

[tdcook4]

Pieter,

I ran DiskCleanup yet again, then went exploring to try and figure out why it wasn't finding or deleting the file that Norton was picking up.....C:\Documents and Settings\Tammy\Local Settings\Temp\AZ7M20zhd.exe.

Here's what I found, and don't really know if it means anything. C:\Documents and Settings\Tammy\Local Settings is marked as "Read Only" and "Hidden". I'm assuming this is why DiskCleanup isn't working there?

Can I manually delete all temp files under C:\Documents and Settings\Tammy\Local Settings, or change from ReadOnly/Hidden so that DiskCleanup will get them? Should that file always be marked as ReadOnly or Hidden in the future?

I've learned from experience not to delete anything without being told, so sorry if this seems like overkill on my part

A little more info on the file you asked me to send, as well as the two others from the Norton log. All 3 are within System32 and are dated the same...12/11/04...which is when my problem seems to have started. The one you asked for...psis80ex.ax occurred at 12:36:57, netut80ex.vxd at 12:37:05 and mac80ex.idf at 12:36:57. Can I just delete them??

Thanks!

[Metallica]

Only the temp files that belong to zip files are supposed to be hidden and read only in that folder.

Those are made when you look or run anything from within a zip file.

The rest can be deleted freely.
Don't hold back.

Regards,

Pieter