Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

msblank and winlogon issues [RESOLVED]


  • This topic is locked This topic is locked

#1
Dragon13

Dragon13

    New Member

  • Member
  • Pip
  • 6 posts
Dear Ma'am or Sir;

I am new to forums, but I really need some help here.
I have been infected with the msblank virus (Spyware?). I also have a possible problem with something else, as my Internet page opens on "www.topotun.com".

I followed the information for msblank that was posted to member "me-not-like-virus". I have only used Killbox to delete C:\Windows\system32\popcorn72.exe and one called C:\WINDOWS\SYSTEM32\dgprpsetup.exe. I still have the annoting toolbar that comes with msblank, though.
I have not made any changes using HJT at this time, pending your advice.

Scans made before deleting above:
Silent Runner
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"rundll32" = "C:\windows\rundll32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"ccApp" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" ["Symantec Corporation"]
"ccRegVfy" = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" ["Symantec Corporation"]
"ControlPanel" = "C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile" [null data]
"Microsoft Helper Service" = "C:\WINDOWS\System32\mstaskm.exe" [file not found]
"dmjbd.exe" = "C:\WINDOWS\System32\dmjbd.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{08BEC6AA-49FC-4379-3587-4B21E286C19E}\(Default) = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qqykz.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" ["FotoNation Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\default\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Startup items in "default" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"PowerPanel" -> shortcut to: "C:\Program Files\PowerPanel\Program\PcfMgr.exe /launch" ["Phoenix Technologies Ltd."]
"VAIO Action Setup (Server)" -> shortcut to: "C:\Program Files\Sony\VAIO Action Setup\VAServ.exe" ["Sony Corporation"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]
INFECTION WARNING! "winlogon.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [file not found]
"ISP signup reminder 2" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /s /2" [file not found]
"Video Reminder" -> launches: "C:\WINDOWS\TUNEUP.EXE /COOL" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qqykz.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll" ["Yahoo! Inc."]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qqykz.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll" ["Yahoo! Inc."]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qqykz.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{173F3521-8FBE-4D0C-B14D-C4D8513A06C0}\

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{173F3521-8FBE-4D0C-B14D-C4D8513A06C0}\


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.att.net

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DefWatch, DefWatch, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton Personal Firewall Accounts Manager, NISUM, "C:\Program Files\Norton Personal Firewall\NISUM.EXE" ["Symantec Corporation"]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" ["Symantec Corporation"]
Symantec Proxy Service, ccPxySvc, "C:\Program Files\Norton Personal Firewall\ccPxySvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 46 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 44 seconds.
---------- (total run time: 307 seconds)

RKFiles log
C:\Documents and Settings\default\Desktop\RKF

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\bndmod.exe: UPX!
C:\WINDOWS\SYSTEM32\hlmicro.exe: UPX!
C:\WINDOWS\SYSTEM32\woinst32.exe: PEFSG!
C:\WINDOWS\SYSTEM32\popcorn72.exe: FSG!
C:\WINDOWS\SYSTEM32\dgprpsetup.exe: FSG!

C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe: UPX!
Files Found in all users windows Folder............
------------------------
Finished
bye

HJT log (after deletion of "popcorn" and "dgprpsetup":
Logfile of HijackThis v1.99.1
Scan saved at 11:00:55 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qqykz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\qqykz.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [dmiyq.exe] C:\WINDOWS\System32\dmiyq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - C:\WINDOWS\htasys.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - C:\WINDOWS\htasys.dll (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F8922A-10B8-4B13-848D-DFC6134C1E3B}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

I thank you for your time and patience.
  • 0

Advertisements


#2
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Hello and welcome to Geeks To Go.

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++
Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Run Ewido Security Suite . Set the program up as follows:[list]
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

+++++ Step 2 +++++

Further Scanning
Please run a Scan at the Following site
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available
at the end of this scan you will be given then option to save a log from the scan -SAVE THAT LOG- and post it here

+++++ Step 3 +++++

Update HiJackThis
  • Open HiJackThis
  • Click Open the Misc Tools Section
  • Click Check for update online
+++++ Step 4 +++++

After that, I will need to see a Recent HijackThis log (preferrable taken today!)

Post back with those logs and we can continue from there.

If you have received help elsewhere or no longer need our assistance, please let us know.

Edited by skate_punk_21, 25 September 2005 - 08:23 AM.

  • 0

#3
Dragon13

Dragon13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry it took so long to respond. I only have access to the internet at work.

The annoying toolbar is now gone!

Here are the scans:
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:23:40 AM, 9/26/2005
+ Report-Checksum: F44FA52E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -> Spyware.SearchBarCash : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}\TypeLib\\ -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9388907F-82F5-434D-A941-BB802C6DD7C1} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9388907F-82F5-434D-A941-BB802C6DD7C1}\TypeLib\\ -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9D573D0E-663C-435F-BF31-2C4497373C41}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTactivex.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTactivex.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTactivex.Installer\CLSID\\ -> Spyware.SearchBarCash : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTactivex.Installer\CurVer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTactivex.Installer.1 -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTactivex.Installer.1\CLSID\\ -> Spyware.SearchBarCash : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{110FA82F-DB6C-3C24-8929-60961D10C56E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8C752C5E-3C10-4076-AF0A-FFC69FA20D1B} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-796845957-1606980848-1957994488-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-796845957-1606980848-1957994488-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-796845957-1606980848-1957994488-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-796845957-1606980848-1957994488-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
[480] VM_018B0000 -> Trojan.Small.fb : Error during cleaning
[2204] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\qqykz.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\SYSTEM32\csshc.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\SYSTEM32\hwiper.exe -> Trojan.Qhost.dv : Cleaned with backup
C:\WINDOWS\SYSTEM32\bndmod.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\hlmicro.exe -> Spyware.Msnagent : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ISTactivex.dll -> TrojanDownloader.IstBar.s : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059733.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059738.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059742.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059749.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059754.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059767.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059781.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059792.exe -> TrojanDownloader.Agent.sy : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059793.exe -> TrojanDownloader.Agent.sy : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP576\A0059797.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP579\A0060101.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP577\A0059825.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP578\A0059909.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP578\A0059991.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060164.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP575\A0059711.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP575\A0059716.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP575\A0059720.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP575\A0059727.exe -> Trojan.Small.fb : Cleaned with backup
C:\!Submit\dgprpsetup.exe -> TrojanDownloader.Agent.sy : Cleaned with backup
C:\!Submit\popcorn72.exe -> TrojanDownloader.Agent.sy : Cleaned with backup


::Report End

Panda:

Incident Status Location

Virus:Trj/Downloader.gen Disinfected Operating system
Adware:adware/dloader No disinfected C:\WINDOWS\SYSTEM32\msblank.html
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/worldsearch No disinfected Windows Registry
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20031222-071911.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20031223-143538.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20031224-115533.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20031226-134914.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20031229-070809.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040103-122229.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040105-072438.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040107-230528.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040111-114203.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040112-083428.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040115-081012.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040116-230410.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040126-013337.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040127-093710.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040130-144621.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040203-212042.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040209-144329.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040213-155237.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040215-101521.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040307-134240.backup
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts.20040316-072156.backup
Virus:Trj/Downloader.gen Disinfected C:\WINDOWS\htasys.dll
Adware:Adware/Startpage.CBL No disinfected C:\WINDOWS\secure64.html
Adware:Adware/SBSoft No disinfected C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060168.dll
Virus:Trj/Downloader.EQS Disinfected C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060169.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060171.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060172.exe
Adware:Adware/Dloader No disinfected C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060173.exe
Adware:Adware/Dloader No disinfected C:\System Volume Information\_restore{B63174F6-402D-44F6-9D9C-C2558F81B4B8}\RP580\A0060174.exe
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:27:01 AM, on 9/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [dmnqp.exe] C:\WINDOWS\System32\dmnqp.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_129205] C:\WINDOWS\System32\ActiveScan\pavdr.exe 129205
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - C:\WINDOWS\htasys.dll
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - C:\WINDOWS\htasys.dll (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F8922A-10B8-4B13-848D-DFC6134C1E3B}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thank you for your help.
  • 0

#4
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Download Killbox
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot) Click Yes at the 'Pending Operations prompt'. if you see it:

C:\WINDOWS\secure64.html
C:\WINDOWS\SYSTEM32\msblank.html
C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
C:\WINDOWS\rdt.ini
C:\WINDOWS\System32\dmnqp.exe
C:\WINDOWS\System32\popcorn72.exe
C:\WINDOWS\System32\mstaskm.exe

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually .

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


REBOOT NOW


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKLM\..\Run: [dmnqp.exe] C:\WINDOWS\System32\dmnqp.exe

the following two entries in red, may be placed there intentionally, but if not please fix in HJT
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - C:\WINDOWS\htasys.dll
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - C:\WINDOWS\htasys.dll (HKCU)

Please remember to close all other windows, including browsers then click Fix checked.

REBOOT NOW

Please post a fresh Hijack This log so that we can check if your system is clean.
  • 0

#5
Dragon13

Dragon13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:10:01 AM, on 9/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [dmonz.exe] C:\WINDOWS\System32\dmonz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F8922A-10B8-4B13-848D-DFC6134C1E3B}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

One thing I have noticed. You asked me to "check" 04 - HKLM\...\Run: [dmnqp.exe] C:\WINDOWS\System32\dmnqp.exe. I did not see this file after I ran Killbox. There is, however, a different file on the log O4 - HKLM\..\Run: [dmonz.exe] C:\WINDOWS\System32\dmonz.exe. I looked at a couple of older logs that I have saved, and it appears that this file changes every time I reboot (the file always begins with "dm"). Is this normal?

Thank you again.
  • 0

#6
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts

here is, however, a different file on the log O4 - HKLM\..\Run: [dmonz.exe] C:\WINDOWS\System32\dmonz.exe. I looked at a couple of older logs that I have saved, and it appears that this file changes every time I reboot (the file always begins with "dm"). Is this normal?

NO! this entry is the devil! :tazz: ! next instructions... Run a scan in HijackThis and find that entry. Note the path to that file. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste the path to that file into KillBox (hitting the X button when done- choose YES when it asks if you want to reboot).

REBOOT now,
Open HijackThis, and check that entry that you found before (it shouldnt have changed this time), fix checked, reboot once more, and then get a fresh HijackThis Log. -we should be done now, or [bleep] close! -
  • 0

#7
Dragon13

Dragon13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
That seems to have worked!
My only questions now are: isn't ctfmon.exe bad? do I have to manually fix the registries that show "topotun.com"?

new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:10:20 PM, on 9/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F8922A-10B8-4B13-848D-DFC6134C1E3B}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thank you very much! :tazz:
  • 0

#8
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\windows\rundll32.exe <--must be this file and NOT C:\windows\system32\rundll32.exe

Post a fresh log when done

Edited by skate_punk_21, 28 September 2005 - 05:30 AM.

  • 0

#9
Dragon13

Dragon13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
The file did not exist.
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:35:13 PM, on 9/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F8922A-10B8-4B13-848D-DFC6134C1E3B}: NameServer = 85.255.113.132,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{503EB69C-E3C5-4926-B5D5-2FDD73E8F14C}: NameServer = 85.255.113.132,85.255.112.21
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

I hope this is it!
  • 0

#10
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
How does it feel to have a clean computer? :tazz:

Congratulations Your Log is Clean!!

If you are still having trouble, please dont continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function - simply uncheck this same box, and click "apply" and "ok"


2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.


Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures.
  • 0

#11
Dragon13

Dragon13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you very much for your time and patience, skate_punk_21. I have adjusted the System Restore and Folder settings as instructed. The computer seems to be running quite well now.

PS - I like your icon (go figure)!
  • 0

#12
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Glad everything is well, good luck in the future
Skate
  • 0

#13
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Glad everything is well, good luck in the future
Skate
  • 0

#14
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP