[cronopio]

Hello all,

If anyone can help me with the following problem, I would very much appreciate it.

My brother, who is running WinXP, has been getting a nasty case of spyware/virus.
Here are the symptoms:
-IE start page is always reset to about:blank upon reboot.
-This page shows some search interface and generates endless popups. Popups also appear during surfing with IE. My brother has since been using Firefox, but does need IE for certain sites.
-HijackThis log files show a file c:\windows\system32\xxxxxx.dll/sp.html, where xxxxxx changes every time you remove it with HJT. It reappears again and again.
-E-mails sent to his e-mail address, which he accesses using Outlook Web Access, do not always arrive.
-E-mails sent from this e-mail address sometimes bounce, reporting that they contain a virus. A (Symantec) scan then reveals that his system has no virus.
-E-mails that arrive in this e-mail inbox appear to have been sent to someone else (spam arrives with someone else (known to my brother) in the To:-section).
-Ad-Aware sometimes freezes in mid-scan.
-Forums I've been looking at cite similar problems and suggest that the system is infected with Nibu.D, Backdoor.Agent.B or Bloodhound.Exploit.6. But subsequent virus scans (e.g. using the scanner on securityresponse.symantec.com) turn up zilch, and running removal tools also turns up nothing.

Can anyone suggest a solution for this?

Below is the HJT log,

Thanks a million in advance,

cronopio

-----------
Logfile of HijackThis v1.99.0
Scan saved at 1:16:20, on 9-1-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\javajr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Eigenaar.ZOLA-W82TZZE6NM\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer van Het Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://apc.hetnet.nl/proxy.pac:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://apc.hetnet.nl/proxy.pac:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = reg.hetnet.nl;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5D8C38B8-233D-824F-9C0F-A3EBB2B4824A} - C:\WINDOWS\crjs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [syszb32.exe] C:\WINDOWS\system32\syszb32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [winwu.exe] C:\WINDOWS\system32\winwu.exe
O4 - HKLM\..\Run: [ieie32.exe] C:\WINDOWS\system32\ieie32.exe
O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\System32\Indexindicator.exe /check
O4 - HKLM\..\Run: [MEMreaload] C:\Program Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\System32\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\System32\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [netsy32.exe] C:\WINDOWS\netsy32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.rabobank.nl
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\javajr.exe

[Advertisements]

Hey,

I had a similar problem with IE before and a program called spysweeper sorted it for me. The progam has a 30 day trial when you install it which is more than enough time to give it a go. I had the same problem with autoblank and popups and I had to use firefox for a while too. If your gona try this you might have to do 2 scans because it didnt pick up the problem on the first scan for me. I dont know if this will definitly pick up your problem but its worth a go.

Heres the link from download.com: http://www.download....4-10301356.html

[steven bruton]

Hey,

I had a similar problem with IE before and a program called spysweeper sorted it for me. The progam has a 30 day trial when you install it which is more than enough time to give it a go. I had the same problem with autoblank and popups and I had to use firefox for a while too. If your gona try this you might have to do 2 scans because it didnt pick up the problem on the first scan for me. I dont know if this will definitly pick up your problem but its worth a go.

Heres the link from download.com: http://www.download....4-10301356.html

[coachwife6]

This is a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service.

1. Obtain list of irregular services:
* Please download ServiceFilter
* Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
* Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
* If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
* It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
* Press Ctrl + A simultaneously to select all of the text.
* Copy and paste the whole thing into your next post.
* A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

[cronopio]

Here's the contents of the POST_THIS.TXT. Please note that my brother is using a Dutch system. So please note: Onwaar = False, Waar = True, Beheert schaduwkopie�n op basis van software, die door de Volume Shadow Copy-service zijn gemaakt. ... = Manages shadow copies on the basis of software, which have been made by the Volume Shadow Copy-service...

Can you help out?

Thanks,

cronopio

---------------------


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
jan 9, 2005 17:16:53


===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Beheert schaduwkopie�n op basis van software, die door de Volume Shadow Copy-service zijn gemaakt. ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{d494f87f-1551-4fb9-bec4-abfb4efb41c7}
State: Stopped
Process ID: 0
Started: Onwaar
Exit Code: 1077
Accept Pause: Onwaar
Accept Stop: Onwaar

Unknown Service # 2
Service Name: �%AF���(
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\javajr.exe /s
State: Running
Process ID: 1824
Started: Waar
Exit Code: 0
Accept Pause: Onwaar
Accept Stop: Waar

---> End Service Listing <---

There are 80 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 3,921875 seconds.

[coachwife6]

Cronopia:

Hold off on this fix until I check with Metallica. He knows Dutch and I want to make sure I got any translation correct.

(OK, Metallica (Pieter) said to go ahead and proceed . I am part-Dutch, but don't know the lingo very well. Thanks Pieter).

1. Prepare AboutBuster for use:
* Download AboutBuster.
* Unzip AboutBuster to a convenient folder such as C:\AboutBuster.
* Run AboutBuster.exe. Click OK, Update, Check For Update. Download the updates if they exist.
* Click Exit as I do not want you to run the program yet.

2. Prepare cwsserviceremove.reg for use:
* Download cwsserviceremove.zip.
* Unzip cwsserviceremove.reg to your desktop but do not run it yet.

3. Print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

4. Reconfigure Windows XP to show hidden files:
* Click Start. Open My Computer.
* Select the Tools menu and click Folder Options. Select the View Tab.
* Under the Hidden files and folders heading select "Show hidden files and folders".
* Uncheck the "Hide protected operating system files (recommended)" option.
* Uncheck the "Hide file extensions for known file types" option.
* Click Yes to confirm. Click OK.

5. Boot into Safe Mode:
* Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
* To get back to normal mode just restart the computer as you normally would.

6. Stop and disable the offending service:
* Start | Run | type services.msc | OK
* Scroll down the list until you find the service called MS Software Shadow Copy Provider and Network Security Service
* Double-click on it and under the General tab click Stop to stop the service.
* Change the Startup Type to Disabled.
* Click Apply and then OK and close any open windows.

7. End the service process:
* Press the Ctrl + Alt + Delete keys simultaneously to open the Task Manager.
* Under the Processes tab find c:\windows\system32\javajr.exe /s
* Click End Process.
* File | Exit Task Manager

8. Fix malicious entries with HijackThis:
* Please close all browsers and windows that you might have open.
* Open HijackThis and click Scan.
* Place checkmarks in the boxes next to these entries(if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmrb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhmrb.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5D8C38B8-233D-824F-9C0F-A3EBB2B4824A} - C:\WINDOWS\crjs.dll

O4 - HKLM\..\Run: [syszb32.exe] C:\WINDOWS\system32\syszb32.exe
O4 - HKLM\..\Run: [winwu.exe] C:\WINDOWS\system32\winwu.exe
O4 - HKLM\..\Run: [ieie32.exe] C:\WINDOWS\system32\ieie32.exe
O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\System32\Indexindicator.exe /check
O4 - HKLM\..\Run: [MEMreaload] C:\Program Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\System32\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\System32\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [netsy32.exe] C:\WINDOWS\netsy32.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\javajr.exe


* Once you have placed a checkmark next to each one of them, click Fix Checked.

9. Remove malicious folders and files:
* Please delete these folders using Windows Explorer(if present):
o C:\WINDOWS\netsy32.exe
o C:\WINDOWS\System32\Recalculate.exe
o C:\Program Files\ServicePackFiles\reload.exe
o C:\WINDOWS\system32\winwu.exe
o C:\WINDOWS\System32\SuiteOffices.exe
C:\WINDOWS\system32\syszb32.exe
C:\WINDOWS\system32\javajr.exe
C:\WINDOWS\jhmrb.dll
C:\WINDOWS\crjs.dll
C:\WINDOWS\system32\ieie32.exe
C:\Program Files\ServicePackFiles\MEMreaload.exe
C:\WINDOWS\System32\Indexindicator.exe

10. Remove the offending service:
* Double-click the cwsserviceremove.reg file you downloaded at the beginning.
* Answer Yes when prompted to add the contents to the registry.

11. Run AboutBuster and save the logs:
* Browse to where you saved AboutBuster and run AboutBuster.exe.
* Click OK at the directions prompt.
* Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
* Click Yes to allow it to shutdown explorer.exe.
* It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
* When it has finished, click Save Log. Make sure you save it as I need a copy of it.

12. Clean out temporary files:
* Start | Run | type cleanmgr | OK
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

13. Restart your computer normally to return to normal mode.

14. Restore (possibly) deleted files:
* this page - Visit this page.
o Download the version of control.exe that corresponds to your operating system.
o If you are running Windows 95, 98, or ME copy it to C:\WINDOWS.
o If you are running Windows 2000 copy it to C:\WINNT\system32.
o If you are running Windows XP copy it to C:\WINDOWS\system32.
* HOSTS - Download the Hoster Hoster.
o Unzip Hoster to a convenient folder such as C:\Hoster.
o Run Hoster.exe, click Restore Original Hosts and then click OK.
o Click the X to exit the program.
o Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
* SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from here and copy it to the default Spybot folder.
o The normal path is C:\Program Files\Spybot - Search & Destroy.
* shell.dll - Visit this page.
o Download the version that corresponds to your operating system.
o If you are running Windows 98 copy it to C:\WINDOWS\System.
o If you are running Windows 2000 copy it to C:\WINNT\System32.
o If you are running Windows XP copy it to C:\WINDOWS\System32.

15. Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

16. Run an online virus scan:
* Run the TrendMicro Housecall online virus scan TrendMicro Housecall.
* Let it remove any infected files found.

17. Prepare your reply:
* Please post a fresh HijackThis log
* Please post the AboutBuster log.
* Please note any complications you had.

Edited by coachwife6, 09 January 2005 - 02:52 PM.

[Metallica]

Spot on cw6

Regards or as we say in Dutch, groetjes,

Pieter

[cronopio]

Wow, what a procedure. I went through the whole thing with my brother yesterday night. The virus scan at the end produced a number of files infected with TROJ_ISBAR.F.Z somewhere in "Temporary Internet Files/Content.IE5" but could not subsequently be found using Windows Explorer.

Here is the HJT log, I should get the AboutBuster one later. I should also get some feedback on whether the system is actually performing better, although I think my brother has become a Firefox convert

Many, many thanks, also to Metallica,
cronopio
Logfile of HijackThis v1.99.0
Scan saved at 4:33:31, on 10-1-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Eigenaar.ZOLA-W82TZZE6NM\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer van Het Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://apc.hetnet.nl/proxy.pac:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://apc.hetnet.nl/proxy.pac:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = reg.hetnet.nl;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.rabobank.nl
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8247F51-B658-488B-A189-AD00883FE27D}: NameServer = 195.121.1.34 195.121.1.66
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

[cronopio]

update: Here is the AboutBuster log:


Scanned at: 2:04:21 on: 10-1-2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22


Removed Data Streams:
C:\WINDOWS\addcc.exe:hrato
C:\WINDOWS\Blauw 16.bmp:uemej
C:\WINDOWS\bootstat.dat:kmfyq
C:\WINDOWS\cdplayer.ini:sslll
C:\WINDOWS\clock.avi:vkqiw
C:\WINDOWS\comsetup.log:ltwrf
C:\WINDOWS\comsetup.log:ltwrf
C:\WINDOWS\COUNTRY.INI:ffppf
C:\WINDOWS\d3wj32.exe:kdees
C:\WINDOWS\d3wj32.exe:kdees
C:\WINDOWS\dahotfix.log:svzss
C:\WINDOWS\DATAFAX.INI:wcsmb
C:\WINDOWS\desktop.ini:zrian
C:\WINDOWS\ieuninst.exe:yoajl
C:\WINDOWS\iewh32.exe:fnfys
C:\WINDOWS\imsins.BAK:pnhgv
C:\WINDOWS\KB824105.log:aovgy
C:\WINDOWS\KB824141.log:qwnre
C:\WINDOWS\KB826939.log:spoua
C:\WINDOWS\KB833407.log:lqzzu
C:\WINDOWS\KB842773.log:mdnur
C:\WINDOWS\msdfmap.ini:kdgzp
C:\WINDOWS\NOTEPAD.EXE:uholh
C:\WINDOWS\n_axukbo.log:tcbtb
C:\WINDOWS\n_hggzho.log:mvuyd
C:\WINDOWS\n_vkxjxh.txt:ewnmx
C:\WINDOWS\n_vkxjxh.txt:ewnmx
C:\WINDOWS\Patroon.bmp:mcfqw
C:\WINDOWS\Q327979.log:tadqp
C:\WINDOWS\Q329048.log:fcxwq
C:\WINDOWS\Q331953.log:jgbjl
C:\WINDOWS\Q331953.log:jgbjl
C:\WINDOWS\Q815485.log:jwdko
C:\WINDOWS\Q816982.log:jtzcu
C:\WINDOWS\Q819696.log:wsosk
C:\WINDOWS\regedit.exe:dgmos
C:\WINDOWS\Rivier Sumida.bmp:klual
C:\WINDOWS\Santa Fe Stucco.bmp:hmrlg
C:\WINDOWS\system.ini:pzbxk
C:\WINDOWS\twain_32.dll:rxcpn
C:\WINDOWS\uninst.exe:hregl
C:\WINDOWS\vbaddin.ini:vzyjm
C:\WINDOWS\vmmreg32.dll:aspmf
C:\WINDOWS\wininit.ini:amfvc
C:\WINDOWS\Zapotec.bmp:jufrh


Removed 4 Random Key Entries
Removed! : C:\WINDOWS\znfmg.dat
Removed! : C:\WINDOWS\System32\dnnbc.dat
Removed! : C:\WINDOWS\System32\famhp.dat
Removed! : C:\WINDOWS\System32\gjhmr.dat
Removed! : C:\WINDOWS\System32\mzbcu.dat
Removed! : C:\WINDOWS\System32\xirwe.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22


Removed Data Streams:
C:\WINDOWS\addcc.exe:hrato
C:\WINDOWS\Blauw 16.bmp:uemej
C:\WINDOWS\bootstat.dat:kmfyq
C:\WINDOWS\cdplayer.ini:sslll
C:\WINDOWS\clock.avi:vkqiw
C:\WINDOWS\comsetup.log:ltwrf
C:\WINDOWS\comsetup.log:ltwrf
C:\WINDOWS\COUNTRY.INI:ffppf
C:\WINDOWS\d3wj32.exe:kdees
C:\WINDOWS\d3wj32.exe:kdees
C:\WINDOWS\dahotfix.log:svzss
C:\WINDOWS\DATAFAX.INI:wcsmb
C:\WINDOWS\desktop.ini:zrian
C:\WINDOWS\ieuninst.exe:yoajl
C:\WINDOWS\iewh32.exe:fnfys
C:\WINDOWS\imsins.BAK:pnhgv
C:\WINDOWS\KB824105.log:aovgy
C:\WINDOWS\KB824141.log:qwnre
C:\WINDOWS\KB826939.log:spoua
C:\WINDOWS\KB833407.log:lqzzu
C:\WINDOWS\KB842773.log:mdnur
C:\WINDOWS\msdfmap.ini:kdgzp
C:\WINDOWS\NOTEPAD.EXE:uholh
C:\WINDOWS\n_axukbo.log:tcbtb
C:\WINDOWS\n_hggzho.log:mvuyd
C:\WINDOWS\n_vkxjxh.txt:ewnmx
C:\WINDOWS\n_vkxjxh.txt:ewnmx
C:\WINDOWS\Patroon.bmp:mcfqw
C:\WINDOWS\Q327979.log:tadqp
C:\WINDOWS\Q329048.log:fcxwq
C:\WINDOWS\Q331953.log:jgbjl
C:\WINDOWS\Q331953.log:jgbjl
C:\WINDOWS\Q815485.log:jwdko
C:\WINDOWS\Q816982.log:jtzcu
C:\WINDOWS\Q819696.log:wsosk
C:\WINDOWS\regedit.exe:dgmos
C:\WINDOWS\Rivier Sumida.bmp:klual
C:\WINDOWS\Santa Fe Stucco.bmp:hmrlg
C:\WINDOWS\system.ini:pzbxk
C:\WINDOWS\twain_32.dll:rxcpn
C:\WINDOWS\uninst.exe:hregl
C:\WINDOWS\vbaddin.ini:vzyjm
C:\WINDOWS\vmmreg32.dll:aspmf
C:\WINDOWS\wininit.ini:amfvc
C:\WINDOWS\Zapotec.bmp:jufrh


Attempted Clean Of Temp folder.
Pages Reset... Done!

[Metallica]

Excellent.

One more thing left to do I think.

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Groetjes,

Pieter

[cronopio]

Great, this indeed removed a suspicious looking web address (IP address) from the list of Trusted Zones (otherwise empty).

I think this did the trick, if any further problems arise I will let you know.

Thanks to all involved for your help, we couldn't have done it without you guys!!!



cronopio (and his brother)

Excellent. 

One more thing left to do I think.

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Groetjes,

Pieter