
Smart Security Trojan got me...I think


  • This topic is locked
22 replies to this topic

#1 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 23 May 2005 - 05:02 PM

I don't recognize what I thought was my home PC. The wallpaper is "red" w/ads for SmartSecurity. A "snim.dll" can't be found when I start up. Did some research which lead me to your site. Here's my log and I'd appreciate if you could help me regain control of my PC. Txs.

Logfile of HijackThis v1.99.1
Scan saved at 6:51:06 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crrl.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\Cci.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Documents and Settings\John\Application Data\ersh.exe
C:\WINDOWS\System32\dderenv.exe
C:\WINDOWS\System32\?ttrib.exe
C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {99D54368-0118-55BE-9FED-B7883F55C2CF} - C:\WINDOWS\system32\atlht32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [appgu.exe] C:\WINDOWS\system32\appgu.exe
O4 - HKLM\..\Run: [Internet Component] C:\WINDOWS\System32\nwapanim.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Systemos Restart] Rundll32.exe pifn.dll, DllRegisterServer
O4 - HKLM\..\Run: [Ons] C:\WINDOWS\System32\Ahv.exe
O4 - HKLM\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKLM\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKLM\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKLM\..\Run: [Mgj] C:\WINDOWS\System32\Lop.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Tka.exe
O4 - HKLM\..\Run: [Hld] C:\WINDOWS\Qkg.exe
O4 - HKLM\..\Run: [Jtf] C:\WINDOWS\System32\Ect.exe
O4 - HKLM\..\Run: [Okr] C:\WINDOWS\Gcj.exe
O4 - HKLM\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKLM\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKLM\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKLM\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKLM\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKLM\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKLM\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKLM\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKLM\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKLM\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKLM\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKLM\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKLM\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKLM\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKLM\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKLM\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKLM\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKLM\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Etq] C:\WINDOWS\Mnb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Ins] C:\WINDOWS\System32\Fss.exe
O4 - HKCU\..\Run: [Tsdt] C:\Documents and Settings\John\Application Data\ersh.exe
O4 - HKCU\..\Run: [IwoqRib4h] dderenv.exe
O4 - HKCU\..\Run: [Ugqtur] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [xservice] C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
O4 - HKCU\..\Run: [Bud] C:\WINDOWS\Tfa.exe
O4 - HKCU\..\Run: [Ekc] C:\WINDOWS\System32\Sov.exe
O4 - HKCU\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKCU\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKCU\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKCU\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKCU\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKCU\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKCU\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKCU\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKCU\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKCU\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKCU\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKCU\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKCU\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKCU\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKCU\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKCU\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKCU\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKCU\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKCU\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKCU\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKCU\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKCU\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKCU\..\Run: [Etq] C:\WINDOWS\Mnb.exe
O4 - Startup: WindowsUpdate40826[1].exe
O4 - Startup: winupdate30769450[1].exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://horse-active....ang/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4604
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O21 - SSODL: Meeting Component - {858D970D-ABF2-4C6A-B744-A0ABD268155A} - C:\WINDOWS\System32\unipjxpw.dll
O21 - SSODL: NTDBGTOOL - {5CE4279B-967E-422E-BF8A-9AA5BEA566CF} - C:\WINDOWS\System32\mmcbidft.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crrl.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#2 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 23 May 2005 - 09:05 PM

You have a few different problems in your log; I need you to download a few tools.
Try and do all the following I ask. It may seem like a bit, but most scans don't take too long to finish, with the exception of Ewido.
But it is a valuable tool to help eliminate the infections.

==Download and UNZIP to desktop or a folder Cwsserviceremove.zip so you now have
cwserviceremove.reg extracted
We'll need this later
[attachment=239:attachment]

==Download and UNZIP to desktop or a folder
HSFIX.zip
HSFix directory will be created
We'll need this later

===Download and save to desktop or a folder
DelDomains.inf
http://www.mvps.org/.../DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
We'll need this later

==Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

==Download and UNZIP to a folder or desktop
Fixdesktop.zip
So you now have Fixdesktop.reg extracted

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Print this out or save these instructions to a Notepad file and save it to your Desktop or a folder

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Network Security Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\system32\uqjlv.dll
C:\WINDOWS\System32\Cci.exe
C:\WINDOWS\System32\dderenv.exe
C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
C:\WINDOWS\System32\unipjxpw.dll
C:\WINDOWS\System32\mmcbidft.dll
C:\Documents and Settings\John\Application Data\ersh.exe
C:\WINDOWS\system32\atlht32.dll
C:\WINDOWS\system32\appgu.exe
C:\WINDOWS\System32\nwapanim.exe
C:\WINDOWS\System32\Ahv.exe
C:\WINDOWS\System32\Cci.exe
C:\WINDOWS\Jlk.exe
C:\WINDOWS\Rnv.exe
C:\WINDOWS\System32\Lop.exe
C:\WINDOWS\Tka.exe
C:\WINDOWS\Qkg.exe
C:\WINDOWS\System32\Ect.exe
C:\WINDOWS\Gcj.exe
C:\WINDOWS\Kdb.exe
C:\WINDOWS\Nkj.exe
C:\WINDOWS\Tlp.exe
C:\WINDOWS\Dtg.exe
C:\WINDOWS\System32\Esm.exe
C:\WINDOWS\System32\Rfq.exe
C:\WINDOWS\Cbl.exe
C:\WINDOWS\System32\Jfj.exe
C:\WINDOWS\Fmj.exe
C:\WINDOWS\System32\Qiu.exe
C:\WINDOWS\Gbd.exe
C:\WINDOWS\System32\Jra.exe
C:\WINDOWS\Etg.exe
C:\WINDOWS\System32\Ifn.exe
C:\WINDOWS\Dnl.exe
C:\WINDOWS\System32\Csd.exe
C:\WINDOWS\Vkl.exe
C:\WINDOWS\Dnk.exe
C:\WINDOWS\System32\Dpu.exe
C:\WINDOWS\System32\Jhd.exe
C:\WINDOWS\Mnb.exe
C:\WINDOWS\System32\Fss.exe
C:\WINDOWS\Tfa.exe
C:\WINDOWS\System32\Sov.exe
C:\WINDOWS\System32\Cci.exe
C:\WINDOWS\Jlk.exe
C:\WINDOWS\Rnv.exe
C:\WINDOWS\Kdb.exe
C:\WINDOWS\Nkj.exe
C:\WINDOWS\Tlp.exe
C:\WINDOWS\Dtg.exe
C:\WINDOWS\System32\Esm.exe
C:\WINDOWS\System32\Rfq.exe
C:\WINDOWS\Cbl.exe
C:\WINDOWS\System32\Jfj.exe
C:\WINDOWS\Fmj.exe
C:\WINDOWS\System32\Qiu.exe
C:\WINDOWS\Gbd.exe
C:\WINDOWS\System32\Jra.exe
C:\WINDOWS\Etg.exe
C:\WINDOWS\System32\Ifn.exe
C:\WINDOWS\Dnl.exe
C:\WINDOWS\System32\Csd.exe
C:\WINDOWS\Vkl.exe
C:\WINDOWS\Dnk.exe
C:\WINDOWS\System32\Dpu.exe
C:\WINDOWS\System32\Jhd.exe
C:\WINDOWS\Mnb.exe
C:\WINDOWS\system32\crrl.exe
C:\WINDOWS\Web\Desktop.html
C:\Documents and Settings\John\Start Menu\Programs\Startup\WindowsUpdate40826[1].exe
C:\Documents and Settings\John\Start Menu\Programs\Startup\winupdate30769450[1].exe

===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


*Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete these folders if found

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files

==Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit.
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

*Double Click on Fixdesktop.reg and allow to merge to the registry
*Double click on cwserviceremove.reg also allow to add or merge

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {99D54368-0118-55BE-9FED-B7883F55C2CF} - C:\WINDOWS\system32\atlht32.dll

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [appgu.exe] C:\WINDOWS\system32\appgu.exe
O4 - HKLM\..\Run: [Internet Component] C:\WINDOWS\System32\nwapanim.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Systemos Restart] Rundll32.exe pifn.dll, DllRegisterServer
O4 - HKLM\..\Run: [Ons] C:\WINDOWS\System32\Ahv.exe
O4 - HKLM\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKLM\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKLM\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKLM\..\Run: [Mgj] C:\WINDOWS\System32\Lop.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Tka.exe
O4 - HKLM\..\Run: [Hld] C:\WINDOWS\Qkg.exe
O4 - HKLM\..\Run: [Jtf] C:\WINDOWS\System32\Ect.exe
O4 - HKLM\..\Run: [Okr] C:\WINDOWS\Gcj.exe
O4 - HKLM\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKLM\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKLM\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKLM\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKLM\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKLM\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKLM\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKLM\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKLM\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKLM\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKLM\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKLM\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKLM\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKLM\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKLM\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKLM\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKLM\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKLM\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Etq] C:\WINDOWS\Mnb.exe

O4 - HKCU\..\Run: [Ins] C:\WINDOWS\System32\Fss.exe
O4 - HKCU\..\Run: [Tsdt] C:\Documents and Settings\John\Application Data\ersh.exe
O4 - HKCU\..\Run: [IwoqRib4h] dderenv.exe
O4 - HKCU\..\Run: [Ugqtur] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [xservice] C:\DOCUME~1\John\LOCALS~1\Temp\temp25.exe
O4 - HKCU\..\Run: [Bud] C:\WINDOWS\Tfa.exe
O4 - HKCU\..\Run: [Ekc] C:\WINDOWS\System32\Sov.exe
O4 - HKCU\..\Run: [Hsh] C:\WINDOWS\System32\Cci.exe
O4 - HKCU\..\Run: [Rlm] C:\WINDOWS\Jlk.exe
O4 - HKCU\..\Run: [Onv] C:\WINDOWS\Rnv.exe
O4 - HKCU\..\Run: [Kuh] C:\WINDOWS\Kdb.exe
O4 - HKCU\..\Run: [Sgu] C:\WINDOWS\Nkj.exe
O4 - HKCU\..\Run: [Leh] C:\WINDOWS\Tlp.exe
O4 - HKCU\..\Run: [Gtt] C:\WINDOWS\Dtg.exe
O4 - HKCU\..\Run: [Asu] C:\WINDOWS\System32\Esm.exe
O4 - HKCU\..\Run: [Hen] C:\WINDOWS\System32\Rfq.exe
O4 - HKCU\..\Run: [Mjf] C:\WINDOWS\Cbl.exe
O4 - HKCU\..\Run: [Bfi] C:\WINDOWS\System32\Jfj.exe
O4 - HKCU\..\Run: [Qig] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Hvm] C:\WINDOWS\System32\Qiu.exe
O4 - HKCU\..\Run: [Uif] C:\WINDOWS\Gbd.exe
O4 - HKCU\..\Run: [Djl] C:\WINDOWS\System32\Jra.exe
O4 - HKCU\..\Run: [Keq] C:\WINDOWS\Etg.exe
O4 - HKCU\..\Run: [Jeh] C:\WINDOWS\System32\Ifn.exe
O4 - HKCU\..\Run: [Kgh] C:\WINDOWS\Dnl.exe
O4 - HKCU\..\Run: [Nbn] C:\WINDOWS\System32\Csd.exe
O4 - HKCU\..\Run: [Jsq] C:\WINDOWS\Vkl.exe
O4 - HKCU\..\Run: [Etg] C:\WINDOWS\Dnk.exe
O4 - HKCU\..\Run: [Iag] C:\WINDOWS\System32\Dpu.exe
O4 - HKCU\..\Run: [Osj] C:\WINDOWS\System32\Jhd.exe
O4 - HKCU\..\Run: [Etq] C:\WINDOWS\Mnb.exe
O4 - Startup: WindowsUpdate40826[1].exe
O4 - Startup: winupdate30769450[1].exe

O9 - Extra button: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B8BF3C80-2914-416E-8D06-1634224BE0B4} - (no file) (HKCU)

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://horse-active....ang/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4604

O21 - SSODL: Meeting Component - {858D970D-ABF2-4C6A-B744-A0ABD268155A} - C:\WINDOWS\System32\unipjxpw.dll
O21 - SSODL: NTDBGTOOL - {5CE4279B-967E-422E-BF8A-9AA5BEA566CF} - C:\WINDOWS\System32\mmcbidft.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crrl.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART back to Normal mode

==Do the following
1. In the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Back in Windows
Do another scan with Hijackthis and post a fresh log
Also post the report from Ewido
The log from About:Buster
The log from HSFix.bat>>C:\hslog.txt



#3 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 24 May 2005 - 06:00 AM

Txs for quick reply! I copied to 3.5 all but Ewido Trojan Scanner. It won't fit on a separate disk. I'm using my other PC as the nurse maid.

Any recommendations?

I tried some other tools that were self-extracting, but my PC would not install them. Even when trying to run my NORTON 2005, it won't launch.

Will try to load the other software listed later today.

#4 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 24 May 2005 - 12:07 PM

If I understand correctly, you have everything else downloaded and transferred to the infected computer except for Ewidos
You didn't mention you couldn't get online with the infected computer

Follow all the other instructions I posted above
Omit the steps with Ewido for now

But I need you to manually update the definitions for About:Buster

I've uploaded the latest ref. list
Download the zipped file and Unzip it to the AboutBuster folder you unzipped earlier
Allow to overwrite if prompted
[attachment=240:attachment]

Additionally, if you couldn't download and install Windows CleanUp!
While in Safe mode, when I ask you to do the step with CleanUp!
Could you do the following if you couldn't install the program
Navigate to and delete ALL files and subfolders in your TEMP folders
Don't delete the Temp directories themselves

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin"

Do what you can and let me know what you couldn't accomplish later



#5 Guest_Guest_chewman_*_*

Guest_Guest_chewman_*_*
  • Guests

Posted 24 May 2005 - 08:59 PM

Sorry for mis-informing you about my network connectivity, I'm still reluctant to do so. Your instructions were very good.

Finished all of the steps outlined in your detailed instructions, with the following exceptions:

1. EWIDO: Was able to get a copy on CD and installed as instructed. However, when I got to the "click on Update" then "click the Start update button" step, on the bottom msg bar I got "socket() failed!". Could this be caused by my not connecting my network cable? Because of this, I didn't run the EWIDO scan feature.

2. When I got to the "Control Panel" steps, I couldn't change my background. No theme was clickable. The default background was still my dreaded "red Smart Security" background.

While in step 2 above, an Internet Explorer browser popped up with "about:blank" in the URL window.

Here are the 2 logs you requested:
hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 10:26:48 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Gug.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B73F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\pifn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Olb] C:\WINDOWS\System32\Sgj.exe
O4 - HKLM\..\Run: [Jsi] C:\WINDOWS\System32\Tml.exe
O4 - HKLM\..\Run: [Pqv] C:\WINDOWS\Gug.exe
O4 - HKLM\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKLM\..\Run: [Vle] C:\WINDOWS\System32\Foa.exe
O4 - HKLM\..\Run: [Qag] C:\WINDOWS\Sdq.exe
O4 - HKLM\..\Run: [Mui] C:\WINDOWS\Nfj.exe
O4 - HKLM\..\Run: [Per] C:\WINDOWS\Ntr.exe
O4 - HKLM\..\Run: [Tod] C:\WINDOWS\System32\Oqr.exe
O4 - HKLM\..\Run: [Systemos Restart] Rundll32.exe pifn.dll, DllRegisterServer
O4 - HKLM\..\Run: [Egq] C:\WINDOWS\Obl.exe
O4 - HKLM\..\Run: [Rac] C:\WINDOWS\Rmk.exe
O4 - HKLM\..\Run: [Jde] C:\WINDOWS\System32\Daf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Olb] C:\WINDOWS\System32\Sgj.exe
O4 - HKCU\..\Run: [Jsi] C:\WINDOWS\System32\Tml.exe
O4 - HKCU\..\Run: [Pqv] C:\WINDOWS\Gug.exe
O4 - HKCU\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKCU\..\Run: [Vle] C:\WINDOWS\System32\Foa.exe
O4 - HKCU\..\Run: [Qag] C:\WINDOWS\Sdq.exe
O4 - HKCU\..\Run: [Mui] C:\WINDOWS\Nfj.exe
O4 - HKCU\..\Run: [Per] C:\WINDOWS\Ntr.exe
O4 - HKCU\..\Run: [Tod] C:\WINDOWS\System32\Oqr.exe
O4 - HKCU\..\Run: [Egq] C:\WINDOWS\Obl.exe
O4 - HKCU\..\Run: [Jde] C:\WINDOWS\System32\Daf.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




Here is the AB LogFile.txt


Scanned at: 6:52:50 PM on: 5/24/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed! : C:\WINDOWS\System32\deffw.dat
Removed! : C:\WINDOWS\System32\fafpe.dat
Removed! : C:\WINDOWS\System32\frtxo.dat
Removed! : C:\WINDOWS\System32\ijbir.dat
Removed! : C:\WINDOWS\System32\juhfc.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Removed! : C:\WINDOWS\System32\pqfme.dat
Removed! : C:\WINDOWS\System32\pymtc.dat
Removed! : C:\WINDOWS\System32\rxkrq.dat
Removed! : C:\WINDOWS\System32\ugobr.dat
Removed! : C:\WINDOWS\System32\vmjqt.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!





Scanned at: 6:54:53 PM on: 5/24/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed! : C:\WINDOWS\System32\deffw.dat
Removed! : C:\WINDOWS\System32\fafpe.dat
Removed! : C:\WINDOWS\System32\frtxo.dat
Removed! : C:\WINDOWS\System32\ijbir.dat
Removed! : C:\WINDOWS\System32\juhfc.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Removed! : C:\WINDOWS\System32\pqfme.dat
Removed! : C:\WINDOWS\System32\pymtc.dat
Removed! : C:\WINDOWS\System32\rxkrq.dat
Removed! : C:\WINDOWS\System32\ugobr.dat
Removed! : C:\WINDOWS\System32\vmjqt.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

#6 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 24 May 2005 - 10:55 PM

We made some progress.
We'll have to get rid of the whole infection before we can restore your display properties.
Shut down your computer and then reconnect the network cable.

Restart and then update Ewido

Download and save to the desktop or a folder CWShredder.exe from my signature below

Please save the rest of these instructions to a Notepad file on the desktop or a folder
Close down all browser windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uqjlv.dll/sp.html#37049

O2 - BHO: (no name) - {B73F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\pifn.dll

O4 - HKLM\..\Run: [Olb] C:\WINDOWS\System32\Sgj.exe
O4 - HKLM\..\Run: [Jsi] C:\WINDOWS\System32\Tml.exe
O4 - HKLM\..\Run: [Pqv] C:\WINDOWS\Gug.exe
O4 - HKLM\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKLM\..\Run: [Vle] C:\WINDOWS\System32\Foa.exe
O4 - HKLM\..\Run: [Qag] C:\WINDOWS\Sdq.exe
O4 - HKLM\..\Run: [Mui] C:\WINDOWS\Nfj.exe
O4 - HKLM\..\Run: [Per] C:\WINDOWS\Ntr.exe
O4 - HKLM\..\Run: [Tod] C:\WINDOWS\System32\Oqr.exe
O4 - HKLM\..\Run: [Systemos Restart] Rundll32.exe pifn.dll, DllRegisterServer
O4 - HKLM\..\Run: [Egq] C:\WINDOWS\Obl.exe
O4 - HKLM\..\Run: [Rac] C:\WINDOWS\Rmk.exe
O4 - HKLM\..\Run: [Jde] C:\WINDOWS\System32\Daf.exe

O4 - HKCU\..\Run: [Olb] C:\WINDOWS\System32\Sgj.exe
O4 - HKCU\..\Run: [Jsi] C:\WINDOWS\System32\Tml.exe
O4 - HKCU\..\Run: [Pqv] C:\WINDOWS\Gug.exe
O4 - HKCU\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKCU\..\Run: [Vle] C:\WINDOWS\System32\Foa.exe
O4 - HKCU\..\Run: [Qag] C:\WINDOWS\Sdq.exe
O4 - HKCU\..\Run: [Mui] C:\WINDOWS\Nfj.exe
O4 - HKCU\..\Run: [Per] C:\WINDOWS\Ntr.exe
O4 - HKCU\..\Run: [Tod] C:\WINDOWS\System32\Oqr.exe
O4 - HKCU\..\Run: [Egq] C:\WINDOWS\Obl.exe
O4 - HKCU\..\Run: [Jde] C:\WINDOWS\System32\Daf.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
C:\WINDOWS\System32\pifn.dll
C:\WINDOWS\System32\Sgj.exe
C:\WINDOWS\System32\Tml.exe
C:\WINDOWS\Gug.exe
C:\WINDOWS\Aej.exe
C:\WINDOWS\System32\Foa.exe
C:\WINDOWS\Sdq.exe
C:\WINDOWS\Nfj.exe
C:\WINDOWS\Ntr.exe
C:\WINDOWS\System32\Oqr.exe
C:\WINDOWS\Obl.exe
C:\WINDOWS\Rmk.exe
C:\WINDOWS\System32\Daf.exe

===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

In Safe mode

Run the full scan with Ewido from the Instructions I supplied from above
Remember to save the log afterwards

Run About:Buster again, saving the log

Double click on fixdesktop.reg again and allow it to merge into the registry

Run CWShredder, click the FIX button
Let it finish the scan and then

Restart back to Normal mode

Do this again
1. In the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

Post back a fresh hijackthis log
and the report from Ewido
And the new About:buster log

You didn't supply me with the log from HSFix.bat, what happened to it?

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#7 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 28 May 2005 - 11:11 PM

I ran HJT with the supplied entries.

When trying to run KILLBOX, I was able to copy to the clipboard, but the following items didn't paste:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

Ran with the others.

When trying to run Ewido, it stopped 3-4 times with an error saying: SecuritySuite encountered an error and couldn't continue. The highest it got to was 51.8%. During these restarts, it did find the following:
trojan.agent.bi
netvi32.exe
spyware.spywad.b
d3xk.dll
trojan.feat

Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:51:44 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\Qii.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKLM\..\Run: [Jkq] C:\WINDOWS\System32\Qii.exe
O4 - HKLM\..\Run: [Cjf] C:\WINDOWS\System32\Sho.exe
O4 - HKLM\..\Run: [Ofh] C:\WINDOWS\System32\Bbc.exe
O4 - HKLM\..\Run: [Klm] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Jkq] C:\WINDOWS\System32\Qii.exe
O4 - HKCU\..\Run: [Cjf] C:\WINDOWS\System32\Sho.exe
O4 - HKCU\..\Run: [Ofh] C:\WINDOWS\System32\Bbc.exe
O4 - HKCU\..\Run: [Klm] C:\WINDOWS\System32\Pch.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



Here is the BUSTER Log:
Scanned at: 6:54:53 PM on: 5/24/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed! : C:\WINDOWS\System32\deffw.dat
Removed! : C:\WINDOWS\System32\fafpe.dat
Removed! : C:\WINDOWS\System32\frtxo.dat
Removed! : C:\WINDOWS\System32\ijbir.dat
Removed! : C:\WINDOWS\System32\juhfc.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Removed! : C:\WINDOWS\System32\pqfme.dat
Removed! : C:\WINDOWS\System32\pymtc.dat
Removed! : C:\WINDOWS\System32\rxkrq.dat
Removed! : C:\WINDOWS\System32\ugobr.dat
Removed! : C:\WINDOWS\System32\vmjqt.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 12:41:21 AM on: 5/29/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Here is the HSLOG:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
tmp*.tmp
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

#8 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 28 May 2005 - 11:15 PM

Were you running EWIDO in SAFE MODE?
Let me know that info

We will have to manually add those entries into Killbox

Could you also do the following for me please

Download and UNZIP to desktop or a folder
Files.zip
Open the folder you extracted and double click on Find.bat
Let this run, it will produce a log

Post the contents back here with the fresh hijackthis log



#9 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 29 May 2005 - 10:05 PM

Glad/sorry to see you rest on the 7th day!

Yes, I was running EWIDO in SAFE MODE. And I manually entered the entries that wouldn't paste from the clipboard and ran Killbox.

Files.zip log:
***LOG!***
Scanning for file(s)...

* result-> C:\WINDOWS\System32\BBC.EXE
* result-> C:\WINDOWS\System32\DSC.EXE
* result-> C:\WINDOWS\System32\IGS.EXE
* result-> C:\WINDOWS\System32\KDA.EXE
* result-> C:\WINDOWS\System32\MUV.EXE
* result-> C:\WINDOWS\System32\PCH.EXE
* result-> C:\WINDOWS\System32\QII.EXE
* result-> C:\WINDOWS\System32\SHO.EXE
* result-> C:\WINDOWS\System32\TFE.EXE
* result-> C:\WINDOWS\AMV.EXE
* result-> C:\WINDOWS\CDM.EXE
* result-> C:\WINDOWS\JBN.EXE
* result-> C:\WINDOWS\JKM.EXE
* result-> C:\WINDOWS\NLL.EXE
* result-> C:\WINDOWS\DESKTO~1.HTM
* result-> C:\WINDOWS\EOH~1.HTM
* result-> C:\WINDOWS\POPUP~1.HTM
* result-> C:\WINDOWS\QIK~1.HTM

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:58:26 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\Qii.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKLM\..\Run: [Jkq] C:\WINDOWS\System32\Qii.exe
O4 - HKLM\..\Run: [Cjf] C:\WINDOWS\System32\Sho.exe
O4 - HKLM\..\Run: [Ofh] C:\WINDOWS\System32\Bbc.exe
O4 - HKLM\..\Run: [Klm] C:\WINDOWS\System32\Pch.exe
O4 - HKLM\..\Run: [Bdb] C:\WINDOWS\System32\Muv.exe
O4 - HKLM\..\Run: [Cgd] C:\WINDOWS\Jbn.exe
O4 - HKLM\..\Run: [Tld] C:\WINDOWS\Jkm.exe
O4 - HKLM\..\Run: [Ahm] C:\WINDOWS\System32\Kda.exe
O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Cdm.exe
O4 - HKLM\..\Run: [Tlt] C:\WINDOWS\System32\Tfe.exe
O4 - HKLM\..\Run: [Jqo] C:\WINDOWS\System32\Dsc.exe
O4 - HKLM\..\Run: [Sfv] C:\WINDOWS\Amv.exe
O4 - HKLM\..\Run: [Dss] C:\WINDOWS\System32\Igs.exe
O4 - HKLM\..\Run: [Plo] C:\WINDOWS\Nll.exe
O4 - HKLM\..\Run: [Tsi] C:\WINDOWS\System32\Uqp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Jkq] C:\WINDOWS\System32\Qii.exe
O4 - HKCU\..\Run: [Cjf] C:\WINDOWS\System32\Sho.exe
O4 - HKCU\..\Run: [Ofh] C:\WINDOWS\System32\Bbc.exe
O4 - HKCU\..\Run: [Klm] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [Bdb] C:\WINDOWS\System32\Muv.exe
O4 - HKCU\..\Run: [Cgd] C:\WINDOWS\Jbn.exe
O4 - HKCU\..\Run: [Tld] C:\WINDOWS\Jkm.exe
O4 - HKCU\..\Run: [Ahm] C:\WINDOWS\System32\Kda.exe
O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Cdm.exe
O4 - HKCU\..\Run: [Tlt] C:\WINDOWS\System32\Tfe.exe
O4 - HKCU\..\Run: [Jqo] C:\WINDOWS\System32\Dsc.exe
O4 - HKCU\..\Run: [Sfv] C:\WINDOWS\Amv.exe
O4 - HKCU\..\Run: [Dss] C:\WINDOWS\System32\Igs.exe
O4 - HKCU\..\Run: [Plo] C:\WINDOWS\Nll.exe
O4 - HKCU\..\Run: [Tsi] C:\WINDOWS\System32\Uqp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Again, thanks for your help! :)

#10 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 May 2005 - 11:55 PM

I wish we could have gotten Ewido to run the full scan.
Let's try the following; we can try another trojan scanner if the results of this are no good.

Download and UNZIP to a folder or desktop Removal.zip
So you now have a folder Removal extracted
[attachment=249:attachment]

Print these instructions or save them to a Notepad file for reference

Close out all windows, including this browser

Open Hijackthis>>Open Misc tools Section>>Open Process Manager
Left click to Highlight and then Kill this process if still running
C:\WINDOWS\System32\Qii.exe

Then click BACK and
Do another SCAN with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Lis] C:\WINDOWS\Aej.exe
O4 - HKLM\..\Run: [Jkq] C:\WINDOWS\System32\Qii.exe
O4 - HKLM\..\Run: [Cjf] C:\WINDOWS\System32\Sho.exe
O4 - HKLM\..\Run: [Ofh] C:\WINDOWS\System32\Bbc.exe
O4 - HKLM\..\Run: [Klm] C:\WINDOWS\System32\Pch.exe
O4 - HKLM\..\Run: [Bdb] C:\WINDOWS\System32\Muv.exe
O4 - HKLM\..\Run: [Cgd] C:\WINDOWS\Jbn.exe
O4 - HKLM\..\Run: [Tld] C:\WINDOWS\Jkm.exe
O4 - HKLM\..\Run: [Ahm] C:\WINDOWS\System32\Kda.exe
O4 - HKLM\..\Run: [Bth] C:\WINDOWS\Cdm.exe
O4 - HKLM\..\Run: [Tlt] C:\WINDOWS\System32\Tfe.exe
O4 - HKLM\..\Run: [Jqo] C:\WINDOWS\System32\Dsc.exe
O4 - HKLM\..\Run: [Sfv] C:\WINDOWS\Amv.exe
O4 - HKLM\..\Run: [Dss] C:\WINDOWS\System32\Igs.exe
O4 - HKLM\..\Run: [Plo] C:\WINDOWS\Nll.exe
O4 - HKLM\..\Run: [Tsi] C:\WINDOWS\System32\Uqp.exe

O4 - HKCU\..\Run: [Jkq] C:\WINDOWS\System32\Qii.exe
O4 - HKCU\..\Run: [Cjf] C:\WINDOWS\System32\Sho.exe
O4 - HKCU\..\Run: [Ofh] C:\WINDOWS\System32\Bbc.exe
O4 - HKCU\..\Run: [Klm] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [Bdb] C:\WINDOWS\System32\Muv.exe
O4 - HKCU\..\Run: [Cgd] C:\WINDOWS\Jbn.exe
O4 - HKCU\..\Run: [Tld] C:\WINDOWS\Jkm.exe
O4 - HKCU\..\Run: [Ahm] C:\WINDOWS\System32\Kda.exe
O4 - HKCU\..\Run: [Bth] C:\WINDOWS\Cdm.exe
O4 - HKCU\..\Run: [Tlt] C:\WINDOWS\System32\Tfe.exe
O4 - HKCU\..\Run: [Jqo] C:\WINDOWS\System32\Dsc.exe
O4 - HKCU\..\Run: [Sfv] C:\WINDOWS\Amv.exe
O4 - HKCU\..\Run: [Dss] C:\WINDOWS\System32\Igs.exe
O4 - HKCU\..\Run: [Plo] C:\WINDOWS\Nll.exe
O4 - HKCU\..\Run: [Tsi] C:\WINDOWS\System32\Uqp.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open the Removal folder and double click on Removal.bat
A DOS window will open and then you should get a prompt to add entries to the registry
Allow to Merge

Restart your computer

Back in Windows
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

post back a fresh hijackthis log
Could you also run Find.bat again and post a fresh log from it

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#11 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 30 May 2005 - 10:19 PM

When trying the "Control Panel" steps, again, I couldn't change my background. No theme was clickable. The default background was still my dreaded "red Smart Security" background.


Here is the Find.bat log:
***LOG!***
Scanning for file(s)...

* result-> C:\WINDOWS\System32\BNU.EXE
* result-> C:\WINDOWS\System32\MKE.EXE
* result-> C:\WINDOWS\System32\VTE.EXE
* result-> C:\WINDOWS\HHA.EXE
* result-> C:\WINDOWS\TSN.EXE
* result-> C:\WINDOWS\DESKTO~1.HTM
* result-> C:\WINDOWS\POPUP~1.HTM

Here's HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:09:39 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\Bnu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Bsu] C:\WINDOWS\System32\Vte.exe
O4 - HKLM\..\Run: [Sic] C:\WINDOWS\Tsn.exe
O4 - HKLM\..\Run: [Eor] C:\WINDOWS\System32\Bnu.exe
O4 - HKLM\..\Run: [Jmf] C:\WINDOWS\Hha.exe
O4 - HKLM\..\Run: [Don] C:\WINDOWS\System32\Mke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Bsu] C:\WINDOWS\System32\Vte.exe
O4 - HKCU\..\Run: [Sic] C:\WINDOWS\Tsn.exe
O4 - HKCU\..\Run: [Eor] C:\WINDOWS\System32\Bnu.exe
O4 - HKCU\..\Run: [Jmf] C:\WINDOWS\Hha.exe
O4 - HKCU\..\Run: [Don] C:\WINDOWS\System32\Mke.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#12 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 30 May 2005 - 11:50 PM

Let's try and finish this thing off, geesh I'm having a tough week :)
Ewido usually takes care of the bad files for this bad guy, I want to try running another scanner on your computer
Until we get rid of the bad files, we won't have much luck with your background

Can you do the following please

==Run KillBox.exe
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\BNU.EXE

Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Continue to copy and paste the next paths to the files below into killbox
Selecting Delete on Reboot afterwards

C:\WINDOWS\System32\MKE.EXE
C:\WINDOWS\System32\VTE.EXE
C:\WINDOWS\HHA.EXE
C:\WINDOWS\TSN.EXE
C:\WINDOWS\DESKTO~1.HTM
C:\WINDOWS\POPUP~1.HTM


When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Please Restart the computer into SAFE MODE at this time

In safe mode
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Bsu] C:\WINDOWS\System32\Vte.exe
O4 - HKLM\..\Run: [Sic] C:\WINDOWS\Tsn.exe
O4 - HKLM\..\Run: [Eor] C:\WINDOWS\System32\Bnu.exe
O4 - HKLM\..\Run: [Jmf] C:\WINDOWS\Hha.exe
O4 - HKLM\..\Run: [Don] C:\WINDOWS\System32\Mke.exe

O4 - HKCU\..\Run: [Bsu] C:\WINDOWS\System32\Vte.exe
O4 - HKCU\..\Run: [Sic] C:\WINDOWS\Tsn.exe
O4 - HKCU\..\Run: [Eor] C:\WINDOWS\System32\Bnu.exe
O4 - HKCU\..\Run: [Jmf] C:\WINDOWS\Hha.exe
O4 - HKCU\..\Run: [Don] C:\WINDOWS\System32\Mke.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode
Could you do the following

==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder
We'll need this later

Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs...s/tds3setup.exe
Install it and Restart your computer when and if prompted
Don't run a scan yet

When you're back in Windows it's important to update to the latest RADIUS database

IMPORTANT>>>

Follow this link on how to update it>> follow the instructions carefully
http://tds.diamondcs...php?page=update
Use the Manual update procedure
Again, don't run a scan yet

After TDS3 is updated

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer into Safe mode

First could you do the following
With Windows set to show hidden files and folders
Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt <--I'll want to see this later


Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Give this time to finish
Detections will appear in the lower pane of the TDS window after the scan is finished. Right click the list > select save as txt >> save this to a convenient location; I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

After you have removed the ones with positive Identification

Restart back to Normal mode

After you have done the above
Post back the scandump.txt from TDS-3 file and a new Hijackthis log
Could you also post the log from RKFiles.bat>>>C:\Log.txt


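The entries guestolo keeps picking out by hand follow one pattern: a random three-letter executable dropped straight into C:\WINDOWS or C:\WINDOWS\System32 and registered under both the HKLM and HKCU Run keys. The script below is an added example (not from the thread, not part of HijackThis or Find.bat) that parses O4 lines in the HijackThis v1.99.1 format, flags entries matching that pattern, and cross-checks them against a Find.bat result list; the sample log text is constructed from lines in the same format as the logs posted above.

```python
"""Triage helper for the O4 (Run key) entries in a HijackThis log.

Added example, not part of the original thread or the HijackThis tool. It
encodes the pattern the helper in the thread keeps picking out by hand:
autoruns with random three-letter names dropped into C:\\WINDOWS or
C:\\WINDOWS\\System32 and registered under both HKLM and HKCU Run, which
legitimate software almost never does.
"""
import re
from collections import defaultdict

# Matches "O4 - HKLM\..\Run: [Name] command" and "O4 - HKCU\..\Run: ..." lines.
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$', re.IGNORECASE)
SYSTEM_DIRS = {r'c:\windows', r'c:\windows\system32'}

# Constructed sample in the HijackThis v1.99.1 format; not a real log from the thread.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1 (constructed sample)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Bsu] C:\WINDOWS\System32\Vte.exe
O4 - HKLM\..\Run: [Sic] C:\WINDOWS\Tsn.exe
O4 - HKLM\..\Run: [Qii] C:\WINDOWS\System32\Qii.exe
O4 - HKLM\..\Run: [Hpq] C:\Program Files\HP\Hpq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Bsu] C:\WINDOWS\System32\Vte.exe
O4 - HKCU\..\Run: [Sic] C:\WINDOWS\Tsn.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Constructed sample in the Find.bat output format seen in the thread.
SAMPLE_FIND_LOG = r"""***LOG!***
Scanning for file(s)...

* result-> C:\WINDOWS\System32\VTE.EXE
* result-> C:\WINDOWS\TSN.EXE
* result-> C:\WINDOWS\DESKTO~1.HTM
"""


def extract_exe_path(command):
    """Return the executable path from a Run-key command string.

    Quoted commands ("C:\\...\\x.exe" -flag) end at the closing quote; unquoted
    ones are cut at the first '.exe' so trailing switches are dropped.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find('.exe')
    return command[:idx + 4] if idx >= 0 else command


def split_path(path):
    """Split a Windows path into (directory, basename without extension), lowercased."""
    directory, _, filename = path.lower().rpartition('\\')
    stem = filename.rsplit('.', 1)[0]
    return directory, stem


def parse_o4_run_entries(log_text):
    """Yield (hive, name, exe_path) for every O4 HKLM/HKCU Run line."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, name, command = m.groups()
            yield hive.upper(), name, extract_exe_path(command)


def flag_suspicious_autoruns(log_text):
    """Return {lowercased exe path: reasons} for entries matching the pattern.

    An entry is reported only when its basename is exactly three letters AND it
    sits directly in the Windows or System32 directory; presence in both hives
    is added as a further reason but is not required on its own.
    """
    hives_by_path = defaultdict(set)
    for hive, _name, exe in parse_o4_run_entries(log_text):
        hives_by_path[exe.lower()].add(hive)

    findings = {}
    for exe, hives in hives_by_path.items():
        directory, stem = split_path(exe)
        reasons = []
        if len(stem) == 3 and stem.isalpha():
            reasons.append('random-looking three-letter name')
        if directory in SYSTEM_DIRS:
            reasons.append('dropped directly in the Windows/System32 directory')
        if len(reasons) == 2:
            if hives == {'HKLM', 'HKCU'}:
                reasons.append('registered under both HKLM and HKCU Run')
            findings[exe] = reasons
    return findings


def cross_check_with_find_log(findings, find_log_text):
    """Return the flagged paths that Find.bat also reported (case-insensitive)."""
    found = {line.split('->', 1)[1].strip().lower()
             for line in find_log_text.splitlines() if '* result->' in line}
    return sorted(path for path in findings if path in found)


if __name__ == '__main__':
    hits = flag_suspicious_autoruns(SAMPLE_HJT_LOG)
    for path, reasons in hits.items():
        print(path, '->', '; '.join(reasons))
    print('also reported by Find.bat:', cross_check_with_find_log(hits, SAMPLE_FIND_LOG))
```

The three-letter heuristic is only a triage aid for reading logs like the ones in this thread; anything it flags still has to be checked against a scanner's positive identification, as the helper does here, before it is fixed.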

#13 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 31 May 2005 - 10:48 PM

I didn't start the TDS-3 scan in safe mode; I had to do some work related stuff and broke my concentration on your instructions. Hope it didn't set your efforts back. I ran it a 2nd time in safe mode so I provided both scans. The 1st run identified several "positive IDs", the 2nd identified 3. These logs showed the machine was a "flea ravaged mutt"!

TDS-3 logs:
1st log

Scan Control Dumped @ 23:10:54 31-05-05
Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\bdd.exe

Suspicious Filename: HTA file in suspicious location
File: c:\msupdate.hta

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\!submit\bnu.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\munchie\desktop\worksheet scrap '50 ...'.shs

Suspicious Filename: Dual extensions
File: c:\program files\bittorrent-3.4.1.exe

Positive identification (DLL): Adware.Apropos.e (dll)
File: c:\program files\cxtpls\cxtpls.dll

Positive identification (DLL): Adware.Apropos.f (dll)
File: c:\program files\cxtpls\wingenerics.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.ex11 (dll)
File: c:\program files\hjt\backups\backup-20050524-215836-566.dll

Suspicious Filename: Dual extensions
File: c:\program files\hp\digital imaging\hpis\temp\install.wse.exe

Suspicious Filename: Dual extensions
File: c:\program files\ripper\setupdvddecrypter_3.5.1.0.exe

Positive identification (DLL): TrojanDownloader.Win32.Agent.lz (dll)
File: c:\windows\apiat.dll

Positive identification: Trojan.Win32.Agent.bi2
File: c:\windows\crfn32.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\hku.exe

Positive identification: Adware.Toolbar.UCMore Dropper.e
File: c:\windows\iemenuextension.exe

Positive identification: Trojan.Win32.Agent.bi2
File: c:\windows\iprs32.exe

Positive identification: Trojan.Win32.Agent.bi2
File: c:\windows\javayo32.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\juf.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\kho.exe

Positive identification (DLL): TrojanDownloader.Win32.Agent.lz (dll)
File: c:\windows\mfcoa32.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.ne (dll)
File: c:\windows\ntjk.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\sysys.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\wingd32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winpj32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winrf32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winum.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winuz32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winwh.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winyv32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\winzl.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.lz (dll)
File: c:\windows\system32\addke.dll

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\aip.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\bdd.exe

Positive identification: Trojan.Win32.Agent.bi2
File: c:\windows\system32\d3ap.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\die.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\eno.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\ern.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\fgl.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\ieq.exe

Positive identification: Trojan.Win32.Agent.bi2
File: c:\windows\system32\javarg32.exe

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\mssh32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\msst.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\mstm32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\msum.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\mswf32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\msxr32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netbi.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netbr.dll

Positive identification: Trojan.Win32.Agent.bi1
File: c:\windows\system32\netda.exe

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netge32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netiy.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netlp.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netpx.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netrg32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\nettb32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\nettr.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netuj32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netur32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netwz32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\netyv32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntah.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntdb.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntfs.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\nthw32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntme32.dll

Positive identification: Trojan.Win32.Agent.bi2
File: c:\windows\system32\ntmo.exe

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntre32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntvu.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntwm.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntxa32.dll

Positive identification: TrojanDownloader.Win32.Agent.bq17
File: c:\windows\system32\ntxf.exe

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntxk.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntxq.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\ntyd.dll

Positive identification: TrojanClicker.Win32.Small.ed1
File: c:\windows\system32\open32_uninstall.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\ppc.exe

Positive identification: Adware.Sahat.o3
File: c:\windows\system32\q17i9a4j.exe

Positive identification (DLL): Adware.Sahat.l (dll)
File: c:\windows\system32\qh4mkbv9.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkba32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkcu.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkdl.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdked32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkkt32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkmh.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkmk32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkoo32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkps32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkrb32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkrh32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkwp32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkzv.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sdkzy32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysao.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysap.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysci32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysij.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.lz (dll)
File: c:\windows\system32\sysiw32.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.lz (dll)
File: c:\windows\system32\sysng32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysoa.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysrm32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysry32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysso32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\systp32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysua.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysvn32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\syswe32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysxo.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\sysym.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winbj.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winho32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winir.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winms.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winnq32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winpo32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winrj.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winvz32.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winye.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winzf.dll

Positive identification (DLL): TrojanDropper.Win32.Small.tn1 (dll)
File: c:\windows\system32\winzf32.dll




2nd log
Scan Control Dumped @ 00:26:54 01-06-05
Suspicious Filename: HTA file in suspicious location
File: c:\msupdate.hta

Suspicious Filename: Dual extensions
File: c:\documents and settings\munchie\desktop\worksheet scrap '50 ...'.shs

Suspicious Filename: Dual extensions
File: c:\program files\bittorrent-3.4.1.exe

Suspicious Filename: Dual extensions
File: c:\program files\hp\digital imaging\hpis\temp\install.wse.exe

Suspicious Filename: Dual extensions
File: c:\program files\ripper\setupdvddecrypter_3.5.1.0.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\ljh.exe

Positive identification: TrojanClicker.Win32.Spywad.b
File: c:\windows\system32\thl.exe



Here is the RKFiles.log:

C:\Program Files\SPYGUARD\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye




Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:30:10 AM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKLM\..\Run: [Oem] C:\WINDOWS\System32\Eno.exe
O4 - HKLM\..\Run: [Nhr] C:\WINDOWS\System32\Die.exe
O4 - HKLM\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKLM\..\Run: [Nke] C:\WINDOWS\System32\Ieq.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKLM\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKLM\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKLM\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKLM\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKLM\..\Run: [Oog] C:\WINDOWS\Ljh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKCU\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKCU\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKCU\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKCU\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKCU\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKCU\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKCU\..\Run: [Oog] C:\WINDOWS\Ljh.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#14 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 01 June 2005 - 08:35 PM

I trust you deleted all files marked Positive
This file does look suspicious
Can you send it to the recycle bin please
c:\msupdate.hta

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKLM\..\Run: [Oem] C:\WINDOWS\System32\Eno.exe
O4 - HKLM\..\Run: [Nhr] C:\WINDOWS\System32\Die.exe
O4 - HKLM\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKLM\..\Run: [Nke] C:\WINDOWS\System32\Ieq.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKLM\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKLM\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKLM\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKLM\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKLM\..\Run: [Oog] C:\WINDOWS\Ljh.exe

O4 - HKCU\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKCU\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKCU\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKCU\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKCU\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKCU\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKCU\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKCU\..\Run: [Oog] C:\WINDOWS\Ljh.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Back in Windows check your Display settings again in Internet options

Post back a fresh Hijackthis log

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#15 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 01 June 2005 - 09:53 PM

Thanks for hangin in here!

Yes, all files were deleted from the EWIDO scan. Still can't change the red "SmartSecurity" desktop background.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:53 PM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\imapi.exe
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKLM\..\Run: [Oem] C:\WINDOWS\System32\Eno.exe
O4 - HKLM\..\Run: [Nhr] C:\WINDOWS\System32\Die.exe
O4 - HKLM\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKLM\..\Run: [Nke] C:\WINDOWS\System32\Ieq.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKLM\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKLM\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKLM\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKLM\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKLM\..\Run: [Oog] C:\WINDOWS\Ljh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKCU\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKCU\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKCU\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKCU\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKCU\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKCU\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKCU\..\Run: [Oog] C:\WINDOWS\Ljh.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#16 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 01 June 2005 - 10:05 PM

Those are the same entries in the HijackThis log I asked you to fix earlier

Did you remove this file
c:\msupdate.hta

Can you try this again, and ensure ALL other windows are closed before hitting the FIX CHECKED button
Especially all browser windows

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKLM\..\Run: [Oem] C:\WINDOWS\System32\Eno.exe
O4 - HKLM\..\Run: [Nhr] C:\WINDOWS\System32\Die.exe
O4 - HKLM\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKLM\..\Run: [Nke] C:\WINDOWS\System32\Ieq.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKLM\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKLM\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKLM\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKLM\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKLM\..\Run: [Oog] C:\WINDOWS\Ljh.exe

O4 - HKCU\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKCU\..\Run: [Jbc] C:\WINDOWS\System32\Bdd.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\System32\Fgl.exe
O4 - HKCU\..\Run: [Idc] C:\WINDOWS\System32\Ppc.exe
O4 - HKCU\..\Run: [Djo] C:\WINDOWS\System32\Ern.exe
O4 - HKCU\..\Run: [Vcg] C:\WINDOWS\Hku.exe
O4 - HKCU\..\Run: [Ulh] C:\WINDOWS\Juf.exe
O4 - HKCU\..\Run: [Rfd] C:\WINDOWS\System32\Thl.exe
O4 - HKCU\..\Run: [Oog] C:\WINDOWS\Ljh.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on Fixdesktop.reg and allow it to merge into the registry

RESTART your computer

Back in windows
Check your Display settings,
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if you unchecked anything

Run another scan with hijackthis and post a fresh log

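The O4 entries guestolo asks to have ticked in #14 and #16 share one pattern: a three-letter Run-key name pointing at a three-letter executable dropped directly in C:\WINDOWS or System32, registered under both HKLM and HKCU so that fixing one hive alone leaves the other. As an added example (not code from the thread or from HijackThis), this Python script parses that O4 line format from a constructed log excerpt built from this thread's own entries, flags the lines that fit the pattern, lists the HKLM/HKCU pairs, and prints them in the form a helper would post.

```python
"""Triage O4 (Run key) entries in a HijackThis log. Added example, not part of
the thread or of HijackThis; SAMPLE_LOG is constructed from this thread's entries."""
import re

# HijackThis O4 Run-key line, e.g.  O4 - HKLM\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# A bare three-letter .exe sitting directly here is unusual for legitimate software.
SYSTEM_DIRS = ('c:\\windows\\', 'c:\\windows\\system32\\')

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - HKLM\..\Run: [Oem] C:\WINDOWS\System32\Eno.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Egd] C:\WINDOWS\System32\Aip.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\Kho.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

def parse_o4(log_text):
    """Return (hive, name, command) for every O4 HKLM/HKCU Run-key line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group('hive'), m.group('name'), m.group('cmd')))
    return entries

def exe_path(cmd):
    """Strip quotes and arguments from a Run-key command, keeping the .exe path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.+?\.exe)(\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ')[0]

def looks_random(name):
    """Run-key names like 'Egd' or 'Qol': three letters, first capitalised."""
    return re.fullmatch(r'[A-Z][a-z]{2}', name) is not None

def suspicious_o4(log_text):
    """(hive, name, path) for entries matching the random-name pattern."""
    hits = []
    for hive, name, cmd in parse_o4(log_text):
        path = exe_path(cmd)
        directory, _, filename = path.lower().rpartition('\\')
        in_system_dir = directory + '\\' in SYSTEM_DIRS
        if in_system_dir and looks_random(name) and re.fullmatch(r'[a-z]{3}\.exe', filename):
            hits.append((hive, name, path))
    return hits

def both_hives(log_text):
    """Executables registered under HKLM and HKCU: ticking only one leaves the other."""
    seen = {}
    for hive, _, path in suspicious_o4(log_text):
        seen.setdefault(path, set()).add(hive)
    return {p for p, hives in seen.items() if hives == {'HKLM', 'HKCU'}}

def fix_list(log_text):
    """Lines to tick in HijackThis, HKLM first then HKCU, as the helper posted them."""
    order = {'HKLM': 0, 'HKCU': 1}
    return [f'O4 - {hive}\\..\\Run: [{name}] {path}'
            for hive, name, path in sorted(suspicious_o4(log_text),
                                           key=lambda h: order[h[0]])]

if __name__ == '__main__':
    for line in fix_list(SAMPLE_LOG):
        print(line)
    print('registered in both hives:', sorted(both_hives(SAMPLE_LOG)))
```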


#17 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 01 June 2005 - 10:32 PM

Sent the wrong log, sorry bout that.

Yes, I deleted c:\msupdate.hta earlier.

Great thing, when I reran Fixdesktop.reg, the SmartSecurity red screen is now gone!

This is the latest log:
Logfile of HijackThis v1.99.1
Scan saved at 12:23:27 AM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SPYGUARD\AVWUPSRV.EXE
C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\SPYGUARD\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SPYGUARD\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#18 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 02 June 2005 - 07:15 PM

If everything is running better

You should disable System Restore, restart your computer, then enable System Restore again
This will clear all your restore points and ensure you don't restore any nasties
Once re-enabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is re-enabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad: IE-SPYAD puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 as well

Speaking of SP2, you may consider visiting Windows Updates and Installing Critical updates and Service Pack 2 to help keep secure
Take a read at this
http://www.microsoft...p2/default.mspx

Stay safe :)



#19 chewman

chewman

    Journeyman

  • Members
  • 29 posts

Posted 02 June 2005 - 08:06 PM

u r da man! I'm sure your group has other qualified techs, but you've got my vote. Can't thank you enuff!

Will do the last bit of tips you supplied, SpywareBlaster sounds like it will help keep my PC somewhat virus safe.

Only one thing I can see that isn't quite right. I can't "right click" anything. Nothing happens! Any thoughts?

#20 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 02 June 2005 - 09:51 PM

Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as repair.reg

Save this file on the desktop

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

Double click on repair.reg and allow it to be added or merged into the registry

Restart your computer and let me know if the right click is now enabled

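The repair.reg above works by resetting the Explorer policy values NoViewContextMenu (which disables right-click when set), NoSetTaskbar and NoSaveSettings to zero under the two policy keys it lists. As an added example, not part of the thread, this Python script parses a .reg export (a constructed sample showing the infected state) with those keys, reports which of the three restrictions are switched on, and generates the matching repair .reg; other "No*" values such as NoDriveTypeAutoRun are left alone because they are not UI restrictions.

```python
"""Audit the Explorer restriction policies that this thread's repair.reg resets.
Added example, not from the thread; SAMPLE_EXPORT is a constructed .reg export
of the infected state."""
import re

# The three values repair.reg sets to zero (post #20 above).
UI_RESTRICTIONS = ('NoViewContextMenu', 'NoSetTaskbar', 'NoSaveSettings')
POLICY_KEYS = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
)
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""

def parse_reg(text):
    """{key path: {value name: int}} for dword values; string and binary values
    are skipped because the policies of interest are all dwords."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group('name')] = int(m.group('hex'), 16)
    return result

def is_policy_key(key):
    """Registry paths are case-insensitive, so compare lowercased."""
    return key.lower() in {k.lower() for k in POLICY_KEYS}

def enabled_restrictions(parsed):
    """(key, name) for each UI restriction that is switched on (nonzero).
    Other 'No*' values such as NoDriveTypeAutoRun are legitimate and left alone."""
    return [(key, name)
            for key, values in parsed.items() if is_policy_key(key)
            for name, val in values.items()
            if name in UI_RESTRICTIONS and val != 0]

def build_repair_reg(restrictions):
    """Emit a .reg that zeroes each restriction, in the shape of the thread's repair.reg."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, name in restrictions:
        lines += [f'[{key}]', f'"{name}"=dword:00000000', '']
    return '\n'.join(lines)

if __name__ == '__main__':
    found = enabled_restrictions(parse_reg(SAMPLE_EXPORT))
    for key, name in found:
        print(f'enabled restriction: {name} under {key}')
    print(build_repair_reg(found))
```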