TheTechGuide Forum
General Category => Tech Clinic => Topic started by: laura on February 28, 2005, 07:29:27 PM
-
Hi, I'm having all kinds of adware and malware troubles at work.
My IT guy can't figure it out. I've used Ad Aware and Spybot S&D and
still I have problems. NOW, when I type in the word "fundsite" in the browser, it gets hijacked by Seeq.
I don't have complete administrator access, but any help will be appreciated.
Please see the below hijackthis.log:
Logfile of HijackThis v1.99.1
Scan saved at 4:21:25 PM, on 2/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Radia\radexecd.exe
C:\Program Files\Radia\radsched.exe
C:\Program Files\Radia\Radstgms.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ndw.exe
C:\WINDOWS\System32\eudck32.exe
C:\WINDOWS\System32\dxttus40.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Extended Systems\XTNDConnect Desktop Connector\DesktopConnector.exe
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\lljohnso\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <REMOVED>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <REMOVED>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <REMOVED>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Radia User Process] C:\PROGRA~1\Radia\RADREXXW.EXE RAM.REX MODE=USERONLY FULL
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ndw] C:\WINDOWS\system32\ndw.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [73nS32T] eudck32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [M042RSf8U] dxttus40.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\lljohnso\Application Data\DownloadPlus.exe
O4 - Global Startup: Acrobat Assistant.lnk = ?
O4 - Global Startup: Desktop Connector.lnk = ?
O4 - Global Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=<REMOVED>
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - https://www.bownelink.com/infolink/bin/iManFile.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://confeastern2.centra.com/SiteRoots/russell/Install/CentraDownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <REMOVED>
O17 - HKLM\Software\..\Telephony: DomainName = <REMOVED>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <REMOVED>
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Radia\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Radia\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Radia\Radstgms.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
-
Would be easier if you had Administrator privileges
Let's see what you can do
First off, it's very important that you move Hijackthis out of the Temp folder; backups will be made and lost if we clean out your Temp folders.
Redownload Hijackthis from my signature below.
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
I would access your Add/Remove programs and Remove if found
DownloadPlus
Link will show you why
http://securityresponse.symantec.com/avcenter/venc/data/adware.downloadplus.html
Also remove, if found,
SpyKiller, from Add/Remove programs or the Start>>All programs menu, if found
and not paid for; it's bogus.
Take a look
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Restart your computer after removing either
Back in Windows
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Run Hijackthis from this location C:\HJT
Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if found
C:\WINDOWS\system32\ndw.exe
C:\WINDOWS\System32\eudck32.exe
C:\WINDOWS\System32\dxttus40.exe
Do another scan with Hijackthis and put a check next to these entries:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ndw] C:\WINDOWS\system32\ndw.exe
O4 - HKLM\..\Run: [73nS32T] eudck32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [M042RSf8U] dxttus40.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\lljohnso\Application Data\DownloadPlus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer
Back in windows, find and delete these files or folders if they exist
C:\Documents and Settings\lljohnso\Application Data\DownloadPlus.exe <--file
C:\WINDOWS\System32\eudck32.exe <--file
C:\WINDOWS\System32\dxttus40.exe <--file
C:\Program Files\SpyKiller <--folder
Post back a fresh Hijackthis log afterwards
Can you do me a favor? I omitted one file from being deleted;
I believe it's a trojan.
Can you access this Online Malware Scan?
Give this site time to load
Jotti's Online Malware scan: http://virusscan.jotti.org/
Use the browse button and navigate to this file
C:\WINDOWS\system32\ndw.exe <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results?
If found bad, can you immediately delete it? But let me see the scanner results, thanks.
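As an added example (not code from the thread, from HijackThis, or from its author), here are the triage rules the helper applied above, written as a small Python script run over a constructed subset of the posted log: an O3 toolbar with no file, O4 Run values with a bare filename or a random-looking name, a startup item under the user's profile, the O6 policy restriction, and an O16 download from the funwebproducts path. The name-length bounds and the adware marker list are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ndw] C:\WINDOWS\system32\ndw.exe
O4 - HKLM\..\Run: [73nS32T] eudck32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [M042RSf8U] dxttus40.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\lljohnso\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - https://www.bownelink.com/infolink/bin/iManFile.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<lnk>.+?\.lnk) = (?P<target>.+)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")

# Value names such as "73nS32T" or "M042RSf8U": one token mixing letters and digits.
# The length bounds are an assumption, tuned to the names seen in this log.
RANDOM_NAME_RE = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9]{6,16}$")

# Profile locations where a legitimate autostart executable is rare.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\temp\\")

# URL fragments the helper treats as adware installers (assumed marker list, from this thread).
ADWARE_DPF_MARKERS = ("funwebproducts",)


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command, handling a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_run(name: str, cmd: str) -> list[str]:
    """Heuristics for an O4 Run value: bare filename, random name, profile path."""
    reasons = []
    exe = executable_of(cmd)
    if "\\" not in exe:
        reasons.append("bare filename, resolved through the search path (usually dropped in System32)")
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking value name")
    if any(d in exe.lower() for d in PROFILE_DIRS):
        reasons.append("executable stored under the user profile")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's triage rules to raw HijackThis lines; return flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons: list[str] = []
        if kind == "O3" and body.endswith("(no file)"):
            reasons.append("toolbar registered but its file is gone (orphaned hijacker component)")
        elif kind == "O4":
            run, startup = RUN_RE.match(body), STARTUP_RE.match(body)
            if run:
                reasons = check_run(run.group("name"), run.group("cmd"))
            elif startup and any(d in startup.group("target").lower() for d in PROFILE_DIRS):
                reasons.append("startup shortcut targets an executable under the user profile")
        elif kind == "O6":
            reasons.append("IE Control Panel restricted by policy: set by hijackers, but also by corporate policy")
        elif kind == "O16":
            dpf = DPF_RE.match(body)
            if dpf and any(k in dpf.group("url").lower() for k in ADWARE_DPF_MARKERS):
                reasons.append("ActiveX download from a known adware installer path")
        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}")
```

Note that [ndw] ndw.exe sits under a full System32 path with a plain name and is not flagged by these rules, which is exactly why the helper sent that file to a multi-engine scanner. The O6 entry is also set by legitimate corporate policy, so on a work machine confirm with IT before fixing it.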
-
Ok, here's what Jotti's found:
Service load: 0% 100%
File: ndw.exe
Status: INFECTED/MALWARE
Packers detected: None
AntiVir TR/Adware.Ndw.A.1 (0.37 seconds taken)
Avast Win32:Trojan-gen. {Other} (1.52 seconds taken)
AVG Antivirus Downloader.Small.9.BP (0.47 seconds taken)
BitDefender Trojan.Adware.Ndw.A (0.46 seconds taken)
ClamAV No viruses found (0.60 seconds taken)
Dr.Web No viruses found (0.89 seconds taken)
F-Prot Antivirus W32/Downloader.EW (0.09 seconds taken)
Fortinet W32/Dload.MF-tr (0.41 seconds taken)
Kaspersky Anti-Virus Trojan-Downloader.Win32.Lastad.f (0.98 seconds taken)
mks_vir Trojan.Downloader.Small.Rn (0.22 seconds taken)
NOD32 No viruses found (0.48 seconds taken)
Norman Virus Control W32/DLoader.AFM (0.19 seconds taken)
I went ahead and deleted the file.
-----------------------------
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:29:57 AM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Radia\radexecd.exe
C:\Program Files\Radia\radsched.exe
C:\Program Files\Radia\Radstgms.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Extended Systems\XTNDConnect Desktop Connector\DesktopConnector.exe
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <REMOVED>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <REMOVED>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by <REMOVED>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <REMOVED>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <REMOVED>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Radia User Process] C:\PROGRA~1\Radia\RADREXXW.EXE RAM.REX MODE=USERONLY FULL
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Acrobat Assistant.lnk = ?
O4 - Global Startup: Desktop Connector.lnk = ?
O4 - Global Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=<REMOVED>
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - https://www.bownelink.com/infolink/bin/iManFile.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://confeastern2.centra.com/SiteRoots/russell/Install/CentraDownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <REMOVED>
O17 - HKLM\Software\..\Telephony: DomainName = <REMOVED>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <REMOVED>
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Radia\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Radia\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Radia\Radstgms.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
I'm still getting that Seeq redirector page and some popups...did I miss something?
-
This is a Spyware Doctor report for my C:/ drive:
Scans (basic information only):
Scan Results:
scan start: 3/1/2005 4:41:52 PM
scan stop: 3/1/2005 4:49:22 PM
scanned items: 87644
found items: 66
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
AproposMedia multiple Medium
AproposMedia HKCR\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} Medium
AproposMedia HKCR\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}\NumMethods Medium
AproposMedia HKCR\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}\ProxyStubClsid32 Medium
AproposMedia HKCR\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} Medium
AproposMedia HKCR\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}\NumMethods Medium
AproposMedia HKCR\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}\ProxyStubClsid32 Medium
AproposMedia HKCR\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} Medium
AproposMedia HKCR\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\NumMethods Medium
AproposMedia HKCR\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\ProxyStubClsid32 Medium
AproposMedia HKLM\software\autoloader Medium
AproposMedia HKLM\software\autoloader\7w4u1MOQPdLW Medium
AproposMedia HKLM\software\autoloader\7w4Y1MOQPdLW Medium
Boss Everyware HKCR\.dsv Medium
Boss Everyware HKCR\.dsv\backup Medium
Huntbar HKCR\TypeLib\{7EFE1256-AB56-44B3-A63A-EB1A2208A490} Elevated
Slotchbar HKLM\SYSTEM\LastKnownGoodRecovery\LastGood##INF/conscorr.inf High
Slotchbar HKLM\SYSTEM\LastKnownGoodRecovery\LastGood##INF/conscorr.PNF High
Slotchbar HKLM\SYSTEM\LastKnownGoodRecovery\LastGood##INF/localNrd.inf High
Slotchbar HKLM\SYSTEM\LastKnownGoodRecovery\LastGood##INF/localNrd.PNF High
Trojan drsnsrch HKLM\SOFTWARE\Classes\TypeLib\{7EFE1256-AB56-44B3-A63A-EB1A2208A490} High
Tracking Cookie(s) lljohnso@atdmt[2].txt Medium
Tracking Cookie(s) lljohnso@valueclick[1].txt Medium
Tracking Cookie(s) [email protected][1].txt Medium
Tracking Cookie(s) lljohnso@statcounter[1].txt Medium
Tracking Cookie(s) lljohnso@realmedia[2].txt Medium
Tracking Cookie(s) lljohnso@revenue[2].txt Medium
Tracking Cookie(s) lljohnso@trafficmp[2].txt Medium
Tracking Cookie(s) lljohnso@advertising[2].txt Medium
Tracking Cookie(s) lljohnso@maxserving[1].txt Medium
Tracking Cookie(s) [email protected][2].txt Medium
Tracking Cookie(s) lljohnso@cgi-bin[1].txt Medium
Tracking Cookie(s) lljohnso@fastclick[2].txt Medium
Tracking Cookie(s) lljohnso@centrport[1].txt Medium
Tracking Cookie(s) lljohnso@casalemedia[2].txt Medium
Tracking Cookie(s) lljohnso@euniverseads[1].txt Medium
Tracking Cookie(s) [email protected][2].txt Medium
AproposMedia HKCR\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} Medium
AproposMedia HKCR\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32 Medium
AproposMedia HKLM\Software\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} Medium
AproposMedia HKLM\Software\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32 Medium
AproposMedia HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} Medium
AproposMedia HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32 Medium
AproposMedia HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID Medium
AproposMedia HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID Medium
AproposMedia HKLM\Software\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} Medium
AproposMedia HKLM\Software\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32 Medium
AproposMedia HKLM\Software\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID Medium
AproposMedia HKLM\Software\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID Medium
XXXToolbar C:\WINDOWS\conscorr.ini Elevated
Zango Search Assistant C:\WINDOWS\conscorr.ini Elevated
Zango Search Assistant C:\WINDOWS\LastGood\INF\conscorr.inf Elevated
Slotchbar C:\WINDOWS\LastGood\INF\conscorr.inf High
XXXToolbar C:\WINDOWS\LastGood\INF\conscorr.inf Elevated
Slotchbar C:\WINDOWS\LastGood\INF\conscorr.PNF High
XXXToolbar C:\WINDOWS\LastGood\INF\conscorr.PNF Elevated
Zango Search Assistant C:\WINDOWS\LastGood\INF\conscorr.PNF Elevated
Slotchbar C:\WINDOWS\LastGood\INF\localNrd.PNF High
Zango Search Assistant C:\WINDOWS\LastGood\INF\localNrd.PNF Elevated
Twain-tech C:\WINDOWS\systb.exe Elevated
IEPageFinder C:\WINDOWS\System32\inetdctr.dll Medium
Win-Spy Stealth Monitor C:\WINDOWS\System32\URLHIST.tlb High
AproposMedia C:\Documents and Settings\lljohnso\Local Settings\Temp\temp.fr18D1 Medium
AproposMedia C:\RECYCLER\S-1-5-21-861567501-1085031214-725345543-3680\Dc42.exe Medium
AproposMedia C:\RECYCLER\S-1-5-21-861567501-1085031214-725345543-3680\Dc43.exe Medium
AproposMedia C:\WINDOWS\system32\dvdlobby.exe Medium
I tried the suggestions from my other post about Seeq hijacker, but it's got me stuck. What can I do about this? Every time I try to get rid of stuff, I get MORE!
Here is my current HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:57:47 PM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Radia\radexecd.exe
C:\Program Files\Radia\radsched.exe
C:\Program Files\Radia\Radstgms.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Extended Systems\XTNDConnect Desktop Connector\DesktopConnector.exe
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <REMOVED>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <REMOVED>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by <REMOVED>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <REMOVED>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <REMOVED>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Radia User Process] C:\PROGRA~1\Radia\RADREXXW.EXE RAM.REX MODE=USERONLY FULL
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = ?
O4 - Global Startup: Desktop Connector.lnk = ?
O4 - Global Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=<REMOVED>
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - https://www.bownelink.com/infolink/bin/iManFile.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://confeastern2.centra.com/SiteRoots/russell/Install/CentraDownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =<REMOVED>
O17 - HKLM\Software\..\Telephony: DomainName = <REMOVED>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <REMOVED>
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Radia\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Radia\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Radia\Radstgms.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
Thanks,
Laura
-
I need to check out something
Could you
Download and UNZIP to desktop
Remv3.zip from this location
[attachment=48:attachment]
Ensure you unzip it, now you will have Remv3 folder on your desktop
IMPORTANT
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Navigate to the unzipped folder
remv3
open it and double click on remv3.bat
Let this finish, won't take long>>it will produce a log
Restart back to Normal mode
Post a fresh hijackthis log
Rkfiles.bat would have produced a log
can you please post this log too
C:\log.txt
Can you also download and save to Desktop
VX2 Finder.exe (http://downloads.subratam.org/VX2Finder(126).exe)
Open it and
"Click to Find VX2.BetterInternet"
Let it finish scanning and then Make a log
Post this back too
I need this information too, first I still see Spykiller in your log, I hope you didn't pay for it
Spyware Doctor, I don't use, so I can't comment on the findings, it appears it removed some bad files and registry entries
I'm more interested in Spybot and Ad-Aware
Can you open Spybot
Click on HELP>>>ABOUT
Let me know Spybot version and latest detection update date
Can you also open Ad-Aware
Click on DETAILS in Initialization Status
Let me know Reference number and Internal build
-
guestolo,
I've done the things you asked for, here they are in the order you requested:
remv3.exe
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished
Logfile of HijackThis v1.99.1
Scan saved at 11:18:25 AM, on 3/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Radia\radexecd.exe
C:\Program Files\Radia\radsched.exe
C:\Program Files\Radia\Radstgms.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\Program Files\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\Radia\RADREXXW.EXE
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Extended Systems\XTNDConnect Desktop Connector\DesktopConnector.exe
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\Citrix\PNAgent\pnagent.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Radia\radskman.exe
C:\WINDOWS\System32\msiexec.exe
C:\HJT\HijackThis.exe
C:\PROGRA~1\Radia\radntfyc.exe
C:\PROGRA~1\Radia\radpinit.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <REMOVED>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <REMOVED>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by <REMOVED>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <REMOVED>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\Compat\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Radia User Process] C:\PROGRA~1\Radia\RADREXXW.EXE RAM.REX MODE=USERONLY FULL
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = ?
O4 - Global Startup: Desktop Connector.lnk = ?
O4 - Global Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=<REMOVED>
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - https://www.bownelink.com/infolink/bin/iManFile.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://confeastern2.centra.com/SiteRoots/russell/Install/CentraDownloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <REMOVED>
O17 - HKLM\Software\..\Telephony: DomainName = <REMOVED>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <REMOVED>
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Radia\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Radia\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Radia\Radstgms.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
RKfiles.bat
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished
VX2_Finder.exe
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
NavLogon
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
Q312461
Spybot S&D
Version 1.3
No detection updates installed.
Ad Aware
Definitions File Loaded:
Reference Number : SE1R28 16.02.2005
Internal build : 33
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 411893 Bytes
Total size : 1300934 Bytes
Signature data size : 1271214 Bytes
Reference data size : 29208 Bytes
Signatures total : 36156
Fingerprints size : 23479 Bytes
Target categories : 15
Target families : 632
I found Spy Doctor on www.majorgeeks.com, but you have to purchase the program to actually have the problems fixed or deleted. I'm trying to avoid purchasing anything since this is a work computer!
Thanks for your help,
Laura
-
Spybot doesn't seem to be updating
Can you open Spybot and Search for updates and Download all updates
Check for Problems>>Fix everything in RED
Restart your computer to finish the cleaning process
If it still doesn't seem to be updating
I see you're running through a Proxy server, check the settings in Spybot
you will have to know your proxy setting
Which can be found through
Control Panel>>Internet options>>Connections tab>>Under your connection type
Click Settings
Those you will have to add into Spybot
Open Spybot>>Click on Mode>>Advanced>>Ok the prompt
Click Settings>>Settings again in the column
On the right hand side scroll down to WEB UPDATE and check Use Proxy to Connect to Update Server
Fill in the required fields
Let me know if it will now update
If it won't update still, can you manually update the latest Detection updates and install them please
From this link
http://www.safer-networking.org/en/download/index.html
Ensure to run a scan with Spybot and Fix everything in RED
Restart your computer afterwards
Come back here and post one more log, let me know if Spybot found anything
Can you also open Hijackthis>>Open Misc tools sections>>Open Hosts file Manager
Click the "Open in Notepad" button
Notepad should open with the Hosts file listed
Copy and paste back the Whole Hosts notepad file too
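The HijackThis logs in this thread are read by eye, entry by entry. The following is an added triage script, not part of the thread or of HijackThis itself, that parses the O4 (autostart), O16 (ActiveX download) and O20 (Winlogon Notify) line formats from the logs above and flags the kinds of entries a helper would look at first: an autostart binary outside the Windows or Program Files trees, an ActiveX control fetched over plain HTTP, and a Notify DLL outside System32. The sample input reuses lines from the posted logs plus one constructed O4 entry; the trusted-directory list and the checks are assumptions for illustration, not a verdict on any entry.

```python
import re
from urllib.parse import urlparse

# Sample HijackThis v1.99.1 entries: lines copied from the logs in this thread
# plus one CONSTRUCTED O4 entry (pointing into a temp folder) so the O4 check
# has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\user\Local Settings\Temp\example.exe /q
O16 - DPF: {9F51E426-6EED-11D3-80B8-00C04F610DBB} (WebTransferCtrl Class) - https://www.bownelink.com/infolink/bin/iManFile.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamload.com/Upload/XUpload.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Assumed: directories an autostart binary is expected to live in on this XP box.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def exe_path(cmd):
    """Return the executable part of an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log):
    """Return a list of (section, name, reason) for entries worth a second look."""
    findings = []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            path = exe_path(m.group(3)).lower()
            if not path.startswith(TRUSTED_DIRS):
                findings.append(("O4", m.group(2), f"autostart outside trusted dirs: {path}"))
        elif m := O16_RE.match(line):
            url = m.group(3)
            scheme = urlparse(url).scheme
            if scheme != "https":  # unauthenticated delivery of runnable ActiveX code
                findings.append(("O16", m.group(2) or m.group(1), f"ActiveX fetched over {scheme}: {url}"))
        elif m := O20_RE.match(line):
            if not m.group(2).lower().startswith("c:\\windows\\system32\\"):
                findings.append(("O20", m.group(1), f"Notify DLL outside System32: {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} [{name}] {reason}")
```

Entries it flags are candidates for a closer look (vendor, signature, file date), not confirmed malware; the same script can be pointed at a full saved log file.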