Messages - gazoomba

1
Tech Clinic / hijacked by Coolwwwsearch & EffectiveBandToolbar
« on: April 06, 2005, 08:47:40 PM »
Dear Guestolo,
Everything is running better now.
I recently updated from Windows 2000 to XP and rebuilt my computer from scratch.  Not sure if the entry you mention has something to do with this.
I was way behind on the Windows Updates and have since updated and included SP2.  I am now current.
I will also follow your other instructions and load the other protection programs.  I am on the home stretch now.
You have been a great help and I am pleased that I have found this website.  It's definitely on my favorites now.
How does it make money?  I would like to support it with a donation for your efforts and assistance.
Regards,
Gazoomba

2
Tech Clinic / hijacked by Coolwwwsearch & EffectiveBandToolbar
« on: April 06, 2005, 06:26:21 AM »
Dear Guestolo,
Here are your answers:

The Registry Fix you asked me to try was Fixdesktop Registry Editor.  You sent it as a zip file named fixdesktop.zip.

All the shortcut items on my previous desktop are back to normal.  I had a JPEG saved as the desktop and this was not there but I have just used a generic Microsoft desktop until the system is clear again.

HSFix Log is below:
 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:08 PM, on 6/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

Also, I seem to have an error loading IE and even Mozilla Firefox after running HijackThis?  I lose connection to the Internet.  The first time I ran HijackThis after the main deletion of the 04 Autoloading programs etc, I had trouble seeing my C drive and my virus protection said something about a Haxdoor Virus.  That was the last time I saw that error.  Not sure if this has anything to do with your analysis.  After running Spybot Search and Destroy I get no errors after the scan but IE works fine again after a reboot?

Cheers,
Gazoomba

3
Tech Clinic / hijacked by Coolwwwsearch & EffectiveBandToolbar
« on: April 05, 2005, 06:15:18 AM »
Dear Guestolo,
You are a miracle worker.  I have control of my desktop, right click button, Web Browser (IE) and access again to my computer.  What a relief!

Logfile of HijackThis v1.99.1
Scan saved at 8:07:52 PM, on 5/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

Here is the other log:

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdmt16.sys
winlow.sys
drct16.dll
mszx23.exe
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-

What are your thoughts?  Things seem to be OK now?
Regards,
Gazoomba

4
Tech Clinic / hijacked by Coolwwwsearch & EffectiveBandToolbar
« on: April 04, 2005, 05:12:11 AM »
Dear Guestolo,
Thanks for your reply and guidance.  Here is my response to your requests.

1. A fresh Hijackthis Log (using the latest version of HJT)

Logfile of HijackThis v1.99.1
Scan saved at 7:44:43 PM, on 4/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Uab.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKLM\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKLM\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKLM\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKLM\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKLM\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKLM\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKLM\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKLM\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKLM\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Fdt] C:\WINDOWS\Lhq.exe
O4 - HKCU\..\Run: [Dvj] C:\WINDOWS\Tia.exe
O4 - HKCU\..\Run: [Ehs] C:\WINDOWS\Clf.exe
O4 - HKCU\..\Run: [Emh] C:\WINDOWS\System32\Uui.exe
O4 - HKCU\..\Run: [Qcv] C:\WINDOWS\Jqv.exe
O4 - HKCU\..\Run: [Vbk] C:\WINDOWS\System32\Esg.exe
O4 - HKCU\..\Run: [Csn] C:\WINDOWS\System32\Eua.exe
O4 - HKCU\..\Run: [Kmm] C:\WINDOWS\System32\Bje.exe
O4 - HKCU\..\Run: [Iti] C:\WINDOWS\Kph.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ahr.exe
O4 - HKCU\..\Run: [Alp] C:\WINDOWS\System32\Oab.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

2. The Findings from the Export.bat enquiry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
"NoViewContextMenu"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"

Hopefully, this will provide the information you need.
Regards,
Gazoomba

5
Tech Clinic / hijacked by Coolwwwsearch & EffectiveBandToolbar
« on: April 02, 2005, 08:44:48 AM »
I hope someone can help.  I've had this error for a few days and have done my best to clear the errors which keep coming back.
I've used my updated versions of Ad-Aware SE personal, Spybot Search and Destroy as well as eTrust Antivirus and they sometimes identify the problem but do not delete or fix it.

My Desktop has a red screen with a link to Smart Security or Slimshield, IE is disabled, my right click button has been disabled and it occasionally disables Outlook Express.

I have loaded Firefox so have access to the net, plus I have a second stand-alone laptop that is not infected to browse the net and follow instructions etc. while the other PC is not working.

I have read a few postings and have also loaded and used the following programs:

- CWShredder
- HiJack this
- Registrar light
- Spysubtract
- Cleanup312

I have not been able to successfully use these programs to delete the problems.

Here is my logfile:

Logfile of HijackThis v1.99.0
Scan saved at 11:32:15 PM, on 2/04/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Cvi.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MKemper\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Documents and Settings\MKemper\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\MKemper\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Boc] C:\WINDOWS\System32\Cvi.exe
O4 - HKLM\..\Run: [Sar] C:\WINDOWS\System32\Uab.exe
O4 - HKLM\..\Run: [Jtl] C:\WINDOWS\Vrg.exe
O4 - HKLM\..\Run: [Ufd] C:\WINDOWS\System32\Ois.exe
O4 - HKLM\..\Run: [Ljc] C:\WINDOWS\Rof.exe
O4 - HKLM\..\Run: [Bdr] C:\WINDOWS\Ouk.exe
O4 - HKLM\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKLM\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKLM\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKLM\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKLM\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKLM\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - HKCU\..\Run: [Sjm] C:\WINDOWS\System32\Rgc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Bko] C:\WINDOWS\System32\Uke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ovo] C:\WINDOWS\Mdu.exe
O4 - HKCU\..\Run: [Mrh] C:\WINDOWS\System32\Dvr.exe
O4 - HKCU\..\Run: [Ijf] C:\WINDOWS\System32\Ael.exe
O4 - HKCU\..\Run: [Hbs] C:\WINDOWS\Pmr.exe
O4 - HKCU\..\Run: [Ncg] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Iue] C:\WINDOWS\System32\Eae.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA License Client - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

I have deleted a lot of the nasty files like the R and F sections and some of the others but they keep re-appearing.

Can you help me?  This has been driving me nuts!
Gazoomba
