Author Topic: Problems with Your searcher  (Read 2894 times)

Guest_Mark

  • Guest
Problems with Your searcher
« on: November 14, 2004, 06:14:28 AM »
Got some problems with your searcher.
I can't get rid of it.
Can anyone help me?

This is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 12:19:24, on 14-11-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\G-VGA.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\USB ADSL\CnxDslTb.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\sap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\tvrbbxs.exe
C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mark.MARK-T445T97X9D\My Documents\Utils\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [System Applications Profile] sap.exe
O4 - HKLM\..\RunServices: [System Applications Profile] sap.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 Wmls Driver] winitr32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hcdqgeg] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eficbjs] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [delavrc] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [tgmpiay] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wvrfdke] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wteafdv] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [usgabft] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [erpjfbm] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [vlhdayq] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [yotvhol] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [csaupia] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [chihcno] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [gbyyfha] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [patvynw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [avhtcwl] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [nfwtkvk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [pjkxxgw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [dtpccfi] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eyumley] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [ogmfaws] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ebiqsjj] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [hxcjslk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [qephion] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [cvqkeri] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [kwrqaux] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ktdnibq] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [cuodmyl] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [qxxycqv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [xpwopeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [vgcahfc] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [nardela] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [qskexyd] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [featqoe] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ajjofyi] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lsstslk] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ouicxau] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mqodxab] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mlupfeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [brffkwy] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ncwjxpv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ksajeei] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lbgmgcp] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [skboocf] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mxybeod] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [fxchmbq] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [eooagom] c:\windows\mcmydrr.exe
O4 - Global Startup: gwum.lnk = C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Problems with Your searcher
« Reply #1 on: November 14, 2004, 11:03:21 AM »
Hi Mark,
Let's try some cleaning tools before we tackle your log

First off, if you didn't pay for Spykiller I definitely recommend that you uninstall it
Restart your computer if you remove it
Link will explain why it's on the bogus list
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Now, let's get you 2 spyware removal tools that have a good reputation
Both yours for free, keep updated and run Scans every couple of weeks

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Download all updates
Do a Full system scan----Remove All Critical objects
RESTART your computer to finish the cleaning process

Next:
Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Download all updates
Check for Problems---FIX everything in RED

Restart your computer again to finish the cleaning

After you have done the above, could you please update your version of Hijackthis
Open Hijackthis>>Config>>Misc Tools>>Check for updates online
If for some reason it won't update, redownload Hijackthis 1.98.2
from HERE or HERE
Save it to your
C:\Documents and Settings\Mark.MARK-T445T97X9D\My Documents\Utils folder
allowing it to overwrite the old version

Post back a fresh hijackthis log after you have done the above
Let me know if you rid yourself of SpyKiller

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest_Mark

  • Guest
Problems with Your searcher
« Reply #2 on: November 14, 2004, 04:30:02 PM »
Hi,

I did all you requested and got rid of Spykiller.
Thanks for helping me out here!!

P.S. How can I prevent it from happening again, and how did I get in this mess
in the first place?



Logfile of HijackThis v1.98.2
Scan saved at 22:32:40, on 14-11-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\USB ADSL\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\sap.exe
C:\WINDOWS\System32\iexplorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\njqmcbd.exe
C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Documents and Settings\Mark.MARK-T445T97X9D\My Documents\Utils\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [System Applications Profile] sap.exe
O4 - HKLM\..\Run: [Task manager] iexplorer.exe
O4 - HKLM\..\RunServices: [System Applications Profile] sap.exe
O4 - HKLM\..\RunServices: [Task manager] iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 Wmls Driver] winitr32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hcdqgeg] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eficbjs] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [delavrc] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [tgmpiay] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wvrfdke] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wteafdv] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [usgabft] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [erpjfbm] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [vlhdayq] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [yotvhol] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [csaupia] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [chihcno] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [gbyyfha] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [patvynw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [avhtcwl] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [nfwtkvk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [pjkxxgw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [dtpccfi] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eyumley] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [ogmfaws] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ebiqsjj] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [hxcjslk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [qephion] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [cvqkeri] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [kwrqaux] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ktdnibq] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [cuodmyl] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [qxxycqv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [xpwopeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [vgcahfc] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [nardela] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [qskexyd] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [featqoe] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ajjofyi] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lsstslk] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ouicxau] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mqodxab] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mlupfeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [brffkwy] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ncwjxpv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ksajeei] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lbgmgcp] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [skboocf] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mxybeod] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [fxchmbq] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [Task manager] iexplorer.exe
O4 - HKCU\..\Run: [eijmime] c:\windows\xvdaeob.exe
O4 - Global Startup: gwum.lnk = C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Problems with Your searcher
« Reply #3 on: November 14, 2004, 04:50:17 PM »
Internet Explorer is not as secure as a lot of people would hope.
That is what has allowed you to be infected, and we should put some preventive tools on your computer once you're clean.

Here's our next step Mark

Download and save to desktop CWShredder
Close down All browser windows and install CWShredder and then run it
Click the FIX button
Allow it to fix all problems
Restart your computer
We will get the rest after that

Before you post back it would be advisable to visit Windows Update and update Windows and IE to SP1
This will help with security
Remember to Restart after installing Service Pack 1

Don't update to Service Pack 2 right now; the install will go bad with the infections you have on your computer.

Post back a fresh hijackthis log afterwards
We will get you totally clean and then you can decide if you want to install SP2



Guest

  • Guest
Problems with Your searcher
« Reply #4 on: November 14, 2004, 05:28:45 PM »
Ok, back again with a fresh log



Logfile of HijackThis v1.98.2
Scan saved at 23:34:49, on 14-11-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\USB ADSL\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\sap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\apupcag.exe
C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mark.MARK-T445T97X9D\My Documents\Utils\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [System Applications Profile] sap.exe
O4 - HKLM\..\Run: [Task manager] iexplorer.exe
O4 - HKLM\..\RunServices: [System Applications Profile] sap.exe
O4 - HKLM\..\RunServices: [Task manager] iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 Wmls Driver] winitr32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hcdqgeg] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eficbjs] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [delavrc] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [tgmpiay] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wvrfdke] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wteafdv] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [usgabft] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [erpjfbm] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [vlhdayq] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [yotvhol] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [csaupia] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [chihcno] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [gbyyfha] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [patvynw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [avhtcwl] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [nfwtkvk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [pjkxxgw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [dtpccfi] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eyumley] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [ogmfaws] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ebiqsjj] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [hxcjslk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [qephion] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [cvqkeri] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [kwrqaux] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ktdnibq] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [cuodmyl] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [qxxycqv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [xpwopeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [vgcahfc] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [nardela] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [qskexyd] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [featqoe] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ajjofyi] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lsstslk] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ouicxau] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mqodxab] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mlupfeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [brffkwy] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ncwjxpv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ksajeei] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lbgmgcp] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [skboocf] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mxybeod] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [fxchmbq] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [Task manager] iexplorer.exe
O4 - HKCU\..\Run: [odkoitf] c:\windows\voqcqjt.exe
O4 - Global Startup: gwum.lnk = C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100469784686
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Problems with Your searcher
« Reply #5 on: November 14, 2004, 08:54:10 PM »
Good work on getting SP1

Let's try and get some cleanup done in your log

Set Windows to Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide extensions for Known File Types
* Click Yes to confirm.
* Click OK.

Know how to Start in Safe mode ahead of time from the link I supplied below

Open Hijackthis>>Config>>Misc Tools>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\System32\sap.exe
C:\windows\apupcag.exe
<--this one keeps changing names, we'll look for other bad files later

===Do another scan with Hijackthis and put a check beside these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O4 - HKLM\..\Run: [System Applications Profile] sap.exe
O4 - HKLM\..\Run: [Task manager] iexplorer.exe
O4 - HKLM\..\RunServices: [System Applications Profile] sap.exe
O4 - HKLM\..\RunServices: [Task manager] iexplorer.exe

O4 - HKCU\..\Run: [Win32 Wmls Driver] winitr32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe

O4 - HKCU\..\Run: [hcdqgeg] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eficbjs] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [delavrc] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [tgmpiay] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wvrfdke] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [wteafdv] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [usgabft] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [erpjfbm] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [vlhdayq] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [yotvhol] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [csaupia] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [chihcno] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [gbyyfha] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [patvynw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [avhtcwl] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [nfwtkvk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [pjkxxgw] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [dtpccfi] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eyumley] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [ogmfaws] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ebiqsjj] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [hxcjslk] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [qephion] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [cvqkeri] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [kwrqaux] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [ktdnibq] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [cuodmyl] c:\windows\clphreh.exe
O4 - HKCU\..\Run: [qxxycqv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [xpwopeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [vgcahfc] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [nardela] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [qskexyd] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [featqoe] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ajjofyi] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lsstslk] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ouicxau] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mqodxab] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mlupfeb] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [brffkwy] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ncwjxpv] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [ksajeei] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [lbgmgcp] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [skboocf] c:\windows\fgyjaeo.exe
O4 - HKCU\..\Run: [mxybeod] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [fxchmbq] c:\windows\kvybkji.exe
O4 - HKCU\..\Run: [Task manager] iexplorer.exe
O4 - HKCU\..\Run: [odkoitf] c:\windows\voqcqjt.exe


After you have put a tick beside the above entries, Close down all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
Click Yes to the Prompt and exit hijackthis

RESTART your Computer in SAFE MODE

Find and delete these files or folders if they exist
C:\WINDOWS\System32\sap.exe <--file
c:\windows\kkeerhv.exe <--file
c:\windows\clphreh.exe <--file
c:\windows\voqcqjt.exe <--file
c:\windows\fgyjaeo.exe <--file
C:\windows\apupcag.exe <--file

C:\Program Files\SpyKiller <--folder

Restart back into Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

I know you have already done online Virus scans at Panda's and Symantec's
Can you try one more at RAV's
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subscribing click here" link
It will load the activex and dat files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan

Then click the Scan my PC button

Let it completely finish scanning

Copy and Paste the results back here

Could you also post a fresh hijackthis log too, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
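As an added example (not code from this thread or from HijackThis), here is a small Python triage helper that mechanises the pattern behind the list of O4 entries above: many randomly named Run values all launching the same file, autorun targets sitting in a temp folder, and paths HijackThis prints with '?' because it could not display the characters. The sample lines are copied from logs posted in this thread plus two constructed benign entries for contrast; the threshold of three names per file is my own assumption.

```python
import re
from collections import defaultdict

# Sample O4 lines. The first six are copied from HijackThis logs posted in this
# thread; the last two are constructed benign entries for contrast.
SAMPLE_O4_LINES = r"""
O4 - HKCU\..\Run: [hcdqgeg] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [eficbjs] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [delavrc] c:\windows\kkeerhv.exe
O4 - HKCU\..\Run: [ogmfaws] c:\windows\clphreh.exe
O4 - HKLM\..\Run: [VC] C:\documents and settings\owner\local settings\temp\VC.exe
O4 - HKCU\..\Run: [Ovnf] C:\WINDOWS\System32\??rss.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
""".strip().splitlines()

# HijackThis registry autorun line: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Executable at the head of an unquoted command line: everything up to the first
# .exe/.dll/... that is followed by whitespace or the end of the string.
EXE_HEAD_RE = re.compile(r'(.*?\.(?:exe|dll|bat|cmd|scr|com|pif))(?:\s|$)', re.IGNORECASE)

# Assumption: three or more distinct value names pointing at one file is the
# "random name spray" seen in this thread's logs, not how normal software installs.
SHARED_NAME_THRESHOLD = 3


def parse_o4(line):
    """Return a dict for a registry O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        # Quoted path: the target is everything inside the first pair of quotes.
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:
        head = EXE_HEAD_RE.match(cmd)
        target = head.group(1) if head else cmd.split(" ", 1)[0]
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "target": target.lower(),  # lower-cased so clustering is case-insensitive
    }


def triage(lines):
    """Map each suspicious autorun target to the list of reasons it was flagged."""
    names_by_target = defaultdict(set)
    for line in lines:
        entry = parse_o4(line)
        if entry is not None:
            names_by_target[entry["target"]].add(entry["name"])

    findings = defaultdict(list)
    for target, names in names_by_target.items():
        if len(names) >= SHARED_NAME_THRESHOLD:
            findings[target].append(
                f"{len(names)} different Run value names launch the same file")
        if "\\temp\\" in target:
            findings[target].append("autorun target lives in a temporary folder")
        if "?" in target:
            findings[target].append("path contains characters HijackThis could not display")
    return dict(findings)


if __name__ == "__main__":
    for target, reasons in sorted(triage(SAMPLE_O4_LINES).items()):
        print(target)
        for reason in reasons:
            print("   -", reason)
```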


Guest_Mark

Problems with Your searcher
« Reply #6 on: November 15, 2004, 05:38:22 AM »
I think we're on the right track. :D
Got my own homepage back.


Results from RAV-scan:

Scan started at 15-11-2004 11:22:59
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Mark.MARK-T445T97X9D\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-67d9b5a-694b4399.class - Trojan:Java/Dummy.C (exact) -> Infected
C:\WINDOWS\system32\fierwall.exe->(PEDiminisher) - Exploit:Win32/RpcDcom.gen! -> Suspicious

Scanned
============================
   Objects: 28657
   Directories: 2064
   Archives: 687
   Size(Kb): -445406
   Infected files: 1

Found
============================
   Viruses found: 1
   Suspicious files: 1
   Disinfected files: 0
   Mail files: 40




New HJT-log (certainly looks a whole lot better):


Logfile of HijackThis v1.98.2
Scan saved at 11:42:07, on 15-11-2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\G-VGA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\USB ADSL\CnxDslTb.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\program files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Mark.MARK-T445T97X9D\My Documents\Utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: gwum.lnk = C:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100469784686
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE11E0C-EA6A-484A-9859-3AC01E5CC3BB}: NameServer = 62.58.50.5 62.58.50.6

guestolo
Problems with Your searcher
« Reply #7 on: November 15, 2004, 11:30:56 AM »
Yup, looking a lot better
Can you open up your control Panel and double click on the Java Plugin
Click the CACHE tab and clear cache
That should take care of Trojan:Java/Dummy.C
We should update your Java to the latest, we can do this later

Could you also Navigate to this file
C:\WINDOWS\system32\fierwall.exe <--file

Run it through this Online File Scanner and post back the results
http://virusscan.jotti.dhs.org/
Give the page time to load and then use the Browse button to navigate to the file
Right click on the file and choose Select>>>Use the Submit button
Let it scan the file
Copy and paste back the results

By the way, I noticed you picked up one update from Windows Update
You may want to return and get All Critical or High Priority updates
NOT including Service Pack 2 or Recommended updates

Post back one last hijackthis log afterwards, we'll get some other tools on your Computer to help prevent this from happening again
One other note, I see you are running AVG and Norton's on startup
Do you feel you need both AV's running on Startup
It may cause System Slowdowns or conflicts and possibly slower bootup times running both at Startup



Eamonn

Problems with Your searcher
« Reply #8 on: December 06, 2004, 09:22:17 AM »
Hi,

I'm having problems trying to remove this damn Your searcher; any help greatly appreciated. Here is my HijackThis log file:

Logfile of HijackThis v1.98.2
Scan saved at 14:32:45, on 06/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\WINNT\LTSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\winnt\ptrdjgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\odonoghuee\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = mailsweeper.airtricity.com;10.50.*.*;netmon.*;livelink*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: C:\WINNT\lbbho.dll - {DEEA3283-8265-42DF-ACE6-30C75539EF67} - C:\WINNT\lbbho.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [NT Services] ntsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunServices: [NT Services] ntsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [kytntqx] c:\winnt\tkdpopg.exe
O4 - Startup: Vodafone Mobile Connect Card.lnk = C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = airtricity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = airtricity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = airtricity.com

guestolo
Problems with Your searcher
« Reply #9 on: December 06, 2004, 08:06:40 PM »
Wow Eamonn, no Anti-Virus software and you're way behind on Windows Updates

Before we tackle your hijackthis log can you please try and do a few things
if you can
This will help to prevent infections in the future

First----Go to Windows updates and download All the latest Critical (High Priority) Updates and make sure that you update your version of Internet Explorer to SP1
Restart your computer when prompted, return to Windows Update until you get all the latest Critical updates
http://www.microsoft.com/windows/ie/downlo...ds/default.mspx

Don't get the recommended updates unless you want them

Next: If you don't have your own Anti-Virus software and need a free solution
I highly recommend that you go download the Free version of AVG 7

After you install it ensure it checks for updates and then Run a Full System scan
Let it fix what it finds
Restart your computer afterwards

Next: to help remove the CoolWeb infection
Download and Save to desktop the Standalone version of CWShredder

Double click to run it, Click the FIX button and let it FIX all problems
RESTART your Computer afterwards

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version
If you don't have this version, install this one
After installation-CHECK FOR UPDATES

Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

Do a Full System Scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to finish the cleaning process

Post back a Fresh hijackthis log afterwards and we'll clean out the leftovers



Eamonn

Problems with Your searcher
« Reply #10 on: December 07, 2004, 05:31:00 AM »
Hi,

Thanks for the reply, did as you said and I think I have a clean bill of health. My laptop was recently rebuilt after a number of bluescreen incidents, so that is why I had no Windows updates or virus software. Hopefully all resolved now, here is my HijackThis logfile just in case

Logfile of HijackThis v1.98.2
Scan saved at 10:39:41, on 07/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\WINNT\LTSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
C:\WINNT\system32\ntsvc.exe
C:\Documents and Settings\odonoghuee\Desktop\hijackthis.exe
C:\WINNT\system32\ntsvc.exe
C:\WINNT\System32\ntsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = mailsweeper.airtricity.com;10.50.*.*;netmon.*;livelink*;<local>
O1 - Hosts: 193.120.138.237 rpcproxy.airtricity.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: C:\WINNT\lbbho.dll - {DEEA3283-8265-42DF-ACE6-30C75539EF67} - C:\WINNT\lbbho.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [NT Services] ntsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunServices: [NT Services] ntsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Vodafone Mobile Connect Card.lnk = C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = airtricity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = airtricity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = airtricity.com

guestolo
Problems with Your searcher
« Reply #11 on: December 07, 2004, 08:26:48 AM »
Have to leave for work right now, so I can look over your log later

I still see nasties in your log

You still didn't install that Anti-Virus software
Which one are you using?

As mentioned, if you don't have your own to install, put in the free one

That should hopefully catch a couple things and then post back a fresh hijackthis log

or please do an online virus scan at Housecall's---Set to Autoclean
http://housecall.trendmicro.com/
and/or
Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm
« Last Edit: December 07, 2004, 08:51:42 PM by guestolo »



Eamonn

Problems with Your searcher
« Reply #12 on: December 08, 2004, 06:00:16 AM »
Have managed to update my software (eventually!!), here is my latest logfile, hopefully all is well :)

Logfile of HijackThis v1.98.2
Scan saved at 11:08:47, on 08/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\WINNT\LTSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = mailsweeper.airtricity.com;10.50.*.*;netmon.*;livelink*;<local>
O1 - Hosts: 193.120.138.237 rpcproxy.airtricity.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Vodafone Mobile Connect Card.lnk = C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = airtricity.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = airtricity.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = airtricity.com

guestolo
Problems with Your searcher
« Reply #13 on: December 08, 2004, 10:47:05 PM »
Log looks good, don't forget to clean out those temporary folders

To Tighten up your Security you should set up protection against further attacks.
You should install these spyware blockers
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL and link=IE-Spyad
With both, Check for updates every couple of weeks
They don't run in the background, just install and run once

Stay safe Eamonn :)



Eamonn

Problems with Your searcher
« Reply #14 on: December 09, 2004, 06:32:35 AM »
Many Thanks again for all your help :D

Delorean

Problems with Your searcher
« Reply #15 on: December 17, 2004, 04:37:39 PM »
HELP!  I'm having the same problems. I followed the steps you gave Eamonn and my hjt log is below:

Logfile of HijackThis v1.99.0
Scan saved at 12:52:21 PM, on 12/17/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\WINDOWS\System32\??rss.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\BellSouth\Connection Tool\ARUpld32.exe
C:\Program Files\BellSouth\Connection Tool\ARMon32a.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo00018da4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\BellSouth® Internet Services\Dialer\DartDialer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BAC6455-BB40-59E4-D503-64550DF37D49} - C:\WINDOWS\System32\pqu.dll (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINDOWS\System32\msacmx.dll (file missing)
O2 - BHO: (no name) - {C22D2048-ECFE-9153-8A8A-E6ABA9710194} - C:\WINDOWS\System32\nhtdkuw.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\dapiebar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LoadAgent] Gscbc.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [pmtzluh] "C:\WINDOWS\System32\pmtzluh.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Microsoft Update Machine] systemll.exe
O4 - HKLM\..\Run: [Win32 Services] Sygate.exe
O4 - HKLM\..\Run: [VC] C:\documents and settings\owner\local settings\temp\VC.exe
O4 - HKLM\..\Run: [yQ5P] C:\documents and settings\owner\local settings\temp\yQ5P.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemll.exe
O4 - HKLM\..\RunServices: [Win32 Services] Sygate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [Ovnf] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Win32 Services] Sygate.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103249026092
O16 - DPF: {96D338F5-8757-4A1C-AFEA-770A4036752F} - https://setup.bellsouth.net/wizlet/BellSout...wActiveXCab.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{024846A1-9BEF-4116-ACB0-86C25D8AF755}: NameServer = 205.152.37.254 205.152.132.235
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IP InSight Client (BellSouthNet) - Visual Networks - C:\Program Files\BellSouth\Connection Tool\LaunchIPI.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe