Author Topic: Another TopAntiSpyware victim

Offline hepcatx

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Another TopAntiSpyware victim
« on: February 20, 2005, 11:46:45 AM »
I got the desktop/taskbar/pop-up hijack from topantispyware. Worst thing is it's on my work computer.

I'm running Windows XP SP2 on a Dell. Here's what HijackThis says:


Logfile of HijackThis v1.99.1
Scan saved at 8:27:07 AM, on 2/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}\SVCHOST.EXE
C:\WINDOWS\process.exe
C:\WINDOWS\System32\Xvgaog.exe
C:\WINDOWS\msmsgrxp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\atacdiran\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.247.16.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;<local>
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2[censored]ed.biz
O1 - Hosts: 127.0.0.3 sp2[censored]ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}\SVCHOST.EXE
O4 - HKLM\..\Run: [process.exe] C:\WINDOWS\process.exe
O4 - HKLM\..\Run: [sIwnUXmE] C:\WINDOWS\uthbvs.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Bphzzd.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Xvgaog.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\uthbvs.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: translink pivotal.url
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {003D946B-0E64-4C6E-88C6-B5BAB630363E} (Pivotal eRelationship Active Access (Version 5.1) - Portal Preferences Page (rprefs.dll)) - http://asb-sac-pas-001/epower/cab/RDAPREFS.CAB
O16 - DPF: {0047388F-51E3-4F3C-B343-D4C2C6F47E72} (Pivotal eRelationship Active Access (Version 5.1) - Smart Portal (rdaprtl.dll)) - http://asb-sac-pas-001/epower/cab/RDAPRTL.CAB
O16 - DPF: {00479453-31F5-4870-A0FD-BA078BFA789B} (Pivotal eRelationship Active Access (Version 5.1) - Resources (rdares.dll)) - http://asb-sac-pas-001/epower/cab/RDARES.CAB
O16 - DPF: {00499C34-6952-45AD-9697-241B90292833} (Pivotal eRelationship Active Access (Version 5.1) - Stealth Report Interface (rdaRprt.dll)) - http://asb-sac-pas-001/epower/cab/RDARPRT.CAB
O16 - DPF: {00A40008-7D21-4F26-A9D7-A2EFC3771C5F} (Pivotal eRelationship Active Access (Version 5.1) - Shared Object Library Interface (rdashare.dll)) - http://asb-sac-pas-001/epower/cab/RDASHARE.CAB
O16 - DPF: {00FF182B-B4C8-4C76-812F-D24B9A11F242} (Pivotal eRelationship Active Access (Version 5.1) - Portal Control Proxy (rdaui.dll)) - http://asb-sac-pas-001/epower/cab/RdaUI.cab
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.1) - Shortcut Handler (rshortcut.dll)) - http://asb-sac-pas-001/epower/cab/RSHORTCUT.CAB
O16 - DPF: {3814B215-C77A-4EDB-BE3B-F6CB92DD33C5} (Pivotal ePower Lifecycle Engine (Version 5.1) - Instantiator (rdaobjcreate.dll)) - http://asb-sac-pas-001/epower/cab/RdaObjCreate.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.1) - EMail Class (rn1sendx.dll)) - http://asb-sac-pas-001/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.1) - Plug-in Result Return Collection (dfoutils.dll)) - http://asb-sac-pas-001/epower/cab/DFOUTILS.CAB
O16 - DPF: {C45056F0-B4BC-4A65-85F0-2A131563795B} (Pivotal ePower Lifecycle Engine (Version 5.1) - Platform Access (rdaclnt.dll)) - http://asb-sac-pas-001/epower/cab/RDACLNT.CAB
O16 - DPF: {CD883B96-F640-4B89-BA88-F6AE1E72B65B} (Pivotal eRelationship Active Access (Version 5.1) - Email Connector (rdaemail.dll)) - http://asb-sac-pas-001/epower/cab/RDAEMAIL.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\Software\..\Telephony: DomainName = erggroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = erggroup.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
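The log above is the raw material of this whole thread: the O1 hosts overrides, the O4 Run/RunOnce entries and the O15 Trusted Zone additions are what the helper later tells the poster to fix. The following script is an added example, not code from the thread or from HijackThis, showing how a defender can triage those three line types automatically. The sample log is constructed from a few lines modelled on the one posted here, with benign entries mixed in, and the heuristics (svchost.exe outside System32, a binary in a {GUID}-named folder, a binary dropped straight into the Windows folder, any RunOnce entry, any hosts mapping other than localhost, any Trusted Zone change) are this example's own choices, not HijackThis rules.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines modelled on the HijackThis v1.99.1
# log posted in this thread, with one benign entry of each type mixed in.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
O4 - HKLM\\..\\Run: [WinampAgent] "C:\\Program Files\\Winamp\\Winampa.exe"
O4 - HKLM\\..\\Run: [Service Host] C:\\WINDOWS\\System32\\Services\\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}\\SVCHOST.EXE
O4 - HKLM\\..\\Run: [process.exe] C:\\WINDOWS\\process.exe
O4 - HKLM\\..\\RunOnce: [Srv32 spool service] C:\\WINDOWS\\System32\\spoolsrv32.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 67.19.178.84
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Line shapes as HijackThis prints them: "O1 - Hosts: <ip> <name>" (or a URL when the
# hosts file points elsewhere), "O4 - HKLM\..\Run: [name] <command>", "O15 - Trusted ...".
O1_RE = re.compile(r"^O1 - Hosts: (\S+)(?: (\S+))?$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run(?:Once)?): \[(.*?)\] (.*)$")
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (.*)$")
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)


def _exe_path(value: str) -> str:
    """Pull the executable path out of an O4 command, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def check_hosts_entry(target: str, hostname: Optional[str]) -> List[str]:
    """A stock hosts file maps only localhost; anything else deserves a look."""
    if hostname is None:
        return ["hosts file sourced from a remote location instead of local mappings"]
    if target == "127.0.0.1" and hostname.lower() == "localhost":
        return []
    return [f"hosts override: {hostname} -> {target}"]


def check_run_entry(key: str, value: str) -> List[str]:
    """Heuristics (this example's own) for a Run/RunOnce autostart command."""
    reasons: List[str] = []
    exe = _exe_path(value).lower()
    parent, _, base = exe.rpartition("\\")
    if base == "svchost.exe" and parent != r"c:\windows\system32":
        reasons.append("svchost.exe running from outside System32")
    if GUID_DIR_RE.search(exe):
        reasons.append("binary lives in a {GUID}-named folder")
    if parent == r"c:\windows":
        reasons.append("binary sits directly in the Windows folder")
    if key.lower() == "runonce":
        reasons.append("RunOnce entry present (re-created on every boot)")
    return reasons


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every entry worth a human's attention."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        line = line.rstrip()
        if (m := O1_RE.match(line)):
            reasons = check_hosts_entry(m.group(1), m.group(2))
        elif (m := O4_RE.match(line)):
            reasons = check_run_entry(m.group(2), m.group(4))
        elif (m := O15_RE.match(line)):
            # Anything added to IE's Trusted zone runs with relaxed security settings.
            reasons = [f"IE Trusted {m.group(1)} weakened for {m.group(2)}"]
        else:
            reasons = []
        findings.extend((line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the constructed sample it flags seven of the eleven lines and leaves the Winamp, Messenger and iPod entries alone; the real log's Bphzzd.exe, Xvgaog.exe and systime.exe entries would slip past these particular rules, which is why a triage script narrows the list for a reviewer rather than replacing one.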

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Another TopAntiSpyware victim
« Reply #1 on: February 20, 2005, 09:08:13 PM »
Quote
I'm running windows xp sp2 on a Dell
Your log shows you haven't installed Service Pack 2 yet
Make sure you don't until you're free of viruses and spyware


Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a Restore point
Name it and click Create
This is just to ensure you have a backup from this point on

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure you click the check for updates now link and Connect to download the latest updates
When Installing it may download and start running a scan
Allow to update, but Don't run a scan yet

Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup
Install for now but Don't run a scan yet

===Download and save to Desktop the
FixIstbar.exe from Symantec
Don't run it yet

===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later

Print this out or save to a Notepad file on the desktop
Also know how to start in safe mode, I'm going to ask you to do so shortly; if you're unsure, I supplied a link below
Disconnect from the Internet

===Open Hijackthis>>Open Misc Tools>>Open Process Manager and kill these processes if running
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}\SVCHOST.EXE
C:\WINDOWS\process.exe
C:\WINDOWS\System32\Xvgaog.exe
C:\WINDOWS\msmsgrxp.exe


Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2[censored]ed.biz
O1 - Hosts: 127.0.0.3 sp2[censored]ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt

O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}\SVCHOST.EXE
O4 - HKLM\..\Run: [process.exe] C:\WINDOWS\process.exe
O4 - HKLM\..\Run: [sIwnUXmE] C:\WINDOWS\uthbvs.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Bphzzd.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Xvgaog.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\uthbvs.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

EDITING out Registry instructions by Trend Micro
May not be needed
Instead
Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything


RESTART your Computer in SAFE MODE

Find and delete these files or folders if they exist
C:\WINDOWS\System32\spoolsrv32.exe <--this file, exact spelling
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}\SVCHOST.EXE
C:\WINDOWS\process.exe
C:\WINDOWS\System32\Xvgaog.exe
C:\WINDOWS\msmsgrxp.exe
C:\WINDOWS\uthbvs.exe
C:\WINDOWS\System32\systime.exe

C:\Program Files\ISTsvc <--this folder

If you find any of these related to Smart security, remove them also
Let me know if you found any
Using Windows Explorer and/or Search, locate and delete the following files
(they are in bold) >>> Not all may exist, but take a look
• C:\WINDOWS\desktop.html
• C:\WINDOWS\Web\desktop.html
• C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url

Note* <current user>= user name having a problem with the desktop issue

Open Hijackthis>>Open Misc Tools>>Open Host File Manager
Delete any lines Below
127.0.0.1 localhost <--don't delete this line
Delete any below the above one you didn't manually add yourself

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Open up Windows CleanUp! that you installed earlier
START>>ALL programs>>CleanUp
Click the CleanUp button
Let it finish scanning for files, when it's done it will prompt you to Log off
DON'T at this time
Instead

Run the FixIstbar tool from Symantec and let it fix anything it finds

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to Normal mode to finish the cleaning process

Check the Display settings again from the Control Panel

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back with a fresh hijackthis log afterwards
Can you also let me know what else you see in these subfolders
C:\WINDOWS\System32\Services\
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}
« Last Edit: February 25, 2005, 06:35:58 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline hepcatx

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Another TopAntiSpyware victim
« Reply #2 on: February 25, 2005, 09:48:37 PM »
Sorry it took so long. You are right about the SP2 - its not installed.
Ok I went down the list and did everything. Here is the fresh hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:49 PM, on 2/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\atacdiran\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.247.16.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;<local>
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: E-mail.lnk = ?
O4 - Startup: translink pivotal.url
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {003D946B-0E64-4C6E-88C6-B5BAB630363E} (Pivotal eRelationship Active Access (Version 5.1) - Portal Preferences Page (rprefs.dll)) - http://asb-sac-pas-001/epower/cab/RDAPREFS.CAB
O16 - DPF: {0047388F-51E3-4F3C-B343-D4C2C6F47E72} (Pivotal eRelationship Active Access (Version 5.1) - Smart Portal (rdaprtl.dll)) - http://asb-sac-pas-001/epower/cab/RDAPRTL.CAB
O16 - DPF: {00479453-31F5-4870-A0FD-BA078BFA789B} (Pivotal eRelationship Active Access (Version 5.1) - Resources (rdares.dll)) - http://asb-sac-pas-001/epower/cab/RDARES.CAB
O16 - DPF: {00499C34-6952-45AD-9697-241B90292833} (Pivotal eRelationship Active Access (Version 5.1) - Stealth Report Interface (rdaRprt.dll)) - http://asb-sac-pas-001/epower/cab/RDARPRT.CAB
O16 - DPF: {00A40008-7D21-4F26-A9D7-A2EFC3771C5F} (Pivotal eRelationship Active Access (Version 5.1) - Shared Object Library Interface (rdashare.dll)) - http://asb-sac-pas-001/epower/cab/RDASHARE.CAB
O16 - DPF: {00FF182B-B4C8-4C76-812F-D24B9A11F242} (Pivotal eRelationship Active Access (Version 5.1) - Portal Control Proxy (rdaui.dll)) - http://asb-sac-pas-001/epower/cab/RdaUI.cab
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.1) - Shortcut Handler (rshortcut.dll)) - http://asb-sac-pas-001/epower/cab/RSHORTCUT.CAB
O16 - DPF: {3814B215-C77A-4EDB-BE3B-F6CB92DD33C5} (Pivotal ePower Lifecycle Engine (Version 5.1) - Instantiator (rdaobjcreate.dll)) - http://asb-sac-pas-001/epower/cab/RdaObjCreate.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.1) - EMail Class (rn1sendx.dll)) - http://asb-sac-pas-001/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.1) - Plug-in Result Return Collection (dfoutils.dll)) - http://asb-sac-pas-001/epower/cab/DFOUTILS.CAB
O16 - DPF: {C45056F0-B4BC-4A65-85F0-2A131563795B} (Pivotal ePower Lifecycle Engine (Version 5.1) - Platform Access (rdaclnt.dll)) - http://asb-sac-pas-001/epower/cab/RDACLNT.CAB
O16 - DPF: {CD883B96-F640-4B89-BA88-F6AE1E72B65B} (Pivotal eRelationship Active Access (Version 5.1) - Email Connector (rdaemail.dll)) - http://asb-sac-pas-001/epower/cab/RDAEMAIL.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\Software\..\Telephony: DomainName = ussfoa.erggroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = erggroup.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Another TopAntiSpyware victim
« Reply #3 on: February 25, 2005, 10:05:39 PM »
Do another scan with Hijackthis and with all windows closed
fix this entry

O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt

Restart the computer

Back in windows
Open Hijackthis>>>Open the Misc tools section>>Open the Hosts file manager

Delete any lines below this line
127.0.0.1 localhost <--don't delete this line
that you don't recognize

EG....
127.0.0.3 newiframe.biz <--delete this

Do another scan with Hijackthis and post a fresh log
Let me know if you have any problems

Quote
Can you also let me know what else you see in these subfolders
C:\WINDOWS\System32\Services\
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}
The contents may cause reinfection
« Last Edit: February 27, 2005, 04:46:10 AM by guestolo »

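The instruction in this reply, keep "127.0.0.1 localhost" and delete every hosts line you did not add yourself, is a default-deny rule over the hosts file. The script below is an added example, not part of the thread or of HijackThis or Hoster, that applies that rule mechanically: mappings are kept only if an administrator-maintained allowlist vouches for them, comments and blank lines pass through, and everything else is reported grouped by the address it redirected to. The sample hosts file is constructed (the 10.1.2.3 intranet line is an invented "legitimately added" entry) and the allowlist format is this example's own.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample hosts file: the stock localhost line, entries of the kind
# this thread tells the poster to delete, and one line an administrator added
# on purpose (an invented address and name, used only to show the allowlist).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.3 www.greg-tut.com
127.0.0.3 nylonsexy.com
10.1.2.3 intranet.example.test   # deliberately added by the admin (constructed)
127.0.0.3 newiframe.biz
"""

# (address, hostname) pairs the administrator vouches for. A stock Windows XP
# hosts file contains only the loopback line, so that is the whole default.
DEFAULT_ALLOW: Set[Tuple[str, str]] = {("127.0.0.1", "localhost")}


def parse_hosts_line(raw: str):
    """Return (ip, [names]) for a mapping line, or None for blanks and comments."""
    stripped = raw.split("#", 1)[0].strip()
    if not stripped:
        return None
    ip, *names = stripped.split()
    return ip, names


def sanitize_hosts(text: str, allow: Set[Tuple[str, str]] = DEFAULT_ALLOW) -> Tuple[List[str], List[str]]:
    """Split a hosts file into the lines to keep and the lines to remove.

    A mapping line survives only if every (ip, name) pair on it is on the
    allowlist; comments and blank lines are harmless and are always kept.
    """
    kept: List[str] = []
    removed: List[str] = []
    for raw in text.splitlines():
        parsed = parse_hosts_line(raw)
        if parsed is None:
            kept.append(raw)
            continue
        ip, names = parsed
        if names and all((ip, name.lower()) in allow for name in names):
            kept.append(raw)
        else:
            removed.append(raw)
    return kept, removed


def summarize_removed(removed: List[str]) -> Dict[str, List[str]]:
    """Group the removed hostnames by the address they were being sent to."""
    by_target: Dict[str, List[str]] = {}
    for raw in removed:
        ip, names = parse_hosts_line(raw)
        by_target.setdefault(ip, []).extend(names)
    return by_target


if __name__ == "__main__":
    kept, removed = sanitize_hosts(SAMPLE_HOSTS)
    print("sanitized hosts file:")
    print("\n".join(kept))
    for target, names in summarize_removed(removed).items():
        print(f"removed {len(names)} mapping(s) to {target}: {', '.join(names)}")
```

With the default allowlist the intranet line is removed too, which is the point: the operator decides what is legitimate by adding it to the allowlist, rather than the script guessing from the address. Writing the result back requires the file to be writable, which is why the next reply mentions making the hosts file writeable first.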


Offline hepcatx

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Another TopAntiSpyware victim
« Reply #4 on: March 06, 2005, 12:42:11 PM »
I fixed the O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt

Open Host File Manager shows a blank page.


C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43} contains svchost.dll

The desktop and popups stopped, but my taskbar is still hijacked. Whenever I try to enter the taskbar properties it closes itself immediately
-----------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 9:38:27 AM, on 3/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\atacdiran\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.247.16.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: E-mail.lnk = ?
O4 - Startup: translink pivotal.url
O4 - Startup: VirusScan Console.lnk = C:\Program Files\Network Associates\VirusScan\mcconsol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {003D946B-0E64-4C6E-88C6-B5BAB630363E} (Pivotal eRelationship Active Access (Version 5.1) - Portal Preferences Page (rprefs.dll)) - http://asb-sac-pas-001/epower/cab/RDAPREFS.CAB
O16 - DPF: {0047388F-51E3-4F3C-B343-D4C2C6F47E72} (Pivotal eRelationship Active Access (Version 5.1) - Smart Portal (rdaprtl.dll)) - http://asb-sac-pas-001/epower/cab/RDAPRTL.CAB
O16 - DPF: {00479453-31F5-4870-A0FD-BA078BFA789B} (Pivotal eRelationship Active Access (Version 5.1) - Resources (rdares.dll)) - http://asb-sac-pas-001/epower/cab/RDARES.CAB
O16 - DPF: {00499C34-6952-45AD-9697-241B90292833} (Pivotal eRelationship Active Access (Version 5.1) - Stealth Report Interface (rdaRprt.dll)) - http://asb-sac-pas-001/epower/cab/RDARPRT.CAB
O16 - DPF: {00A40008-7D21-4F26-A9D7-A2EFC3771C5F} (Pivotal eRelationship Active Access (Version 5.1) - Shared Object Library Interface (rdashare.dll)) - http://asb-sac-pas-001/epower/cab/RDASHARE.CAB
O16 - DPF: {00FF182B-B4C8-4C76-812F-D24B9A11F242} (Pivotal eRelationship Active Access (Version 5.1) - Portal Control Proxy (rdaui.dll)) - http://asb-sac-pas-001/epower/cab/RdaUI.cab
O16 - DPF: {28E4BE08-1C25-4CE4-A9AA-3495A9D08C8E} (Pivotal eRelationship Active Access (version 5.1) - Shortcut Handler (rshortcut.dll)) - http://asb-sac-pas-001/epower/cab/RSHORTCUT.CAB
O16 - DPF: {3814B215-C77A-4EDB-BE3B-F6CB92DD33C5} (Pivotal ePower Lifecycle Engine (Version 5.1) - Instantiator (rdaobjcreate.dll)) - http://asb-sac-pas-001/epower/cab/RdaObjCreate.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.1) - EMail Class (rn1sendx.dll)) - http://asb-sac-pas-001/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.1) - Plug-in Result Return Collection (dfoutils.dll)) - http://asb-sac-pas-001/epower/cab/DFOUTILS.CAB
O16 - DPF: {C45056F0-B4BC-4A65-85F0-2A131563795B} (Pivotal ePower Lifecycle Engine (Version 5.1) - Platform Access (rdaclnt.dll)) - http://asb-sac-pas-001/epower/cab/RDACLNT.CAB
O16 - DPF: {CD883B96-F640-4B89-BA88-F6AE1E72B65B} (Pivotal eRelationship Active Access (Version 5.1) - Email Connector (rdaemail.dll)) - http://asb-sac-pas-001/epower/cab/RDAEMAIL.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\Software\..\Telephony: DomainName = ussfoa.erggroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = erggroup.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = erggroup.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
« Last Edit: March 06, 2005, 12:45:40 PM by hepcatx »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Another TopAntiSpyware victim
« Reply #5 on: March 06, 2005, 04:16:28 PM »
Download and UNZIP to a folder Hoster by Toadbee


Restart back Into safe mode
Delete this subfolder
C:\WINDOWS\System32\Services\{DF3A1730-0042-4DD4-9442-3ACA286D4F43}

Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything

Stay in safe mode
If you don't recognize this startup entry have Hijackthis fix it, I'm not sure what it's related to
O4 - Startup: translink pivotal.url

Open Hoster>>>you may have to use the top right button to make the Hosts file writeable
Then Click the Restore Original hosts button

Restart back to Normal mode and post back a fresh Hijackthis log

Can you also let me know what else you see in this folder
C:\WINDOWS\System32\Services\ <--this folder

Also, I no longer see Spybot in your log, did you uninstall it?
If so, why?
« Last Edit: March 06, 2005, 05:39:17 PM by guestolo »
