Author Topic: Never Done This, But I Need Help (Read 1107 times)

Donica · « **on:** February 23, 2005, 01:03:02 PM »

Started my laptop today (Win2000 OS) and did some searching on Google. I wasn't looking up anything that would normally cause problems (cracks, porn, etc), I was looking at some pregnancy websites when a window popped up for topantispyware.com

The window took over my desktop in a very creepy way, so I ran AdAware and removed all that it found, and deleted a bunch of virii that Avast started finding. When I restarted my computer I was faced with a blank desktop and the hourglass icon. The only way I'm posting this now is by opening IE via the Windows Task Manager.

I can't seem to find anything odd in my processes, but I'm not an expert. So I downloaded Hijack This, and here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:47 AM, on 2/23/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
C:\WINNT\System32\spoolsrv32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [dACFT] C:\WINNT\qgvneqs.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Ifcsxq.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Yfjoow.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g Wireless LAN Utility\WLANUTL.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: 763433.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: WebWorks Help 3.0 - file://D:\Documentation\WebDoc\wwhelp3.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O21 - SSODL: eplrr - {32760FEC-E99D-4D0E-9E4F-1A7D887E8066} - C:\WINNT\System32\eplrr3.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

Please help.

Donica · « **Reply #1 on:** February 23, 2005, 01:12:16 PM »

I forgot to mention that at the same time the Topantispyware.com site came up an icon showed up in the lower left of a yellow triangle with a black exclaimation point telling me that I was vulnerable to spyware. I'm assuming it is somehow linked to the topantispyware stuff.

Of course, I can't see it now because I have no taskbar at all.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Donica · « **Reply #2 on:** February 23, 2005, 02:00:54 PM »

Great. Now I'm getting this random minimized window that's called "Hi". I've closed it and ended the process tree (whatever that means). Argh!

guestolo · « **Reply #3 on:** February 23, 2005, 11:39:30 PM »

Let's try this

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Save this too Notepad or Print this out
Disconnect from the Internet

Restart your computer into Safe mode by tapping the F8 key as the system is booting up
Sign in with this user's account

Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything

Find and delete these files if they exist
C:\WINNT\System32\spoolsrv32.exe <--file, exact spelling
C:\WINNT\qgvneqs.exe
C:\WINNT\System32\Ifcsxq.exe
C:\WINNT\System32\Yfjoow.exe
C:\WINNT\System32\eplrr3.dll

C:\Documents and Settings\<YOUR USERNAME>\Start Menu\Programs\Startup\763433.exe

Also look for these ones and delete them, there in bold
Let me know if you find any of them
•C:\WINNT\desktop.html '
C:\WINNT\Web\desktop.html
• C:\WINNT\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url

NOTE:<current user> indicates user having problems with desktop

Stay in Safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [dACFT] C:\WINNT\qgvneqs.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Ifcsxq.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Yfjoow.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O4 - Global Startup: 763433.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe

O21 - SSODL: eplrr - {32760FEC-E99D-4D0E-9E4F-1A7D887E8066} - C:\WINNT\System32\eplrr3.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Do a disk cleanup
START>>Run>>type in cleanmgr
Ensure Temp and temp internet files are checked

Restart back to Normal mode

Post back a fresh hijackthis log afterwards

EDIT>>>In normal mode
Check your Display settings in Control panel again

guestolo · « **Reply #4 on:** March 10, 2005, 01:35:56 AM »

Topic locked due too inactivity

TheTechGuide Forum

News:

Author Topic: Never Done This, But I Need Help (Read 1107 times)

Donica

Never Done This, But I Need Help

Donica

Never Done This, But I Need Help

Donica

Never Done This, But I Need Help

guestolo

Never Done This, But I Need Help

guestolo

Never Done This, But I Need Help