Author Topic: Bestfind4u and other issues (Read 2292 times)

woody2005 · « **on:** February 24, 2005, 03:26:08 PM »

Hi guys....have a couple of issues I need resolving if possible (without having to reformat my c: drive!!)
Firstly...bestfind4u has hijacked my browser...atempted several times to delete with various spyware programs which were successful but eventually it finds its way back. I can post a HJT on request.

Another issue I have, and it's one that has me stumped is a strange one. My wife has just logged onto a website www.eumom.ie for expectant mothers. She entered all her details and it asked her for her due date which she entered as 2nd November 2005 (02/11/05). When she logged back in after the registration process was finished her due date was showing as 11th February 2005 (11/02/05). She got onto the site administrators who looked at her profile and it showed 2nd November 2005. I viewed the profile on my work pc and it also showed 02nd November 2005 but my home pc will show it as 11th February 2005. My pc is set to English (Irish), DD/MM/YY format as shown in my time, date settings..and my pc date shows 23rd February 2005. Now it seems like it is reversing the settings to MM/DD somewhere deep in the bowels of my drive. Can anyone shed any light on this for me please...I can't sleep at night.
Incidently I did install SP2 prior to this...would that have caused a problem??

Your help in these matters would be greatly appreciated

Karl

guestolo · « **Reply #1 on:** February 24, 2005, 05:26:37 PM »

Let's see what causing the Hijack to the website
Can you Download Hijackthis 1.99.1
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Guest_woody2005_* · « **Reply #2 on:** February 24, 2005, 07:54:24 PM »

Thanks for getting back to me
Here's my Hijack log as requested

Logfile of HijackThis v1.99.0
Scan saved at 00:50:39, on 25/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\qttask.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\litwfir.exe
C:\Program Files\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\HPDESK\hppddir.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\shmyga.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\pair32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pigsback.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [BKPO1ZG2D] C:\WINDOWS\bxnkgxnn.exe
O4 - HKLM\..\Run: [bluestart] C:\\rraut.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\Fmempro.exe" autostart
O4 - HKCU\..\Run: [cawlsqc] c:\windows\litwfir.exe
O4 - HKCU\..\Run: [garrqmm] c:\windows\wwnmavi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pigsback.com/
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100484485670
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: CA License Client - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Sub Connections - Unknown - C:\WINDOWS\System32\shmyga.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: Workgroup Security Tools - Unknown - C:\WINDOWS\System32\pair32.exe

guestolo · « **Reply #3 on:** February 25, 2005, 12:07:41 AM »

I see some problems Woody, but I don't want to get to involved with this log
You appear to be getting ongoing help at another forum, not fair to the helper assisting you right now
If it appears that your not being assisted post back and I can try and help out
But having you go 2 or more directions wouldn't be right to all of us

woody2005 · « **Reply #4 on:** February 25, 2005, 04:40:10 AM »

Hi again,

I did post my dilemma in another part of this forum but figured I was posting in the wrong area so I re-posted here. I also sought advice from another website but haven't had much luck there either..bestfind4u keeps coming back to haunt me. Like going to the doctor's, I need a second opinion.

Regards

guestolo · « **Reply #5 on:** February 25, 2005, 04:49:59 PM »

What I can suggest right now to do
I'm not sure what steps you have done to help remove this nasty

Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet

When your back in Windows it's important to update the latest RADIUS database

IMPORTANT>>>

Follow this link on how to update it>> follow the instructions carefully
http://tds.diamondcs.com.au/index.php?page=update
Use the Manual update procedure
Again, don't run a scan yet

Disable Microsoft's Anti-Spyware Real time Protection until you are clean if it is enabled, this may prevent and fixes with Hijackthis
Open the program>>Options>>Settings>>In the top right click the Real time Protection Icon
Deactivate all of the options>>>Internet agents, application agents, system agents

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Print this out or save to a Notepad file for easy access

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pigsback.com/ <--If that's not a preferred default start page, or unknown to you, fix it

O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)

O4 - HKLM\..\Run: [BKPO1ZG2D] C:\WINDOWS\bxnkgxnn.exe
O4 - HKLM\..\Run: [bluestart] C:\\rraut.exe

O4 - HKCU\..\Run: [cawlsqc] c:\windows\litwfir.exe
O4 - HKCU\..\Run: [garrqmm] c:\windows\wwnmavi.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O14 - IERESET.INF: START_PAGE_URL=http://www.pigsback.com/

O23 - Service: Sub Connections - Unknown - C:\WINDOWS\System32\shmyga.exe
O23 - Service: Workgroup Security Tools - Unknown - C:\WINDOWS\System32\pair32.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer Into SAFE MODE by tapping the F8 key as the system is booting up

Find and delete these files if they exist
C:\WINDOWS\desktop.html <--file
C:\WINDOWS\Web\desktop.html <--file
C:\WINDOWS\System32\pair32.exe <--file
C:\windows\litwfir.exe <-file
C:\WINDOWS\System32\shmyga.exe <--file
C:\WINDOWS\System32\spoolsrv32.exe <--file, EXACT spelling
C:\WINDOWS\System32\runoledb32.exe <--file
C:\rraut.exe <--file
c:\windows\wwnmavi.exe <--file

Go to START>>RUN
type in
%temp%
Hit OK
In the new window click EDIT>>SELECT ALL
Delete the selected

Run Hijackthis again in safe mode and fix any of those entries you fixed earlier
if any have reappeared

Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

After you have removed the ones with postitive Identification

Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Manually type in something like
www.google.ie

Restart back to Normal mode

Check your display settings again in the Control Panel

Post a fresh hijackthis log and the Scandump.txt from TDS-3

woody2005 · « **Reply #6 on:** February 25, 2005, 10:11:45 PM »

Back again and did what you asked step by step. Here are the results:

Logfile of HijackThis v1.99.0
Scan saved at 03:03:25, on 26/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\qttask.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\HPDESK\hppddir.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jude, I Love you
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\Fmempro.exe" autostart
O4 - HKCU\..\Run: [mklvurs] c:\windows\jwhcddd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100484485670
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: CA License Client - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

and here is the scandump.txt

Scan Control Dumped @ 02:49:44 26-02-05
Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\gekaqtp.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\wliwrjj.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\roxbnbp.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\kaomlkm.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\iuhtrfv.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\tovvqtd.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\reavcee.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\dhnurgc.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\hhmrwno.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\jjeavqb.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\envvtmb.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\jwhcddd.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\fyisnpu.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\sudvclr.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\dhymrxe.exe

Positive identification: TrojanDownloader.Win32.Delf.cb10
File: c:\windows\loadclean.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\gviyybe.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\ocdycch.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\tokqeyj.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\bctkecc.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\efemive.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\aaiqfxc.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\fftkkcx.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\lonawun.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\kboitlg.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\vrilnig.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\mpgcmmx.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\iyxehef.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\lqwesvf.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\slwlwdt.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\ggqttpt.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\vjuaeqq.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\lulcrny.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\xiofjuj.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\twkoicw.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\xxohhcq.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\pabyvro.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\jpubcdu.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\utprrqy.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\vrcachr.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\sueujcq.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\kyirxhm.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\pbbvekp.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\ebwtvmn.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\twpjaue.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\enqxpwk.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\mhqeann.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\pxultui.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\nrsovye.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\jmymxrt.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\gsjdffk.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\himtkyd.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\bhkulga.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\spfjjue.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\hxaledb.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\hlaricf.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\gecwhof.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\oetswks.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\qixvgwu.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\dnsfvxv.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\tlmrsbd.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\wrcnqjh.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\dvdseuy.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\nqxusec.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\ymlckhq.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\ogvxogr.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\upgkhsy.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\chatmpo.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\irqourd.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\hntamrw.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\payvdag.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\rhkowop.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\beuthbt.exe

Positive identification: TrojanDropper.Win32.Agent.ft
File: c:\windows\system32\olexp.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\windows\system32\mtvtifll.exe

Positive identification: Trojan.Win32.Zapchast.c
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp42\a0094746.exe

Positive identification: TrojanClicker.Win32.Agent.bd
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp42\a0094747.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp42\a0094760.exe

Positive identification: Trojan.Win32.Zapchast.c
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp42\a0094778.exe

Positive identification: TrojanClicker.Win32.Agent.bd
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp42\a0094779.exe

Positive identification: Trojan.Win32.SecondThought.aa Dropper
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp42\a0094787.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp43\a0095015.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp44\a0095023.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp44\a0095036.exe

Positive identification: Trojan.Win32.StartPage.qp1
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp44\a0095062.exe

Positive identification: TrojanDropper.Win32.Agent.ft
File: c:\system volume information\_restore{4ff2605d-ba6b-47c3-92b9-a44a1551a95b}\rp44\a0095072.exe

Positive identification (embedded in file): Adware.ToolBar.MyWay.b1
File: g:\system volume information\_restore{a4bed380-236b-4348-b32b-1c9d1ff56a63}\rp1\a0000089.exe

Positive identification (embedded in file): Adware.ToolBar.MyWay.f (dll)
File: g:\system volume information\_restore{a4bed380-236b-4348-b32b-1c9d1ff56a63}\rp1\a0000089.exe

Positive identification: Adware.ToolBar.MyWay.b1
File: g:\system volume information\_restore{a4bed380-236b-4348-b32b-1c9d1ff56a63}\rp12\a0002593.exe

Positive identification (DLL): Adware.ToolBar.MyWay.f (dll)
File: g:\system volume information\_restore{a4bed380-236b-4348-b32b-1c9d1ff56a63}\rp12\a0002594.dll

I deleted all positive ids as requested.....what happens next?

Regards

guestolo · « **Reply #7 on:** February 26, 2005, 03:53:47 AM »

With Windows set to show hidden files and folders

I've uploaded a file called rkfiles.zip

Can you save it and UNZIP the contents to a folder

RESTART into safe mode <--this is important
Find and delete this file

c:\windows\jwhcddd.exe <--this file

Stay in safe mode

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKCU\..\Run: [mklvurs] c:\windows\jwhcddd.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Navigate to the file RKfiles.bat and double click to run it
You must have this unzipped and be in safe mode
Wait for the results

Restart back to Normal mode
Post a fresh hijackthis log

Rkfiles.bat would of produced a log
can you please post this log too
C:\log.txt <--this log

woody2005 · « **Reply #8 on:** February 26, 2005, 12:07:14 PM »

I'm back after doing what you said and here are the results

Logfile of HijackThis v1.99.0
Scan saved at 17:02:36, on 26/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\qttask.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\HPDESK\hppddir.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jude, I Love you
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\Fmempro.exe" autostart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100484485670
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: CA License Client - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

and the other logfile as requested:

C:\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\shmygad.exe: UPX!
C:\WINDOWS\SYSTEM32\downf108.exe: UPX!
C:\WINDOWS\SYSTEM32\fmod.dll: UPX!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

Regards

guestolo · « **Reply #9 on:** February 26, 2005, 04:02:12 PM »

Can you ensure that all those files found bad by TDS 3 are gone

Delete these 2 files, may have to be done in safe mode
C:\WINDOWS\SYSTEM32\shmygad.exe
C:\WINDOWS\SYSTEM32\downf108.exe

Ensure whether you deleted them in safe mode or Normal that you restart your computer afterwards, I want to see a fresh hijackthis log

After that I've uploaded a file called FinditNT2KXP.zip
Can you save it and UNZIP the contents
Open the folder and double click on Find.bat

It will produce a log, can you post that log along with a fresh hijackthis log, thanks

woody2005 · « **Reply #10 on:** February 26, 2005, 08:52:18 PM »

Hi,

Yep, deleted all files found by TDS

And the two c:\windows\system32 files have also been obliterated.

Here are the two logs you requested

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\find it\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 274C-1DEA

Directory of C:\WINDOWS\System32

26/05/2004 05:24 <DIR> Microsoft
26/05/2004 04:57 <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 3,436,085,248 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 274C-1DEA

Directory of C:\WINDOWS\System32

27/02/2005 01:33 909 vsconfig.xml
19/02/2005 12:32 4,212 zllictbl.dat
26/05/2004 05:09 488 logonui.exe.manifest
26/05/2004 05:09 488 WindowsLogon.manifest
26/05/2004 05:09 749 wuaucpl.cpl.manifest
26/05/2004 05:09 749 cdplayer.exe.manifest
26/05/2004 05:09 749 ncpa.cpl.manifest
26/05/2004 05:09 749 sapi.cpl.manifest
26/05/2004 05:09 749 nwc.cpl.manifest
26/05/2004 04:57 <DIR> dllcache
25/05/2004 23:15 23,148 Atmenuxx.GID
10 File(s) 32,990 bytes
1 Dir(s) 3,436,068,864 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 274C-1DEA

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 274C-1DEA

Directory of C:\WINDOWS\System32

22/09/2004 18:46 20,480 setb2.tmp
22/09/2004 18:46 20,480 setb1.tmp
27/10/2001 06:48 231,424 SET2B.tmp
15/10/2001 21:47 90,112 SET37.tmp
23/08/2001 11:00 2,577 CONFIG.TMP
5 File(s) 365,073 bytes
0 Dir(s) 3,436,019,712 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Pigsback connect"="IEAKEmpathy Marketing Ltd."
"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Sun 27 Feb 2005 1:33:26 A..H. 909 0.89 K
zllictbl.dat Sat 19 Feb 2005 12:32:32 ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,121 bytes 5.00 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"HydarVisionDesktopManager"=""
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"WINDVDPatch"="CTHELPER.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"
"SCM"="c:\\program files\\silver crest memory adapter tools2.93\\scma.exe sys_auto_run C:\\Program Files\\Silver Crest Memory Adapter Tools2.93"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"WinFaxAppPortStarter"="wfxsnt40.exe"
"O-Card"="C:\\Program Files\\O-Card\\oic.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

And here is the current HJT log

Logfile of HijackThis v1.99.0
Scan saved at 01:46:10, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\qttask.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\O-Card\oic.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\HPDESK\hppddir.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jude, I Love you
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\system32\oichlpr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [O-Card] C:\Program Files\O-Card\oic.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\Fmempro.exe" autostart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100484485670
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: CA License Client - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

So far bestfind4u hasn't made a reappearance

Regards

Karl

guestolo · « **Reply #11 on:** February 27, 2005, 01:15:22 AM »

Your log looks good now,
Just to be safe, this file should be legit, but may be in the wrong directory
I'm not sure
Can you also go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file
C:\WINDOWS\SYSTEM32\fmod.dll <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results

Let's get some minor cleanup done
Can you download and save to desktop
[attachment=40:attachment]

UNZIP the Contents to Desktop
fixit.reg and Post.bat
will be placed on your desktop
We'll need those soon

Next to ensure you don't Restore any bad guys

You should disable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Before restarting your computer can you Double click on fixit.reg
and Allow it to merge to the registry

Restart your computer
Back in Windows make sure to Enable System Restore again

Can you next Double click on Post.bat
and new reg file will be placed on the desktop
Right click on Post.reg and select EDIT
Copy and paste back the results

Could you also post one more hijackthis log

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

This program here in your log
Silver Crest Memory Adapter Tools2.93
I'm just curious about it, what's it all about?

woody2005 · « **Reply #12 on:** February 27, 2005, 11:08:59 AM »

Hi again,

here's the logs you requested

Malware scan:

File: fmod.dll Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) Packers detected:
UPX AntiVir
No viruses found (0.39 seconds taken) Avast
No viruses found (1.53 seconds taken) AVG Antivirus
No viruses found (0.49 seconds taken) BitDefender
No viruses found (0.48 seconds taken) ClamAV
No viruses found (0.69 seconds taken) Dr.Web
No viruses found (1.16 seconds taken) F-Prot Antivirus
No viruses found (0.10 seconds taken) Fortinet
No viruses found (0.47 seconds taken) Kaspersky Anti-Virus
No viruses found (1.04 seconds taken) mks_vir
No viruses found (0.28 seconds taken) NOD32
No viruses found (0.55 seconds taken) Norman Virus Control
No viruses found (0.19 seconds taken)

Post.reg Log

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

And finally the latest HJT:

Logfile of HijackThis v1.99.0
Scan saved at 15:54:23, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\qttask.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\O-Card\oic.exe
C:\Program Files\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\HPDESK\hppddir.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jude, I Love you
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\system32\oichlpr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [O-Card] C:\Program Files\O-Card\oic.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\Fmempro.exe" autostart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100484485670
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: CA License Client - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Event Log Watch - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Silver Crest Memory Adapter Tools 2.93 is the software that came with my removable memory stick that plugs into my usb port.

Regards,

Karl

guestolo · « **Reply #13 on:** February 27, 2005, 07:14:31 PM »

To be on the safe side, you may want to do the following

Save this too a Notepad file and then close down all browser windows

Go to START>>RUN
In the open field
Copy and paste the bold line below and then hit OK

regsvr32 /u C:\WINDOWS\SYSTEM32\fmod.dll

That should unregister the .dll
Then navigate too C:\WINDOWS\SYSTEM32\fmod.dll
Right click and rename fmod.dll
to
fmod.old

If you have no problems with it in the future you can delete it, if it's needed you can
rename the file back to the original name and reregister
with
regsvr32 C:\WINDOWS\SYSTEM32\fmod.dll

Let me know how you make out
Thanks for the info on Silver Crest

If you still have TDS3 installed, remember it's good for 30days
If you decide to hold onto it for the duration
Bookmark the page to the manual updates
Update your radius database one more time and run a scan before uninstalling

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

woody2005 · « **Reply #14 on:** February 28, 2005, 11:49:19 AM »

Hi,

Copied and pasted the line that you asked but when I clicked on ok the system told me that
"c:\windows\system32\fmod.dll was loaded, but the dllUnregisterServer entry point was not found. This file cannot be registered."

Bestfind4u has finally disappeared, thank god!! Your help was greatly appreciated.

Incidently, has all of this any bearing on my other query regarding the date issue that I mentioned in my original post? I have tried to change the date on the website but it still comes up in the MM/DD format.

Regards,

Karl

A donation is on its way to your fantastic website

guestolo · « **Reply #15 on:** February 28, 2005, 03:05:23 PM »

I'm curious if it is a Cookie, cache problem

Can you access your Internet options via Control Panel
and clear Cookies, Files and History

On top of that you may want to try this cleanup utility to help you out with that
and your Temp folders
Best after installed, you Restart your computer and then run it, just to ensure that your not needing anything in your temp folders until next Reboot

It's a free utility
Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, etc...
Windows Cleanup
Open Windows CleanUp!
START>>All programs>>CleanUp!
Click the CleanUp! button
Let it finish scanning for files and when done Log off and back on again
To clean whatever is in use

Try the site again, still the same problem?
Is your clock set to the right time on the computer?

Guest · « **Reply #16 on:** March 19, 2005, 07:15:17 PM »

Thanks again for your help...with your expert advice it seems like we've kicked bestfind4u into touch. As for the other problem...well it doesn't seem to be affecting any programs or having any visible effect on computer performance.

Here's hoping I won't be back but if I have to then I know I'll get the best advice.

Regards,

Karl

guestolo · « **Reply #17 on:** March 19, 2005, 11:00:45 PM »

Glad to hear things are still well
I'm locking this thread
Thanks for posting back Karl
By the way Karl, Admin may not of noticed that a Donation was sent
I'm sure he thanks you if one was
And I thank you, it will help to maintain the site to allow help for others
in the future

Take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: Bestfind4u and other issues (Read 2292 times)

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

Guest_woody2005_*

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

woody2005

Bestfind4u and other issues

guestolo

Bestfind4u and other issues

Guest

Bestfind4u and other issues

guestolo

Bestfind4u and other issues