Author Topic: how do I get rid of this hijacker!? (Read 4611 times)

fr8st3 · « **on:** March 06, 2005, 11:15:29 AM »

This trojan has taken over my computer for months now. At first, i used cwshredder and it worked for a while. Then a couple of weeks ago the hijacker "morphed" into something else and now nothing works. I also bought spyware vanisher and it didn't help. I downloaded hijackthis but I dont know what to do next.

Logfile of HijackThis v1.99.1
Scan saved at 10:14:40 AM, on 3/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\runner.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243BF4B7-817F-4ABD-8ECC-75461427ACD7} - C:\WINNT\System32\ajdn.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAFINK\instafink.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\System32\runner.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ice_3_ES_XP.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD27A22-0756-4A1D-A36D-C4433A63C2C9}: NameServer = 151.164.1.8 151.164.30.105
O18 - Filter: text/html - {FBF609A2-D6B3-47B3-8830-BF446A37F008} - C:\WINNT\System32\ajdn.dll
O18 - Filter: text/plain - {FBF609A2-D6B3-47B3-8830-BF446A37F008} - C:\WINNT\System32\ajdn.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Please Help!

guestolo · « **Reply #1 on:** March 06, 2005, 05:55:51 PM »

Access your Add/Remove Programs and remove if found
Gator
P2P Networking Useless addon, usually associated with Kazaa, can cause signifigant slowdowns in system performance and browsing
If prompted to remove Altnets Do so

I would also remove MyWay or MyBar or similiar

Restart your computer afterwards

I'm sorry you got persuaded into purchasing SpywareVanisher
It's on the Rogue (Bogus) list
See this link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When Installing it may download and start running a scan
Allow to update, but Don't run a scan yet

RESTART your Computer in SAFE MODE

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to Normal mode to finish the cleaning process

Once back in windows, we need some tools to help identify some entries
Download and save to Desktop DLLCompare

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log

Also, Download STARTDRECK

Unzip it to it's own folder

run StartDreck.exe:
Hit: -config
Hit: -Unmark all

Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log

Also post back a fresh Hijackthis log afterwards

Can you do me a favor
Open Spybot>>Click on HELP>>ABOUT >>>Let me know Spybot version and Latest detection update date

fr8st3 · « **Reply #2 on:** March 08, 2005, 01:16:07 AM »

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\kbd.dll Fri Jun 25 2004 11:06:36a A...R 57,344 56.00 K
________________________________________________

1,288 items found: 1,288 files (1 H/S), 0 directories.
Total of file sizes: 260,333,481 bytes 248.27 M

Administrator Account = True

--------------------End log---------------------

StartDreck (build 2.1.7 public stable) - 2005-03-08 @ 00:13:21 (GMT -06:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Owner at PARKSCOMP

»Registry
»Run Keys
»Current User
»Run
*Yahoo! Pager=1
*ctfmon.exe=C:\WINNT\System32\ctfmon.exe
*Boost XP Service=C:\Program Files\Boost XP\bxservice.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*runner.exe=C:\WINNT\System32\runner.exe
»RunOnce
»Default User
»Run
»RunOnce
*SetDefaultMidi=MIDIDEF.EXE
»Local Machine
»Run
*NeroCheck=C:\WINNT\System32\NeroCheck.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*mmtask=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
*NvCplDaemon=RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
*CTHelper=CTHELPER.EXE
*MMTray=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
*Logitech Utility=Logi_MwX.Exe
*BJCFD=C:\Program Files\BroadJump\Client Foundation\CFD.exe
*tgcmdprovidersbc="c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
*Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
*nwiz=nwiz.exe /install
*NvMediaCenter=RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
*AceGain LiveUpdate=C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*P2P Networking=C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*{243BF4B7-817F-4ABD-8ECC-75461427ACD7}
`InprocServer32=C:\WINNT\System32\ajdn.dll
*instafink.INSTAFINK/{4E7BD74F-2B8D-469E-90F0-F66AB581A933}
`InprocServer32=C:\PROGRA~1\INSTAFINK\instafink.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
*{549B5CA7-4A86-11D7-A4DF-000874180BB3}
`InprocServer32=
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
*{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
`InprocServer32=
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+620=\SystemRoot\System32\smss.exe
+668=\??\C:\WINNT\system32\csrss.exe
+692=\??\C:\WINNT\system32\winlogon.exe
+756=C:\WINNT\system32\services.exe
+768=C:\WINNT\system32\lsass.exe
+972=C:\WINNT\system32\svchost.exe
+1096=C:\WINNT\System32\svchost.exe
+1240=C:\WINNT\System32\svchost.exe
+1276=C:\WINNT\System32\svchost.exe
+1352=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1468=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1756=C:\WINNT\Explorer.EXE
+1784=C:\WINNT\system32\spoolsv.exe
+1980=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+2004=C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
+140=C:\WINNT\System32\CTHELPER.EXE
+308=C:\Program Files\BroadJump\Client Foundation\CFD.exe
+336=C:\program files\support.com\bin\tgcmd.exe
+352=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
+456=C:\WINNT\System32\RUNDLL32.EXE
+480=C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
+528=C:\Program Files\iTunes\iTunesHelper.exe
+548=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+584=C:\WINNT\System32\ctfmon.exe
+596=C:\Program Files\Messenger\msmsgs.exe
+612=C:\WINNT\System32\runner.exe
+940=C:\WINNT\System32\rundll32.exe
+1064=C:\Program Files\SBC\Connection Manager\CManager.exe
+1624=C:\Program Files\Logitech\MouseWare\system\em_exec.exe
+144=C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
+2736=C:\WINNT\System32\alg.exe
+2800=C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
+2824=C:\Program Files\Norton AntiVirus\navapsvc.exe
+2900=C:\WINNT\System32\nvsvc32.exe
+3132=C:\WINNT\system32\slserv.exe
+3188=C:\WINNT\System32\svchost.exe
+3844=C:\Program Files\iPod\bin\iPodService.exe
+412=C:\Program Files\JGsoft\EditPadLite\EditPad.exe
+1480=C:\Documents and Settings\Owner\My Documents\Corey's Docs\InstallZuma.exe
+3672=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+2120=C:\Documents and Settings\Owner\Desktop\DllCompare.exe
+2472=C:\Documents and Settings\Owner\My Documents\Corey's Docs\startdreck\StartDreck.exe
»Application specific

Logfile of HijackThis v1.99.1
Scan saved at 12:14:21 AM, on 3/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\runner.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Documents and Settings\Owner\My Documents\Corey's Docs\InstallZuma.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\DllCompare.exe
C:\Documents and Settings\Owner\My Documents\Corey's Docs\startdreck\StartDreck.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243BF4B7-817F-4ABD-8ECC-75461427ACD7} - C:\WINNT\System32\ajdn.dll (file missing)
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAFINK\instafink.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [runner.exe] C:\WINNT\System32\runner.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ice_3_ES_XP.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD27A22-0756-4A1D-A36D-C4433A63C2C9}: NameServer = 151.164.1.8 151.164.30.105
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

The version of Spybot is 3.1 Date: 2004-09-04

guestolo · « **Reply #3 on:** March 08, 2005, 01:58:45 AM »

Open your add/Remove Programs and remove if found
InstaFinderK
Restart your computer if removed

Download and save to desktop this Removal tool developed by Symantec

also

Download and save to desktop The STANDALONE version of CWShredder.exe
Don't run this yet

Please print this out or save to a Notepad file on your desktop for easy access
START>>RUN>>type in notepad
hit OK

Disconnect from the Internet (Close down all browser windows) and all unnecessary programs running in the background

Open Hijackthis>>Open Misc tools>>Open Delete File on Reboot
Copy and paste the bold line below into the File Name box

C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll

Then click OPEN, when prompted to Restart

Please Restart into Safe mode, you can do this by tapping the F8 key as the system is booting up

In safe mode

Find and delete these files or folders if they exist
C:\Program Files\INSTAFINK <--folder
C:\WINNT\System32\P2P Networking <--folder

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {243BF4B7-817F-4ABD-8ECC-75461427ACD7} - C:\WINNT\System32\ajdn.dll (file missing)
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAFINK\instafink.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKCU\..\Run: [runner.exe] C:\WINNT\System32\runner.exe

O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ice_3_ES_XP.cab

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Do a Disk CleanUp, Ensure that temp and temporary Internet files are checked
START>>RUN>>Type in cleanmgr
Hit OK

Again, in safe mode
Double-click the FxAgentB removal tool by Symantec to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
RESTART your computer when Done

Back in Windows
Open just CWShredder and click ONLY the FIX button, let it fix all problems
Restart your computer

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log
Could you also post the Whole>>> FxAgentB.log

Would you also
Access this Online Malware Scan
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard drive
C:\WINNT\System32\runner.exe<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results, I believe it's a trojan I had scanned awhile back, but I want to make sure

Also run another scan with DLLCompare
If this entry is still hanging around
C:\WINNT\SYSTEM32\kbd.dll Fri Jun 25 2004 11:06:36a A...R 57,344 56.00 K

Could you additionally, if that entry is still found in DLLCompare
Download and install Registrar Lite.
http://www.resplendence.com/reglite
Install it and then run it
Copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "Go" tab.
Find: "Appinit_Dlls" value on the right side panel
DoubleClick on it
Copy and post here the information in the 'Value' field.

fr8st3 · « **Reply #4 on:** March 08, 2005, 11:10:19 PM »

FxAgent B log

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

process: winlogon.exe, thread: 000000EC (terminated)
process: services.exe, thread: 00000128 (terminated)
process: lsass.exe, thread: 00000130 (terminated)
process: svchost.exe, thread: 000001E4 (terminated)
process: svchost.exe, thread: 00000208 (terminated)
process: explorer.exe, thread: 000002FC (terminated)
process: cleanmgr.exe, thread: 00000414 (terminated)
process: CFD.exe, thread: 000004B8 (terminated)
process: rundll32.exe, thread: 0000050C (terminated)
process: ctfmon.exe, thread: 0000057C (terminated)
process: FxAgentB.exe, thread: 00000240 (terminated)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")

C:\Documents and Settings\Owner\My Documents\My Music\iTunes\iTunes Music\

?: (not scanned)
C:\WINNT\system32\kbd.dll: (will be deleted on next reboot)

The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 82656
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 11
The number of registry entries fixed: 1

The tool initiated a system reboot.

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 9:53:03 PM, on 3/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DCD80B9C-C74C-48E8-9D9F-C6BE8C2D0D0F} - C:\WINNT\System32\cjoom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O18 - Filter: text/html - {4F60B211-8E8A-4970-A149-9CA8227BEC9D} - C:\WINNT\System32\cjoom.dll
O18 - Filter: text/plain - {4F60B211-8E8A-4970-A149-9CA8227BEC9D} - C:\WINNT\System32\cjoom.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Jotti's Online Malware Scan

Service load: 0% 100%

File: runner.exe
Status: INFECTED/MALWARE
Packers detected: PEX

AntiVir No viruses found (0.46 seconds taken)
Avast Win32:Trojan-gen. {Other} (1.58 seconds taken)
AVG Antivirus Proxy.15.M (1.03 seconds taken)
BitDefender Win32.Bagle.9.Gen@mm (0.65 seconds taken)
ClamAV Worm.Bagle.Gen-2 (0.60 seconds taken)
Dr.Web No viruses found (0.90 seconds taken)
F-Prot Antivirus No viruses found (0.14 seconds taken)
Fortinet No viruses found (0.43 seconds taken)
Kaspersky Anti-Virus Trojan-Proxy.Win32.Mitglieder.bk (1.02 seconds taken)
mks_vir Worm.Beagle.AV (0.23 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (0.51 seconds taken)
Norman Virus Control Sandbox: W32/Malware; [ General information ]

* File length: 10752 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\runner.exe.

[ Changes to registry ]
* Creates key "HKCU\Software\Timeout".
* Sets value "uid"="238131497" in key "HKCU\Software\Timeout".
* Sets value "port"="" in key "HKCU\Software\Timeout".
* Sets value "pid"="" in key "HKCU\Software\Timeout".
* Creates value "runner.exe"="C:\WINDOWS\SYSTEM\runner.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://www.lssacs.com/script.php?p=0&id=238131497p.
* Opens URL: http://www.lhmon.com/script.php?p=0&id=238131497p.

[ Security issues ]
* Possible backdoor functionality [QOS] port 4660.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Enumerates running processes. (1.12 seconds taken)

I did another dllcompare scan and the kbd.dll is gone but now it gave me a different dll

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\phe.dll Wed Jan 26 2005 6:12:10p ..S.R 0 0.00 K
________________________________________________

1,288 items found: 1,288 files (1 H/S), 0 directories.
Total of file sizes: 260,316,073 bytes 248.25 M

Administrator Account = True

--------------------End log---------------------

I clicked on the Appinit_Dlls, but there was nothing in the "value" field
the only info given was "type"=REG_SZ and "size"=1

thanks for helpin out.

guestolo · « **Reply #5 on:** March 08, 2005, 11:28:56 PM »

Let's try this
Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file on your desktop and then close down all other open Windows, including this one

Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINNT\System32\runner.exe

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.

Do the same for these ones

C:\WINNT\System32\cjoom.dll

C:\WINNT\SYSTEM32\phe.dll

Finally, in Full Path of File to Delete, copy and paste the following:

C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!

Restart if not prompted

Back in Windows, Don't open any other windows

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {DCD80B9C-C74C-48E8-9D9F-C6BE8C2D0D0F} - C:\WINNT\System32\cjoom.dll

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall

O18 - Filter: text/html - {4F60B211-8E8A-4970-A149-9CA8227BEC9D} - C:\WINNT\System32\cjoom.dll
O18 - Filter: text/plain - {4F60B211-8E8A-4970-A149-9CA8227BEC9D} - C:\WINNT\System32\cjoom.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your computer one more time

Post back a fresh Hijackthis log and a new log from DLLCompare

fr8st3 · « **Reply #6 on:** March 09, 2005, 11:37:40 PM »

hey that last thing worked. the hijacker is gone and there aren't any random pop up adds

here's the hijackthis log

thanks for all your help!

Logfile of HijackThis v1.99.1
Scan saved at 10:33:59 PM, on 3/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Boost XP Service] C:\Program Files\Boost XP\bxservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

guestolo · « **Reply #7 on:** March 10, 2005, 12:26:32 AM »

Looks good

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

guestolo · « **Reply #8 on:** March 13, 2005, 01:18:02 PM »

I'll lock this thread as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread

Take Care

TheTechGuide Forum

News:

Author Topic: how do I get rid of this hijacker!? (Read 4611 times)

fr8st3

how do I get rid of this hijacker!?

guestolo

how do I get rid of this hijacker!?

fr8st3

how do I get rid of this hijacker!?

guestolo

how do I get rid of this hijacker!?

fr8st3

how do I get rid of this hijacker!?

guestolo

how do I get rid of this hijacker!?

fr8st3

how do I get rid of this hijacker!?

guestolo

how do I get rid of this hijacker!?

guestolo

how do I get rid of this hijacker!?