Author Topic: When it rains it pours (Read 1771 times)

Enchantingsylph · « **on:** December 08, 2005, 06:57:48 PM »

Ok first off I want to say that this is my first post. I came to this site doing a search on a regkey that I thought looked suspicious. I was directed to an entry here http://www.thetechguide.com/forum/index.php?showtopic=22557

I was going to follow the recommended procedure for him but it couldnt be that simple. I downloaded highjackthis.exe and told it to do theses steps as guestolo suggested for that fella:

*******Open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
Copy and paste the following bold line into the file name field
Then click the OPEN button

C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe

Don't allow hijackthis to reboot yet

Instead, Do another scan with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer*******

Now I have rebooted the computer and go on to his next entry which says:

*****Can you do the following
Go back to
C:\Program Files\Common Files\Windows folder

Can you right click on those files and left click properties
Let me know date created, was it about the same time popups starting happening
Do you know what they're related too*****

When I go into that folder I also have the psapi.dll that was created in feb of 2004 and the AutoIt.exe that was created on Nov 2, 2005.

I sent it through the Jotti malware scan and and got the same exact results as jaycomc. psapi.dll came out clean and here is autoit3.exe
File: AutoIt3.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 162b6f2122563b20a0be2dfd23eec2d7
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.79 (probable variant)

After that point in his thread I was confused by all the computers and instructions going on. I do not know the program ewido yet. Is the freeware version any good after the trial version? I have NAV trial installed at the moment and and use adaware se. Hijackthis was easy enough to figure out so here is that logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:14 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Thomas\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BitPump] "C:\Program Files\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\BitPump\ieint.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase2213.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{264C6610-9DFA-4D99-8312-1F838B45DE4D}: NameServer = 24.159.64.23,24.159.64.20
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I keep scanning with adaware and NAV and there is something new every scan. NAV just informed me of some new Spyware.Apropos.C in a file named cfgadmin.dll and the deletion failed. I looked into the log viewer of norton and there are a BUNCH. I will throw that in here in case any of this is residual from those invasions.

,Threat category: SpywareSource: C:\WINDOWS\system32\cfgadmin.dll,Description: The file C:\WINDOWS\system32\cfgadmin.dll is a Spyware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\Windows\services32.exe,Description: The file C:\Program Files\Common Files\Windows\services32.exe is a Adware threat.
,Threat category: AdwareSource: C:\WINDOWS\system32\mqexdlm.srg,Description: The file C:\WINDOWS\system32\mqexdlm.srg is a Adware threat.
,Threat category: VirusSource: C:\WINDOWS\system32\astr.exe,Description: The file C:\WINDOWS\system32\astr.exe is infected with the PWSteal.Trojan virus.
,Threat category: AdwareSource: C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc63,Description: The file C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc63 is a Adware threat.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZIPerfect v1.3 Serial by anTiHer0.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZIPerfect v1.2.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZipBackup v2.1.1.4816.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zip6.5.918 by CHiCNCREAM.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZexLab Dreamway Revision v1.5.2 ARM Smartphone2002.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zeugnis-Alchemist 1.0.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZeroPopup63.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZeroAds v1.35.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zero X BeatCreator 1.6b.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zero Trace v1.0.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zero Popup v7.71 Crack by TSRH.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zero Popup v1.38 by PGC.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zero PopUp Killer XP v5.1 by ALEX.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zero Popup Killer 6.1.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZERO G INSTALL ANYWHERE V6.1 MAC by CROSSFiRE.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZERO G INSTALL ANYWHERE V6.1 LINUX.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\ZERO G INSTALL ANYWHERE V6.1 HP UX.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zeon DocuCom PDF Driver v4.60b.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zentrum Herbs 2.0.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zensura v2.61 Multilanguage.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zensura v2.60 Multilingual by ACME.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zeiterfassung v2.25.1.14 German by Acme.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zealot SWF2Video Studio v1.4.2 by TBE.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zealot SWF2Video Studio v1.4.1.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zealot SWF2Video Studio v1.3.1 by TBE.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zealot SWF2Video Studio v1.0.zip is infected with the W32.Alcra.A virus.
,Threat category: VirusSource: setup.exe,Description: The compressed file setup.exe within C:\RECYCLER\S-1-5-21-1175750902-570011401-2196729695-1006\Dc60\Incoming\Zealot SWF2Video Studio v1.0 by SND.zip is infected with the W32.Alcra.A virus.
,Threat category: AdwareSource: C:\Program Files\WebHost\webhost-v2.exe,Description: The file C:\Program Files\WebHost\webhost-v2.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\Windows\services32.exe,Description: The file C:\Program Files\Common Files\Windows\services32.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe,Description: The file C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizrp.exe,Description: The compressed file qizrp.exe within C:\Program Files\Common Files\qizr\qizrp.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizrp.exe,Description: The file C:\Program Files\Common Files\qizr\qizrp.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizrm.exe,Description: The compressed file qizrm.exe within C:\Program Files\Common Files\qizr\qizrm.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizrm.exe,Description: The file C:\Program Files\Common Files\qizr\qizrm.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizrl.exe,Description: The compressed file qizrl.exe within C:\Program Files\Common Files\qizr\qizrl.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizrl.exe,Description: The file C:\Program Files\Common Files\qizr\qizrl.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizra.exe,Description: The compressed file qizra.exe within C:\Program Files\Common Files\qizr\qizra.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\qizr\qizra.exe,Description: The file C:\Program Files\Common Files\qizr\qizra.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\InetGet\mc-110-12-0000137.exe,Description: The file C:\Program Files\Common Files\InetGet\mc-110-12-0000137.exe is a Adware threat.
,Threat category: AdwareSource: C:\Program Files\Common Files\Download\mc-110-12-0000137.exe,Description: The file C:\Program Files\Common Files\Download\mc-110-12-0000137.exe is a Adware threat.
,Threat category: AdwareSource: C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\S123KTE3\webhost-v2[1].exe,Description: The file C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\S123KTE3\webhost-v2[1].exe is a Adware threat.
,Threat category: AdwareSource: C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\IX8X0LE1\director_install[1].exe,Description: The file C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\IX8X0LE1\director_install[1].exe is a Adware threat.
,Threat category: AdwareSource: C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\8P6B8DIN\launcher[1].exe,Description: The file C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\8P6B8DIN\launcher[1].exe is a Adware threat.
,Threat category: AdwareSource: C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\012L4NXP\stub_109_4_0_4_0[1].exe,Description: The compressed file stub_109_4_0_4_0[1].exe within C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\012L4NXP\stub_109_4_0_4_0[1].exe is a Adware threat.
,Threat category: AdwareSource: C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\012L4NXP\stub_109_4_0_4_0[1].exe,Description: The file C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\012L4NXP\stub_109_4_0_4_0[1].exe is a Adware threat.
,Threat category: SpywareSource: C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\012L4NXP\CP[1].GH2,Description: The file C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\012L4NXP\CP[1].GH2 is a Spyware threat.
,Threat category: AdwareSource: C:\Documents and Settings\Thomas\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe,Description: The file C:\Documents and Settings\Thomas\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe is a Adware threat.

I have been fighting this for days and its something new all the time. Can we get rid of all of it for once and for all? I am about to restart in safe mode and try to get rid of apropos. After that I'm sure I will have fifteen more things to delete..... sigh

PS Sorry if I jump from one topic to another or ramble, my brain is fried from all of this and I was already sick.

guestolo · « **Reply #1 on:** December 08, 2005, 07:45:31 PM »

Yes, Ewido, when it becomes the free version is still quite good

can you do the following
I believe you have Apropos rootkit infection
We'll run a tool for that
Also, let's make sure we run a tool for W32.Alcra.A virus

When I ask you too download a zip file, make sure you choose SAVE TO DISK rather than Open
Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Download and save p2pnetwork.zip
Then UNZIP it to the BFU Folder so you now have p2pnetwork.bfu extracted

Download and save and then UNZIP to the BFU folder
BFU.zip
So you now have BFU.exe extracted

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode

Double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections

Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Reboot back to Normal mode

Back in Windows, can you post a few logs please

1. Scan and save logfile with Hijackthis again, post a fresh log
2. Post the Whole contents of Ewido's report
3. Post The entire contents of the log.txt file in the aproposfix folder

Enchantingsylph · « **Reply #2 on:** December 15, 2005, 01:11:00 AM »

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Thomas\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C6PR6A3ogSmD]
@="0J4eMKNYZZYZZaZ4x1zSJJYZZYobZ4uzp 40ZQWQRCKfeZBPGTCPQZU8LK9GMQaQWQ"
"Device"="\\\\.\\WLTNull"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\wanmbios.sys"
"DriverName"="SlW2omp"
"HideUninstallerName"="C:\\Program Files\\Outlient\\rwintbbu.exe"
"HDll"="C:\\WINDOWS\\system32\\cfgadmin.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.GH2"
"InstallationId"="{X45ea955-5487-74d9-7b7e-2515a68e2a9a}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"ClientName"="C:\\Program Files\\Outlient\\bathdprf.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\wzccsrss.exe"
"Version"="2.0.131"

************

Removing hidden service:
Service SlW2omp removed.

Removing hidden folder:
Deletion of folder Outlient succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\wanmbios.sys succeeded!
Deletion of file C:\WINDOWS\system32\wzccsrss.exe succeeded!
Deletion of file C:\WINDOWS\system32\cfgadmin.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C6PR6A3ogSmD]
[-HKEY_LOCAL_MACHINE\Software\C6PR6A3ogSmD]

Done!

Finished!

Logfile of HijackThis v1.99.1
Scan saved at 11:57:59 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LocalNet Express 2.0\PropelAC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\slrundll.exe
C:\Documents and Settings\Thomas\Desktop\hijackthis.exe
C:\WINDOWS\system32\CMDL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.localnet.com/adv_search.phtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5500
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BitPump] "C:\Program Files\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
O4 - HKLM\..\Run: [Sonork] "C:\Program Files\Sonork\sonork.exe" -auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\BitPump\ieint.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.localnet.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase2213.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{264C6610-9DFA-4D99-8312-1F838B45DE4D}: NameServer = 24.159.64.23,24.159.64.20
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         11:52:24 PM, 12/14/2005
+ Report-Checksum:      BE5A3988

+ Scan result:

   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B2.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B3.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B4.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B5.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B6.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B7.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B8.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B9.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> Spyware.Cookie.Webtrendslive : Cleaned with backup

::Report End

I want to thank you. Your instructions are very clear and precise. Helps ADD folks like myself

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' /> I did everything you suggested now. Let me know if anything still looks fishy.

Thanks

guestolo · « **Reply #3 on:** December 17, 2005, 10:07:24 PM »

I just seen you online, I forgot all about your post

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />
Can you repost a fresh hijackthis log please, I want to see what it looks like now, thanks

Enchantingsylph · « **Reply #4 on:** December 19, 2005, 05:39:31 PM »

See how you are?

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' /> I figured it was something like that. You must not forget me, for I am unforgettable!

Here you go:

Logfile of HijackThis v1.99.1
Scan saved at 4:36:10 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\LocalNet Express 2.0\PropelAC.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Thomas\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.localnet.com/adv_search.phtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BitPump] "C:\Program Files\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Sonork] "C:\Program Files\Sonork\sonork.exe" -auto
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\BitPump\ieint.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.localnet.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase2213.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

guestolo · « **Reply #5 on:** December 19, 2005, 05:54:50 PM »

Can you give me some info on these items in your hijackthis log please
O4 - HKLM\..\Run: [BitPump] "C:\Program Files\BitPump\bitpump.exe" /VerifySettings
I'm assuming a file sharing program

This next one
O4 - HKLM\..\Run: [Sonork] "C:\Program Files\Sonork\sonork.exe" -auto
Is it related too a instant messaging program?

Enchantingsylph · « **Reply #6 on:** December 20, 2005, 08:59:39 PM »

You are correct on both accounts. Bitpump is a bit torrent file sharing program and sonork is an instant messenger which use to be good before it went commercial

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' /> I know sonork is legit but bitpump is something a friend told me about since I was ticked off at limewire giving me Alcan.A Yes, for the record they are passing around infected files in limewire. The one I downloaded was called zmud and was suppose to be said mud client but it was not zmud at all! oh well....

guestolo · « **Reply #7 on:** December 20, 2005, 09:09:33 PM »

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in windows
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

P.S. Alcan A. can be spread by any file sharing program
It's a good idea to scan any file you download first with an updated Virus scanner before opening the file
We also rid you of a bad rootkit infection too

TheTechGuide Forum

News:

Author Topic: When it rains it pours (Read 1771 times)

Enchantingsylph

When it rains it pours

guestolo

When it rains it pours

Enchantingsylph

When it rains it pours

guestolo

When it rains it pours

Enchantingsylph

When it rains it pours

guestolo

When it rains it pours

Enchantingsylph

When it rains it pours

guestolo

When it rains it pours