Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Reply
 
Topic Tools
  #1  
Old December 29th, 2005, 03:01 AM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
Having bigtime spyware problems, please help (HJT scanlog)

Well, I did a dumb thing yesterday. I downloaded Kazaa to try to get a download not on Itunes. Long story short, I'm now getting pummelled by spyware, malware, etc. Ad-Aware and Windows Washer haven't helped. Symptoms: (1) hijacked homepage; (2) "your computer is infected" icons in my taskbar; (3) an occassional scroll-bar at the top of my screen; and (4) other crappy stuff (SpyAxe, etc.). Any help to solve these problem would be appreciated massively !!

Ran HJT and produced the following:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:27 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\winstall.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\winstall.exe
C:\winstall.exe
C:\winstall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbfh.dll/sp.html#77035%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\orbfh.dll/sp.html#77035%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\orbfh.dll/sp.html#77035%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbfh.dll/sp.html#77035%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\orbfh.dll/sp.html#77035%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp228F.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [rscn] C:\WINDOWS\system32\bum867.exe ymmud
O4 - HKLM\..\Run: [adddh.exe] C:\WINDOWS\adddh.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [39.tmp] C:\DOCUME~1\Louis\LOCALS~1\Temp\39.tmp.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [39.tmp.exe] C:\DOCUME~1\Louis\LOCALS~1\Temp\39.tmp.exe
O4 - HKLM\..\Run: [38.tmp.exe] C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Last edited by lnsjr1; December 29th, 2005 at 03:06 AM.
Reply With Quote


  #2  
Old December 29th, 2005, 02:33 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
There are several infections...Try to uninstall Kazaa..Then do this :

1- Download smitRem.exe
and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

2- Download the trial version of Ewido Security Suite from HERE.
Install it (When installing, under "Additional Options" uncheck : -Install background guard and -Install scan via context menu), and update the definitions to the newest files. Do NOT run a scan yet.

Reboot your computer in SafeMode .

1- Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

2- Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

Reboot in normal mode and here:
- Post a new HijackThis log.
- Copy/paste the Ewido report, please.
Reply With Quote
  #3  
Old December 29th, 2005, 04:05 PM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
First off, thanks so much for your help.

I've done everything you said. Here's the Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:46 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [adddh.exe] C:\WINDOWS\adddh.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [39.tmp] C:\DOCUME~1\Louis\LOCALS~1\Temp\39.tmp.exe
O4 - HKLM\..\Run: [39.tmp.exe] C:\DOCUME~1\Louis\LOCALS~1\Temp\39.tmp.exe
O4 - HKLM\..\Run: [38.tmp.exe] C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Reply With Quote
  #4  
Old December 29th, 2005, 04:06 PM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
And here's the Ewido report:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:58:24 AM, 12/29/2005
+ Report-Checksum: DD30D37F

+ Scan result:

HKU\S-1-5-21-343818398-688789844-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
[752] C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Cleaned with backup
C:\Documents and Settings\Louis\Cookies\louis@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Louis\Cookies\louis@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Louis\Cookies\louis@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Louis\Cookies\louis@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Louis\Cookies\louis@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\New Folder\WKekcrWwODzpkWip2oED6eaun2z3GvsQ.!!! -> Hijacker.Spywad.n : Cleaned with backup
C:\WINDOWS\$_hpcst$.hpc:jphoe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB888113.loghsrk -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB890923.log:aavch -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netao32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netmc.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkkj.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\syshb32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addwv.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apios32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\bum867.exe -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\mfcva.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netod32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\private.exe -> Downloader.Small.cdj : Cleaned with backup
C:\WINDOWS\system32\s.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\sdfdil.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\sdkik32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\spoolsrv32.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\srpcsrv32.dll -> Downloader.Adload.g : Cleaned with backup
C:\WINDOWS\system32\tio130.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio180.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio340.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio367.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio53.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio642.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio649.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio662.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio709.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\tio751.dll -> Downloader.Small.ccm : Cleaned with backup
C:\WINDOWS\system32\voi303.exe -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\system32\voi724.exe -> Downloader.Agent.zx : Cleaned with backup
C:\WINDOWS\system32\voi739.exe -> Downloader.Small.cdj : Cleaned with backup
C:\WINDOWS\system32\voi88.exe -> Dropper.Agent.ii : Cleaned with backup
C:\WINDOWS\system32\wbeconm.dll -> Downloader.SpyAxe : Cleaned with backup
C:\WINDOWS\_default.pifslll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tocve -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\_default.pif:yoevi -> Downloader.Agent.bc : Cleaned with backup


::Report End
Reply With Quote
  #5  
Old December 29th, 2005, 04:08 PM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
And finally, here's the smitRem log:


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/29/2005
The current time is: 8:58:01.09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!


WinHound.com key was NOT successfully removed!


spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Winhound


~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
Install.dat


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

wbeconm.dll
svcp.csv
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
oleext.dll
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

wbeconm.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!
Reply With Quote
  #6  
Old December 29th, 2005, 04:09 PM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
Again, thanks for your help. I can already tell that there's been a lot of crap removed. Please let me know if I need to do anything else.

THANKS !!
Reply With Quote
  #7  
Old December 29th, 2005, 04:38 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Yes, a good cleaning !

Close all browser windows, run only HijackThis and tick :

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [adddh.exe] C:\WINDOWS\adddh.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [39.tmp] C:\DOCUME~1\Louis\LOCALS~1\Temp\39.tmp.exe
O4 - HKLM\..\Run: [39.tmp.exe] C:\DOCUME~1\Louis\LOCALS~1\Temp\39.tmp.exe
O4 - HKLM\..\Run: [38.tmp.exe] C:\DOCUME~1\Louis\LOCALS~1\Temp\38.tmp.exe

Click "Fix checked".

Reboot in safe mode.
Make sure that you can view hidden files and folders,
as explained HERE
uncheck "Hide Extensions for Known File Types".

- Empty this folder :
C:\DOCUME~1\Louis\LOCALS~1\Temp\
(don't delete the folder itself, but all the files it contents)
- If this file is present, delete it too :
C:\WINDOWS\adddh.exe
- Empty the recycle bin.

Then, reboot in normal mode and post a new HijackTis log, please.
Reply With Quote
  #8  
Old December 29th, 2005, 05:02 PM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
Done. Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:32 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks !
Reply With Quote
  #9  
Old December 29th, 2005, 05:05 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Everything looks ok, now.
Reply With Quote
  #10  
Old December 29th, 2005, 05:14 PM
lnsjr1 lnsjr1 is offline
New Member
 
Join Date: Dec 2005
Posts: 7
Awesome !! YOU ROCK !!

Thanks so much for your help.
Reply With Quote
  #11  
Old December 29th, 2005, 05:27 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Don't hesitate to run tools as Ad-Aware Se and SpyBot S&D. You'll find them HERE. Because we don't see all with HijackThis.

Happy surfing, lnsjr1 !
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump




All times are GMT +1. The time now is 08:18 AM.