Can't get rid of ezula, wintools and other spyware


12 replies to this topic

#1 mb12345
Member (Full Member, 9 posts)
Posted 27 June 2004 - 12:30 PM

Hello,

I have run adaware and spybot several times to get rid of the spyware on my PC but can't seem to get rid of everything. The ezula and wintools keep coming back. I am running McAfee Enterprise 7.0 anti-virus on my PC. Several times a day it detects files infected with the Adware-ezula virus. Most of these seem to come from some ezsys.exe and aisysUS.exe applications which are under the winnt/system32 folder. Most of the infected files have filenames like ezstub11111.exe.

I also had a look2me virus/spyware on my PC which I got rid of last week.

Below is the hijackthis log. Please help.


Logfile of HijackThis v1.97.7
Scan saved at 1:26:08 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\software\wcomagent\collectionagent.exe
c:\_integra\bin\ccmagent.exe
C:\WINNT\System32\MsPMSPSv.exe
c:\_integra\bin\shstart.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\whfbidw.exe
C:\WINNT\System32\LzioMediaUpdater.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WINNT\system32\etlitr50.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mufazzal.bohri\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MCI
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\System32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\System32\ielcaabe.dll
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\whfbidw.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [rsrV3ng] htirdssp.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\WTuninst.exe remove
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8155.4588078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0136FA8-3EB4-4D66-8C88-1037DAE0E06F} (UUServConfig.GetRegValue) - http://pc.mcilink.co...UServConfig.CAB
O16 - DPF: {E6C53E8E-24CA-4BEF-8C68-654510AF071B} - http://pc.mcilink.co.../Webinstall.CAB
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dsmain.com

#2 LoPhatPhuud
Master of Disaster Recovery (Emeritus, 432 posts)
Posted 29 June 2004 - 05:53 PM

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe

O2 - BHO: (no name) - {00000000-10D6-4e5f-8F7F-29B32C1C0FC4} - C:\WINNT\System32\icddefff.dll
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\System32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\System32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\System32\ielcaabe.dll
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll

O4 - HKLM\..\Run: [rsrV3ng] htirdssp.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\WTuninst.exe remove
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe

O16 - DPF: {E6C53E8E-24CA-4BEF-8C68-654510AF071B} - http://pc.mcilink.co.../Webinstall.CAB

O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINNT\System32\htirdssp.exe
C:\WINNT\System32\he3bbcff.dll
C:\WINNT\System32\wmcbaaca.dll
C:\WINNT\System32\icddefff.dll
C:\WINNT\System32\ielcaabe.dll
C:\WINNT\srchupdt.exe
C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\tb_setup.exe
C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\WTuninst.exe
C:\Program Files\Common files\WinTools\ <-- delete folder
C:\PROGRA~1\Web Offer\wo.exe
C:\WINNT\System32\iaswmi.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#3 mb12345
Member (Full Member, 9 posts)
Posted 05 July 2004 - 03:37 PM

Hello,

Thank you very much for your response.

However, I am unable to start my PC in SAFE MODE. The PC hangs. I even tried Safe Mode with Networking and Safe Mode with Command Prompt, and nothing works.

Do I need to do this in safe mode or would it be okay if I do it in normal mode?

Please advise.

Thanks again for all your help.

#4 LoPhatPhuud
Master of Disaster Recovery (Emeritus, 432 posts)
Posted 05 July 2004 - 03:45 PM

Most of the files should delete in normal mode. Try and then post a new HJT log and let me know about the files.

#5 mb12345
Member (Full Member, 9 posts)
Posted 06 July 2004 - 09:40 AM

Hello,

I guess I did something stupid. I wanted to give it a last shot to start my PC in safe mode. So I followed the instructions to use the Systems Utility Configuration, invoke msconfig and check the "Safe Mode" box. I didn't realize I would run into the same problem as with using the F-8 key.

So, now my computer starts in safe mode and hangs at the login prompt. I am now unable to make it start in a normal mode. Even if I hit the F-8 key and choose the normal mode, it still starts in safe mode because I have checked the safe mode in msconfig.

So I am running into a catch-22 situation now. This is far worse than having spyware on my PC. Now I am unable to get back into my computer. I am using a friend's PC to post this message.

Please let me know if there is any way to somehow log in in normal mode so at least I can get control of the PC.

Thanks a lot. Please reply soon, as I will be waiting for your response while I am using my friend's PC.

Thanks for your help and appreciate it.

#6 LoPhatPhuud
Master of Disaster Recovery (Emeritus, 432 posts)
Posted 06 July 2004 - 12:09 PM

While you are in Safe Mode, run msconfig and change it back.

#7 mb12345
Member (Full Member, 9 posts)
Posted 06 July 2004 - 08:23 PM

Hi,

I finally managed to fix the problems. I was getting stuck in safe mode due to the image of XP I had on my PC. The keyboard was getting locked.

Anyway, I did everything you had advised me earlier. Here is my new HJT log. Please let me know what additional steps I need to take.

Thanks for all your help.


Logfile of HijackThis v1.97.7
Scan saved at 9:18:07 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
c:\_integra\bin\shstart.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\whfbidw.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\software\wcomagent\collectionagent.exe
c:\_integra\bin\ccmagent.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MCI
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\whfbidw.exe
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8155.4588078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0136FA8-3EB4-4D66-8C88-1037DAE0E06F} (UUServConfig.GetRegValue) - http://pc.mcilink.co...UServConfig.CAB
O16 - DPF: {E6C53E8E-24CA-4BEF-8C68-654510AF071B} - http://pc.mcilink.co.../Webinstall.CAB
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.dsmain.com

#8 mb12345
Member (Full Member, 9 posts)
Posted 06 July 2004 - 08:37 PM

Hi,

I can't believe this is happening. I had removed wintools, let my PC be connected to the internet and run for an hour or so. Then I had replied to this thread and posted my recent HJT log, hoping that I had removed all the spyware.

But now, I see wintools running again. How did I get this back? Here is my most recent HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 9:35:12 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
c:\_integra\bin\shstart.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\whfbidw.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\software\wcomagent\collectionagent.exe
c:\_integra\bin\ccmagent.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MCI
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\whfbidw.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8155.4588078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0136FA8-3EB4-4D66-8C88-1037DAE0E06F} (UUServConfig.GetRegValue) - http://pc.mcilink.co...UServConfig.CAB
O16 - DPF: {E6C53E8E-24CA-4BEF-8C68-654510AF071B} - http://pc.mcilink.co.../Webinstall.CAB
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.dsmain.com


Thanks for your help.
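As an added example (not part of this thread or of HijackThis itself), the script below parses HijackThis-style logs, diffs two scans, and flags entries that were cleaned and then came back, which is exactly the WinTools pattern between posts #7 and #8; it also lists the distinct DLLs behind the repeated O10 lines that the LSPfix step addresses. The sample scans are constructed from a few lines of this thread's logs.

```python
import re

# A HijackThis entry line starts with a section code such as R0, F2, O4 or O10.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, entries).

    Entries are (section, detail) tuples, e.g. ("O4", r"HKLM\..\Run: [WinTools] ...").
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2).strip()))
        elif in_procs:
            processes.append(line)
    return processes, entries


def _index(items):
    """Map a case-folded key to the first original spelling of each item.

    Windows paths are case-insensitive and the same file shows up as
    'Common files' in one scan and 'Common Files' in the next, so compare
    folded text but report the original.
    """
    idx = {}
    for it in items:
        key = it.lower() if isinstance(it, str) else (it[0], it[1].lower())
        idx.setdefault(key, it)
    return idx


def diff_logs(older, newer):
    """Report processes and entries that appeared or disappeared between two scans."""
    o_procs, o_entries = parse_hjt(older)
    n_procs, n_entries = parse_hjt(newer)
    op, oe = _index(o_procs), _index(o_entries)
    np_, ne = _index(n_procs), _index(n_entries)
    return {
        "procs_added": [np_[k] for k in np_ if k not in op],
        "procs_removed": [op[k] for k in op if k not in np_],
        "entries_added": [ne[k] for k in ne if k not in oe],
        "entries_removed": [oe[k] for k in oe if k not in ne],
    }


def reappeared(before, cleaned, after):
    """Entries present before cleanup, absent right after it, and back again later.

    Something re-created them (a surviving process, a startup hook the log does
    not list, or a fresh download), so deleting the files again will not stick
    until that source is found.
    """
    b = _index(parse_hjt(before)[1])
    c = _index(parse_hjt(cleaned)[1])
    a = _index(parse_hjt(after)[1])
    return [a[k] for k in a if k in b and k not in c]


def unknown_lsp_files(text):
    """Distinct DLLs HijackThis reports as unknown Winsock LSPs (O10 lines).

    One DLL is typically listed once per Winsock catalog entry it is registered
    in, which is how a single file fills several O10 lines.
    """
    files = set()
    for section, detail in parse_hjt(text)[1]:
        if section == "O10" and detail.startswith("Unknown file in Winsock LSP:"):
            files.add(detail.split(":", 1)[1].strip().lower())
    return sorted(files)


# Constructed sample scans, a few lines each, modelled on this thread's logs:
# before cleanup, right after cleanup, and an hour later.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Common files\WinTools\WToolsA.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
"""

SCAN_CLEANED = r"""
Running processes:
C:\WINNT\System32\smss.exe

O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
"""

SCAN_AFTER = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
"""

if __name__ == "__main__":
    for name, items in diff_logs(SCAN_CLEANED, SCAN_AFTER).items():
        print(name, items)
    print("reappeared:", reappeared(SCAN_BEFORE, SCAN_CLEANED, SCAN_AFTER))
    print("unknown LSPs:", unknown_lsp_files(SCAN_BEFORE))
```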

#9 mb12345
Member (Full Member, 9 posts)
Posted 08 July 2004 - 07:48 PM

Hello LoPhatPhuud,

Could you please tell me what I should do next?

Thanks!

#10 LoPhatPhuud
Master of Disaster Recovery (Emeritus, 432 posts)
Posted 08 July 2004 - 08:09 PM

First:
Download LSPfix here: www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of cdlsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish
Reboot


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\whfbidw.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\Run: [aB09RhMFg] iaswmi.exe

Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode* and delete the following: (you may need to show hidden files**)
C:\WINNT\System32\whfbidw.exe
C:\Program Files\Common Files\WinTools\ <-- delete folder
C:\DOCUME~1\MUFAZZ~1.BOH\LOCALS~1\Temp\tb_setup.exe
C:\WINNT\System32\iaswmi.exe

*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 1.98.0 is now available.
If you do already have it installed, download it from here:
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Then run HiJackThis again and post a new log in this thread.

#11 mb12345
Member (Full Member, 9 posts)
Posted 10 July 2004 - 06:20 PM

Hi LoPhatPhuud,

I did everything as you said, except removing this one:

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe

I see that the application installed under the _integra folder is something that my company has installed, they use it to push automatic updates. I cannot remove that program, so do I still need to remove the entry mentioned above?

I have run hijackthis and the log is posted below. I continue to get a lot of viruses in the ezula files. I don't see ezula in the results of hijackthis. But under c:\winnt\system32, there is an ezsys.exe file, which is the source of all the viruses. What should I do with this file?



Logfile of HijackThis v1.98.0
Scan saved at 7:15:13 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\software\wcomagent\collectionagent.exe
c:\_integra\bin\ccmagent.exe
C:\WINNT\System32\MsPMSPSv.exe
c:\_integra\bin\shstart.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WINNT\system32\etlitr50.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MCI
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {E0136FA8-3EB4-4D66-8C88-1037DAE0E06F} (UUServConfig.GetRegValue) - http://pc.mcilink.co...UServConfig.CAB
O16 - DPF: {E6C53E8E-24CA-4BEF-8C68-654510AF071B} - http://pc.mcilink.co.../Webinstall.CAB
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.dsmain.com


Thanks a million for your help. I appreciate it a lot.
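
Added example (not code from the thread, HijackThis, or any of the tools named here): a small parser that turns HijackThis log lines like the ones above into structured records and points out the entry types a reviewer looks at first, namely O16 entries (ActiveX controls downloaded into IE, the same mechanism the ActiveX zone advice later in the thread addresses) and O4 autorun entries that either name a bare executable resolved through the search path or a startup shortcut whose target HijackThis could not resolve. The sample log is assembled from lines quoted in this thread; the section handling and the "findings" rules are this example's own assumptions, not HijackThis logic.

```python
"""Parse HijackThis-style log lines into records and flag the entries a
reviewer checks first.  Added example; not HijackThis code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log posted in this thread
# (truncated URLs are left exactly as the forum displayed them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: BTTray.lnk = ?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {E6C53E8E-24CA-4BEF-8C68-654510AF071B} - http://pc.mcilink.co.../Webinstall.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
"""


@dataclass
class Entry:
    section: str                  # HijackThis section code, e.g. "O4"
    raw: str                      # the full log line
    name: Optional[str] = None    # friendly name or run-key value name
    target: Optional[str] = None  # file, command, URL or value the entry points at
    clsid: Optional[str] = None   # COM class id for O2/O3/O16 entries


LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")          # [Value] command
STARTUP_RE = re.compile(r"Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
PAREN_RE = re.compile(r"^\((?P<name>[^)]+)\)\s*-\s*(?P<rest>.+)$")   # (Friendly Name) - url
# A command that is just "name.exe" (no drive, no directory, no env var) is
# located through the search path at logon; assumption used by review().
BARE_NAME_RE = re.compile(r"^[\w.-]+\.(?:exe|com|scr|bat)(?:\s|$)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None for non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = Entry(section=section, raw=line)
    if section == "O4":
        m4 = RUN_RE.search(body) or STARTUP_RE.search(body)
        if m4:
            entry.name, entry.target = m4.group("name"), m4.group("cmd").strip()
        return entry
    c = CLSID_RE.search(body)
    if c is None:
        # Generic "key = value" entries such as R0 and O17.
        if " = " in body:
            entry.name, entry.target = (s.strip() for s in body.rsplit(" = ", 1))
        return entry
    entry.clsid = c.group(0)
    # Split on the CLSID rather than on " - ", because file paths such as
    # "Spybot - Search & Destroy" legitimately contain " - ".
    before = body[:c.start()].split(": ", 1)
    name = before[1].strip(" -") if len(before) == 2 else ""
    after = body[c.end():].strip(" -")
    mp = PAREN_RE.match(after)                  # O16 form: "(Name) - http://..."
    if mp:
        name, after = mp.group("name"), mp.group("rest").strip()
    entry.name = name or None
    entry.target = after or None
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def review(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, raw line) for entries worth a second look."""
    findings = []
    for e in entries:
        if e.section == "O4" and e.target:
            if e.target == "?":
                findings.append((e.section, "startup shortcut with unresolved target", e.raw))
            elif BARE_NAME_RE.match(e.target):
                findings.append((e.section, "autorun by bare file name, resolved through the search path", e.raw))
        elif e.section == "O16" and e.target:
            findings.append((e.section, f"ActiveX control downloaded from {e.target}", e.raw))
    return findings


if __name__ == "__main__":
    for section, reason, raw in review(parse_log(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {raw}")
```

The findings are prompts for a human reviewer, not verdicts: a bare-name O4 entry is often a vendor's own driver helper (as it was for this log), and the O16 list simply enumerates which sites were allowed to install ActiveX controls, which is the population the "Download unsigned controls: Disable" advice shrinks going forward.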

#12 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 10 July 2004 - 06:35 PM

No need to remove that entry. It returned unknown when I checked for it. Your log is clean!!

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.
Microsoft MVP Windows-Security 2005



When angry count four; when very angry, swear

#13 mb12345

mb12345

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 13 July 2004 - 02:45 PM

Hi LoPhatPhuud,

THANK YOU SO MUCH for all your help and support. I highly appreciate the precious time you spent on helping me through this.

Thanks again!



