My homepage has a mind of its own


6 replies to this topic

#1 SAR (Member)

Posted 30 June 2004 - 09:09 PM

My computer has been hijacked again. The first time it happened, CWShredder solved the problem immediately. That is not the case this time. I have run Spybot, Aluria and Ad-Aware with no success. The site that my computer is directed to when IE is launched is res://uzvmo.dll/index.html#96676. I also have tons of "Only the Best" pop-ups. I am including a HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 9:47:50 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~1\ASE\ASEserv.exe
C:\WINDOWS\d3oj.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\d3au.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Spyware removers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uzvmo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uzvmo.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.roadrunner.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uzvmo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uzvmo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uzvmo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uzvmo.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {5E2DD815-A676-7CB5-1698-B2A5ABA388C5} - C:\WINDOWS\ipen32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3au.exe] C:\WINDOWS\d3au.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [d3oj.exe] C:\WINDOWS\d3oj.exe
O4 - HKLM\..\RunOnce: [sdkfc.exe] C:\WINDOWS\system32\sdkfc.exe
O4 - HKLM\..\RunOnce: [d3tc.exe] C:\WINDOWS\system32\d3tc.exe
O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
O4 - HKLM\..\RunOnce: [addqw.exe] C:\WINDOWS\addqw.exe
O4 - HKLM\..\RunOnce: [sysgc.exe] C:\WINDOWS\sysgc.exe
O4 - HKLM\..\RunOnce: [addsq32.exe] C:\WINDOWS\system32\addsq32.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe
O4 - HKLM\..\RunOnce: [ipha.exe] C:\WINDOWS\system32\ipha.exe
O4 - HKLM\..\RunOnce: [msds.exe] C:\WINDOWS\system32\msds.exe
O4 - HKLM\..\RunOnce: [mfcts.exe] C:\WINDOWS\mfcts.exe
O4 - HKLM\..\RunOnce: [netwg.exe] C:\WINDOWS\system32\netwg.exe
O4 - HKLM\..\RunOnce: [mfcil.exe] C:\WINDOWS\mfcil.exe
O4 - HKLM\..\RunOnce: [ntho32.exe] C:\WINDOWS\system32\ntho32.exe
O4 - HKLM\..\RunOnce: [apiri.exe] C:\WINDOWS\system32\apiri.exe
O4 - HKLM\..\RunOnce: [ntmb.exe] C:\WINDOWS\ntmb.exe
O4 - HKLM\..\RunOnce: [javabc.exe] C:\WINDOWS\system32\javabc.exe
O4 - HKLM\..\RunOnce: [ntvc.exe] C:\WINDOWS\system32\ntvc.exe
O4 - HKLM\..\RunOnce: [javado.exe] C:\WINDOWS\javado.exe
O4 - HKLM\..\RunOnce: [winpw.exe] C:\WINDOWS\system32\winpw.exe
O4 - HKLM\..\RunOnce: [apiro.exe] C:\WINDOWS\system32\apiro.exe
O4 - HKLM\..\RunOnce: [winti.exe] C:\WINDOWS\system32\winti.exe
O4 - HKLM\..\RunOnce: [javafz32.exe] C:\WINDOWS\system32\javafz32.exe
O4 - HKLM\..\RunOnce: [sysqv32.exe] C:\WINDOWS\sysqv32.exe
O4 - HKLM\..\RunOnce: [netje32.exe] C:\WINDOWS\netje32.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.roadrunner.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.roadrunner.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Scoff (Retired Staff)

Posted 05 July 2004 - 02:53 AM

Just to let you know I am looking at your log, please be patient and I will get back to you as soon as possible.
Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky

#3 Scoff (Retired Staff)

Posted 05 July 2004 - 10:08 PM

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {5E2DD815-A676-7CB5-1698-B2A5ABA388C5} - C:\WINDOWS\ipen32.dll

O4 - HKLM\..\Run: [d3au.exe] C:\WINDOWS\d3au.exe
O4 - HKLM\..\RunOnce: [d3oj.exe] C:\WINDOWS\d3oj.exe
O4 - HKLM\..\RunOnce: [sdkfc.exe] C:\WINDOWS\system32\sdkfc.exe
O4 - HKLM\..\RunOnce: [d3tc.exe] C:\WINDOWS\system32\d3tc.exe
O4 - HKLM\..\RunOnce: [sdklj32.exe] C:\WINDOWS\sdklj32.exe
O4 - HKLM\..\RunOnce: [addqw.exe] C:\WINDOWS\addqw.exe
O4 - HKLM\..\RunOnce: [sysgc.exe] C:\WINDOWS\sysgc.exe
O4 - HKLM\..\RunOnce: [addsq32.exe] C:\WINDOWS\system32\addsq32.exe
O4 - HKLM\..\RunOnce: [mfcor32.exe] C:\WINDOWS\system32\mfcor32.exe
O4 - HKLM\..\RunOnce: [ipha.exe] C:\WINDOWS\system32\ipha.exe
O4 - HKLM\..\RunOnce: [msds.exe] C:\WINDOWS\system32\msds.exe
O4 - HKLM\..\RunOnce: [mfcts.exe] C:\WINDOWS\mfcts.exe
O4 - HKLM\..\RunOnce: [netwg.exe] C:\WINDOWS\system32\netwg.exe
O4 - HKLM\..\RunOnce: [mfcil.exe] C:\WINDOWS\mfcil.exe
O4 - HKLM\..\RunOnce: [ntho32.exe] C:\WINDOWS\system32\ntho32.exe
O4 - HKLM\..\RunOnce: [apiri.exe] C:\WINDOWS\system32\apiri.exe
O4 - HKLM\..\RunOnce: [ntmb.exe] C:\WINDOWS\ntmb.exe
O4 - HKLM\..\RunOnce: [javabc.exe] C:\WINDOWS\system32\javabc.exe
O4 - HKLM\..\RunOnce: [ntvc.exe] C:\WINDOWS\system32\ntvc.exe
O4 - HKLM\..\RunOnce: [javado.exe] C:\WINDOWS\javado.exe
O4 - HKLM\..\RunOnce: [winpw.exe] C:\WINDOWS\system32\winpw.exe
O4 - HKLM\..\RunOnce: [apiro.exe] C:\WINDOWS\system32\apiro.exe
O4 - HKLM\..\RunOnce: [winti.exe] C:\WINDOWS\system32\winti.exe
O4 - HKLM\..\RunOnce: [javafz32.exe] C:\WINDOWS\system32\javafz32.exe
O4 - HKLM\..\RunOnce: [sysqv32.exe] C:\WINDOWS\sysqv32.exe
O4 - HKLM\..\RunOnce: [netje32.exe] C:\WINDOWS\netje32.exe


Download About:Buster by RubbeR DuckY from either of the following locations.

http://www.atribune....AboutBuster.zip
or
http://tools.zerosre...AboutBuster.zip

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!! Do not open Internet Explorer to come back here until after running the tool.

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page. This may take a few minutes. It will also produce a report - save this somewhere. Then click ok to run aboutbuster.exe again, make a copy of that report also.

Reboot and post the two reports from About:Buster, along with a new HijackThis log from the new version of HijackThis. You are running an outdated version; download HijackThis v1.98 here.
Regards
Scoff


#4 SAR (Member)

Posted 08 July 2004 - 03:52 PM

Below are the reports from AboutBuster and Hijack This. I was a bit overanxious and missed the opportunity to save the first AboutBuster report. I thought it would give me a prompt to save it. Anyway, here are the other two logs. By the way, when I opened IE after running these processes, Google was my homepage - is that a good sign?

About:Buster Version 1.25
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!


Logfile of HijackThis v1.98.0
Scan saved at 4:46:43 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~1\ASE\ASEserv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\ccEvtMgr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.roadrunner.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {9D9CB61B-156B-3C2C-B9AB-BCB95AA0D47C} - C:\WINDOWS\netro32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.roadrunner.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.roadrunner.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\fqloybrw.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Best,
SAR

#5 Scoff (Retired Staff)

Posted 09 July 2004 - 02:25 AM

It's a good sign - About:Buster sets the default page to Google after it's cleaned out CWS. It's the most common 'neutral' page and won't panic people when they see it as their default. You can reset this as normal in Control Panel > Internet Options.

You are running HijackThis out of a temporary directory. Can you please create a folder in C:\Program Files and call it HijackThis or HJT or similar. Then extract HijackThis into the folder you have created and run it from there. The reason for this is that HijackThis cannot create backup files whilst it is being run from a temporary folder.

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware. Then download a free trial of TrojanHunter and perform a scan and clean anything it finds.


Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {9D9CB61B-156B-3C2C-B9AB-BCB95AA0D47C} - C:\WINDOWS\netro32.dll (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\fqloybrw.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


You have RealPlayer running at startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. Rename REALSCHED.EXE to REALSCHED.OLD as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

Then fix this line with HJT

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

Reboot and post a fresh log so we can check that everything has been cleaned. In the meantime you can help prevent this happening again.

SpywareBlaster will block bad ActiveX and malevolent cookies.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Both are very small free programs that you run once, and then just occasionally to check for updates.

If you don't have an up to date hosts file it might be a good idea to replace it with a new one. This will help you block bad sites and ad servers. In windows explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download MVPS hosts file and extract it to the exact same location.

It may be worth reading How did I get infected in the first place?
Regards
Scoff

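Added example, not part of the thread and not code from HijackThis or About:Buster: a Python script that applies the reading Scoff gives the logs in posts #3 and #5 to HijackThis entries. The heuristics are the ones visible in those two posts: R0/R1 start and search pages pointing at a res:// resource inside a DLL, a missing URLSearchHook (R3), an unnamed BHO (O2) loading straight from C:\WINDOWS or a BHO whose file is already gone, Run/RunOnce keys (O4) named after a bare executable sitting in C:\WINDOWS or system32, a Downloaded Program Files entry (O16) pointing at a local file:// executable, and any custom protocol handler (O18). The sample lines are copied from the logs posted above; the regexes, function names and reason strings are this example's own. It needs only the standard library and prints the flagged entries.

```python
"""Triage a HijackThis (HJT) log for the entry patterns a CoolWebSearch (CWS)
hijack leaves behind. Heuristics only: every hit still needs a human look."""
import re

# Sample lines copied from the HJT logs posted in this thread (the values are
# the thread's own, not a curated indicator list).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uzvmo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uzvmo.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.roadrunner.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5E2DD815-A676-7CB5-1698-B2A5ABA388C5} - C:\WINDOWS\ipen32.dll
O2 - BHO: (no name) - {9D9CB61B-156B-3C2C-B9AB-BCB95AA0D47C} - C:\WINDOWS\netro32.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [d3au.exe] C:\WINDOWS\d3au.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunOnce: [sdkfc.exe] C:\WINDOWS\system32\sdkfc.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\fqloybrw.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
AUTORUN = re.compile(r"\[(?P<key>[^\]]+)\]\s+(?P<target>.*)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper subfolder).
WINDIR_FILE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)


def parse_entry(line):
    """Split an HJT line into (section, body) or return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def triage_line(line):
    """Return a short reason if the entry matches a hijack pattern, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    sec, body = parsed
    if sec in ("R0", "R1") and "= res://" in body:
        # CWS points the start/search pages at an HTML resource inside a dropped DLL.
        return "IE page setting points at a res:// DLL resource"
    if sec == "R3" and "is missing" in body:
        return "default URLSearchHook has been removed"
    if sec == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if "(file missing)" in path:
            return "BHO registered for a file that no longer exists"
        if body.startswith("BHO: (no name)") and WINDIR_FILE.match(path):
            return "unnamed BHO loading from the Windows directory"
    if sec == "O4":
        m = AUTORUN.search(body)
        if m:
            target = m.group("target").strip().strip('"')
            basename = target.rsplit("\\", 1)[-1]
            # Legitimate autoruns carry a product name in the key; the CWS
            # entries name the key after the dropped executable itself.
            if m.group("key").lower() == basename.lower() and WINDIR_FILE.match(target):
                return "autorun key named after a bare executable in the Windows directory"
    if sec == "O16" and "file://" in body:
        return "Downloaded Program Files entry pointing at a local file:// executable"
    if sec == "O18":
        return "custom URL protocol handler; verify the DLL before trusting it"
    return None


def triage_log(text):
    """Return [(section, body, reason)] for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            sec, body = parse_entry(line)
            hits.append((sec, body, reason))
    return hits


if __name__ == "__main__":
    for sec, body, reason in triage_log(SAMPLE_LOG):
        print(f"{sec:<4} {reason}\n     {body}")
```

Entries the script leaves alone are not thereby clean (it never sees the O10 LSP lines or the running-process list, for instance); it is a first pass that reproduces which lines a helper would ask you to fix, so you can check your own reading of a log against it before clicking "Fix checked".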

#6 SAR (Member)

Posted 11 July 2004 - 11:46 PM

Wow! That took quite a while but I think it was well worth the effort. I ran the TrendMicro and Pandasoftware scans and quarantined, deleted, disinfected, etc. The TrojanHunter was not quite as successful. It detected a few things but I was not able to locate the files on my computer to submit for analysis. They are listed below:

Found possible trojan file: C:\Program Files\Internet Explorer\vgtcpgxg.exe/rtz.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\Program Files\Spyware Solutions\Aluria Software\ASE\ASE.exe (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000496.exe/3GHI.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP5\A0000856.exe (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP9\A0001717.exe/kVAA.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\config\systemprofile\Desktop\HijackThis.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temporary Directory 3 for cwshredder.zip\CWShredder.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)

Of course, I recognized the ones for Aluria, HJT, and CWShredder and added them to the ignore list. The System Volume Information files are the ones that confused me.

Also, I tried to fix my hosts file but I'm not sure that I did it correctly. The file I found was actually named lmhosts. I renamed it as hosts.old and then downloaded the MVPS file as you directed. I extracted the file into the same location but am unable to open it. I get a message stating that Windows doesn't know what type of file it is. Is this important or not?

Finally, below is my most recent HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 12:37:19 AM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spyware Solutions\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.roadrunner.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.roadrunner.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.roadrunner.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Best,

SAR
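Added example (mine, not from TrojanHunter or from anyone in the thread): a Python parser for scan lines of the shape posted above that sorts each hit by where the file lives, because the three kinds call for different follow-ups. Paths under C:\System Volume Information\_restore{...}\RPn\ are System Restore's saved copies of changed files rather than running code; names like HijackThis.exe or CWShredder.exe match tools the poster ran and deserve a check rather than a reflex "ignore"; and a path written as outer.exe/inner.exe is assumed here to be the scanner's notation for a file found inside another file (an archive or self-extracting executable), so the name to look for on disk is the part before the slash. The sample lines are the ones from the post above; the regexes, the kind labels and the next_step wording are this example's own, and the container-notation reading is an assumption.

```python
"""Sort scanner hits by where the flagged file actually lives, so each one
gets the right follow-up instead of a fruitless search in Explorer."""
import re

# Sample lines in the shape of the TrojanHunter output posted above (paths taken
# from the thread; the trailing UI link text is kept to show it is ignored).
SAMPLE_SCAN = r"""
Found possible trojan file: C:\Program Files\Internet Explorer\vgtcpgxg.exe/rtz.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\Program Files\Spyware Solutions\Aluria Software\ASE\ASE.exe (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000496.exe/3GHI.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\system32\config\systemprofile\Desktop\HijackThis.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
"""

FOUND = re.compile(r"^Found possible trojan file: (?P<path>.+?) \((?P<reason>[^)]*)\)")
UNPACK = re.compile(r"^Warning: Unable to unpack UPX-packed file (?P<path>.+?)(?: \(|$)")
# System Restore keeps copies of changed files under this tree; they are not live.
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)
# Tools the poster ran; a name match is only a hint, so the follow-up says to verify.
TOOL_NAMES = {"hijackthis.exe", "cwshredder.exe", "ase.exe"}

KIND_RESTORE = "restore-point copy"
KIND_MEMBER = "member inside another file"
KIND_TOOL = "name matches a tool you ran"
KIND_LIVE = "live file"


def classify_path(path):
    """Work out what kind of object a reported path refers to.

    Assumption: 'outer.exe/inner.exe' is the scanner's notation for a file found
    inside another file (archive or self-extractor); only the part before '/'
    exists as a filename on disk."""
    on_disk, _, member = path.partition("/")
    basename = on_disk.rsplit("\\", 1)[-1].lower()
    if RESTORE_POINT.search(on_disk):
        kind = KIND_RESTORE
    elif basename in TOOL_NAMES:
        kind = KIND_TOOL
    elif member:
        kind = KIND_MEMBER
    else:
        kind = KIND_LIVE
    return {"on_disk": on_disk, "member": member or None, "kind": kind}


def next_step(hit):
    """The follow-up matching each kind (mirrors the advice given in this thread)."""
    if hit["kind"] == KIND_RESTORE:
        return "purge restore points (System Restore off, reboot, on) rather than deleting by hand"
    if hit["kind"] == KIND_MEMBER:
        return f"look for {hit['on_disk']} on disk; {hit['member']} is a name inside it"
    if hit["kind"] == KIND_TOOL:
        return "confirm it is your copy (source, size, hash) before adding it to the ignore list"
    return "quarantine or submit the file for analysis"


def parse_scan(text):
    """Parse scanner output into classified hits, skipping lines of other shapes."""
    hits = []
    for line in text.splitlines():
        m = FOUND.match(line)
        if m:
            hit = classify_path(m.group("path"))
            hit["reason"] = m.group("reason")
        else:
            m = UNPACK.match(line)
            if not m:
                continue
            hit = classify_path(m.group("path"))
            hit["reason"] = "could not unpack (UPX); not a detection"
        hit["next_step"] = next_step(hit)
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in parse_scan(SAMPLE_SCAN):
        print(f"[{hit['kind']}] {hit['on_disk']}\n    {hit['reason']}\n    -> {hit['next_step']}")
```

The "could not unpack" warnings are deliberately kept separate from detections: a scanner failing to open a UPX-packed file says nothing about the file either way, which is a different situation from the two "possible trojan downloader" hits.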

#7 Scoff (Retired Staff)

Posted 12 July 2004 - 10:14 PM

System Volume Information means there may be some previous infection saved in System Restore. To empty System Restore follow these instructions...
To turn off System Restore:
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click the System icon. The System Properties dialog box appears.
3. Click the System Restore tab. The System Restore Properties dialog box appears.
4. Check Turn off system restore on all drives
5. Click OK. Click Yes, when you are prompted to restart Windows.

Then turn system restore back on.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click the System icon. The System Properties dialog box appears.
3. Click the System Restore tab. The System Restore Properties dialog box appears.
4. Uncheck Turn off system restore on all drives
5. Click OK. Click Yes, when you are prompted to restart Windows.

For further information on System Restore see: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam&docid=2001012513122239&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Double-clicking the hosts file won't open it, you need a hosts viewer for that. You don't need to open it for it to work; as long as it's in the correct directory it will be OK. There's info on the MVPS website from the previous link that will give you more information on it, viewing it etc. and how it works.

Make sure you have all hidden files shown when looking for this file: C:\Program Files\Internet Explorer\vgtcpgxg.exe/rtz.exe

If that doesn't work, try this.

Run this registry script, which forces Windows to show so called "superhidden" files:
Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")

Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Then try looking for this file
C:\Program Files\Internet Explorer\vgtcpgxg.exe/rtz.exe
Regards
Scoff

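Added example, not part of the thread and not code from the MVPS download: a Python check for the hosts file step from post #5, meant to be run once the new file is in C:\WINDOWS\System32\Drivers\Etc. It does two things the advice above relies on: it confirms the file is literally named hosts with no extension (Windows reads only that name, which is also why Explorer has no application to open it with), and it parses the entries to separate blocklist lines (names sent to 127.0.0.1 or 0.0.0.0) from any line that instead redirects a name to some other address, the kind of edit a hijacker makes to keep antivirus update sites or online scanners unreachable. The sample hosts text is constructed for the example, with 203.0.113.7 (a documentation address) standing in for an attacker's server; the function names are this example's own.

```python
"""Audit a Windows hosts file after dropping in a blocklist such as the MVPS one:
count the blocked names and flag anything that redirects rather than blocks."""
import ipaddress
import re

# Constructed sample in the MVPS layout, plus two tampered lines of the kind a
# hijacker adds (vendor names sent to an attacker-controlled address; 203.0.113.0/24
# is a documentation range, used here as a stand-in).
SAMPLE_HOSTS = """\
# MVPS HOSTS file header comment (constructed for this example)
127.0.0.1  localhost
0.0.0.0  ad.doubleclick.net   # blocked: resolves to an unusable address
0.0.0.0  ads.example.net
127.0.0.1  www.example-adserver.com
203.0.113.7  www.symantec.com
203.0.113.7  housecall.trendmicro.com
this is not a hosts line
"""


def is_hosts_filename(name):
    """Windows reads only the file literally named 'hosts' (no extension).
    'hosts.txt' or a renamed 'lmhosts.sam' is ignored, which is also why Explorer
    cannot pick an application to open it with."""
    basename = re.split(r"[\\/]", name)[-1]
    return basename.lower() == "hosts"


def parse_hosts(text):
    """Return (entries, malformed): entries are (lineno, ip, [names])."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(parts) < 2:
            malformed.append((lineno, raw))
            continue
        entries.append((lineno, ip, parts[1:]))
    return entries, malformed


def audit_hosts(text):
    """Blocklist entries point names at loopback or 0.0.0.0; anything else is a redirect."""
    entries, malformed = parse_hosts(text)
    blocked, suspicious = [], []
    for lineno, ip, names in entries:
        if ip.is_loopback or ip.is_unspecified:
            # The localhost line is the one mapping every hosts file must keep.
            blocked.extend(n for n in names if n.lower() != "localhost")
        else:
            suspicious.append((lineno, str(ip), names))
    return {"blocked": blocked, "suspicious": suspicious, "malformed": malformed}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} names blocked")
    for lineno, ip, names in report["suspicious"]:
        print(f"line {lineno}: {', '.join(names)} redirected to {ip}  <- check this")
    for lineno, raw in report["malformed"]:
        print(f"line {lineno}: unparseable: {raw!r}")
```

A large blocklist such as MVPS will show thousands of blocked names and nothing under "suspicious"; any redirect line at all is worth explaining, since a blocklist never needs one.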



