
Persistent Change to Martfinder


This topic is locked
25 replies to this topic

#1 BobbyM (Member · Full Member · 33 posts)

Posted 20 May 2004 - 09:59 PM

I have read the FAQ and followed all instructions, including those in the hijack and prevent articles. But still I am experiencing a problem with MSIE being redirected to the martfinder.com home page. Sometimes it shows up as "about:blank" as well. It's hard to discern a pattern. From reading other postings I think this has something to do with the "win32.exe" file, but I suspect there are other problems as well. Below are the HijackThis and StartupList log files. I would appreciate any advice about which items to remove. Thanks in advance.

Bobby

Logfile of HijackThis v1.97.7
Scan saved at 10:32:11 PM, on 5/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\documents and settings\bobby\local settings\temp\bx.exe
C:\WINNT\System32\IEHost.exe
C:\WINNT\system32\stcupd1305.exe
C:\WINNT\system32\stcupd1305.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINNT\System32\Czdy3Fz.exe
C:\WINNT\System32\YrkInpex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Downloads\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://e:\\My Webs\wedweb\home.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Bobby\msopt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [Bakra] C:\WINNT\System32\IEHost.exe
O4 - HKLM\..\Run: [38Z3MSR3DDD##A] C:\WINNT\System32\JpwpEx.exe
O4 - HKLM\..\Run: [AutoLoaderqAq51IPjNKXO] "C:\WINNT\system32\stcupd1305.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qp9f36S] stcupd1305.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quickenw\bagent.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\PROGRA~1\ThinkPad\ACCESS~1\Agent\common\install\ibmegath.cab
O16 - DPF: {83CC9124-6C79-11D4-A64A-00500487DAB3} - http://download.audi...ActiveSetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.5672800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.cus...l/java/RntX.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O19 - User stylesheet: C:\WINNT\win32.bmp

StartupList report, 5/20/2004, 10:45:57 PM
StartupList version: 1.52
Started from : E:\Downloads\HijackThis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\documents and settings\bobby\local settings\temp\bx.exe
C:\WINNT\System32\IEHost.exe
C:\WINNT\system32\stcupd1305.exe
C:\WINNT\system32\stcupd1305.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINNT\System32\Czdy3Fz.exe
C:\WINNT\System32\YrkInpex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Downloads\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quickenw\bagent.exe
BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TrackPointSrv = tp4serv.exe
LTWinModem1 = ltmsg.exe 9
S3TRAY2 = S3Tray2.exe
tourpath = regedit /s c:\winnt\tour.reg
Synchronization Manager = mobsync.exe /logon
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
TP4EX = tp4ex.exe
PRPCMonitor = PRPCUI.exe
QCTRAY = C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
ConfigSafe = C:\CFGSAFE\NTFSCLUP.EXE
CSScheduleCheck = C:\CFGSAFE\SCHWIZEX.EXE -CHECK
UC_SMB =
dla = C:\WINNT\system32\dla\tfswctrl.exe
vptray = C:\PROGRA~1\Navnt\vptray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Samsung LBP SM = "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Iomega Automatic Backup 1.0.1 = C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
GhostStartTrayApp = C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
win32.exe = C:\WINNT\win32.exe
Iesearch.exe = C:\Program Files\Internet Explorer\Iesearch.exe
bx.exe = C:\documents and settings\bobby\local settings\temp\bx.exe
Bakra = C:\WINNT\System32\IEHost.exe
38Z3MSR3DDD##A = C:\WINNT\System32\JpwpEx.exe
AutoLoaderqAq51IPjNKXO = "C:\WINNT\system32\stcupd1305.exe" /PC="AM.WILD" /HideUninstall
qp9f36S = stcupd1305.exe
wdskctl = C:\WINNT\wdskctl.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\Srng\SNHelper.dll (file missing) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Documents and Settings\Bobby\msopt.dll - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

BMMTask.job
Scheduled Snapshot.job

--------------------------------------------------

Enumerating Download Program Files:

[{11111111-1111-1111-1111-111111111123}]
CODEBASE = file://c:\winnt\win.exe

[ICSScannerLight Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zone...ee/cm/ICSCM.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[RdxIE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150...ip/RdxIE601.cab

[IBM Access Support]
InProcServer32 = C:\WINNT\System32\IbmEgath.dll
CODEBASE = file://C:\PROGRA~1\ThinkPad\ACCESS~1\Agent\common\install\ibmegath.cab

[{83CC9124-6C79-11D4-A64A-00500487DAB3}]
CODEBASE = http://download.audi...ActiveSetup.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINNT\DOWNLO~1\MEDIAT~1.OCX
CODEBASE = http://www.mt-downlo...tsInstaller.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8118.5672800926

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Live Collaboration]
InProcServer32 = C:\WINNT\DOWNLO~1\RntX.dll
CODEBASE = https://liveca06.cus...l/java/RntX.cab

[WMService Class]
InProcServer32 = C:\WINNT\WildApp.dll
CODEBASE = http://download.over...com/WildApp.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 8,245 bytes
Report generated in 0.090 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 Daemon (Security Expert · Emeritus · 3,350 posts)

Posted 21 May 2004 - 02:14 AM

Click here to download the Peper removal tool. Double click on 'uninst.exe', let it run and terminate. You must be online for this to work, and do not block any attempts by the program to connect to the internet if your firewall asks for permission. Reboot when done.

Then go here and run online scans (all), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan

Reboot when done.

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HJT and post a new log here so that any remnants can be removed manually.

Also, click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

#3 BobbyM (Member · Full Member · 33 posts)

Posted 21 May 2004 - 11:06 AM

Daemon,

Thanks for your speedy advice. I followed each of the recommended actions. Below are the results at each stage, along with a new HijackThis log and the value of the Appinit_Dlls. Please let me know if you see other problems to address.

Bobby


PEPER REMOVAL TOOL: Ran in a DOS box; didn't show a progress dialog nor any message that it had completed. After 10 minutes I restarted and proceeded to the next step.


TREND HOUSECALL: Found and cleaned BKDR_SANDBOXER.A

Also found 17 Non-Cleanable Files (All Deleted)

TROJ STARTPAGE.S C:\\WINNT\system32\iilhjme.dll
BKDR SANDBOX.A C:\\WINNT\system32\Elq0h.exe
BKDR SANDBOX.A C:\\WINNT\system32\NwuD1.exe
BKDR SANDBOX.A C:\\WINNT\system32\Hiq2.exe
BKDR SANDBOX.A C:\\WINNT\system32\Ebq69iNP.exe
BKDR SANDBOX.A C:\\WINNT\system32\BukkTj.exe
BKDR SANDBOX.A C:\\WINNT\system32\Dml7NcUS.exe
TROJ SCTHOUGHT.C C:\\WINNT\Downloaded Program Files\install026.exe
TROJ STARTPAG.GH C:\\WINNT\win.exe
TROJ STARTPAG.GH C:\\WINNT\win32.exe
ADW SCANPORTAL.A C:\\WINNT\mwsvm.ocx
ADW SCANPORTAL.A C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\QBURY9EJ\ieassist[1].cab *ieasst.dll*
ADW RULEDOR.C C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\QJDEVQ3H\ClrSchP070[1].exe
TROJ SCTHOUGHT.C C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\SD8XA7KH\install026[1].exe
ADW SCANPORTAL.A C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\SD8XA7KH\ocx[1].cab *mwsvm.ocx*
ADW SCANPORTAL.A C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\SDINCLAZ\mwsvm[1].cab *mwsvm.exe*
ADW SCANPORTAL.A C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\GD6NGDMN\slmss[1].exe


e-TRUST ANTIVIRUS WEB SCANNER: All clean

PANDA ACTIVESCAN: 2 viruses found and disinfected.

Virus: Trj/StartPage.CK C:\\WINNT\system32\ebmchk.dll
Virus: Trj/Idly.A C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\SDINCLAZ\IdleUI[1].dll


CWSHREDDER: None present. Restored 2 Internet Explorer pages


SPYBOT S&D: Found and fixed one problem

PeopleOnPage HKEY_LOCAL_MACHINE\Sofware\Envolo


AD-AWARE: 101 objects found (all deleted)


NEW HIJACK THIS LOG:

Logfile of HijackThis v1.97.7
Scan saved at 12:00:01 PM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\documents and settings\bobby\local settings\temp\bx.exe
C:\WINNT\system32\stcupd1305.exe
C:\WINNT\system32\stcupd1305.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
E:\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.cdc.gov:900/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Bobby\msopt.dll
O2 - BHO: (no name) - {CFEC6F20-43D4-4306-926F-4C6A69AF661C} - c:\winnt\system32\mnckh.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [AutoLoaderqAq51IPjNKXO] "C:\WINNT\system32\stcupd1305.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qp9f36S] stcupd1305.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quickenw\bagent.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...TimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\PROGRA~1\ThinkPad\ACCESS~1\Agent\common\install\ibmegath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {83CC9124-6C79-11D4-A64A-00500487DAB3} - http://download.audi...ActiveSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.5672800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.cus...l/java/RntX.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O19 - User stylesheet: C:\WINNT\win32.bmp


APPINIT_DLLS VALUE: c:\winnt\system32\kbdlp.dll
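An added example, not code from this thread or from HijackThis: a Python triage pass over lines in the HijackThis v1.97 format posted above, flagging the entry types Daemon's instructions target (R0/R1 settings redirected into a local DLL, a BHO backed by that same DLL, O4 autostarts from temp folders or the Windows root, O16 installs from a local file, an O19 user stylesheet) plus a non-empty AppInit_DLLs value. The sample lines are constructed from entries in this thread, and the rules are triage heuristics, not a verdict.

```python
import re

# Constructed sample in the HijackThis v1.97 line format used by the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\winnt\system32\mnckh.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.cdc.gov:900/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CFEC6F20-43D4-4306-926F-4C6A69AF661C} - c:\winnt\system32\mnckh.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O19 - User stylesheet: C:\WINNT\win32.bmp
"""

# Every HijackThis finding line starts with a section code such as R1, O2, O4, O16.
ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return [(section, body)] for each entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def _dll_in_res_url(body):
    """Name of the DLL a res:// URL points into (e.g. mnckh.dll), lower-cased, or None."""
    m = re.search(r"res://[^/]*?([^\\/]+\.dll)", body, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(text):
    """Apply the thread's removal heuristics to a log; returns [(section, reason, line)]."""
    entries = parse_hjt(text)
    # DLLs that IE's search/start settings have been redirected into: a BHO built on the
    # same DLL is the component that re-applies the hijack after each cleanup.
    hijack_dlls = set()
    for sect, body in entries:
        if sect in ("R0", "R1"):
            dll = _dll_in_res_url(body)
            if dll:
                hijack_dlls.add(dll)
    findings = []
    for sect, body in entries:
        low = body.lower()
        if sect in ("R0", "R1"):
            if "res://" in low:
                findings.append((sect, "IE search/start setting points into a local DLL resource", body))
            elif "proxyoverride" in low and "*" in low:
                findings.append((sect, "ProxyOverride bypasses the proxy for wildcard domains", body))
        elif sect == "O2":
            m = re.search(r"([^\\]+\.dll)", low)
            name = m.group(1) if m else ""
            if name in hijack_dlls:
                findings.append((sect, "BHO is the same DLL the R0/R1 hijack uses", body))
            elif "(file missing)" in low:
                findings.append((sect, "BHO registration points to a file that no longer exists", body))
        elif sect == "O4":
            m = re.search(r'\]\s+"?([a-z]:\\[^"]+?\.exe)', low)
            path = m.group(1) if m else ""
            if "\\temp\\" in path or "\\local settings\\" in path:
                findings.append((sect, "autostart launches an executable from a temp/profile folder", body))
            elif re.fullmatch(r"[a-z]:\\win(nt|dows)\\[^\\]+\.exe", path):
                findings.append((sect, "autostart launches an executable dropped in the Windows root", body))
        elif sect == "O16" and "file://" in low:
            findings.append((sect, "Downloaded Program Files entry whose CODEBASE is a local file", body))
        elif sect == "O19":
            findings.append((sect, "user stylesheet is set; IE rarely needs one and hijackers use it", body))
    return findings


def appinit_finding(value):
    """AppInit_DLLs: each DLL listed here is loaded into every process that maps user32.dll,
    so the file is always in use (cannot be moved) and a loaded copy can rewrite the value."""
    value = value.strip()
    if not value:
        return None
    return f"AppInit_DLLs loads {value} into every user32.dll process; clear it before moving the file"


if __name__ == "__main__":
    for sect, reason, line in triage(SAMPLE_LOG):
        print(f"{sect:4} {reason}\n     {line}")
    print(appinit_finding(r"c:\winnt\system32\kbdlp.dll"))
```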

#4 Daemon (Security Expert · Emeritus · 3,350 posts)

Posted 21 May 2004 - 01:43 PM

Use the Registrar Lite program. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Rename the Windows key in the left pane to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

DoubleClick "Appinit_Dlls" value on right pane and erase the data on the lower box (in value field):

"C:\WINNT\System32\kbdlp.dll", hit 'apply' and 'ok' to set.

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the kbdlp.dll in C:\WINNT\System32.

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINNT\System32\kbdlp.dll
Copy and paste this into the 'To' box: C:\Junk\kbdlp.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, re-run CWShredder. Reboot when done. Run HJT and post a new log for the final steps.

#5 BobbyM (Member · Full Member · 33 posts)

Posted 21 May 2004 - 02:20 PM

I ran into a bit of a glitch. I removed the Appinit_Dlls value, as instructed, then restarted and tried to move it using WinFile. But the move failed. I went back into RegLite and checked the Appinit_Dlls value and sure enough it had been reset back to "C:\winnt\system32\kbdlp.dll". I repeated the process again with the same result. Then I tried removing the value, closing RegLite and re-opening it right away again (i.e., without rebooting). It was immediately reset. Before closing RegLite, I did confirm that the value was empty, but as soon as it was reopened, the value returned. Something must be regenerating it. Any clues?

#6 Daemon (Security Expert · Emeritus · 3,350 posts)

Posted 21 May 2004 - 02:51 PM

Can you see the file in C:\winnt\system32\ now?

#7 BobbyM (Member · Full Member · 33 posts)

Posted 21 May 2004 - 02:53 PM

Yes

#8 BobbyM (Member · Full Member · 33 posts)

Posted 21 May 2004 - 02:56 PM

I can see it via Windows explorer. But for some reason it doesn't display via WinFile. Shall I try to move it from within the explorer, as I would any other file?

#9 Daemon

Posted 21 May 2004 - 02:58 PM

Yes move the file to the Junk folder.

#10 BobbyM

Posted 21 May 2004 - 03:01 PM

No luck on the move. I get an error, saying that it is being used by Windows.

#11 BobbyM

Posted 21 May 2004 - 04:15 PM

Here is a bit more info in case it helps for diagnosis. My BlackIce Firewall identifies "kbdlp.dll" as a possible trojan whenever any application is launched. It first appears during startup as system devices are loaded (like the trackpoint pointing stick), and also occurs later when other apps are started like RegLite, CWShredder, etc.... Does that help at all?

#12 Daemon

Posted 21 May 2004 - 04:34 PM

Try the winfile approach again - we need to move that file.

#13 BobbyM

Posted 21 May 2004 - 04:44 PM

Can't do it. Do you think it might work in Safe Mode?

#14 Daemon

Posted 21 May 2004 - 04:46 PM

Try it - if it doesn't work there is another approach we can take.

#15 BobbyM

Posted 21 May 2004 - 10:06 PM

Looks like we will need to move to that other approach. I tried the earlier steps under safe mode with no luck. The file is being used by Windows and is always regenerated in the AppInit_DLLs value field.

#16 Daemon

Posted 22 May 2004 - 04:21 AM

Download 'Dllfix.exe' from: http://tools.zerosrealm.com/dllfix.exe

It is a self-extracting archive; double click on it.

Open the DLLFIX folder and double click on Start.bat. At the main menu, press '2' (Run Fix) and enter.

At the second menu, press '1' (Enter DLL Name Manually) and enter

At the prompt, enter: kbdlp.dll

Your system will reboot in 15 seconds and begin the fix.

When finished, there will be a log (log.txt) in the dllfix folder, post it in your next reply.

#17 BobbyM

Posted 22 May 2004 - 07:12 AM

Everything worked well, up to the rebooting. When it came back, my desktop displayed (without start bar or icons) and a DOS box opened entitled "C:\winnt\system32\cmd.exe".

Its entire contents read:

Windows 2000 detected
Running from E:\Downloads\DLLFix\dllfix
The system cannot find the file manual.txt
Could Not Find C:\manual.txt
Md5 Check of

That's it. No further action seems to be taking place. It's been like that for approximately 10 minutes. There is no command prompt in that DOS box, and I'm not quite sure what will happen if I X out of it, or perhaps force a shutdown by powering off. Any ideas?

#18 BobbyM

Posted 22 May 2004 - 07:13 AM

P.S. Needless to say, I am writing this from an entirely different computer.

#19 Daemon

Posted 22 May 2004 - 07:18 AM

Stop it from running, reboot and post a new HJT log.

#20 BobbyM

Posted 22 May 2004 - 07:27 AM

Back up now. Here is the new HJT log. I also checked the AppInit_DLLs value in RegLite and, unfortunately, it still contains kbdlp.dll

Logfile of HijackThis v1.97.7
Scan saved at 8:22:43 AM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\documents and settings\bobby\local settings\temp\bx.exe
C:\WINNT\system32\stcupd1305.exe
C:\WINNT\system32\stcupd1305.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\ISS\BlackICE\blackice.exe
E:\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.cdc.gov:900/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Bobby\msopt.dll
O2 - BHO: (no name) - {CFEC6F20-43D4-4306-926F-4C6A69AF661C} - c:\winnt\system32\mnckh.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [AutoLoaderqAq51IPjNKXO] "C:\WINNT\system32\stcupd1305.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qp9f36S] stcupd1305.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quickenw\bagent.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\PROGRA~1\ThinkPad\ACCESS~1\Agent\common\install\ibmegath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {83CC9124-6C79-11D4-A64A-00500487DAB3} - http://download.audi...ActiveSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.5672800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.cus...l/java/RntX.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O19 - User stylesheet: C:\WINNT\win32.bmp

#21 BobbyM

Posted 22 May 2004 - 04:23 PM

Ignore that last HJT log. I re-ran Ad-Aware and it made several changes. Here's the latest log:

Logfile of HijackThis v1.97.7
Scan saved at 5:18:09 PM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\documents and settings\bobby\local settings\temp\bx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINNT\System32\svchost.exe
E:\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.cdc.gov:900/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Bobby\msopt.dll
O2 - BHO: (no name) - {CFEC6F20-43D4-4306-926F-4C6A69AF661C} - c:\winnt\system32\mnckh.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quickenw\bagent.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\PROGRA~1\ThinkPad\ACCESS~1\Agent\common\install\ibmegath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {83CC9124-6C79-11D4-A64A-00500487DAB3} - http://download.audi...ActiveSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.5672800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.cus...l/java/RntX.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O19 - User stylesheet: C:\WINNT\win32.bmp

#22 Daemon

Posted 22 May 2004 - 04:41 PM

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Bobby\msopt.dll
O2 - BHO: (no name) - {CFEC6F20-43D4-4306-926F-4C6A69AF661C} - c:\winnt\system32\mnckh.dll (file missing)
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O19 - User stylesheet: C:\WINNT\win32.bmp

Click here for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, then find and delete the following:

C:\WINNT\win32.exe
C:\Program Files\Internet Explorer\Iesearch.exe
C:\documents and settings\bobby\local settings\temp\bx.exe
C:\WINNT\wdskctl.exe

Reboot back into normal mode, rescan with HJT and post a new log here.

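An added example, not part of the thread and not a HijackThis or SpywareInfo tool: a small Python script that applies, mechanically, the rules a helper applies by eye when picking the "fix checked" list out of a log like the one above, and that diffs two logs to confirm which entries a fix actually removed. The embedded sample log is constructed test data in the shape of the entries posted in this thread; the Windows directory (`C:\WINNT`, as on this Windows 2000 box), the rule wording and the choice of heuristics are my own assumptions, not anything HijackThis itself reports.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (test data for this example, not a real scan): a
# handful of entries in the shape of the HijackThis v1.97 lines posted in
# this thread, mixing legitimate vendor entries with the hijacker's.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.cdc.gov:900/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CFEC6F20-43D4-4306-926F-4C6A69AF661C} - c:\winnt\system32\mnckh.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [bx.exe] C:\documents and settings\bobby\local settings\temp\bx.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINNT\win32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\winnt\win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O19 - User stylesheet: C:\WINNT\win32.bmp
"""

# Assumed Windows directory; Windows 2000 installs to C:\WINNT as in the thread.
WINDIR = r"c:\winnt"

# Every HJT entry starts with a section code such as R1, O4 or O16.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Split a log into (section, body) pairs; header and process lines are skipped."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def image_path(body: str) -> str:
    """Pull the program path out of an O4 body of the form '[name] path args'."""
    rest = body.split("] ", 1)[1] if "] " in body else body
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    # Unquoted paths containing spaces occur in these logs, so take everything
    # up to the last '.exe' rather than splitting on the first space.
    i = rest.lower().rfind(".exe")
    return rest[: i + 4] if i >= 0 else rest.split(" ", 1)[0]


def triage_entry(sec: str, body: str) -> List[str]:
    """Apply the heuristics to one entry; returns zero or more finding strings."""
    findings: List[str] = []
    low = body.lower()
    if sec == "O4":
        path = image_path(body).lower()
        parent = path.rsplit("\\", 1)[0] if "\\" in path else ""
        if "\\temp\\" in path:
            findings.append("autorun launched from a temp directory")
        if parent == WINDIR:
            findings.append("autorun image sits directly in the Windows directory")
    elif sec == "O2" and "(file missing)" in low:
        findings.append("BHO registered but its DLL is gone (dangling CLSID)")
    elif sec == "O16" and "file://" in low:
        findings.append("Downloaded Program File points at a local file, not a web .cab")
    elif sec == "R1" and "proxyoverride" in low:
        # <local> is the normal bypass; wildcarded external domains are not.
        hosts = [h.strip() for h in low.split("=", 1)[1].split(";")]
        if any("*" in h and h != "<local>" for h in hosts):
            findings.append("ProxyOverride wildcards bypass the proxy for listed domains")
    elif sec == "O19" and not low.endswith(".css"):
        findings.append("user stylesheet is not a .css file")
    return findings


def triage(text: str) -> List[Dict[str, str]]:
    """Run every parsed entry through the rules; one dict per flagged entry."""
    hits: List[Dict[str, str]] = []
    for sec, body in parse_entries(text):
        for finding in triage_entry(sec, body):
            hits.append({"section": sec, "entry": body, "finding": finding})
    return hits


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in an earlier log but absent from a later one: the quick
    way to confirm which items a fix actually removed between two posts."""
    later = {f"{s} - {b}" for s, b in parse_entries(after)}
    return [f"{s} - {b}" for s, b in parse_entries(before) if f"{s} - {b}" not in later]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['section']}: {hit['finding']}\n    {hit['entry']}")
```

These are heuristics, not verdicts: a "(file missing)" BHO is harmless on its own but worth clearing so the CLSID cannot be reused, while an autorun in a user's temp folder or a DPF entry that points at a local .exe is very rarely anything but a hijacker. The R1 rule deliberately ignores `<local>`, which is the normal proxy bypass, and flags only wildcarded external domains like the two in this thread.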
#23 BobbyM

Posted 22 May 2004 - 05:12 PM

Okay. Even with hidden files displayed, I couldn't see win32.exe or wdskctl.exe. But I was able to delete the other two. Here's the new HJT log. Also, if it matters, I still see that BlackIce identifies kbdlp.dll as a possible trojan upon startup.

Logfile of HijackThis v1.97.7
Scan saved at 6:07:48 PM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\S3Tray2.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\ISS\BlackICE\blackice.exe
E:\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gateway.cdc.gov:900/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quickenw\bagent.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\PROGRA~1\ThinkPad\ACCESS~1\Agent\common\install\ibmegath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {83CC9124-6C79-11D4-A64A-00500487DAB3} - http://download.audi...ActiveSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.5672800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://liveca06.cus...l/java/RntX.cab

#24 Daemon

Posted 22 May 2004 - 05:22 PM

OK, this is where we are up to. Your HJT log is clean now and the hijacking appears to have stopped. The bad .dll is still in your System32 folder. To do anything about that we need to move/remove it and the two techniques we have tried so far haven't worked.

Please have another go at the reglite and dllfix techniques to see if you can get a result. Let me know how you get on.

#25 BobbyM

Posted 22 May 2004 - 06:57 PM

I tried both methods again, but no dice. Windows just won't let that one go.

I have implemented all the steps in Mike Healan's article on preventing hijacking (http://www.spywarein...ked/prevent.php), so if I let the evil DLL be, do you think it will lead to the same problems all over again, or are things pretty well secure? I assume that it's a good idea to scan my system periodically with CWS and Ad-Aware. Is there anything else that you would recommend I do on a routine basis?

Thanks a million for your terrific help. I will go straight to PayPal and make a donation to help keep the forum going. You are doing marvelous work and I appreciate it. Thanks for being there, wherever you are.

#26 Daemon

Posted 24 May 2004 - 09:20 AM

OK, I'll close this thread. I suspect this issue isn't fully resolved - start a new topic if you have further problems and include a link to this one.



