duplication of unwanted program running


1 reply to this topic

#1 razman (New Member, 1 post)

Posted 07 July 2004 - 09:47 AM

My browser is continually malfunctioning, and I found so many duplicates of programs such as Hrinb18.exe running. My HijackThis log is as follows:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINNT\system32\iehgen.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\ursu.exe
C:\Program Files\ClockSync\Sync.exe
C:\PROGRA~1\ezula\mmod.exe
C:\WINNT\system32\ipl1_qcx.exe
C:\WINNT\system32\qxake.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\SysAI\SysAI.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realtime.dire....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realtime.dire....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://realtime.dire...h.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://realtime.dire....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://realtime.dire....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://realtime.dire....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://realtime.dire....net/search.php
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {49FB3703-E344-7EE7-8756-11550CA22813} - C:\WINNT\system32\rbqvlfym.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Administrator\msopt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINNT\system32\wer1306.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O2 - BHO: (no name) - {FFD2825E-0785-40C5-9A41-518F53A8261F} - C:\WINNT\SiteHlpr.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ILInstallPkgEngine.exeD] D:\Bin\ILInstallPkgEngine.exe
O4 - HKLM\..\Run: [ILInstallPkgEngine.exeE] E:\Bin\ILInstallPkgEngine.exe
O4 - HKLM\..\Run: [ILInstallPkgEngine.exeF] F:\Bin\ILInstallPkgEngine.exe
O4 - HKLM\..\Run: [ILInstallPkgEngine.exeG] G:\Bin\ILInstallPkgEngine.exe
O4 - HKLM\..\Run: [ILInstallPkgEngine.exeH] H:\Bin\ILInstallPkgEngine.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe
O4 - HKLM\..\Run: [kTz7Zu5a9] C:\documents and settings\administrator\local settings\temp\kTz7Zu5a9.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [4AAT8EM425DZH3] C:\WINNT\system32\RqngD1Le.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [o39k36X] iehgen.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Ette] C:\Documents and Settings\Administrator\Application Data\ursu.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Z0qqRWbnT] ipl1_qcx.exe
O4 - HKCU\..\Run: [Mnk] C:\WINNT\system32\qxake.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://putra.upm.edu.my/iNotes.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com...MultiDistFC.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E868436-A5C9-49C1-B733-21229A02A7C8}: NameServer = 12.127.16.68,12.127.17.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E868436-A5C9-49C1-B733-21229A02A7C8}: NameServer = 12.127.16.68,12.127.17.72
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E868436-A5C9-49C1-B733-21229A02A7C8}: NameServer = 12.127.16.68,12.127.17.72

#2 stockkbroker (Advanced Member, Helper, 102 posts)

Posted 07 July 2004 - 10:49 AM

Hi,

What operating system are you using? Try to include this header the next time you post a HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:35:02 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Before you begin, please print out the following instructions so that you can follow along as we go.

Anti spyware tools needed
Download Spybot and Ad-Aware and scan your computer with these free anti-spyware programs.
  • Ad-Aware<=Follow the link to learn how to download, install and use Ad aware.
  • Spybot Search and Destroy <= Follow the link to learn how to download, install and use SpyBot.
Specific spyware removal tools needed
Due to the nature of these infections, special anti spyware tools are needed to remove them.
  • CWShredder<=The tool designed by Merijn to keep up with the prolific variations of the CoolWebSearch hijack. Put CWShredder into its own folder, click check for updates and fix. Let CWShredder fix any bad entries that it finds.
  • Look2Me Removal(WinXP)<=The latest Look2Me Fix brought out by Option Explicit. Double click VX2 finder.exe to run and let it fix anything that it finds.
Fixing the HIJACKTHIS log
Please look over the following entries I have listed, check them and Press the "Fix Checked" button with HijackThis.
When you are doing this, make sure you have NO Internet Explorer windows open, including this one.
  • R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realtime.dire....net/search.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realtime.dire....net/search.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://realtime.dire....net/search.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realtime.dire....net/search.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://realtime.dire....net/search.php
  • R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realtime.dire....net/search.php
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://realtime.dire...h.net/index.php
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realtime.dire....net/search.php
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realtime.dire....net/search.php
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://realtime.dire....net/search.php
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://realtime.dire....net/search.php
  • R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://realtime.dire....net/search.php
  • R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://realtime.dire....net/search.php
  • O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
  • O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
  • O2 - BHO: (no name) - {49FB3703-E344-7EE7-8756-11550CA22813} - C:\WINNT\system32\rbqvlfym.dll
  • O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
  • O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll (file missing)
  • O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\Documents and Settings\Administrator\msopt.dll
  • O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINNT\system32\wer1306.dll
  • O2 - BHO: (no name) - {FFD2825E-0785-40C5-9A41-518F53A8261F} - C:\WINNT\SiteHlpr.dll
  • O4 - HKLM\..\Run: [ILInstallPkgEngine.exeD] D:\Bin\ILInstallPkgEngine.exe
  • O4 - HKLM\..\Run: [ILInstallPkgEngine.exeE] E:\Bin\ILInstallPkgEngine.exe
  • O4 - HKLM\..\Run: [ILInstallPkgEngine.exeF] F:\Bin\ILInstallPkgEngine.exe
  • O4 - HKLM\..\Run: [ILInstallPkgEngine.exeG] G:\Bin\ILInstallPkgEngine.exe
  • O4 - HKLM\..\Run: [ILInstallPkgEngine.exeH] H:\Bin\ILInstallPkgEngine.exe
  • O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe
  • O4 - HKLM\..\Run: [kTz7Zu5a9] C:\documents and settings\administrator\local settings\temp\kTz7Zu5a9.exe
  • O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
  • O4 - HKLM\..\Run: [4AAT8EM425DZH3] C:\WINNT\system32\RqngD1Le.exe
  • O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
  • O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
  • O4 - HKLM\..\Run: [o39k36X] iehgen.exe
  • O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
  • O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
  • O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
  • O4 - HKCU\..\Run: [Z0qqRWbnT] ipl1_qcx.exe
  • O4 - HKCU\..\Run: [Mnk] C:\WINNT\system32\qxake.exe
  • O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com...MultiDistFC.CAB
  • O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
Clean your computer of useless cookies, temporary files
Navigate to the following folders and delete the contents inside but not the folders
  • Start | Run (type) "%temp%" (no quotes)
    Completely delete the entire contents of that "temp" folder.
  • Empty your "Recycle Bin"

Scanning for viruses and trojans
Due to the large number of infections that you have, please consider running a virus and trojan scan. Post a new Hijackthis log at the completion of these scans.
Before you do, please turn off System Restore first.
Deleting spyware files and folders
You need to show hidden files and boot into safe mode before the deletion process.
Once in safe mode, follow the directory listed and delete the following folders.
  • C:\Program Files\ClearSearch\
  • C:\Program Files\Common files\WinTools
Follow the directory listed and delete the following exe files.
  • C:\WINNT\system32\iehgen.exe
  • C:\PROGRA~1\ezula\mmod.exe
  • C:\WINNT\system32\ipl1_qcx.exe
  • C:\WINNT\system32\qxake.exe
Reboot and post a new HijackThis Log.

Learn how to prevent future infections
Spyware prevention
To reduce the likelihood of future infections, I strongly recommend installing the following anti-spyware tools.
  • SpywareBlaster<=SpywareBlaster will prevent spyware from being installed and consumes no system resources.
  • Spyware Guard<=SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad<=IE/Spyad is a free tool that places over 4000 websites and domains in the IE Restricted list which will seriously impair attempts to infect your system.
  • Script Defender<=Script Defender is a script blocker that can be used to protect against drive by downloads.
I would also recommend installing any one of the following firewalls.
  • Sygate<=Sygate Security Agent incorporates an application-centric firewall that stealths host systems, provides stateful firewalling, applies rule-based security policy, and controls application usage.
  • Agnitum Outpost<=Agnitum Outpost is a full-featured yet light-weight personal firewall product with application scanning and basic intrusion-detection features. It offers a good balance between ease of use and protection.
  • Zone Labs<=Zone Labs is a leading creator of endpoint security solutions and one of the most trusted brands in Internet security, protecting millions of PCs from risks posed by hackers and data theft. The award-winning endpoint security product line is deployed in global enterprises.
  • Kerio Personal Firewall<=Kerio Personal Firewall (KPF) helps users control how their computers exchange data with other computers on the Internet or local network. It is a necessity for all desktop computers connected to broadband Internet using DSL, cable, ISDN, WiFi or satellite modems.
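To make the entry-by-entry review in the reply above repeatable, here is a small triage script added as an example for this page; it is not code from the thread, from HijackThis, or from any of the tools the reply links. It parses the HijackThis 1.x log format shown in the first post (R0/R1 Internet Explorer settings, O2/O3 browser add-ons, O4 autostarts, O16 downloaded ActiveX controls, O17 DNS overrides) and flags entries by the same kinds of signs the helper relies on: search pages redirected to an unexpected host, unnamed or orphaned BHOs, autostarts launched from Temp or a user profile, random-looking value names, and CAB files pulled from unknown hosts. The allow-lists (EXPECTED_SEARCH_HOSTS, TRUSTED_DPF_HOSTS), the directory list and the looks_random rule are assumptions made for the example, and SAMPLE_LOG is a constructed log in the same format with placeholder hosts and URL paths.

```python
"""Triage a HijackThis 1.x log. Added example: not code from the thread, HijackThis or the
tools it links; the heuristics and allow-lists are assumptions made for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")  # "O4 - HKLM\..\Run: ..."
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")         # "[ValueName] command"
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.I)           # HJT prints paths unquoted
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
SUSPICIOUS_DIRS = ("\\temp\\", "\\documents and settings\\")       # assumed: no installer persists here
EXPECTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "google.com")  # assumed: what the user expects
TRUSTED_DPF_HOSTS = ("download.mcafee.com", "active.macromedia.com", "microsoft.com")  # assumed

@dataclass
class Entry:
    kind: str            # R0, R1, O2, O4, ...
    body: str            # everything after "Oxx - "
    reasons: list = field(default_factory=list)   # empty means nothing looked wrong

def host_of(text: str) -> str | None:
    m = URL_HOST_RE.search(text)
    return m.group(1).lower() if m else None

def looks_random(name: str) -> bool:
    """Letter/digit soup such as kTz7Zu5a9 or RqngD1Le; short names and a word with a
    trailing version number (Office10) are deliberately not flagged."""
    stem = re.sub(r"\.exe$", "", name, flags=re.I)
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    if len(stem) < 6 or not letters or re.fullmatch(r"[A-Za-z]+\d+", stem):
        return False
    mixed = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    return (digits >= 1 and mixed) or digits >= 3

def command_path(cmd: str) -> str:
    """Executable of an O4 command line, tolerating quotes, spaces and trailing switches."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else (cmd.split() or [""])[0]

def check_url(e: Entry) -> None:             # R0/R1 search pages, O16 ActiveX CAB sources
    host = host_of(e.body)
    allowed = TRUSTED_DPF_HOSTS if e.kind == "O16" else EXPECTED_SEARCH_HOSTS
    if host and not any(host == h or host.endswith("." + h) for h in allowed):
        what = "ActiveX control installed from" if e.kind == "O16" else "IE search/start page points at"
        e.reasons.append(f"{what} {host}")

def check_browser_addon(e: Entry) -> None:   # O2 BHOs and O3 toolbars
    if "(no name)" in e.body:
        e.reasons.append("unnamed browser helper object")
    if "(file missing)" in e.body or "(no file)" in e.body:
        e.reasons.append("orphaned registration, DLL no longer on disk")
    if any(d in e.body.lower() for d in SUSPICIOUS_DIRS):
        e.reasons.append("add-on DLL lives in a profile or temp directory")

def check_autostart(e: Entry) -> None:       # O4 Run keys and Startup-folder links
    m = RUN_RE.search(e.body)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
    elif " = " in e.body:                    # "Global Startup: X.lnk = target"
        name, cmd = e.body.split(": ", 1)[-1].split(" = ", 1)
    else:
        return
    path = command_path(cmd)
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        e.reasons.append(f"autostart from a profile or temp directory: {path}")
    if looks_random(name) or looks_random(path.rsplit("\\", 1)[-1]):
        e.reasons.append(f"random-looking name: [{name}] {path}")

CHECKS = {"R0": check_url, "R1": check_url, "O16": check_url, "O2": check_browser_addon,
          "O3": check_browser_addon, "O4": check_autostart,
          "O17": lambda e: e.reasons.append("explicit DNS servers; confirm they belong to your ISP")}

def triage(log_text: str) -> list[Entry]:
    entries = [Entry(m.group("kind"), m.group("body"))            # headers and process list skipped
               for m in (ENTRY_RE.match(line.strip()) for line in log_text.splitlines()) if m]
    for e in entries:
        if e.kind in CHECKS:
            CHECKS[e.kind](e)
    return entries

def flagged(log_text: str) -> list[Entry]:
    return [e for e in triage(log_text) if e.reasons]

# Constructed sample in the format of the log above; hosts and URL paths are placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll (file missing)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [kTz7Zu5a9] C:\documents and settings\administrator\local settings\temp\kTz7Zu5a9.exe
O4 - HKCU\..\Run: [Ette] C:\Documents and Settings\Administrator\Application Data\ursu.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/placeholder/swflash.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.example.com/MultiDistFC.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E868436-A5C9-49C1-B733-21229A02A7C8}: NameServer = 12.127.16.68,12.127.17.72
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} - {e.body}\n    -> {'; '.join(e.reasons)}")
```

Run it as a script to print the flagged entries with their reasons, or pass the text of a saved log to flagged(). Readable junk names such as iehgen.exe or qxake.exe, which the reply also removes, slip past the random-name rule on purpose, so the output is a starting point for the manual review the helper performed, not a verdict.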
