MYSEARCHNOW SEEKSEEK


3 replies to this topic

#1 Zooka

    Member

  • Full Member
  • 5 posts

Posted 11 July 2004 - 03:28 PM

I've tried everything...AdAware, Spybot-SD, CWShredder, and they cleaned up some stuff, but other stuff remains, specifically mysearchnow.com and seekseek.

Please help....Hijack This log below...thanks


Logfile of HijackThis v1.97.7
Scan saved at 4:22:56 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\UPBAGS~1\Cornbias.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\Syscm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\Mkwwa.exe
C:\WINDOWS\System32\Ksd5.exe
C:\WINDOWS\system32\cidaemon.exe
C:\SPYWARE STUFF\HijackThis.exe
C:\Program Files\Real\RealPlayer\realplay.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.....asp?keyphrase=
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKLM\..\Run: [5HBKNZ634HJWQ9] C:\WINDOWS\System32\RmtPCB55.exe
O4 - HKLM\..\Run: [Build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [jurirwt] C:\WINDOWS\jurirwt.exe
O4 - HKLM\..\Run: [wpcx] C:\WINDOWS\wpcx.exe
O4 - HKLM\..\Run: [tgfwb] C:\WINDOWS\tgfwb.exe
O4 - HKLM\..\Run: [upazwduz] C:\WINDOWS\upazwduz.exe
O4 - HKLM\..\Run: [vhwqzqc] C:\WINDOWS\System32\lkbsqzm.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O16 - DPF: DigiChat Applet - http://host5.digicha...s/Client_IE.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...dtc32_EN_XP.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {93829908-07C2-44A2-95DB-F78F201A9B48} - http://adblock.linkz.com/APHelper.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab

#2 Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 15 July 2004 - 01:34 PM

You have a number of problems and it's going to require some effort to get this all cleaned up. Just take it slowly and deliberately.

This line from your log is very suspicious:

O4 - HKLM\..\Run: [Build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe

I can't find anything on it. Look in your Program Files folder for a folder that starts with UPBAGS and see if you recognize it as something you installed and want. If so, then skip the related items that I'll mark as <-- your determination when I address them later.
If it's not something you want, then check in Add/Remove Programs and see if it can be uninstalled there.

You have a Peper infection, click HERE to download the PeperFix tool - save it to your desktop. Peper can interfere with removal of other malware so it's best addressed first. It's also gotten more resistant to removal and is best attacked in Safe Mode.

Update your Ad-aware with the latest reference file released Jul 12, 2004.

Temporarily turn off Spybot's TeaTimer while doing this cleanup so it won't interfere with the changes we'll be making.

Reboot your computer into Safe Mode by repeatedly tapping the F8 key during bootup. Stay in Safe Mode until instructed to reboot.
  • Doubleclick the Peperfix.exe and run it.
  • Run Ad-aware
  • Run CWShredder
Run a new HJT scan. Mark these items (if still present) for removal:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.....asp?keyphrase=

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll

O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll

O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll

O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe

O4 - HKLM\..\Run: [5HBKNZ634HJWQ9] C:\WINDOWS\System32\RmtPCB55.exe

O4 - HKLM\..\Run: [Build Owns] C:\PROGRA~1\UPBAGS~1\Cornbias.exe <-- your determination

O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe

O4 - HKLM\..\Run: [jurirwt] C:\WINDOWS\jurirwt.exe

O4 - HKLM\..\Run: [wpcx] C:\WINDOWS\wpcx.exe

O4 - HKLM\..\Run: [tgfwb] C:\WINDOWS\tgfwb.exe

O4 - HKLM\..\Run: [upazwduz] C:\WINDOWS\upazwduz.exe

O4 - HKLM\..\Run: [vhwqzqc] C:\WINDOWS\System32\lkbsqzm.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe

O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Open Windows Explorer and reconfigure it to Enable Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the Files and Folders section.
Select: Display the contents of system folders.

Scroll down to the Hidden Files and Folders section.
Select: Show hidden files and folders, Ok the prompt
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files
Ok the Prompt, click Apply

Click the Apply to all Folders button.

Look for and delete (if found) these files:

C:\WINDOWS\System32\Ksd5.exe
C:\WINDOWS\System32\Mkwwa.exe
C:\WINDOWS\System32\Syscm.exe
C:\WINDOWS\System32\zzb2.exe

Now, delete these folders and all contents:

C:\Program Files\Sqwire
C:\Program Files\UPBAGS~1 <-- your determination
C:\Program Files\Common Files\SQ

Reboot normally.

Now, run a virus check - either visit one or more of the online virus scanners linked in my Signature or download one of the free antivirus programs listed there.

Once that's done run another HJT scan, and post it here for further review.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.

#3 Zooka

    Member

  • Full Member
  • 5 posts

Posted 16 July 2004 - 12:50 PM

OK... followed your instructions, and here's the new log....

Logfile of HijackThis v1.98.0
Scan saved at 1:34:45 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\SPYWARE STUFF\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: C:\WINDOWS\lbbho.dll - {249BBF90-68AC-47A7-8D33-00EEB3667C02} - C:\WINDOWS\lbbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

#4 Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 16 July 2004 - 09:48 PM

That last log is missing most of the Running processes.

Other than that, things look much better - but there's still a little cleanup to do.

Run a new HJT scan. Mark these items for removal:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: C:\WINDOWS\lbbho.dll - {249BBF90-68AC-47A7-8D33-00EEB3667C02} - C:\WINDOWS\lbbho.dll


This is an optional fix. It's not malware, just a drain on your system resources. You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT if you choose to do so:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Reboot and run another HJT scan and post the log for what may be the last look. If everything looks as well as I'm expecting, then we'll reset your System Restore and call it all clean.
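Added example, not code from this thread, from HijackThis, or from the responder: a small Python script that parses the log line formats used above (R0/R3 entries, O2 BHOs with their CLSIDs, O4 Run keys, O16 DPF objects), rejoins lines that the forum wrapped (as happened to the second log), diffs a "before" and an "after" scan, and reports which items from a fix list still show up. The sample scans are constructed subsets of the two logs posted here and the fix list is a subset of the first reply's removal list; all function and constant names are the example's own.

```python
"""Parse HijackThis-style scan logs and compare a 'before' and an 'after' scan.
Added example, not code from this thread or from HijackThis; every name here is
the example's own. It understands the line shapes seen in the logs above."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
CLSID_SECTIONS = {"R3", "O2", "O3", "O16"}  # entries best identified by their CLSID

# Constructed samples: subsets of the first and second logs posted in this thread.
# SECOND_SCAN keeps the line wrapping the forum introduced, to exercise the join logic.
FIRST_SCAN = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll
O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
"""
SECOND_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: C:\WINDOWS\lbbho.dll - {249BBF90-68AC-47A7-8D33-00EEB3667C02} -
C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
"""
# Subset of the items the first reply marked for removal.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {4BEE8E2A-F8A3-4554-A265-8C07AED7061C} - C:\WINDOWS\System32\eds.dll
O4 - HKLM\..\Run: [zzb2] c:\WINDOWS\System32\zzb2.exe
O4 - HKLM\..\Run: [syscm] C:\WINDOWS\System32\Syscm.exe
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # text after "O4 - ", with wrapped lines rejoined
    ident: str    # normalised identifier used when comparing scans


def identify(section, body):
    """Pick the part of an entry that survives cosmetic changes between scans:
    the CLSID for COM objects, the command line for Run keys, the body otherwise."""
    if section in CLSID_SECTIONS:
        m = CLSID_RE.search(body)
        if m:
            return m.group(0).upper()
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            return m["cmd"].strip().lower()
    return body.strip().lower()


def parse_log(text):
    """A non-blank line that does not start a new section continues the previous entry."""
    entries, current = [], None

    def flush():
        if current:
            entries.append(Entry(current[0], current[1], identify(*current)))

    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            flush()
            current = [m["section"], m["body"]]
        elif line and current:
            current[1] += " " + line  # forum-wrapped continuation line
        else:
            flush()
            current = None  # blank line or header text ends any open entry
    flush()
    return entries


def diff_scans(before, after):
    """Entries of `before` missing from `after`, and entries that are new in `after`."""
    before_ids, after_ids = {e.ident for e in before}, {e.ident for e in after}
    return ([e for e in before if e.ident not in after_ids],
            [e for e in after if e.ident not in before_ids])


def still_present(fix_list_text, after):
    """Items from a fix list whose identifier still shows up in a later scan."""
    after_ids = {e.ident for e in after}
    return [e for e in parse_log(fix_list_text) if e.ident in after_ids]


if __name__ == "__main__":
    after = parse_log(SECOND_SCAN)
    removed, added = diff_scans(parse_log(FIRST_SCAN), after)
    print("gone since first scan:", *[f"{e.section} - {e.body}" for e in removed], sep="\n  ")
    print("new since first scan:", *[f"{e.section} - {e.body}" for e in added], sep="\n  ")
    print("fix-list items still present:", *[e.body for e in still_present(FIX_LIST, after)], sep="\n  ")
```

Run it directly to print the comparison. Because Run-key entries are compared by command line rather than by the name in square brackets, the NeroFilterCheck/NeroCheck rename between the two logs is not reported as a change, while the dropped URLSearchHook, BHO, Run keys and DPF object are; the one fix-list item still present is the empty CustomizeSearch value, which is exactly what the second reply asks to fix again.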



