Need help with this bugger.



#1 atwdmw (New Member, 1 posts)

Posted 15 July 2004 - 11:14 AM

Can anyone please help? One of our office computers has had consistent Trojan and virus problems. I ran Ad-Aware yesterday to remove a few trojans and data-miners, and shortly thereafter Outlook stopped functioning.

Any help is greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 12:09:52 PM, on 7/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\System32\qttask.exe
C:\PROGRA~1\2Ball\Softidol.exe
C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
C:\WINNT\system32\kfjqjgw.exe
C:\WINNT\system32\LzioMediaUpdater.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINNT\system32\whawizc.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Common Files\WinTools\WSup.exe
H:\Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...//www.ferc.gov/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\system32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\system32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\system32\ielcaabe.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_3_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Meal creative - {E45C2A5C-2D2A-4851-6A60-1CFD461949AF} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Modem Applet] C:\dell\qwikcsa.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [PMedia] "C:\Program Files\Common Files\Media\winsrvc.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [JOYLOGO] C:\PROGRA~1\2Ball\Softidol.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\kfjqjgw.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\system32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\system32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\system32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\system32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\system32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe c:\winnt\system32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKCU\..\Run: [Y357RXf7e] whawizc.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: ViewTIFF for Java - http://countyrecords...in/TIFFView.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream...er/tdserver.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://bin.mcafee.co...54/mcinsctl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37651.628287037
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/BM2/BM2.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab

#2 Autodad (Forum Deity, Trusted Advisor, 2,118 posts)

Posted 18 July 2004 - 02:00 PM

Hello atwdmw,

You show signs of a Look2Me infection.
A tool has been made by Option^Explicit and freeatlast to find and remove it.
Please download VX2Finder from this link, and save it to your Desktop.

http://downloads.sub...Finder(126).exe

Run VX2Finder, click on the *click to find VX2.BetterInternet* button, then click *make log*.
Copy and paste the contents of the log into your next reply here.

_ _ _ __ _ _ __ _

Please download a Free Trial of Trojan Hunter and run it.

Next, take a free Online Virus scan at HouseCall or eTrust or both.

_ _ _ _ _ _ _ _ _

Then, please follow this link to remove PeopleOnPage http://www.pchell.co...pleonpage.shtml

While you're still in Add/Remove Programs, find:

"Window Search" and "WinTools" and remove (uninstall) them.
You will be given a security code to insert; do so,
and reboot when done.
_ _ _ _ _ _ _ _ _ _

Next, go to Task Manager (Ctrl + Alt + Delete), click on "Processes", then "End Process" for this:

Softidol.exe

Then close task manager.
_ _ _ _ _ _ __ _ _


Open Hijackthis, click Scan, then put a check next to the following entries:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...//www.ferc.gov/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\system32\he3bbcff.dll
O2 - BHO: (no name) - {00000000-2565-4c5b-A455-A74C8A2247AB} - C:\WINNT\system32\wmcbaaca.dll
O2 - BHO: (no name) - {00000000-64C4-4a64-9767-895AB4921E41} - C:\WINNT\system32\ielcaabe.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [PMedia] "C:\Program Files\Common Files\Media\winsrvc.exe"
O4 - HKLM\..\Run: [JOYLOGO] C:\PROGRA~1\2Ball\Softidol.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\kfjqjgw.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\system32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\system32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\system32\wmcbaaca.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\system32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\system32\ielcaabe.dll,EnableRunDLL32
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe c:\winnt\system32\icddefff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKCU\..\Run: [Y357RXf7e] whawizc.exe
O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/BM2/BM2.cab


Now close all open windows and browsers (have only HJT open) and click "Fix Checked".

Then, reboot to Safe mode
(tap F8 while restarting) and delete these folders:

C:\Program Files\AutoUpdate\
C:\PROGRAM FILES\ACCELE~1\ <----there will be more of a name here
C:\PROGRAM FILES\2Ball\
C:\Program Files\Common Files\WinTools\
C:\Program Files\Common Files\Media\

And these files:

C:\WINNT\system32\he3bbcff.dll
C:\WINNT\system32\wmcbaaca.dll
C:\WINNT\system32\ielcaabe.dll
C:\WINNT\system32\kfjqjgw.exe
C:\WINNT\system32\LzioMediaUpdater.exe
C:\WINNT\system32\he3bbcff.dll
C:\WINNT\system32\icddefff.dll
C:\WINNT\system32\idctup20.exe
C:\WINNT\system32\automove.exe

You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, reboot normally and please post a new HJT log and the Vx2 log.
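As an added example that is not part of this thread and not a feature of HijackThis, the script below applies three of the triage rules Autodad used above (hosts entries that map a search domain to a remote IP, BHOs with no name, and DLLs started through rundll32 ...,EnableRunDLL32) to a few constructed log lines modelled on the posted log, and then correlates a DLL that appears both as a BHO and as an autostart. The "Example Helper" BHO, its CLSID and the bare-file-name rule are my own additions.

```python
import re

# Constructed sample in the shape of the HijackThis log in this thread (not the full log).
SAMPLE_LOG = r"""O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00000000-167B-41bc-95FF-86A07B14712C} - C:\WINNT\system32\he3bbcff.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\system32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKCU\..\Run: [Y357RXf7e] whawizc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),EnableRunDLL32$", re.IGNORECASE)


def parse_entries(log):
    """Yield (kind, body) for each HijackThis item line; the process list is skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["kind"], m["body"]


def triage(log):
    """Return (kind, subject, reason) tuples for entries that deserve a closer look."""
    findings, bho_paths, rundll_dlls = [], set(), {}
    for kind, body in parse_entries(log):
        if kind == "O1" and (h := HOSTS_RE.match(body)) and h["ip"] not in ("127.0.0.1", "::1"):
            # A search domain mapped to a remote IP in the hosts file is a browser hijack.
            findings.append((kind, h["host"], f"hosts file redirects {h['host']} to {h['ip']}"))
        elif kind == "O2" and (b := BHO_RE.match(body)):
            bho_paths.add(b["path"].lower())
            if b["name"].strip() == "(no name)":
                findings.append((kind, b["path"], "unnamed BHO loaded into every IE process"))
        elif kind == "O4" and (r := RUN_RE.match(body)):
            if d := RUNDLL_RE.match(r["cmd"]):
                # rundll32 <dll>,EnableRunDLL32 is the autostart shape flagged in the reply above.
                rundll_dlls[d["dll"].lower()] = r["key"]
                findings.append((kind, r["key"], "DLL started through rundll32 EnableRunDLL32"))
            elif r["cmd"] and "\\" not in r["cmd"].split()[0]:
                findings.append((kind, r["key"], "bare file name, located via the search path"))
    # Correlate: a DLL that is both a BHO and a rundll32 autostart is a strong signal.
    for dll, key in rundll_dlls.items():
        if dll in bho_paths:
            findings.append(("O2+O4", key, f"{dll} is both a BHO and an autostart"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the hosts redirect, the unnamed BHO, both suspicious O4 entries and the BHO/autostart overlap, while the loopback hosts entry, the named BHO and the QuickTime entry pass untouched.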



