• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Innuendo

Need help

8 posts in this topic

I'll start with my log and then discribe what is happening and how it began.

 

Logfile of HijackThis v1.98.0

Scan saved at 9:06:54 PM, on 7/17/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/baldwincounty

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5C8BEECA-4BFE-4449-91E0-13D850A2528A}: NameServer = 216.231.160.2,209.102.191.47

 

---------------------

 

I'm having very odd occurances with files (~100kb with names similar to files found in windows/system32) suddenly appearing on my PC and placing themselves in my startup. They are trying to access the web and are trying to connect to an instantdollar site. I block them with my firewall, disable them, then reboot and delete them. But they keep coming back. I've ran every trojan and spy program I can find and they continue to hijack my PC. A friend of mine thinks there may be something that is recreating these files with difference names on my PC when I try and delete them. Perhaps I should try deleting one from the command prompt next time?

 

This all began when I closed a window and then another pop-up appeared. But I guess it was one of those java things that has been hitting everyone recently because it started to install something on my PC. I couldn't get it to stop so I yanked my power cord. =) But it still got me. It affected WMP and it would not run. I had to re-install it, and then delete some malicous looking files within the folder.

 

Anyway, this is nonetheless where I am at now. Any advice is very much appreciated as I am out of ideas. Or if you are familiar with this instantdollar thing please help. =)

 

Thank you very much in advance.

Share this post


Link to post
Share on other sites

hey, im having the exact same problem...theres been 4 .exe files added to my startup, i disable and delete one and another appears...any solution would be greatly appreciated, its funny how nothing is showing up in my hijack this log either

Share this post


Link to post
Share on other sites

Another thing I find strange is all the svchost.exe files running. When I CNTR+ALT+DEL and choose processes I have 6 svchost files. But when I try and search for it I only come up with one.

 

:wtf:

Share this post


Link to post
Share on other sites

Hi,

Close all open windows, rescan with HijackThis

Place a check in each of the following then click "Fix checked".

 

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 ieautosearch

 

Then reboot, and then ...

 

Download icon11.gifAd-Aware

 

After installing Ad-Aware, and before running the program.

 

Update Ad-aware's Reference File: instructions icon11.gifhere

 

Required Step: icon11.gifReconfigure Ad-Aware for Full Scan

 

Also install and run the below:

 

Download and run icon11.gifLavasoft's VX2 Cleaner (plug-in)

 

After the above, reboot, rescan with HijackThis and post a fresh log ...

Share this post


Link to post
Share on other sites

Here is my new log after doing the requested tasks. FYI: It did find some VX2 files. =) Hope I'm getting closer to fixing this problem. Thank you again for all your help.

 

-----------------------------

 

Logfile of HijackThis v1.98.0

Scan saved at 9:15:07 AM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Network Associates\VirusScan\VsStat.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Network Associates\VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\Avconsol.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/baldwincounty

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{5C8BEECA-4BFE-4449-91E0-13D850A2528A}: NameServer = 216.231.160.2,209.102.191.47

Share this post


Link to post
Share on other sites

Here is a FINDnFIX log if it helps with anything. This program and what it describes is far over my head. I don't understand any of it. :scratchhead::techsupport:

 

--------------------------------------

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder

and is the destination for the file to be moved..

-*Previous directions will no longer work...

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Sun 18 Jul 04 11:33:52

11:33am up 0 days, 0:26

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

*For *Helpers/Mods and/or users that are not familiar with any of the

items on the scan results- I recommend using an alternative, once

you know what to look for!

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/16)»»»»»»»»»»»»»»»»

 

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs =

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group GATEWAY_SYSTEM\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

11:34am up 0 days, 0:26

Sun 18 Jul 04 11:34:39

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-18-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 07-18-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Sun Jul 18 2004 11:33:52a .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: ?

00001190: vk f AppInit_

000011D0:DLLs G vk UDeviceNotSelectedTimeout

00001210: 1 5 P 9 0 vk ' zGDIProce

00001250:ssHandleQuota" vk Spooler2 y e s _

00001290: 0 ` vk 5swapdisk vk

000012D0: . TransmissionRetryTimeout 0 `

00001310: vk ' A USERProcessHandleQuotat

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

fùAppInit_DLLsÖ?æG

--------------

--------------

$011C8: AppInit_DLLs

$011F7: UDeviceNotSelectedTimeout

$01247: zGDIProcessHandleQuota

$012E0: TransmissionRetryTimeout

$01330: USERProcessHandleQuotat

--------------

--------------

No strings found.

 

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

 

[AppInitDLLs]

Ansi string : ""

0000 00 00 | ..

Edited by Innuendo

Share this post


Link to post
Share on other sites

Hi,

Your log looks clean now ... good job!

 

Last Step:

 

"Flush System Restore" (see "How To" below)

Basically turn off System Restore, reboot, run a full (updated) McAfee scan, reboot and turn System Restore back on and create a new Restore Point.

 

Disabling System Restore (McAfee article)

 

How To: Scan for unwanted programs (McAfee article)

 

I would suggest adding some "Defense" to your system ...

atb_help.gifHow To: Prevent this from happening again? :wave:

Share this post


Link to post
Share on other sites

Thank you. Thank you. Thank you.

 

I'm printing the How to Prevent article so I can configure my Internet Options. One of the funny things with this problem I had was that it didn't happen right after I would delete one of those exe files. It was may-be a day or two later and all of a sudden I would turn on my PC and then it would be there. So if it happens again I'll be sure not to delete anything so you can see the full spectrum.

 

Thanks once again.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0