Stubborn, Recurrent problems

Posted 19 July 2004 - 08:45 PM

I have three network connected systems, and have been mostly able to stem the tide using Spybot and Adaware. One system, however, has developed a recurrent problem and seems to get infected immediately and severely with all manner of junk. I've read the FAQ and run AdAware and SpyBot.

The system in question is running XP/IE with all updates, Norton Antivirus and ZoneAlarm with only a few authorized programs.

Right now Spybot (1.3) reports C2.lop plus 11 other problems (the usual casinos and sex lists) but can't remove any; running Spybot at bootup reports that it has C2.lop (with 4 components) but can't remove it then either. I don't see anything in the process list that looks suspicious.

How do I clean the stuff SpyBot can't get to, what is exposing me to the constant recurrence of these problems and how can I close the door? I see a few things in this log that make me suspicious, but only know enough to be dangerous, so I'll solicit your expert advice.

Here is my log. I will be glad to supply any additional info needed. Thanks in advance, you guys perform a great service to the community.

Added: Perhaps another clue: since doing the scans above I get a popup telling me that "Spybot Has Blocked the Download of DoubleClick" when accessing certain websites (notably Yahoo mail).

Logfile of HijackThis v1.98.0
Scan saved at 9:26:31 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Documents and Settings\JGM\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = +s
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: WhistleHlprObj Class - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\WhistleSoftware\WselServices\WhistleHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DNSRestore] "C:\PROGRA~1\AT&TNE~1\DNSRestore.exe" -R
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\Lynn\LOCALS~1\Temp\ins8.tmp /R /A
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - Global Startup: HawkEye IV Control Panel.lnk = C:\WINDOWS\NUMBER9\HAWK_32.EXE
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .gils: C:\Program Files\EACom\Netscape_Plugin\NPGils.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = +s

Posted 20 July 2004 - 12:46 PM

Another clue, possibly: when navigating to certain sites (notably weather.com) I also get a message that SpyBot has blocked download of Avenue A. So it looks like my browser is trying to download stuff that Spybot is now blocking.


