temptech

Persistent Pest

24 posts in this topic

To the experts,

I am willing to go to heroic efforts to remove this hijacker but I believe it will require expert help. I have read the FAQ and attempted to properly follow the instructions in the tutorial; it seems that all is well but then the R0 etc., start page, search page etc. reappear in the Hijack This log file. I have run Spybot, Pest Patrol and Adware; they all show the system as clean. Spyferret from PCFIX online identifies the hijacker but I am suspect of the chance the $39.00 will be well spent. Any advice on moving forward will be aptly appreciated.


Let's have a closer look:

 

Go to http://computercops.biz/downloads-cat-14.html, and download Hijack This.

 

Unzip to a folder other than your Desktop or the Temp folder, doubleclick HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Press that, save the log somewhere, and please show us its contents.

 

Most of what it lists will be harmless or even required, so do NOT fix anything yet.

Someone here will be happy to help you analyze the results.


Tony,

While I was waiting on a reply I was working with the HijackThis log file and I seem to have regained control of my home page. I will send an updated log file in just a minute; I just want to make sure I know where I stand with the problem.

Kenneth


Tony,

Everything seems to be back in order but I would appreciate it if you did have a look at the log file.

 

Logfile of HijackThis v1.98.0

Scan saved at 4:03:10 PM, on 7/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\netya.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\syszv.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\WINDOWS\System32\TFNF5.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\System32\S3Tray2.exe

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Kenneth\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

 

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - C:\WINDOWS\mfcep32.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [syszv.exe] C:\WINDOWS\system32\syszv.exe

O4 - HKLM\..\Run: [msll32.exe] C:\WINDOWS\system32\msll32.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20

O4 - HKLM\..\Run: [sdkhc.exe] C:\WINDOWS\system32\sdkhc.exe

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\RunOnce: [msoq.exe] C:\WINDOWS\msoq.exe

O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe

O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe

O4 - HKLM\..\RunOnce: [netya.exe] C:\WINDOWS\system32\netya.exe

O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\iepj32.exe

O4 - HKLM\..\RunOnce: [windm.exe] C:\WINDOWS\windm.exe

O4 - HKLM\..\RunOnce: [winfz.exe] C:\WINDOWS\winfz.exe

O4 - HKLM\..\RunOnce: [sdkpn.exe] C:\WINDOWS\sdkpn.exe

O4 - HKLM\..\RunOnce: [mfcgm.exe] C:\WINDOWS\system32\mfcgm.exe

O4 - HKLM\..\RunOnce: [crsh32.exe] C:\WINDOWS\system32\crsh32.exe

O4 - HKLM\..\RunOnce: [sysgn.exe] C:\WINDOWS\sysgn.exe

O4 - HKLM\..\RunOnce: [atlvo32.exe] C:\WINDOWS\system32\atlvo32.exe

O4 - HKLM\..\RunOnce: [javaar.exe] C:\WINDOWS\system32\javaar.exe

O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\winnd.exe

O4 - HKLM\..\RunOnce: [syswx32.exe] C:\WINDOWS\syswx32.exe

O4 - HKLM\..\RunOnce: [atlrn.exe] C:\WINDOWS\atlrn.exe

O4 - HKLM\..\RunOnce: [netez.exe] C:\WINDOWS\netez.exe

O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\system32\winir.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfrestorationnetwork.org/sdcc...ad/tgctlins.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2FA13129-345B-4679-A201-2D84682110AA}: NameServer = 207.44.140.102 64.191.22.247

 

 

Thanks Kenneth


You have a massive CoolWebSearch infection.

 

Copy the contents of the 'QUOTE' box to Notepad, and save as GetServices.vbs (make sure you save as type: 'all files').

 

Doubleclick GetServices.vbs (a script by Mosaic1), and it will produce a list of all active services on your computer; please post that list in your reply.

 

' GetServices.vbs (by Mosaic1): list every service that is not stopped,
' grouped by the process that hosts it, and open the result in Notepad.
Set objIdDictionary = CreateObject("Scripting.Dictionary")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' First pass: collect the distinct process IDs of all running services
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State <> 'Stopped'")
For Each objService in colServices
    If Not objIdDictionary.Exists(objService.ProcessID) Then
        objIdDictionary.Add objService.ProcessID, objService.ProcessID
    End If
Next

' Second pass: for each process ID, list the services it hosts
' (display name, short name and the command line the service runs)
colProcessIDs = objIdDictionary.Items
For i = 0 To objIdDictionary.Count - 1
    Set colServices = objWMIService.ExecQuery _
        ("Select * from Win32_Service Where ProcessID = '" & _
            colProcessIDs(i) & "'")
    For Each objService in colServices
        msg = msg & vbCrLf & " " & UCase(objService.DisplayName) & ": " _
            & objService.Name & vbCrLf & objService.PathName & vbCrLf
    Next
Next

' Write the list to Active.txt next to the script and open it
Dim fso, Services, Wshshell
Set Wshshell = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set Services = fso.CreateTextFile("Active.txt", True)
Services.Write "These are the Current Active Services:"
Services.WriteLine
Services.Write msg
Services.Close
Wshshell.Run "Active.txt"

 

 

If you have script blocking installed, you will get a warning when you try to run the script. Please allow it to run. It is only collecting information so we can help you.


As instructed,

Kenneth

 

These are the Current Active Services:

 

APPLICATION LAYER GATEWAY SERVICE: ALG

C:\WINDOWS\System32\alg.exe

 

WINDOWS AUDIO: AudioSrv

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

BACKGROUND INTELLIGENT TRANSFER SERVICE: BITS

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

COMPUTER BROWSER: Browser

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

CRYPTOGRAPHIC SERVICES: CryptSvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

DHCP CLIENT: Dhcp

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

ERROR REPORTING SERVICE: ERSvc

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

COM+ EVENT SYSTEM: EventSystem

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

HELP AND SUPPORT: helpsvc

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

INFRARED MONITOR: Irmon

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SERVER: lanmanserver

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

WORKSTATION: lanmanworkstation

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

MESSENGER: Messenger

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

NETWORK CONNECTIONS: Netman

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

NETWORK LOCATION AWARENESS (NLA): Nla

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

REMOTE ACCESS CONNECTION MANAGER: RasMan

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

TASK SCHEDULER: Schedule

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SECONDARY LOGON: seclogon

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SYSTEM EVENT NOTIFICATION: SENS

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SHELL HARDWARE DETECTION: ShellHWDetection

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SYSTEM RESTORE SERVICE: srservice

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

TELEPHONY: TapiSrv

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

TERMINAL SERVICES: TermService

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

THEMES: Themes

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

DISTRIBUTED LINK TRACKING CLIENT: TrkWks

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

UPLOAD MANAGER: uploadmgr

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

WINDOWS TIME: W32Time

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

AUTOMATIC UPDATES: wuauserv

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

WIRELESS ZERO CONFIGURATION: WZCSVC

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SYMANTEC EVENT MANAGER: ccEvtMgr

"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

 

DNS CLIENT: Dnscache

C:\WINDOWS\System32\svchost.exe -k NetworkService

 

EVENT LOG: Eventlog

C:\WINDOWS\system32\services.exe

 

PLUG AND PLAY: PlugPlay

C:\WINDOWS\system32\services.exe

 

FAX: Fax

C:\WINDOWS\system32\fxssvc.exe

 

LEXBCE SERVER: LexBceS

C:\WINDOWS\system32\LEXBCES.EXE

 

TCP/IP NETBIOS HELPER: LmHosts

C:\WINDOWS\System32\svchost.exe -k LocalService

 

SSDP DISCOVERY SERVICE: SSDPSRV

C:\WINDOWS\System32\svchost.exe -k LocalService

 

WEBCLIENT: WebClient

C:\WINDOWS\System32\svchost.exe -k LocalService

 

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc

"C:\Program Files\Norton AntiVirus\navapsvc.exe"

 

IPSEC SERVICES: PolicyAgent

C:\WINDOWS\System32\lsass.exe

 

PROTECTED STORAGE: ProtectedStorage

C:\WINDOWS\system32\lsass.exe

 

SECURITY ACCOUNTS MANAGER: SamSs

C:\WINDOWS\system32\lsass.exe

 

REMOTE PROCEDURE CALL (RPC): RpcSs

C:\WINDOWS\system32\svchost -k rpcss

 

PRINT SPOOLER: Spooler

C:\WINDOWS\system32\spoolsv.exe

 

WINDOWS IMAGE ACQUISITION (WIA): stisvc

C:\WINDOWS\System32\svchost.exe -k imgsvc

 

WAN MINIPORT (ATW) SERVICE: WANMiniportService

"C:\WINDOWS\wanmpsvc.exe"

 

NETWORK SECURITY SERVICE: ½O.#ž‚„?õØ´â

C:\WINDOWS\system32\netya.exe /s


I do now! ;)

 

Go to Start > Run > Services.msc

 

Scroll down to the "NETWORK SECURITY SERVICE", stop it, and set its startup type to 'Disabled'.

 

Now download About:Buster from here

 

http://www.downloads.subratam.org/AboutBuster.zip

 

Now start your computer in Safe Mode, and have Hijack This fix all of the following:

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - C:\WINDOWS\mfcep32.dll

 

O4 - HKLM\..\Run: [syszv.exe] C:\WINDOWS\system32\syszv.exe

O4 - HKLM\..\Run: [msll32.exe] C:\WINDOWS\system32\msll32.exe

 

O4 - HKLM\..\RunOnce: [msoq.exe] C:\WINDOWS\msoq.exe

O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe

O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe

O4 - HKLM\..\RunOnce: [netya.exe] C:\WINDOWS\system32\netya.exe

O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\iepj32.exe

O4 - HKLM\..\RunOnce: [windm.exe] C:\WINDOWS\windm.exe

O4 - HKLM\..\RunOnce: [winfz.exe] C:\WINDOWS\winfz.exe

O4 - HKLM\..\RunOnce: [sdkpn.exe] C:\WINDOWS\sdkpn.exe

O4 - HKLM\..\RunOnce: [mfcgm.exe] C:\WINDOWS\system32\mfcgm.exe

O4 - HKLM\..\RunOnce: [crsh32.exe] C:\WINDOWS\system32\crsh32.exe

O4 - HKLM\..\RunOnce: [sysgn.exe] C:\WINDOWS\sysgn.exe

O4 - HKLM\..\RunOnce: [atlvo32.exe] C:\WINDOWS\system32\atlvo32.exe

O4 - HKLM\..\RunOnce: [javaar.exe] C:\WINDOWS\system32\javaar.exe

O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\winnd.exe

O4 - HKLM\..\RunOnce: [syswx32.exe] C:\WINDOWS\syswx32.exe

O4 - HKLM\..\RunOnce: [atlrn.exe] C:\WINDOWS\atlrn.exe

O4 - HKLM\..\RunOnce: [netez.exe] C:\WINDOWS\netez.exe

O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\system32\winir.exe

 

 

Unzip About:Buster to your desktop. Double click it and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report.

 

Reboot normally, and run an online virus scan at http://housecall.antivirus.com/

 

When done, post the About: Buster report and a new Hijack this log here.

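Added example, not from this thread or from HijackThis: a small Python triage script that encodes the CoolWebSearch indicators Tony picked out of Kenneth's logs (missing URLSearchHook, res:// start and search pages, an unnamed BHO in the Windows directory, and Run/RunOnce values named after their own executable in C:\WINDOWS or system32) and runs them over lines copied from the logs above. The rules are heuristics drawn from these logs only; a hit means the entry deserves a look, not that it is malicious.

```python
"""Triage of HijackThis v1.98 log lines for the CoolWebSearch indicators
seen in this thread. Added example; not part of HijackThis, About:Buster,
CWShredder or GetServices.vbs. The rules are heuristics derived from the
logs above, so a hit marks an entry for review rather than giving a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories the random-named CWS files lived in, in the logs above.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# R0/R1: IE start or search page entries (value after '=' is the URL).
R_PAGE = re.compile(
    r"^R[01] - .*?(Start Page|Search Page|Default_Page_URL|Default_Search_URL)"
    r"\s*=\s*(\S+)", re.IGNORECASE)
# O2: BHO name, CLSID, DLL path.
O2_BHO = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
# O4: registry Run/RunOnce value name in [] followed by its command line.
O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[([^\]]+)\] (.*)$")
# First drive-letter path ending in .exe/.dll/.ocx inside a command line.
FIRST_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def split_target(target: str) -> Tuple[str, str]:
    """Return (directory, filename), lower-cased, of the first path in an
    O2/O4 target, ignoring quotes and trailing switches such as ' /run'.
    A bare name like TPWRTRAY.EXE yields ('', 'tpwrtray.exe')."""
    m = FIRST_PATH.search(target)
    if not m:
        return "", target.strip().strip('"').lower()
    directory, _, filename = m.group(1).lower().rpartition("\\")
    return directory, filename


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's CWS indicators to one log line."""
    line = line.strip()
    # R3: the default URLSearchHook has been removed.
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return Finding(line, "default URLSearchHook missing")
    # R0/R1: start/search page points into a DLL resource (res://...).
    m = R_PAGE.match(line)
    if m and m.group(2).lower().startswith("res://"):
        return Finding(line, f"{m.group(1)} redirected to a local DLL resource")
    # O2: unnamed BHO loaded from a DLL dropped directly in a system dir.
    m = O2_BHO.match(line)
    if m:
        directory, filename = split_target(m.group(2))
        if m.group(1).strip().lower() == "(no name)" and directory in SYSTEM_DIRS:
            return Finding(line, f"unnamed BHO {filename} in {directory}")
    # O4: value named exactly like its own file ([syszv.exe] ... syszv.exe),
    # with that file sitting directly in a system dir. Vendor entries such
    # as [00THotkey] C:\WINDOWS\System32\00THotkey.exe do not match.
    m = O4_RUN.match(line)
    if m:
        key, value_name, target = m.groups()
        directory, filename = split_target(target)
        if value_name.lower() == filename and directory in SYSTEM_DIRS:
            return Finding(line, f"{key} value named after its file {filename}")
    return None


def triage_log(text: str) -> List[Finding]:
    """Return every flagged line of a whole log, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


# Constructed excerpt: lines copied from the logs above, legitimate entries
# mixed with the ones Tony told Kenneth to fix.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - C:\WINDOWS\mfcep32.dll
O4 - HKLM\..\Run: [syszv.exe] C:\WINDOWS\system32\syszv.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\RunOnce: [msoq.exe] C:\WINDOWS\msoq.exe
O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
"""


def main() -> None:
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason:45s} | {f.line}")


if __name__ == "__main__":
    main()
```

Running the script over a full HijackThis log gives the same seven kinds of hits Tony listed for fixing; feeding it the fresh log after each cleanup round shows which entries survived or were replaced by new random names.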

To Tony,

The housecall scan took a while and the results were as follows: 611 infected files in Pest Patrol and a few others in various locations; they have been deleted.

I ran the HijackThis program and the log is attached along with the Buster log.

Kenneth

Logfile of HijackThis v1.98.0

Scan saved at 10:29:04 AM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\atlro.exe

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\toshiba\ivp\ism\pinger.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\iekz32.exe

C:\hijackthis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\syspy.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe

O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfrestorationnetwork.org/sdcc...ad/tgctlins.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

 

Buster Log

-- Scan 1 --------

About:Buster Version 1.31

Removed! : C:\WINDOWS\aberzg.dat

Removed! : C:\WINDOWS\appab32.exe

Error Removing! : C:\WINDOWS\atlwo.dll

Error Removing! : C:\WINDOWS\auyqae.dat

Error Removing! : C:\WINDOWS\d3ct32.dll

Removed! : C:\WINDOWS\eklwpa.dat

Error Removing! : C:\WINDOWS\fegzof.dat

Removed! : C:\WINDOWS\fjyesu.dat

Removed! : C:\WINDOWS\fwnbs.dat

Removed! : C:\WINDOWS\geluj.dat

Removed! : C:\WINDOWS\gpktx.dat

Removed! : C:\WINDOWS\gpznbl.dat

Removed! : C:\WINDOWS\gvjbr.dll

Error Removing! : C:\WINDOWS\hbeceo.dat

Removed! : C:\WINDOWS\hujana.dat

Error Removing! : C:\WINDOWS\ihfdzw.dat

Removed! : C:\WINDOWS\ijrdg.dat

Removed! : C:\WINDOWS\ipqx.exe

Error Removing! : C:\WINDOWS\iprv32.dll

Removed! : C:\WINDOWS\iuqgj.dll

Removed! : C:\WINDOWS\javais32.exe

Error Removing! : C:\WINDOWS\khsjmh.dat

Removed! : C:\WINDOWS\kmpfp.dat

Removed! : C:\WINDOWS\leasy.dat

Error Removing! : C:\WINDOWS\lepsjl.dat

Removed! : C:\WINDOWS\lfpce.dat

Removed! : C:\WINDOWS\lklfzo.dat

Removed! : C:\WINDOWS\lnzfp.dll

Removed! : C:\WINDOWS\madkq.dat

Error Removing! : C:\WINDOWS\mfcep32.dll

Removed! : C:\WINDOWS\mptkh.dll

Removed! : C:\WINDOWS\mshf.exe

Removed! : C:\WINDOWS\msoq.exe

Removed! : C:\WINDOWS\msyo32.exe.bak

Removed! : C:\WINDOWS\nbthr.dat

Removed! : C:\WINDOWS\nczfp.dat

Error Removing! : C:\WINDOWS\nhajlq.dat

Removed! : C:\WINDOWS\nicre.dat

Error Removing! : C:\WINDOWS\nouhyi.dat

Removed! : C:\WINDOWS\nssywd.dat

Error Removing! : C:\WINDOWS\ntcf.dll

Removed! : C:\WINDOWS\ntyv.exe

Removed! : C:\WINDOWS\n_fmukab.dat

Removed! : C:\WINDOWS\n_jzfpvo.dat

Error Removing! : C:\WINDOWS\n_nxlgrh.dat

Error Removing! : C:\WINDOWS\n_zyrgrr.dat

Removed! : C:\WINDOWS\orbkg.dat

Error Removing! : C:\WINDOWS\oxrkda.dat

Removed! : C:\WINDOWS\pkkfvs.dat

Error Removing! : C:\WINDOWS\pmwvgm.dat

Removed! : C:\WINDOWS\qphrtt.dat

Error Removing! : C:\WINDOWS\rknmoq.dat

Removed! : C:\WINDOWS\sdkpn.exe

Error Removing! : C:\WINDOWS\sdkwn.dll

Removed! : C:\WINDOWS\sgeas.dat

Removed! : C:\WINDOWS\sysgn.exe

Removed! : C:\WINDOWS\sysoq32.exe

Removed! : C:\WINDOWS\sysso.dll

Removed! : C:\WINDOWS\sysso.exe.bak

Error Removing! : C:\WINDOWS\tsmzah.dat

Removed! : C:\WINDOWS\uvevvn.dat

Removed! : C:\WINDOWS\uxrmnk.dat

Error Removing! : C:\WINDOWS\vfxkza.dat

Removed! : C:\WINDOWS\vokpxq.dat

Removed! : C:\WINDOWS\waezd.dll

Removed! : C:\WINDOWS\windm.exe

Removed! : C:\WINDOWS\winfz.exe

Removed! : C:\WINDOWS\winnd.exe

Removed! : C:\WINDOWS\wziez.dat

Error Removing! : C:\WINDOWS\xwkfwr.dat

Removed! : C:\WINDOWS\xylyff.dat

Removed! : C:\WINDOWS\ygivmk.dat

Removed! : C:\WINDOWS\ypftsw.dat

Removed! : C:\WINDOWS\yufux.dat

Error Removing! : C:\WINDOWS\yymuma.dat

Removed! : C:\WINDOWS\zrawtb.dat

Error Removing! : C:\WINDOWS\System32\apiuw32.dll

Removed! : C:\WINDOWS\System32\appzf.exe

Removed! : C:\WINDOWS\System32\bhpjl.dat

Removed! : C:\WINDOWS\System32\crcln.dat

Removed! : C:\WINDOWS\System32\crcln.dll

Removed! : C:\WINDOWS\System32\crsh32.exe

Removed! : C:\WINDOWS\System32\crwq.exe

Removed! : C:\WINDOWS\System32\dggir.dat

Removed! : C:\WINDOWS\System32\dlcfg.dat

Removed! : C:\WINDOWS\System32\fcwyo.dat

Removed! : C:\WINDOWS\System32\fpswd.dat

Removed! : C:\WINDOWS\System32\hohdx.dat

Removed! : C:\WINDOWS\System32\hoqot.dll

Removed! : C:\WINDOWS\System32\hwnww.dll

Removed! : C:\WINDOWS\System32\iicxx.dat

Removed! : C:\WINDOWS\System32\jbvxg.dat

Removed! : C:\WINDOWS\System32\jszzk.dll

Removed! : C:\WINDOWS\System32\jtwfj.dat

Removed! : C:\WINDOWS\System32\jzvni.dat

Removed! : C:\WINDOWS\System32\kcgjv.dat

Removed! : C:\WINDOWS\System32\kmaou.dat

Removed! : C:\WINDOWS\System32\lpuwg.dll

Removed! : C:\WINDOWS\System32\lutdf.dat

Removed! : C:\WINDOWS\System32\lxejm.dat

Error Removing! : C:\WINDOWS\System32\mshv32.dll

Removed! : C:\WINDOWS\System32\msll32.exe

Removed! : C:\WINDOWS\System32\netbx.exe

Removed! : C:\WINDOWS\System32\netya.exe

Removed! : C:\WINDOWS\System32\nfmvc.dat

Removed! : C:\WINDOWS\System32\nhoiv.dat

Removed! : C:\WINDOWS\System32\npowb.dat

Removed! : C:\WINDOWS\System32\nssyw.dat

Removed! : C:\WINDOWS\System32\nsuzj.dat

Removed! : C:\WINDOWS\System32\pbkmz.dat

Removed! : C:\WINDOWS\System32\pkgfq.dat

Removed! : C:\WINDOWS\System32\qqowu.dat

Removed! : C:\WINDOWS\System32\qqxay.dat

Removed! : C:\WINDOWS\System32\riqki.dat

Removed! : C:\WINDOWS\System32\syszv.exe

Removed! : C:\WINDOWS\System32\vpzfs.dat

Removed! : C:\WINDOWS\System32\vrudo.dat

Removed! : C:\WINDOWS\System32\winbd.exe

Removed! : C:\WINDOWS\System32\yjqae.dat

Removed! : C:\WINDOWS\System32\ykaam.dat

Removed! : C:\WINDOWS\System32\zbeup.dat

Removed! : C:\WINDOWS\System32\zbeup.dll

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Well, we don't appear to be there just yet...

 

Go to http://www.wilderssecurity.com/showthread.php?t=14086, and download the latest version of CWShredder by Merijn Bellekom, the creator of Hijack This. Don't run it as yet.

 

Now disconnect your computer from the Internet.

Now do a Ctrl-Alt-Delete in order to bring up Task Manager and, on the Processes tab, end task on the IEKZ32.exe process.

 

Now find C:\WINDOWS\iekz32.exe, and delete it.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129

 

R3 - Default URLSearchHook is missing

 

O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe

O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe

 

 

Boot into Safe Mode once again, and run About:Buster once more.

 

Run CWShredder, press 'Fix', and allow it to fix all it finds.

 

Next, restart your computer, run Hijack This once more, repost to this forum thread, and please show us a fresh log.

Edited by TonyKlein


To Tony,

I followed the instructions given but I think it is still there. Here's the log.

Kenneth

Logfile of HijackThis v1.98.0

Scan saved at 12:16:48 PM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe

C:\WINDOWS\system32\fxssvc.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\sdkrb.exe

C:\WINDOWS\iecy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hijackthis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\syspy.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe

O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfrestorationnetwork.org/sdcc...ad/tgctlins.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab


Yup, we're not making much progress; I've just heard from other folks who have recently had little success removing this latest version... :(

 

Would you try this, please?

 

Click here to download FindnFix.exe by Freeatlast.

 

Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program will take a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

 

 

And would you please run "GetServices.vbs" once more? I'd like to make sure that nothing has changed there.


Tony, OK, here they are.

Kenneth

 

 

These are the Current Active Services:

 

APPLICATION LAYER GATEWAY SERVICE: ALG

C:\WINDOWS\System32\alg.exe

 

WINDOWS AUDIO: AudioSrv

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

COMPUTER BROWSER: Browser

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

CRYPTOGRAPHIC SERVICES: CryptSvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

DHCP CLIENT: Dhcp

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

ERROR REPORTING SERVICE: ERSvc

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

COM+ EVENT SYSTEM: EventSystem

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

HELP AND SUPPORT: helpsvc

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

INFRARED MONITOR: Irmon

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SERVER: lanmanserver

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

WORKSTATION: lanmanworkstation

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

MESSENGER: Messenger

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

NETWORK CONNECTIONS: Netman

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

NETWORK LOCATION AWARENESS (NLA): Nla

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

REMOTE ACCESS CONNECTION MANAGER: RasMan

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

TASK SCHEDULER: Schedule

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SECONDARY LOGON: seclogon

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SYSTEM EVENT NOTIFICATION: SENS

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SHELL HARDWARE DETECTION: ShellHWDetection

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SYSTEM RESTORE SERVICE: srservice

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

TELEPHONY: TapiSrv

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

TERMINAL SERVICES: TermService

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

THEMES: Themes

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

DISTRIBUTED LINK TRACKING CLIENT: TrkWks

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

UPLOAD MANAGER: uploadmgr

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

WINDOWS TIME: W32Time

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

AUTOMATIC UPDATES: wuauserv

C:\WINDOWS\system32\svchost.exe -k netsvcs

 

WIRELESS ZERO CONFIGURATION: WZCSVC

C:\WINDOWS\System32\svchost.exe -k netsvcs

 

SYMANTEC EVENT MANAGER: ccEvtMgr

"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

 

DNS CLIENT: Dnscache

C:\WINDOWS\System32\svchost.exe -k NetworkService

 

EVENT LOG: Eventlog

C:\WINDOWS\system32\services.exe

 

PLUG AND PLAY: PlugPlay

C:\WINDOWS\system32\services.exe

 

FAX: Fax

C:\WINDOWS\system32\fxssvc.exe

 

LEXBCE SERVER: LexBceS

C:\WINDOWS\system32\LEXBCES.EXE

 

TCP/IP NETBIOS HELPER: LmHosts

C:\WINDOWS\System32\svchost.exe -k LocalService

 

SSDP DISCOVERY SERVICE: SSDPSRV

C:\WINDOWS\System32\svchost.exe -k LocalService

 

WEBCLIENT: WebClient

C:\WINDOWS\System32\svchost.exe -k LocalService

 

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc

"C:\Program Files\Norton AntiVirus\navapsvc.exe"

 

IPSEC SERVICES: PolicyAgent

C:\WINDOWS\System32\lsass.exe

 

PROTECTED STORAGE: ProtectedStorage

C:\WINDOWS\system32\lsass.exe

 

SECURITY ACCOUNTS MANAGER: SamSs

C:\WINDOWS\system32\lsass.exe

 

REMOTE PROCEDURE CALL (RPC): RpcSs

C:\WINDOWS\system32\svchost -k rpcss

 

PRINT SPOOLER: Spooler

C:\WINDOWS\system32\spoolsv.exe

 

WINDOWS IMAGE ACQUISITION (WIA): stisvc

C:\WINDOWS\System32\svchost.exe -k imgsvc

 

WAN MINIPORT (ATW) SERVICE: WANMiniportService

"C:\WINDOWS\wanmpsvc.exe"

 

 

This is the Find Log,

 

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»

»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

Mon 26 Jul 04 12:47:47

12:47am up 0 days, 0:35

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

You must know how to ID the file based on the filters provided in

the scan, as not all the files flagged are bad.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided should help narrow down the list, and hopefully

pinpoint the culprit.

Along with that,registry scan logged at the end should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove

without attempting to confirm it's nature!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!

If in doubt, always search the file(s) and properties according to criteria!

 

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/25)»»»»»»»»»»»»»»»»

 

»»»*»»»*Use at your own risk!»»»*»»»*

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

C:\WINDOWS\SYSTEM32\

syspy.dll Thu Jun 17 2004 12:36:08a A.SH. 91,113 88.98 K

 

1 item found: 1 file, 0 directories.

Total of file sizes: 91,113 bytes 88.98 K

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINDOWS\SYSTEM32\SYSPY.DLL

 

»»»»»(*5*)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»»Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group TOSHIBA-USER\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

 

»»»»»»Backups created...»»»»»»

12:50am up 0 days, 0:38

Mon 26 Jul 04 12:50:23

 

A C:\FINDnFIX\keyback.hiv

--a-- - - - - - 8,192 07-26-2004 keyback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 268 07-26-2004 winkey.reg

*Temp backups...

.

..

keyback2.hi_

winkey2.re_

 

 

C:\FINDNFIX\

JUNKXXX Mon Jul 26 2004 12:47:44p .D... <Dir>

 

1 item found: 0 files, 1 directory.

 

»»Performing string scan....

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' f USERProcessHandleQuotau h X

000012D0: (

00001310:

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

00001590:

000015D0:

 

---------- WIN.TXT

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuotau

--------------

--------------

No strings found.

 

--------------

--------------

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

A handle was successfully obtained for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.

This key has 0 subkeys.

The AppInitDLLs value entry was NOT found!


Have Hijack This fix these items:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129

R3 - Default URLSearchHook is missing

 

O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe

O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe

 

Using Task Manager end task on the following processes:

 

fxssvc.exe

sdkrb.exe

iecy.exe

 

Find and delete:

 

C:\WINDOWS\iecy.exe

C:\WINDOWS\iekz32.exe

C:\WINDOWS\system32\atlro.exe

 

 

In the FindnFix 'keys1' folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

 

On restart, open Explorer and navigate to C:\Windows\System32 folder, find the SYSPY.DLL file (it should be visible now). RightClick on ----- , and select -> Cut from the menu.

 

Immediately Open the C:\FINDnFIX\junkxxx subfolder.

RightClick inside it and select 'Paste' from the menu; hit 'ok' when/if asked on 'read only' file move prompt.

 

- Make sure the file is now indeed in that Junkxxx subfolder

 

Open the FINDnFIX folder again and run the "Restore.bat" file.

It will run and generate a log (log2.txt) . Post the contents of that log in your reply.

 

Also post a fresh log from Hijack This.

Edited by TonyKlein

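The triage Tony does by hand in the post above (picking out the R0/R1 entries that point into a local DLL via `res://`, the missing URLSearchHook, the nameless BHO in system32, and the Run/RunOnce entries whose label is nothing but the file name) can be written down as a small log checker. The block below is an added example, not part of the original thread and not HijackThis code; the log lines in `SAMPLE_LOG` are constructed from the shapes seen in this thread, and the heuristics (for instance, flagging an auto-start only when its label equals the executable name *and* the file sits directly in the Windows directory, since OEM tools such as 00THotkey.exe also live there) are my own assumptions, not HijackThis rules.

```python
"""Added example: a small triage pass over HijackThis-style log lines."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the logs posted in this thread (not a real log file).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\syspy.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe
O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe
"""

# Line shapes used by HijackThis for the sections this thread deals with.
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
R3_MISSING = re.compile(r"^R3 - Default URLSearchHook is missing$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
# Executable directly in %WINDIR% or %WINDIR%\system32 (assumed heuristic, not proof on its own).
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS(?:\\system32)?\\[^\\]+$", re.IGNORECASE)
# First program in an unquoted command line that may contain spaces ("C:\Program Files\...\x.exe /flag").
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|pif))(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str            # the log line to tick in HijackThis
    reason: str          # why it was flagged
    path: Optional[str]  # file the entry points at, if any


def res_dll(value: str) -> str:
    """'res://C:\\WINDOWS\\htzds.dll/sp.html#28129' -> 'C:\\WINDOWS\\htzds.dll'."""
    return value[len("res://"):].split("/", 1)[0]


def first_path(cmd: str) -> str:
    """Return the executable from an O4 command line, quoted or bare, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Flag the entry types this thread's fix lists are built from."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            value = m.group("value")
            if value.lower().startswith("res://"):
                findings.append(Finding(line, "start/search page redirected into a local DLL resource (res://)", res_dll(value)))
            continue
        if R3_MISSING.match(line):
            findings.append(Finding(line, "default URLSearchHook has been removed", None))
            continue
        m = O2_LINE.match(line)
        if m:
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if WINDIR_RE.match(m.group("path")):
                reasons.append("BHO DLL sits directly in the Windows directory")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons), m.group("path")))
            continue
        m = O4_LINE.match(line)
        if m:
            path = first_path(m.group("cmd"))
            label_is_filename = m.group("label").lower() == ntpath.basename(path).lower()
            # Both conditions together: the Windows directory alone also holds legitimate OEM tools.
            if label_is_filename and WINDIR_RE.match(path):
                findings.append(Finding(line, f"{m.group('key')} entry labelled with its own file name, living in the Windows directory", path))
    return findings


def referenced_files(findings: List[Finding]) -> List[str]:
    """Distinct file names the flagged entries point at: candidates to examine or quarantine, not to delete blindly."""
    return sorted({ntpath.basename(f.path).lower() for f in findings if f.path})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print("files to examine:", ", ".join(referenced_files(triage(SAMPLE_LOG))))
```

The flagged lines are the ones to tick in HijackThis; `referenced_files` gives the file names to look at afterwards, which matches the order of the manual procedure in this thread (fix the entries, end the processes, then deal with the files). Note that a `res://` value can name the DLL with or without a directory, exactly as the R0/R1 lines in this thread do, so the file list is de-duplicated on the base name.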

To Tony,

I want to let you know that IECY.exe and Sdkrb.exe were also in the HijackThis log. Using Task Manager I cannot stop the fxssvc.exe from running; it will either start back up or nothing will happen when I try to end the process.

Kenneth


To Tony,

OK, done. Here are the log files, but I still could not stop the Fxssvc.exe process from running.

 

 

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

 

Mon 26 Jul 04 17:00:59

5:00pm up 0 days, 0:06

 

Microsoft Windows XP [Version 5.1.2600]

»»»IE build and last SP(s)

6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/25)***»»»»»»»»»»»»»»»»

 

This log will confirm if the file was successfully moved, and/or

the right file was selected...

 

Scanning for file(s) in System32...

 

»»»»»»» (1) »»»»»»»

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

 

»»»»»»» (3) »»»»»»»

 

No matches found.

Unknown/hidden files...

 

No matches found.

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»»»(5)»»»»»

**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

 

»»»»»(*6*)»»»»»

 

»»»»»»» Search by size...

 

 

No matches found.

 

No matches found.

 

No matches found.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

 

»»»*»»» Scanning for moved file... »»»*»»»

 

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!

RightClick on the file/properties/security

and check the "Allow Inheritable permissions from parent..." box.

Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

 

 

 

C:\FINDNFIX\JUNKXXX\

syspy.dll Thu Jun 17 2004 12:36:08a A.SH. 91,113 88.98 K

 

1 item found: 1 file (1 H/S), 0 directories.

Total of file sizes: 91,113 bytes 88.98 K

 

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\FINDNFIX\JUNKXXX\SYSPY.DLL

 

fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*

 

A--SH- SYSPY .DLL 000163E9 00:36.08 17/06/2004

 

--ahs W32i - - - - 91,113 06-17-2004 syspy.dll

A SH C:\FINDnFIX\junkxxx\syspy.dll

 

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.

MD5 Message Digest Algorithm by RSA Data Security, Inc.

 

File name Size Date Time MD5 Hash

________________________________________________________________________

File: <C:\FINDnFIX\junkxxx\syspy.dll>

 

CRC-32 : 0AEF1BC2

 

MD5 : 67BE614F 218AE82A F258F464 A3C040A6

 

 

 

 

»»Permissions:

C:\FINDnFIX\junkxxx\syspy.dll Everyone:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

BUILTIN\Administrators:F

NT AUTHORITY\SYSTEM:F

TOSHIBA-USER\Kenneth:F

BUILTIN\Users:R

 

Directory "C:\FINDnFIX\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x TOSHIBA-USER\Kenneth

Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: TOSHIBA-USER\Kenneth

 

Primary Group: TOSHIBA-USER\None

 

Directory "C:\FINDnFIX\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000000 t--- 001F01FF ---- DSPO rw+x TOSHIBA-USER\Kenneth

Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER

Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users

Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users

Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

 

Owner: TOSHIBA-USER\Kenneth

 

Primary Group: TOSHIBA-USER\None

 

File "C:\FINDnFIX\junkxxx\syspy.dll"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000010 t--- 001F01FF ---- DSPO rw+x TOSHIBA-USER\Kenneth

Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

 

Owner: TOSHIBA-USER\Kenneth

 

Primary Group: TOSHIBA-USER\None

 

C:\FINDnFIX\junkxxx\syspy.dll;Everyone:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;TOSHIBA-USER\Kenneth:RrRaRepWwAWaWePXDDcO

C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Users:RrRaRepX

 

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

00001150: vk UDeviceNotSelecte

00001190:dTimeout 1 5 P h vk ' zGDIProce

000011D0:ssHandleQuota" 9 0 vk Spooler2

00001210: y e s _ vk 5swapdisk h

00001250: X vk . TransmissionRetryTimeout vk

00001290: ' f USERProcessHandleQuotau h X

000012D0: vk x AppInit_DLLs

00001310:

00001350:

00001390:

000013D0:

00001410:

00001450:

00001490:

000014D0:

00001510:

00001550:

 

---------- NEWWIN.TXT

AppInit_DLLsÿÿÿÿ

--------------

--------------

$0117F: UDeviceNotSelectedTimeout

$011C7: zGDIProcessHandleQuota

$01270: TransmissionRetryTimeout

$012A0: USERProcessHandleQuotau

$012F0: AppInit_DLLs

--------------

--------------

No strings found.

 

 

d.... 0 Jul 26 12:47 .

d.... 0 Jul 26 12:47 ..

.sh.a 91113 Jun 17 0:36 syspy.dll

 

3 files found occupying 89088 bytes

 

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

 

C:\FINDNFIX\JUNKXXX

SYSPY.DLL : crc16=D520 crc32=0AEF1BC2

 

 

===============================================================================

0 bytes 0 cps

Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.06

 

VDIR v1.00

Path: C:\FINDNFIX\JUNKXXX\*.*

---------------------------------------+---------------------------------------

. <dir> 07-26-:4 12:47|SYSPY DLL 91113 AHS 06-17-:4 00:36

.. <dir> 07-26-:4 12:47|

---------------------------------------+---------------------------------------

3 files totaling 91113 bytes consuming 130048 bytes of disk space.

17299968 bytes available on Drive C: No volume label

 

...File dump...

 

 

Detecting...

 

C:\FINDnFIX\junkxxx

syspy.dll ACL has 8 ACE(s)

SID = /Everyone S-1-1-0

ACE 0 is an ACCESS_ALLOWED_ACE_TYPE

ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 1 is an ACCESS_ALLOWED_ACE_TYPE

ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 2 is an ACCESS_ALLOWED_ACE_TYPE

ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 3 is an ACCESS_ALLOWED_ACE_TYPE

ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Administrators S-1-5-32-544

ACE 4 is an ACCESS_ALLOWED_ACE_TYPE

ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = NT AUTHORITY/SYSTEM S-1-5-18

ACE 5 is an ACCESS_ALLOWED_ACE_TYPE

ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = TOSHIBA-USER/Kenneth S-1-5-21--197555659--1335958663-1238661117-1005

ACE 6 is an ACCESS_ALLOWED_ACE_TYPE

ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

SID = BUILTIN/Users S-1-5-32-545

ACE 7 is an ACCESS_ALLOWED_ACE_TYPE

ACE 7 mask = 0x001200a9 -R -X

ACL done...

 

Hijack Log

 

Logfile of HijackThis v1.98.0

Scan saved at 5:27:48 PM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\sdkrb.exe

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\toshiba\ivp\ism\pinger.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hijackthis\hijackthis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {77DF93E3-BCDD-83BD-2F81-D52E0646BD26} - C:\WINDOWS\ieir.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfrestorationnetwork.org/sdcc...ad/tgctlins.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab


Let's try this:

Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg

Save as Type: All Files

****Save on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„?õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#ž‚„?õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#ž‚„?õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#ž‚„?õØ´â]

Start your computer in Safe Mode, and have Hijack This fix all of the following:

Double click on fix.reg to enter it into the registry.

Launch Hijack This; DO NOT OPEN ANYTHING ELSE!

Select these items and press Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {77DF93E3-BCDD-83BD-2F81-D52E0646BD26} - C:\WINDOWS\ieir.dll

O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe

Delete these files:

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\sdkrb.exe

Empty your Temporary Internet Files and history in Internet Options.

Go to Internet Options > Programs.

Click the Reset Web Settings button to reset your home and search pages.

Restart into Regular Windows Mode.

Go to this link and run the free AV scan to clean up the residual files:

http://housecall.trendmicro.com/housecall/start_corp.asp

-------------------

If you were using a Hosts File it was deleted.

Download the Hoster from the link below. Click Restore Original Hosts. Click OK.

http://members.aol.com/toadbee/hoster.zip

--------

control.exe may have been deleted.

Follow instructions here to replace it: http://www.spywareinfo.com/~merijn/winfiles.html#control

----

Go here and follow the directions to reset your ActiveX:

http://www.computercops.biz/postt7736.html

When done, post a fresh log.


To Tony,

Done, here is the log file. I know it did not work, but I could not find the sdkrb.exe file. The names are changing each time the system runs.

Kenneth

Logfile of HijackThis v1.98.0

Scan saved at 9:00:02 AM, on 7/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\toshiba\ivp\ism\pinger.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\addlv32.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\netfb32.exe

C:\hijackthis\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vxykt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vxykt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vxykt.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4034A933-9528-F1BA-1BCD-E091DD256B38} - C:\WINDOWS\d3eb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [addlv32.exe] C:\WINDOWS\addlv32.exe

O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe

O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\system32\netfb32.exe

O4 - HKLM\..\RunOnce: [sysxc32.exe] C:\WINDOWS\system32\sysxc32.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfrestorationnetwork.org/sdcc...ad/tgctlins.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

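The hijacker in these logs comes back under a fresh DLL name each run (htzds.dll in the first log, vxykt.dll in the next), while the res://...#28129 redirect, the unnamed BHO and the RunOnce droppers in system32 keep the same shape. The following Python triage is an added example, not part of this thread and not a HijackThis feature: it flags those stable patterns in constructed HijackThis-style lines modelled on the logs above, so a fresh log can be checked without knowing the current random file name. The autorun rule is a heuristic of this example, not a HijackThis rule.

```python
import re
from typing import List, Set, Tuple

# Constructed sample, modelled on the HijackThis v1.98 entries quoted in this thread.
# The hijacker's DLL is renamed on every run (htzds.dll, then vxykt.dll), but the
# res:// scheme and the "#28129" fragment never change, so the rules key on those.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vxykt.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4034A933-9528-F1BA-1BCD-E091DD256B38} - C:\WINDOWS\d3eb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [addlv32.exe] C:\WINDOWS\addlv32.exe
O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\system32\netfb32.exe
O4 - HKLM\..\RunOnce: [sysxc32.exe] C:\WINDOWS\system32\sysxc32.exe
"""

# R0/R1: IE start or search page pointing at a res:// resource inside a DLL.
RES_HIJACK = re.compile(r"^R[01] - .* = res://(?:.*\\)?([^\\/]+\.dll)/(?:index|sp)\.html#(\d+)$")
# O2: a Browser Helper Object registered without a name, the hijacker's companion DLL.
NO_NAME_BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.+)$")
# O4: any Run/RunOnce entry; value name and target are checked separately in triage().
AUTORUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.+)$")
WINDIR = re.compile(r"^[A-Za-z]:\\WINDOWS(?:\\system32)?\\[^\\]+$", re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries matching the hijacker's footprint."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = RES_HIJACK.match(line)
        if m:
            findings.append((f"IE page redirected into {m.group(1)} (#{m.group(2)})", line))
            continue
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(("default URLSearchHook removed", line))
            continue
        m = NO_NAME_BHO.match(line)
        if m:
            findings.append((f"unnamed BHO loading {m.group(1)}", line))
            continue
        m = AUTORUN.match(line)
        if m:
            name, target = m.group(1), m.group(2).strip('"')
            # Heuristic: value name identical to the file name and the binary dropped
            # straight into WINDOWS or system32 (netfb32.exe, sysxc32.exe, sdkrb.exe).
            if WINDIR.match(target) and target.lower().endswith("\\" + name.lower()):
                findings.append((f"autorun of dropped binary {name}", line))
    return findings


def hijack_dlls(log_text: str) -> Set[str]:
    """DLL names behind the res:// redirects; diff two logs to see the rename."""
    return {m.group(1) for m in map(RES_HIJACK.match, (l.strip() for l in log_text.splitlines())) if m}
```

Running triage() over the two logs in this thread would report the same five categories both times, with only the DLL and dropper names differing, which is the sign that the fix removed the current copy but not whatever re-creates it.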

Hi,

 

I had a similar browser hijacker in my iexplorer ("mysearchnow"), but I did uninstall the "Messenger Plus" program and the problem does not exist anymore.

Maybe this helps...

 

 

rol


To Rol,

I will give it a try as it is an easy experiment; that, along with the information supplied by Tony, may work. He has made quite an effort, and I think it's time to show some appreciation. Thanks for the tip.

Kenneth


To Tony and Rol,

Since I am not an expert I wanted to let you figure out what might have worked, as I do not want to mislead the less experienced guest. So far today no hijacker running! This is what I did, and I mean exactly; nothing else was opened during the fix. I am afraid it will come back and that I do not have a real fix, but so far so good. I did go to regedit later and change my start page to MSN, and I have launched it about 10 times without a problem. Thank you to Tony Klein for the help; support is on the way.

Kenneth

 

Tune up all Active X and Scripting controls in explorer

Uninstall Messenger plus

Boot in Safe mode without other network services.

Run Hijack This

fix: netfb32.exe, sysxc32.exe, addlv.exe, all R0, R1, R3

Rem: netfb32.exe, sysxc32.exe, addlv.exe and fxssvc.exe

Run Buster until all files are removed, in my case two times

Run Hijack This, in my case clear

Empty Temporary Files

Empty History Files

Empty Recycle Bin

Run Buster One more time

Restart Normally.


To Tony,

I wanted to let you know I also fixed one BHO (no name) under Hijack This as well. Otherwise the steps below are correct; was I lucky, or is something in the steps doing what it should? Here is a copy of the new log. My computer is working great, no pop-ups or hijacks.

Kenneth

 

To Tony and Rol,

Since I am not an expert I wanted to let you figure out what might have worked, as I do not want to mislead the less experienced guest. So far today no hijacker running! This is what I did, and I mean exactly; nothing else was opened during the fix. I am afraid it will come back and that I do not have a real fix, but so far so good. I did go to regedit later and change my start page to MSN, and I have launched it about 10 times without a problem. Thank you to Tony Klein for the help; support is on the way.

Kenneth

 

Tune up all Active X and Scripting controls in explorer

Uninstall Messenger plus

Boot in Safe mode without other network services.

Run Hijack This

fix: netfb32.exe, sysxc32.exe, addlv.exe, all R0, R1, R3

Rem: netfb32.exe, sysxc32.exe, addlv.exe and fxssvc.exe

Run Buster until all files are removed, in my case two times

Run Hijack This, in my case clear

Empty Temporary Files

Empty History Files

Empty Recycle Bin

Run Buster One more time

Restart Normally.

 

Logfile of HijackThis v1.98.0

Scan saved at 1:51:43 PM, on 8/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\s3hotkey.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\00THotkey.exe

C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\wuauclt.exe

C:\toshiba\ivp\ism\ivpsvmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\MathSoft\Mathcad 2001 Professional\mathcad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\WINDOWS\msagent\AgentSvr.exe

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\hijackthis\hijackthis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfrestorationnetwork.org/sdcc...ad/tgctlins.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
