
Persistent Pest


23 replies to this topic

#1 temptech (Full Member, 15 posts)

Posted 25 July 2004 - 02:31 PM

To the experts,
I am willing to go to heroic efforts to remove this hijacker but I believe it will require expert help. I have read the FAQ and attempted to properly follow the instructions in the tutorial; it seems that all is well but then the R0 etc., start page, search page etc. reappear in the HijackThis log file. I have run Spybot, Pest Patrol and Adware; they all show the system as clean. Spyferret from PCFIX online identifies the hijacker but I am suspicious of whether the $39.00 will be well spent. Any advice on moving forward will be greatly appreciated.

#2 TonyKlein (Expert, Forum Deity, 1,841 posts)

Posted 25 July 2004 - 02:46 PM

Let's have a closer look:

Go to http://computercops....ads-cat-14.html , and download Hijack This.

Unzip to a folder other than your Desktop or the Temp folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

#3 temptech (Full Member, 15 posts)

Posted 25 July 2004 - 03:01 PM

Tony,
While I was waiting on a reply I was working with the HijackThis log file and I seem to have regained control of my home page. I will send an updated log file in just a minute; I just want to make sure I know where I stand with the problem.
Kenneth

#4 temptech (Full Member, 15 posts)

Posted 25 July 2004 - 03:06 PM

Tony,
Everything seems to be back in order but I would appreciate it if you did have a look at the log file.

Logfile of HijackThis v1.98.0
Scan saved at 4:03:10 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\netya.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\syszv.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kenneth\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - C:\WINDOWS\mfcep32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [syszv.exe] C:\WINDOWS\system32\syszv.exe
O4 - HKLM\..\Run: [msll32.exe] C:\WINDOWS\system32\msll32.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [sdkhc.exe] C:\WINDOWS\system32\sdkhc.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\RunOnce: [msoq.exe] C:\WINDOWS\msoq.exe
O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
O4 - HKLM\..\RunOnce: [netya.exe] C:\WINDOWS\system32\netya.exe
O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\iepj32.exe
O4 - HKLM\..\RunOnce: [windm.exe] C:\WINDOWS\windm.exe
O4 - HKLM\..\RunOnce: [winfz.exe] C:\WINDOWS\winfz.exe
O4 - HKLM\..\RunOnce: [sdkpn.exe] C:\WINDOWS\sdkpn.exe
O4 - HKLM\..\RunOnce: [mfcgm.exe] C:\WINDOWS\system32\mfcgm.exe
O4 - HKLM\..\RunOnce: [crsh32.exe] C:\WINDOWS\system32\crsh32.exe
O4 - HKLM\..\RunOnce: [sysgn.exe] C:\WINDOWS\sysgn.exe
O4 - HKLM\..\RunOnce: [atlvo32.exe] C:\WINDOWS\system32\atlvo32.exe
O4 - HKLM\..\RunOnce: [javaar.exe] C:\WINDOWS\system32\javaar.exe
O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\winnd.exe
O4 - HKLM\..\RunOnce: [syswx32.exe] C:\WINDOWS\syswx32.exe
O4 - HKLM\..\RunOnce: [atlrn.exe] C:\WINDOWS\atlrn.exe
O4 - HKLM\..\RunOnce: [netez.exe] C:\WINDOWS\netez.exe
O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\system32\winir.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfresto...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FA13129-345B-4679-A201-2D84682110AA}: NameServer = 207.44.140.102 64.191.22.247


Thanks Kenneth

#5 TonyKlein (Expert, Forum Deity, 1,841 posts)

Posted 25 July 2004 - 03:11 PM

You have a massive CoolWebSearch infection.

Copy the contents of the 'QUOTE' box to Notepad, and save as GetServices.vbs (make sure you save as type: 'all files' )

Doubleclick GetServices.vbs (a script by Mosaic1), and it will produce a list of all active services on your computer; please post that list in your reply.

' Collect the distinct process IDs of every service that is not stopped
set objIdDictionary = CreateObject("Scripting.Dictionary")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State <> 'Stopped'")
For Each objService in colServices
    If objIdDictionary.Exists(objService.ProcessID) Then
    Else
        objIdDictionary.Add objService.ProcessID, objService.ProcessID
    End If
Next
' For each process ID, list every service hosted in that process
' (one svchost.exe typically hosts several), with its display name,
' short name and image path
colProcessIDs = objIdDictionary.Items
For i = 0 to objIdDictionary.Count - 1
    Set colServices = objWMIService.ExecQuery _
        ("Select * from Win32_Service Where ProcessID = '" & _
            colProcessIDs(i) & "'")

    For Each objService in colServices
        msg = msg & vbcrlf & " " & Ucase(objService.DisplayName) & ":" & " " & objService.Name & vbcrlf & objService.PathName & vbcrlf
    Next
Next
' Write the list to Active.txt next to the script and open it
Dim fso, Services,Wshshell
Set Wshshell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FileSystemObject")
Set Services = fso.CreateTextFile("Active.txt",true)
Services.Write "These are the Current Active Services:"
Services.WriteLine
Services.Write msg
Services.Close
Wshshell.Run "Active.txt"



If you have script blocking installed, you will get a warning when you try to run the script. Please allow it to run. It is only collecting information so we can help you.

#6 temptech (Full Member, 15 posts)

Posted 25 July 2004 - 03:15 PM

As instructed,
Kenneth

These are the Current Active Services:

APPLICATION LAYER GATEWAY SERVICE: ALG
C:\WINDOWS\System32\alg.exe

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

BACKGROUND INTELLIGENT TRANSFER SERVICE: BITS
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

INFRARED MONITOR: Irmon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

MESSENGER: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM RESTORE SERVICE: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

FAX: Fax
C:\WINDOWS\system32\fxssvc.exe

LEXBCE SERVER: LexBceS
C:\WINDOWS\system32\LEXBCES.EXE

TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
"C:\Program Files\Norton AntiVirus\navapsvc.exe"

IPSEC SERVICES: PolicyAgent
C:\WINDOWS\System32\lsass.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

WAN MINIPORT (ATW) SERVICE: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"

NETWORK SECURITY SERVICE: ŻO.#×éä?§ě┬┤Ô
C:\WINDOWS\system32\netya.exe /s
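The service list above is what TonyKlein's next reply works from: the one entry whose short service name is a run of garbage characters and whose image is an unfamiliar executable in the Windows directory. As an added example (not code from the thread, from Mosaic1's script or from any tool named here), the following Python parses a constructed Active.txt in the format GetServices.vbs writes and flags such entries. The allowlist of Windows service hosts and the "ASCII identifier" rule for service names are my assumptions, and a flag is a review item, not a verdict.

```python
import re

# Constructed sample in the format written by the GetServices.vbs script posted
# in this thread: a banner, then for every running service one line with the
# upper-cased display name, ": ", the short service name, followed by a line
# with the image path. Entries are modelled on the ones posted above.
SAMPLE_ACTIVE_TXT = r"""These are the Current Active Services:

 APPLICATION LAYER GATEWAY SERVICE: ALG
C:\WINDOWS\System32\alg.exe

 WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

 SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

 FAX: Fax
C:\WINDOWS\system32\fxssvc.exe

 NETWORK SECURITY SERVICE: ŻO.#×éä?§ě┬┤Ô
C:\WINDOWS\system32\netya.exe /s
"""

# Executables that legitimately host Windows services from the Windows
# directory on XP (assumption: a short allowlist is enough for this triage).
KNOWN_WINDOWS_SERVICE_HOSTS = {
    "svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe",
    "alg.exe", "fxssvc.exe",
}

# Short service names are normally plain ASCII identifiers (assumption).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


def parse_active_txt(text):
    """Return (display_name, service_name, command_line) tuples."""
    lines = text.splitlines()
    entries = []
    i = 0
    while i < len(lines):
        line = lines[i]
        # Header lines are indented by one space; the image path is on the next line.
        if line.startswith(" ") and ": " in line:
            display, _, short = line.strip().rpartition(": ")
            command = lines[i + 1].strip() if i + 1 < len(lines) else ""
            entries.append((display, short, command))
            i += 2
        else:
            i += 1
    return entries


def image_path(command_line):
    """Pull the executable out of a service command line, quoted or not.
    An unquoted path containing spaces is ambiguous, so the first token is taken."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_services(text):
    """Flag services whose name or image path looks out of place."""
    findings = []
    for display, short, command in parse_active_txt(text):
        exe = image_path(command)
        folder, _, base = exe.lower().rpartition("\\")
        reasons = []
        if not SAFE_NAME.match(short):
            reasons.append("service name contains non-ASCII or garbled characters")
        if folder.startswith("c:\\windows") and base not in KNOWN_WINDOWS_SERVICE_HOSTS:
            reasons.append("image in the Windows directory is not a known service host")
        if reasons:
            findings.append({"display": display, "name": short,
                             "image": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_ACTIVE_TXT):
        print("%s (%s) -> %s: %s" % (f["display"], f["name"], f["image"],
                                     "; ".join(f["reasons"])))
```

Run against the sample, only the NETWORK SECURITY SERVICE entry is reported, on both counts; the svchost-hosted services, alg.exe, fxssvc.exe and the Symantec service under Program Files pass. A third-party service that legitimately installs into the Windows directory would also be reported, which is why the output is a list to review rather than a list to delete.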

#7 temptech (Full Member, 15 posts)

Posted 26 July 2004 - 07:20 AM

To Tony,
Did you get the list of active services?
Kenneth

#8 TonyKlein (Expert, Forum Deity, 1,841 posts)

Posted 26 July 2004 - 07:33 AM

I do now! ;)

Go to Start > Run > Services.msc

Scroll down to the "NETWORK SECURITY SERVICE", stop it, and set its startup type to 'Disabled'.

Now download About:Buster from here

http://www.downloads...AboutBuster.zip

Now start your computer in Safe Mode , and have Hijack This fix all of the following:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - C:\WINDOWS\mfcep32.dll

O4 - HKLM\..\Run: [syszv.exe] C:\WINDOWS\system32\syszv.exe
O4 - HKLM\..\Run: [msll32.exe] C:\WINDOWS\system32\msll32.exe

O4 - HKLM\..\RunOnce: [msoq.exe] C:\WINDOWS\msoq.exe
O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
O4 - HKLM\..\RunOnce: [netya.exe] C:\WINDOWS\system32\netya.exe
O4 - HKLM\..\RunOnce: [iepj32.exe] C:\WINDOWS\iepj32.exe
O4 - HKLM\..\RunOnce: [windm.exe] C:\WINDOWS\windm.exe
O4 - HKLM\..\RunOnce: [winfz.exe] C:\WINDOWS\winfz.exe
O4 - HKLM\..\RunOnce: [sdkpn.exe] C:\WINDOWS\sdkpn.exe
O4 - HKLM\..\RunOnce: [mfcgm.exe] C:\WINDOWS\system32\mfcgm.exe
O4 - HKLM\..\RunOnce: [crsh32.exe] C:\WINDOWS\system32\crsh32.exe
O4 - HKLM\..\RunOnce: [sysgn.exe] C:\WINDOWS\sysgn.exe
O4 - HKLM\..\RunOnce: [atlvo32.exe] C:\WINDOWS\system32\atlvo32.exe
O4 - HKLM\..\RunOnce: [javaar.exe] C:\WINDOWS\system32\javaar.exe
O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\winnd.exe
O4 - HKLM\..\RunOnce: [syswx32.exe] C:\WINDOWS\syswx32.exe
O4 - HKLM\..\RunOnce: [atlrn.exe] C:\WINDOWS\atlrn.exe
O4 - HKLM\..\RunOnce: [netez.exe] C:\WINDOWS\netez.exe
O4 - HKLM\..\RunOnce: [winir.exe] C:\WINDOWS\system32\winir.exe



Unzip About:Buster to your desktop. Double click it and hit Ok, then Start, then Ok to start the scan. The scan should take a few seconds. Once it is done save the report.

Reboot normally, and run an online virus scan at http://housecall.antivirus.com/

When done, post the About: Buster report and a new Hijack this log here.
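The entries TonyKlein picks out of the log follow a few patterns: R0/R1 home and search pages pointing at a res:// resource inside a local DLL, a missing R3 URLSearchHook, an O2 BHO with no name, and O4 Run/RunOnce values launching short lowercase random-looking executable names straight from C:\WINDOWS or System32. As an added example (not code from the thread or from HijackThis), this Python encodes those checks and runs them over constructed lines of the kind the logs in this thread contain. The lowercase naming heuristic, the allowance for bare filenames, and the extra O17 NameServer check (which the thread's advice does not mention) are my assumptions; every hit is something to review, not something to fix blindly.

```python
import re

# Constructed sample: lines of the kind found in the HijackThis 1.98 logs posted
# in this thread (the entry format is HijackThis's; the selection and the benign
# R0 line are mine).
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - C:\WINDOWS\mfcep32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [syszv.exe] C:\WINDOWS\system32\syszv.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\RunOnce: [msoq.exe] C:\WINDOWS\msoq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FA13129-345B-4679-A201-2D84682110AA}: NameServer = 207.44.140.102 64.191.22.247
"""

# "Rn - body" / "On - body" as HijackThis prints them.
ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 registry Run / RunOnce entries: "HKLM\..\Run: [name] command".
O4_RUN = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic (assumption): 2-6 lowercase letters, optional "32", ".exe".
RANDOM_NAME = re.compile(r"^[a-z]{2,6}(?:32)?\.exe$")
WINDOWS_FOLDERS = ("c:\\windows", "c:\\windows\\system32")


def first_token(cmd):
    """Executable part of a Run value: quoted path, or first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt(text):
    """Return review items (code, reason, original line) for a HijackThis log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1") and "= res://" in body:
            reason = "IE start/search page points at a resource inside a local DLL"
        elif code == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook has been removed"
        elif code == "O2" and body.startswith("BHO: (no name)"):
            reason = "browser helper object with no name"
        elif code == "O4":
            run = O4_RUN.match(body)
            if run:
                exe = first_token(run.group("cmd"))
                folder, _, base = exe.lower().rpartition("\\")
                # Bare filenames (resolved via PATH) have no folder and are left alone.
                if folder in WINDOWS_FOLDERS and RANDOM_NAME.match(base):
                    reason = "%s value launches a short random-looking name from %s" % (
                        run.group("key"), folder)
        elif code == "O17" and "NameServer" in body:
            reason = "hard-coded DNS servers; confirm they belong to your ISP"
        if reason:
            findings.append({"code": code, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print("%-3s %s\n    %s" % (f["code"], f["reason"], f["line"]))
```

On the sample this reports the res:// search page, the missing URLSearchHook, the nameless BHO, the syszv.exe and msoq.exe Run/RunOnce values and the O17 line, while the Toshiba start page, the Norton BHO, the bare TPWRTRAY.EXE value, 00THotkey.exe in System32 and Messenger under Program Files pass untouched.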

#9 temptech (Full Member, 15 posts)

Posted 26 July 2004 - 09:35 AM

To Tony,
The HouseCall scan took a while and the results were as follows: 611 infected files in Pest Patrol and a few others in various locations; they have been deleted.
I ran the HijackThis program and the log is attached along with the Buster log.
Kenneth
Logfile of HijackThis v1.98.0
Scan saved at 10:29:04 AM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\atlro.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\iekz32.exe
C:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\syspy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfresto...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Buster Log
-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\aberzg.dat
Removed! : C:\WINDOWS\appab32.exe
Error Removing! : C:\WINDOWS\atlwo.dll
Error Removing! : C:\WINDOWS\auyqae.dat
Error Removing! : C:\WINDOWS\d3ct32.dll
Removed! : C:\WINDOWS\eklwpa.dat
Error Removing! : C:\WINDOWS\fegzof.dat
Removed! : C:\WINDOWS\fjyesu.dat
Removed! : C:\WINDOWS\fwnbs.dat
Removed! : C:\WINDOWS\geluj.dat
Removed! : C:\WINDOWS\gpktx.dat
Removed! : C:\WINDOWS\gpznbl.dat
Removed! : C:\WINDOWS\gvjbr.dll
Error Removing! : C:\WINDOWS\hbeceo.dat
Removed! : C:\WINDOWS\hujana.dat
Error Removing! : C:\WINDOWS\ihfdzw.dat
Removed! : C:\WINDOWS\ijrdg.dat
Removed! : C:\WINDOWS\ipqx.exe
Error Removing! : C:\WINDOWS\iprv32.dll
Removed! : C:\WINDOWS\iuqgj.dll
Removed! : C:\WINDOWS\javais32.exe
Error Removing! : C:\WINDOWS\khsjmh.dat
Removed! : C:\WINDOWS\kmpfp.dat
Removed! : C:\WINDOWS\leasy.dat
Error Removing! : C:\WINDOWS\lepsjl.dat
Removed! : C:\WINDOWS\lfpce.dat
Removed! : C:\WINDOWS\lklfzo.dat
Removed! : C:\WINDOWS\lnzfp.dll
Removed! : C:\WINDOWS\madkq.dat
Error Removing! : C:\WINDOWS\mfcep32.dll
Removed! : C:\WINDOWS\mptkh.dll
Removed! : C:\WINDOWS\mshf.exe
Removed! : C:\WINDOWS\msoq.exe
Removed! : C:\WINDOWS\msyo32.exe.bak
Removed! : C:\WINDOWS\nbthr.dat
Removed! : C:\WINDOWS\nczfp.dat
Error Removing! : C:\WINDOWS\nhajlq.dat
Removed! : C:\WINDOWS\nicre.dat
Error Removing! : C:\WINDOWS\nouhyi.dat
Removed! : C:\WINDOWS\nssywd.dat
Error Removing! : C:\WINDOWS\ntcf.dll
Removed! : C:\WINDOWS\ntyv.exe
Removed! : C:\WINDOWS\n_fmukab.dat
Removed! : C:\WINDOWS\n_jzfpvo.dat
Error Removing! : C:\WINDOWS\n_nxlgrh.dat
Error Removing! : C:\WINDOWS\n_zyrgrr.dat
Removed! : C:\WINDOWS\orbkg.dat
Error Removing! : C:\WINDOWS\oxrkda.dat
Removed! : C:\WINDOWS\pkkfvs.dat
Error Removing! : C:\WINDOWS\pmwvgm.dat
Removed! : C:\WINDOWS\qphrtt.dat
Error Removing! : C:\WINDOWS\rknmoq.dat
Removed! : C:\WINDOWS\sdkpn.exe
Error Removing! : C:\WINDOWS\sdkwn.dll
Removed! : C:\WINDOWS\sgeas.dat
Removed! : C:\WINDOWS\sysgn.exe
Removed! : C:\WINDOWS\sysoq32.exe
Removed! : C:\WINDOWS\sysso.dll
Removed! : C:\WINDOWS\sysso.exe.bak
Error Removing! : C:\WINDOWS\tsmzah.dat
Removed! : C:\WINDOWS\uvevvn.dat
Removed! : C:\WINDOWS\uxrmnk.dat
Error Removing! : C:\WINDOWS\vfxkza.dat
Removed! : C:\WINDOWS\vokpxq.dat
Removed! : C:\WINDOWS\waezd.dll
Removed! : C:\WINDOWS\windm.exe
Removed! : C:\WINDOWS\winfz.exe
Removed! : C:\WINDOWS\winnd.exe
Removed! : C:\WINDOWS\wziez.dat
Error Removing! : C:\WINDOWS\xwkfwr.dat
Removed! : C:\WINDOWS\xylyff.dat
Removed! : C:\WINDOWS\ygivmk.dat
Removed! : C:\WINDOWS\ypftsw.dat
Removed! : C:\WINDOWS\yufux.dat
Error Removing! : C:\WINDOWS\yymuma.dat
Removed! : C:\WINDOWS\zrawtb.dat
Error Removing! : C:\WINDOWS\System32\apiuw32.dll
Removed! : C:\WINDOWS\System32\appzf.exe
Removed! : C:\WINDOWS\System32\bhpjl.dat
Removed! : C:\WINDOWS\System32\crcln.dat
Removed! : C:\WINDOWS\System32\crcln.dll
Removed! : C:\WINDOWS\System32\crsh32.exe
Removed! : C:\WINDOWS\System32\crwq.exe
Removed! : C:\WINDOWS\System32\dggir.dat
Removed! : C:\WINDOWS\System32\dlcfg.dat
Removed! : C:\WINDOWS\System32\fcwyo.dat
Removed! : C:\WINDOWS\System32\fpswd.dat
Removed! : C:\WINDOWS\System32\hohdx.dat
Removed! : C:\WINDOWS\System32\hoqot.dll
Removed! : C:\WINDOWS\System32\hwnww.dll
Removed! : C:\WINDOWS\System32\iicxx.dat
Removed! : C:\WINDOWS\System32\jbvxg.dat
Removed! : C:\WINDOWS\System32\jszzk.dll
Removed! : C:\WINDOWS\System32\jtwfj.dat
Removed! : C:\WINDOWS\System32\jzvni.dat
Removed! : C:\WINDOWS\System32\kcgjv.dat
Removed! : C:\WINDOWS\System32\kmaou.dat
Removed! : C:\WINDOWS\System32\lpuwg.dll
Removed! : C:\WINDOWS\System32\lutdf.dat
Removed! : C:\WINDOWS\System32\lxejm.dat
Error Removing! : C:\WINDOWS\System32\mshv32.dll
Removed! : C:\WINDOWS\System32\msll32.exe
Removed! : C:\WINDOWS\System32\netbx.exe
Removed! : C:\WINDOWS\System32\netya.exe
Removed! : C:\WINDOWS\System32\nfmvc.dat
Removed! : C:\WINDOWS\System32\nhoiv.dat
Removed! : C:\WINDOWS\System32\npowb.dat
Removed! : C:\WINDOWS\System32\nssyw.dat
Removed! : C:\WINDOWS\System32\nsuzj.dat
Removed! : C:\WINDOWS\System32\pbkmz.dat
Removed! : C:\WINDOWS\System32\pkgfq.dat
Removed! : C:\WINDOWS\System32\qqowu.dat
Removed! : C:\WINDOWS\System32\qqxay.dat
Removed! : C:\WINDOWS\System32\riqki.dat
Removed! : C:\WINDOWS\System32\syszv.exe
Removed! : C:\WINDOWS\System32\vpzfs.dat
Removed! : C:\WINDOWS\System32\vrudo.dat
Removed! : C:\WINDOWS\System32\winbd.exe
Removed! : C:\WINDOWS\System32\yjqae.dat
Removed! : C:\WINDOWS\System32\ykaam.dat
Removed! : C:\WINDOWS\System32\zbeup.dat
Removed! : C:\WINDOWS\System32\zbeup.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#10 TonyKlein (Expert, Forum Deity, 1,841 posts)

Posted 26 July 2004 - 10:34 AM

Well, we don't appear to be there just yet...

Go to http://www.wildersse...ead.php?t=14086 , and download the latest version of CWShredder by Merijn Bellekom, the creator of Hijack This. Don't run it as yet.

Now disconnect your computer from the Internet.
Now do a Ctrl-Alt-Delete in order to bring up Task Manager and, on the Processes tab, end task on the IEKZ32.exe process.

Now find C:\WINDOWS\iekz32.exe, and delete it.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe



Boot into Safe Mode once again, and run About:Buster once more

Run CWShredder, press 'Fix', and allow it to fix all it finds.

Next, restart your computer, run Hijack This once more, repost to this forum thread, and please show us a fresh log.

Edited by TonyKlein, 26 July 2004 - 10:36 AM.


#11 temptech (Full Member, 15 posts)

Posted 26 July 2004 - 11:20 AM

To Tony,
I followed the instructions given but I think it is still there. Here's the log.
Kenneth
Logfile of HijackThis v1.98.0
Scan saved at 12:16:48 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\sdkrb.exe
C:\WINDOWS\iecy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\syspy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfresto...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#12 TonyKlein (Forum Deity, Expert, 1,841 posts)

Posted 26 July 2004 - 11:43 AM

Yup, we're not making much progress; I've just heard from other folks who have recently had little success removing this latest version... :(

Would you try this, please?

Click here to download FindnFix.exe by Freeatlast.

Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program will take a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.


And would you please run "GetServices.vbs" once more? I'd like to make sure that nothing has changed there.

#13 temptech (Member, Full Member, 15 posts)

Posted 26 July 2004 - 12:03 PM

Tony, OK, here they are.
Kenneth


These are the Current Active Services:

APPLICATION LAYER GATEWAY SERVICE: ALG
C:\WINDOWS\System32\alg.exe

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

INFRARED MONITOR: Irmon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

MESSENGER: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM RESTORE SERVICE: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

FAX: Fax
C:\WINDOWS\system32\fxssvc.exe

LEXBCE SERVER: LexBceS
C:\WINDOWS\system32\LEXBCES.EXE

TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
"C:\Program Files\Norton AntiVirus\navapsvc.exe"

IPSEC SERVICES: PolicyAgent
C:\WINDOWS\System32\lsass.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

WAN MINIPORT (ATW) SERVICE: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"


This is the Find Log:

╗╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗╗╗
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗ ╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

Mon 26 Jul 04 12:47:47
12:47am up 0 days, 0:35

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** Note! ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***(*updated 7/25)╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

╗╗╗*╗╗╗*Use at your own risk!╗╗╗*╗╗╗*

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...


╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

No matches found.

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
syspy.dll Thu Jun 17 2004 12:36:08a A.SH. 91,113 88.98 K

1 item found: 1 file, 0 directories.
Total of file sizes: 91,113 bytes 88.98 K

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\SYSPY.DLL

╗╗╗╗╗(*5*)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

╗╗╗╗╗(*6*)╗╗╗╗╗

╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group TOSHIBA-USER\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
12:50am up 0 days, 0:38
Mon 26 Jul 04 12:50:23

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-26-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-26-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Mon Jul 26 2004 12:47:44p .D... <Dir>

1 item found: 0 files, 1 directory.

╗╗Performing string scan....
00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' f USERProcessHandleQuotau h X
000012D0: (
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuotau
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!

#14 TonyKlein (Forum Deity, Expert, 1,841 posts)

Posted 26 July 2004 - 12:18 PM

Have Hijack This fix these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htzds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [iekz32.exe] C:\WINDOWS\iekz32.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe


Using Task Manager end task on the following processes:

fxssvc.exe
sdkrb.exe
iecy.exe

Find and delete:

C:\WINDOWS\iecy.exe
C:\WINDOWS\iekz32.exe
C:\WINDOWS\system32\atlro.exe


In the FindnFix 'keys1' folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open Explorer and navigate to C:\Windows\System32 folder, find the SYSPY.DLL file (it should be visible now). RightClick on ----- , and select -> Cut from the menu.

Immediately Open the C:\FINDnFIX\junkxxx subfolder.
RightClick inside it and select 'Paste' from the menu; hit 'ok' when/if asked on 'read only' file move prompt.

- Make sure the file is now indeed in that Junkxxx subfolder

Open the FINDnFIX folder again and run the "Restore.bat" file.
It will run and generate a log (log2.txt) . Post the contents of that log in your reply.

Also post a fresh log from Hijack This.

Edited by TonyKlein, 26 July 2004 - 12:19 PM.


#15 temptech (Member, Full Member, 15 posts)

Posted 26 July 2004 - 01:01 PM

To Tony,
I want to let you know that IECY.exe and Sdkrb.exe were also in the HijackThis log. Using Task Manager I cannot stop the fxssvc.exe from running; it will either start back up or nothing will happen when I try to end the process.
Kenneth

#16 temptech (Member, Full Member, 15 posts)

Posted 26 July 2004 - 03:30 PM

To Tony,
I still cannot erase the fxssvc.exe file as I cannot stop the process from running.
Kenneth

#17 temptech (Member, Full Member, 15 posts)

Posted 26 July 2004 - 04:28 PM

To Tony,
OK, done. Here are the log files, but I still could not stop the Fxssvc.exe process from running.


╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗

Mon 26 Jul 04 17:00:59
5:00pm up 0 days, 0:06

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!(*updated 7/25)***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or
the right file was selected...

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.
Unknown/hidden files...

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

╗╗╗╗╗(*6*)╗╗╗╗╗

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped!
RightClick on the file/properties/security
and check the "Allow Inheritable permissions from parent..." box.
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)



C:\FINDNFIX\JUNKXXX\
syspy.dll Thu Jun 17 2004 12:36:08a A.SH. 91,113 88.98 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 91,113 bytes 88.98 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\SYSPY.DLL

fgrep: no files found for C:\FINDNFIX\JUNKXXX\*.*

A--SH- SYSPY .DLL 000163E9 00:36.08 17/06/2004

--ahs W32i - - - - 91,113 06-17-2004 syspy.dll
A SH C:\FINDnFIX\junkxxx\syspy.dll

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
File: <C:\FINDnFIX\junkxxx\syspy.dll>

CRC-32 : 0AEF1BC2

MD5 : 67BE614F 218AE82A F258F464 A3C040A6




╗╗Permissions:
C:\FINDnFIX\junkxxx\syspy.dll Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
TOSHIBA-USER\Kenneth:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x TOSHIBA-USER\Kenneth
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: TOSHIBA-USER\Kenneth

Primary Group: TOSHIBA-USER\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x TOSHIBA-USER\Kenneth
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: TOSHIBA-USER\Kenneth

Primary Group: TOSHIBA-USER\None

File "C:\FINDnFIX\junkxxx\syspy.dll"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x TOSHIBA-USER\Kenneth
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: TOSHIBA-USER\Kenneth

Primary Group: TOSHIBA-USER\None

C:\FINDnFIX\junkxxx\syspy.dll;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\syspy.dll;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\syspy.dll;TOSHIBA-USER\Kenneth:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\syspy.dll;BUILTIN\Users:RrRaRepX[I]



╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' f USERProcessHandleQuotau h X
000012D0: vk x AppInit_DLLs
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- NEWWIN.TXT
AppInit_DLLs    
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuotau
$012F0: AppInit_DLLs
--------------
--------------
No strings found.


d.... 0 Jul 26 12:47 .
d.... 0 Jul 26 12:47 ..
.sh.a 91113 Jun 17 0:36 syspy.dll

3 files found occupying 89088 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
SYSPY.DLL : crc16=D520 crc32=0AEF1BC2


===============================================================================
0 bytes 0 cps
Files: 0 Records: 0 Matches: 0 Elapsed Time: 00:00:00.06

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-26-:4 12:47|SYSPY DLL 91113 AHS 06-17-:4 00:36
.. <dir> 07-26-:4 12:47|
---------------------------------------+---------------------------------------
3 files totaling 91113 bytes consuming 130048 bytes of disk space.
17299968 bytes available on Drive C: No volume label

...File dump...


Detecting...

C:\FINDnFIX\junkxxx
syspy.dll ACL has 8 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = TOSHIBA-USER/Kenneth S-1-5-21--197555659--1335958663-1238661117-1005
ACE 6 is an ACCESS_ALLOWED_ACE_TYPE
ACE 6 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 7 is an ACCESS_ALLOWED_ACE_TYPE
ACE 7 mask = 0x001200a9 -R -X
ACL done...

Hijack Log

Logfile of HijackThis v1.98.0
Scan saved at 5:27:48 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\sdkrb.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {77DF93E3-BCDD-83BD-2F81-D52E0646BD26} - C:\WINDOWS\ieir.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfresto...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
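
Comparing Kenneth's earlier and later HijackThis logs by eye is how the renamed components show up (syspy.dll gone, ieir.dll in its place, atlro.exe gone, sdkrb.exe still there). As an added example that is not part of this thread or of HijackThis itself, here is a small Python checker that parses the R*/O* lines of a HijackThis v1.98 log, flags the patterns this thread turned on (res:// start and search pages, the missing URLSearchHook, nameless BHOs loaded from the Windows directory, RunOnce loaders named after their own .exe in system32) and diffs two scans; the two log excerpts are constructed from lines quoted in the thread, and the heuristics are the editor's, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpts, trimmed to a few lines each, modelled on the HijackThis
# v1.98.0 logs posted in this thread (the scan before the fix and the one after).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\syspy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe
O4 - HKLM\..\RunOnce: [atlro.exe] C:\WINDOWS\system32\atlro.exe
"""

LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {77DF93E3-BCDD-83BD-2F81-D52E0646BD26} - C:\WINDOWS\ieir.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe
"""

# Line shapes used by HijackThis: "R0 - <key>,<value> = <url>", "O2 - BHO: ...", "O4 - HKLM\..\Run: [label] cmd"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
ZONE_RE = re.compile(r"^(?P<key>.+?),(?P<value>[^=]+?) = (?P<url>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[LC][MU])\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
# A binary sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (where the thread's droppers lived).
WINDIR_BIN_RE = re.compile(r"^C:\\WINDOWS(?:\\system32)?\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str   # "R0", "R1", "R3", "O2", "O4", ...
    body: str   # everything after "Rn - " / "On - "


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R*/O* findings; the process list and header lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def flag_suspicious(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Heuristics drawn from this thread; each hit is (entry, reason)."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1"):
            m = ZONE_RE.match(e.body)
            if m and m["url"].lower().startswith("res://"):
                findings.append((e, "IE start/search page points into a DLL resource (res://)"))
        elif e.code == "R3" and "URLSearchHook is missing" in e.body:
            findings.append((e, "default URLSearchHook has been removed"))
        elif e.code == "O2":
            m = BHO_RE.match(e.body)
            if m and m["name"] == "(no name)" and WINDIR_BIN_RE.match(m["path"]):
                findings.append((e, "unnamed BHO loaded straight from the Windows directory"))
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            if m and m["key"] == "RunOnce":
                cmd = m["cmd"].strip('"')
                exe = cmd.rsplit("\\", 1)[-1]
                if m["label"].lower() == exe.lower() and WINDIR_BIN_RE.match(cmd):
                    findings.append((e, "RunOnce loader named after its own .exe in system32"))
    return findings


def diff_logs(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added) between two scans; a component that keeps renaming itself
    appears in both lists under different file names."""
    old_set, new_set = set(old), set(new)
    removed = [e for e in old if e not in new_set]
    added = [e for e in new if e not in old_set]
    return removed, added


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for entry, why in flag_suspicious(after):
        print(f"[{entry.code}] {why}: {entry.body}")
    removed, added = diff_logs(before, after)
    print("gone since the earlier scan:", *(e.body for e in removed), sep="\n  ")
    print("new since the earlier scan:", *(e.body for e in added), sep="\n  ")
```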

#18 TonyKlein (Forum Deity, Expert, 1,841 posts)

Posted 28 July 2004 - 04:39 AM

Let's try this:

Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg
Save as Type: All Files
****Save on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ŻO.#×éä?§ě┬┤Ô]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ŻO.#×éä?§ě┬┤Ô]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ŻO.#×éä?§ě┬┤Ô]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ŻO.#×éä?§ě┬┤Ô]



Start your computer in Safe Mode, and have Hijack This fix all of the following:

Double click on fix.reg to enter into the registry.

Launch Hijack This; DO NOT OPEN ANYTHING ELSE!

Select these items and press fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://htzds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htzds.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {77DF93E3-BCDD-83BD-2F81-D52E0646BD26} - C:\WINDOWS\ieir.dll

O4 - HKLM\..\RunOnce: [sdkrb.exe] C:\WINDOWS\system32\sdkrb.exe



Delete these files:

C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\sdkrb.exe


Empty your Temporary Internet Files and history in Internet Options.

Go to Internet Options>Programs

Click the reset Web Settings Button to reset your home and search pages.

Restart into Regular Windows Mode.


Go to this link and run the free AV scan to clean up the residual files:

http://housecall.tre.../start_corp.asp
-------------------


If you were using a Hosts file, it was deleted.

Download the Hoster from the link below. Click Restore Original Hosts. Click OK.

http://members.aol.c...dbee/hoster.zip
--------
control.exe may have been deleted.

Follow instructions here to replace it: http://www.spywarein...es.html#control
----

Go here and follow the directions to reset your ActiveX:
http://www.computerc.../postt7736.html

When done, post a fresh log.

#19 temptech (Full Member, 15 posts)

Posted 28 July 2004 - 08:04 AM

To Tony,
Done; here is the log file. I know it did not work, but I could not find the sdkrb.exe file. The names are changing each time the system runs.
Kenneth
Logfile of HijackThis v1.98.0
Scan saved at 9:00:02 AM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\addlv32.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\netfb32.exe
C:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vxykt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vxykt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vxykt.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4034A933-9528-F1BA-1BCD-E091DD256B38} - C:\WINDOWS\d3eb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [addlv32.exe] C:\WINDOWS\addlv32.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\system32\netfb32.exe
O4 - HKLM\..\RunOnce: [sysxc32.exe] C:\WINDOWS\system32\sysxc32.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfresto...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
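
Worked example, added here and not code from the thread or from HijackThis: a small Python triage script that applies the same heuristics Tony applied by hand to the R0/R1/R3, O2 and O4 lines in the logs above, and then collects the file paths to delete in Safe Mode without depending on the exact names, since Kenneth reports the names change every time the system runs. The sample log is constructed from the entry shapes posted in this thread; the function names, rule names and directory list are the example's own assumptions.

```python
"""Triage a HijackThis log for the hijacker pattern discussed in this thread.

Added example; not the forum's or HijackThis's own code.  SAMPLE_LOG is
constructed from the entry shapes quoted above, not a real capture.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the log lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vxykt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vxykt.dll/index.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4034A933-9528-F1BA-1BCD-E091DD256B38} - C:\WINDOWS\d3eb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [addlv32.exe] C:\WINDOWS\addlv32.exe
O4 - HKLM\..\RunOnce: [netfb32.exe] C:\WINDOWS\system32\netfb32.exe
O4 - HKLM\..\RunOnce: [sysxc32.exe] C:\WINDOWS\system32\sysxc32.exe
"""

# Assumed: a DLL/EXE dropped straight into one of these directories, with no
# vendor subfolder, is suspect (the hijacker's files in the thread all live here).
BARE_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# res:// loads an HTML resource embedded in a DLL, so a start/search page set
# this way is served by a local DLL; that is how this family hides its page.
RES_DLL = re.compile(r"=\s*res://(?P<path>[^/]+\.dll)/", re.I)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
AUTORUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

Finding = Tuple[str, str, Optional[str]]  # (reason, log line, file artifact or None)


def exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def in_bare_system_dir(path: str) -> bool:
    parent = path.strip('"').lower().rsplit("\\", 1)[0]
    return parent in BARE_SYSTEM_DIRS


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's hand-applied rules to each R0/R1/R3, O2 and O4 line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("R0 ", "R1 ")):
            m = RES_DLL.search(line)
            if m:
                findings.append(("IE page setting served from res:// inside a local DLL", line, m.group("path")))
        elif line.startswith("R3 ") and "missing" in line:
            findings.append(("Default URLSearchHook removed", line, None))
        elif line.startswith("O2 "):
            m = BHO.match(line)
            if m and (m.group("name").lower() == "(no name)" or in_bare_system_dir(m.group("path"))):
                findings.append(("Unnamed BHO, or BHO loaded from a bare Windows directory", line, m.group("path")))
        elif line.startswith("O4 "):
            m = AUTORUN.match(line)
            if not m:
                continue  # Startup-folder entries are not covered by this rule set
            exe = exe_path(m.group("cmd"))
            if m.group("key").lower() == "runonce":
                # RunOnce is consumed at boot; seeing it on every boot under a
                # fresh name means a still-running component re-creates it
                # (the "names change each time" behaviour reported above).
                findings.append(("RunOnce autorun re-created each boot", line, exe))
            elif m.group("value").lower().endswith(".exe") and in_bare_system_dir(exe):
                findings.append(("Run value named after a bare .exe in a Windows directory", line, exe))
    return findings


def files_to_remove(findings: List[Finding]) -> List[str]:
    """One path per file name, preferring the absolute form when a name appears twice."""
    by_name = {}
    for _, _, artifact in findings:
        if artifact:
            name = artifact.rsplit("\\", 1)[-1].lower()
            if name not in by_name or len(artifact) > len(by_name[name]):
                by_name[name] = artifact
    return sorted(by_name.values(), key=str.lower)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for reason, line, _ in results:
        print(f"[{reason}]\n    {line}")
    print("Files to delete in Safe Mode:", *files_to_remove(results), sep="\n    ")
```

Run as-is it flags the seven hijacker lines in the sample and leaves the MSN start page, the Acrobat BHO and the Symantec ccApp entry alone. The RunOnce rule is the important one for this case: a RunOnce value that is back on the next boot with a new name tells you a component is still running and re-writing it, which is why the fix has to be done from Safe Mode with the listed processes not running, as the instructions above require.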

#20 rol (New Member, 1 post)

Posted 28 July 2004 - 06:12 PM

Hi,

I had a similar browser hijacker in my Internet Explorer ("mysearchnow"), but I uninstalled the "Messenger Plus" program and the problem no longer exists.
Maybe this helps...


rol

#21 temptech (Full Member, 15 posts)

Posted 30 July 2004 - 01:55 PM

To Rol,
I will give it a try, as it is an easy experiment; that, along with the information supplied by Tony, may work. He has made quite an effort; I think it's time to show some appreciation. Thanks for the tip.
Kenneth

#22 temptech (Full Member, 15 posts)

Posted 31 July 2004 - 01:01 PM

To Tony and Rol,
Since I am not an expert, I wanted to let you figure out what might have worked, as I do not want to mislead the less experienced guest. So far today, no hijacker running! This is what I did, and I mean exactly; nothing else was opened during the fix. I am afraid it will come back and that I do not have a real fix, but so far so good. I did go to regedit later and change my start page to MSN, and I have launched it about 10 times without a problem. Thank you to Tony Klein for the help; support is on the way.
Kenneth

Tune up all ActiveX and scripting controls in Explorer
Uninstall Messenger Plus
Boot in Safe Mode without other network services
Run HijackThis
Fix: netfb32.exe, sysxc32.exe, addlv32.exe, all R0, R1, R3
Remove: netfb32.exe, sysxc32.exe, addlv32.exe and fxssvc.exe
Run Buster until all files are removed (in my case, two times)
Run HijackThis (in my case, clear)
Empty Temporary Files
Empty History Files
Empty Recycle Bin
Run Buster one more time
Restart normally

#23 temptech (Full Member, 15 posts)

Posted 02 August 2004 - 12:53 PM

To Tony,
I wanted to let you know I also fixed one BHO (no name) under HijackThis as well. Otherwise the steps below are correct; was I lucky, or is something in the steps doing what it should? Here is a copy of the new log. My computer is working great: no pop-ups or hijacks.
Kenneth

To Tony and Rol,
Since I am not an expert, I wanted to let you figure out what might have worked, as I do not want to mislead the less experienced guest. So far today, no hijacker running! This is what I did, and I mean exactly; nothing else was opened during the fix. I am afraid it will come back and that I do not have a real fix, but so far so good. I did go to regedit later and change my start page to MSN, and I have launched it about 10 times without a problem. Thank you to Tony Klein for the help; support is on the way.
Kenneth

Tune up all ActiveX and scripting controls in Explorer
Uninstall Messenger Plus
Boot in Safe Mode without other network services
Run HijackThis
Fix: netfb32.exe, sysxc32.exe, addlv32.exe, all R0, R1, R3
Remove: netfb32.exe, sysxc32.exe, addlv32.exe and fxssvc.exe
Run Buster until all files are removed (in my case, two times)
Run HijackThis (in my case, clear)
Empty Temporary Files
Empty History Files
Empty Recycle Bin
Run Buster one more time
Restart normally

Logfile of HijackThis v1.98.0
Scan saved at 1:51:43 PM, on 8/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\00THotkey.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MathSoft\Mathcad 2001 Professional\mathcad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://www.gulfresto...ad/tgctlins.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#24 TonyKlein (Expert, 1,841 posts)

Posted 02 August 2004 - 02:19 PM

That's a clean log; well done!

Happy surfing! :)
