Jump to content


Photo

Hijacked by your-searcher.com


  • Please log in to reply
11 replies to this topic

#1 lukdani

lukdani

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 30 May 2004 - 10:48 AM

I am experiencing two problems; I don't know if they are related.

(1) My browser has been hijacked to your-searcher.com.

(2) At shutdown (running Win2k), I always get a mysterious program called Win Min which is " not responding".

Here is my log. Any help is highly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 11:34:45 AM, on 5/30/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\realjukebox\tsystray.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Download\aim\aim.exe
C:\winnt\dllhelp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Corel\Programs\MFIndexer.exe
D:\Microsoft Office\Office\1033\msoffice.exe
E:\Download\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [p3w.exe] C:\documents and settings\luki\local settings\temp\p3w.exe
O4 - HKLM\..\Run: [WinISO] TASKMANAGE.EXE
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 31 May 2004 - 08:02 AM

Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.
Posted Image

#3 lukdani

lukdani

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 31 May 2004 - 11:19 AM

Thanks for your help.

I had already run CWShredder, Spybot and Ad-Aware prior to my initial post. Anyway, I reran them using the switches you recommended.

The one change I can see in the new log is that now I seem to have also winlogin.exe among the running processes...Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 12:07:33 PM, on 5/31/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\realjukebox\tsystray.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Download\aim\aim.exe
C:\winnt\dllhelp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Corel\Programs\MFIndexer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
D:\Microsoft Office\Office\1033\msoffice.exe
E:\Download\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [p3w.exe] C:\documents and settings\luki\local settings\temp\p3w.exe
O4 - HKLM\..\Run: [WinISO] TASKMANAGE.EXE
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 31 May 2004 - 12:56 PM

OK. Click here to download TheKillbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Make sure the 'Create backup before deleting file' box is checked. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:

c:\winnt\dllhelp.exe

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". In the window that opens up, click on the File menu and choose "Add File". The c:\winnt\dllhelp.exe listing should show up in the window. Then repeat the process, this time adding:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

If that's successful you should have the two files listed. Then repeat so that these files appear in the list as well:

C:\documents and settings\luki\local settings\temp\p3w.exe
C:\Program Files\Internet Explorer\IEengine.exe

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Open HijackThis, scan and when complete, remove the following entries (if still there) by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKLM\..\Run: [p3w.exe] C:\documents and settings\luki\local settings\temp\p3w.exe
O4 - HKLM\..\Run: [WinISO] TASKMANAGE.EXE
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - Global Startup: winlogin.exe

Reboot when done. Rescan with HJT and post a new log.
Posted Image

#5 lukdani

lukdani

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 31 May 2004 - 03:36 PM

Thanks for your help.

I followed your instructions and the problem seems to be gone. Here is the current log; please let me know if there is still anything suspicious...

Logfile of HijackThis v1.97.7
Scan saved at 4:35:22 PM, on 5/31/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\realjukebox\tsystray.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Download\aim\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Corel\Programs\MFIndexer.exe
D:\Microsoft Office\Office\1033\msoffice.exe
E:\Download\Security\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 31 May 2004 - 04:37 PM

Looks OK - how is it running now?
Posted Image

#7 lukdani

lukdani

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 31 May 2004 - 11:37 PM

Well, everything was fine, but unfortunately only for a little while...

In no time one of my kids went on the web and managed to get into new trouble..but I will start a new post with that one.

Thanks very much for your help.

#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 01 June 2004 - 01:01 AM

Just continue in this one.
Posted Image

#9 lukdani

lukdani

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 01 June 2004 - 09:35 AM

OK, here is the problem. I now get all kinds of popups and weird behavior as soon as I try to go on the Web.

After taking a look, I seem to have the bookedspace BHO. The HJT log shows this bxxs5.dll that I cannot get rid of. I have tried to delete it in Safe model, fix it with HJT etc, but it keeps coming back...

Here is my current log.


Logfile of HijackThis v1.97.7
Scan saved at 10:32:44 AM, on 6/1/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\realjukebox\tsystray.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Download\aim\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Corel\Programs\MFIndexer.exe
D:\Microsoft Office\Office\1033\msoffice.exe
E:\Download\Security\HijackThis.exe

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 01 June 2004 - 10:49 AM

I'm looking suspiciously at the Media Player entry. Lets try something. With only HJT running, have it fix:

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun


Then delete this folder:

C:\Program Files\Windows Media Player\

Click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so. Repeat for all log-in accounts on your computer.

If you find that WMP has been affected, download the legitimate version from here:

http://www.microsoft...ies/player.aspx
Posted Image

#11 lukdani

lukdani

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 01 June 2004 - 10:37 PM

Well, I think you were right. The wmplayer.exe file had a date stamp of yesterday, when the re-infection (or whatever) occurred.

After following your instructions, everything seems to be back to normal. Here is the current HJT log -- let me know if you see any other suspect entries...

Thanks very much for your help.

Logfile of HijackThis v1.97.7
Scan saved at 11:24:59 PM, on 6/1/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\realjukebox\tsystray.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Download\aim\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Corel\Programs\MFIndexer.exe
D:\Microsoft Office\Office\1033\msoffice.exe
E:\Download\Security\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] D:\realjukebox\tsystray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Download\aim\aim.exe -cnetwait.odl
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#12 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 June 2004 - 01:23 AM

That's a clean log - well done :D
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button