
I also got it



#1 Bonden (Member, 3 posts)

Posted 16 June 2004 - 03:20 PM

Hi
I've been trying to get rid of this bastard for 2 days now.

Ran HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 22:05:40, on 16-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ABIT\ABIT uGuru\uGuru.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\Programmer\SPACE INTERNATIONAL\CDSpace 4.1\LCDPlyer.exe
D:\eMule\emule.exe
C:\WINDOWS\system32\iebo.exe
C:\WINDOWS\system32\wintu.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spjua.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spjua.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spjua.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spjua.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spjua.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spjua.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {05936A67-40A0-A0D5-9587-1B76477FEA8B} - C:\WINDOWS\sdkot32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Programmer\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Programmer\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iebw.exe] C:\WINDOWS\system32\iebw.exe
O4 - HKLM\..\Run: [ntie32.exe] C:\WINDOWS\system32\ntie32.exe
O4 - HKLM\..\Run: [wintu.exe] C:\WINDOWS\system32\wintu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Programmer\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Programmer\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Programmer\IDA\ida.exe -autorun
O4 - HKLM\..\RunOnce: [iebo.exe] C:\WINDOWS\system32\iebo.exe
O4 - HKLM\..\RunOnce: [mfczh32.exe] C:\WINDOWS\mfczh32.exe
O4 - HKLM\..\RunOnce: [atloc32.exe] C:\WINDOWS\system32\atloc32.exe
O4 - HKLM\..\RunOnce: [winbi.exe] C:\WINDOWS\winbi.exe
O4 - HKLM\..\RunOnce: [crhc.exe] C:\WINDOWS\system32\crhc.exe
O4 - HKLM\..\RunOnce: [ieuc32.exe] C:\WINDOWS\ieuc32.exe
O4 - HKLM\..\RunOnce: [ntvn32.exe] C:\WINDOWS\system32\ntvn32.exe
O4 - HKLM\..\RunOnce: [iplo32.exe] C:\WINDOWS\iplo32.exe
O4 - HKLM\..\RunOnce: [apigs32.exe] C:\WINDOWS\system32\apigs32.exe
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe "Henrik Bonde"
O4 - Global Startup: LCDPlayer.lnk = ?
O8 - Extra context menu item: Download ALL with IDA - C:\Programmer\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programmer\IDA\idaie.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Internet Download Accelerator (HKLM)
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8136.6030092593
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...366/mcfscan.cab


What to do?

Thanks
Bonden

#2 Racktracker (Hunter of Malware, Retired Staff, 1,306 posts)

Posted 16 June 2004 - 09:00 PM

Open task manager (alt+ctrl+del) and end task the following processes.
iebo.exe

Download CoolWebShredder (CWShredder), unzip it and click Fix.

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spjua.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spjua.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spjua.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spjua.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spjua.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spjua.dll/sp.html#96676
O2 - BHO: (no name) - {05936A67-40A0-A0D5-9587-1B76477FEA8B} - C:\WINDOWS\sdkot32.dll
O4 - HKLM\..\RunOnce: [iebo.exe] C:\WINDOWS\system32\iebo.exe
O4 - HKLM\..\RunOnce: [mfczh32.exe] C:\WINDOWS\mfczh32.exe
O4 - HKLM\..\RunOnce: [atloc32.exe] C:\WINDOWS\system32\atloc32.exe
O4 - HKLM\..\RunOnce: [winbi.exe] C:\WINDOWS\winbi.exe
O4 - HKLM\..\RunOnce: [crhc.exe] C:\WINDOWS\system32\crhc.exe
O4 - HKLM\..\RunOnce: [ieuc32.exe] C:\WINDOWS\ieuc32.exe
O4 - HKLM\..\RunOnce: [ntvn32.exe] C:\WINDOWS\system32\ntvn32.exe
O4 - HKLM\..\RunOnce: [iplo32.exe] C:\WINDOWS\iplo32.exe
O4 - HKLM\..\RunOnce: [apigs32.exe] C:\WINDOWS\system32\apigs32.exe

Then reboot into safe mode and delete these files.
C:\WINDOWS\system32\iebo.exe
C:\WINDOWS\mfczh32.exe
C:\WINDOWS\system32\atloc32.exe
C:\WINDOWS\winbi.exe
C:\WINDOWS\system32\crhc.exe
C:\WINDOWS\ieuc32.exe
C:\WINDOWS\system32\ntvn32.exe
C:\WINDOWS\iplo32.exe
C:\WINDOWS\system32\apigs32.exe

You may have to enable hidden files to find all the files.

Then reboot into normal mode.
Next download Spybot and Ad-Aware. Update and scan with both. Have Spybot fix anything it lists in RED and Ad-Aware fix everything it finds. Then reboot and run another HijackThis scan and post your new log here.

#3 Bonden (Member, 3 posts)

Posted 17 June 2004 - 10:13 AM

Hi, and thanks for helping :-)

Some of the crap is gone after following your instructions, but I still get some pop-ups.

New HJT log file

Logfile of HijackThis v1.97.7
Scan saved at 17:09:54, on 17-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ABIT\ABIT uGuru\uGuru.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\ntie32.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Programmer\Logitech\Profiler\lwemon.exe
C:\Programmer\IDA\ida.exe
C:\Programmer\SPACE INTERNATIONAL\CDSpace 4.1\LCDPlyer.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\ipem32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43E76A8D-E0B1-618A-CF6F-AD2CFE938EC6} - C:\WINDOWS\ieod32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Programmer\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Programmer\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iebw.exe] C:\WINDOWS\system32\iebw.exe
O4 - HKLM\..\Run: [ntie32.exe] C:\WINDOWS\system32\ntie32.exe
O4 - HKLM\..\Run: [wintu.exe] C:\WINDOWS\system32\wintu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Programmer\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Programmer\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Programmer\IDA\ida.exe -autorun
O4 - HKLM\..\RunOnce: [ipem32.exe] C:\WINDOWS\system32\ipem32.exe
O4 - Global Startup: LCDPlayer.lnk = ?
O8 - Extra context menu item: Download ALL with IDA - C:\Programmer\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programmer\IDA\idaie.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Internet Download Accelerator (HKLM)
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8136.6030092593
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...366/mcfscan.cab


Best rgds
Bonden

#4 Bonden (Member, 3 posts)

Posted 17 June 2004 - 11:10 AM

Hi again
I didn't get it all the first time, so I tried again on my own.

This is the log file after my second HJT fix

Logfile of HijackThis v1.97.7
Scan saved at 18:05:53, on 17-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\ABIT\ABIT uGuru\uGuru.exe
C:\Programmer\Logitech\iTouch\iTouch.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Programmer\Logitech\MouseWare\system\em_exec.exe
C:\Programmer\Logitech\Profiler\lwemon.exe
C:\Programmer\IDA\ida.exe
C:\Programmer\SPACE INTERNATIONAL\CDSpace 4.1\LCDPlyer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Programmer\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Programmer\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Programmer\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Programmer\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Programmer\IDA\ida.exe -autorun
O4 - Global Startup: LCDPlayer.lnk = ?
O8 - Extra context menu item: Download ALL with IDA - C:\Programmer\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Programmer\IDA\idaie.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Internet Download Accelerator (HKLM)
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8136.6030092593
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://scanner.virus...cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...366/mcfscan.cab

Did I get it all?

Rgds
Bonden
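The helper's procedure in post #2 (pick the hijacked R0/R1 entries, the unnamed BHO and the RunOnce entries pointing at random-named executables, then delete those files in safe mode) and the new components that show up in the log in post #3 (ieod32.dll, ipem32.exe) can both be handled mechanically. The script below is an added example written for this thread; it is not part of the original posts, of HijackThis, or of any SpywareInfo tool. It parses HJT-style log lines, flags entries with three constructed heuristics (IE pages redirected to a res:// DLL resource, an unnamed BHO loaded from a bare DLL in the Windows directory, an O4 autostart pointing at a bare executable in WINDOWS or system32 that is not on a small allowlist), derives the on-disk file list a helper would ask to be deleted, and diffs two logs to show what the fix removed and what reappeared. It goes slightly beyond post #2 in that it also flags the HKLM\..\Run entries (iebw.exe, ntie32.exe, wintu.exe) that Bonden ended up removing himself in post #4. The sample log lines are abridged from the logs in this thread; the KNOWN_GOOD allowlist is an assumption made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# One HijackThis entry line: "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe"
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# A bare .exe/.dll sitting directly in the Windows directory or in system32,
# the location every malicious entry in the thread's logs used.
WINDIR_BINARY = re.compile(
    r'^"?(?P<path>[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\\s"]+\.(?:exe|dll))"?',
    re.IGNORECASE,
)

# Assumption: legitimate binaries that also live in system32 and appeared in
# the thread's logs as normal autostart entries (constructed allowlist).
KNOWN_GOOD = {"nerocheck.exe", "dumprep"}

@dataclass(frozen=True)
class Entry:
    kind: str   # R0, R1, O2, O4, O16, ...
    body: str   # everything after " - "

def parse_log(text: str) -> list[Entry]:
    """Keep only the R*/O* entry lines; the header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append(Entry(m.group("kind"), m.group("body")))
    return out

def autostart_path(e: Entry) -> Optional[str]:
    """Binary launched by an O4 entry, only if it lives bare in WINDOWS/system32."""
    m = re.search(r"\] (.+)$", e.body)          # command follows the [name] tag
    if not m:
        return None
    hit = WINDIR_BINARY.match(m.group(1))
    return hit.group("path") if hit else None

def why_suspicious(e: Entry) -> Optional[str]:
    """Reason string if the entry matches one of the three heuristics, else None."""
    if e.kind in ("R0", "R1") and "= res://" in e.body:
        return "IE start/search page redirected into a local DLL resource"
    if e.kind == "O2" and e.body.startswith("BHO: (no name)"):
        dll = e.body.rsplit(" - ", 1)[-1]
        if WINDIR_BINARY.match(dll):
            return "unnamed BHO loaded from a bare DLL in the Windows directory"
    if e.kind == "O4":
        path = autostart_path(e)
        if path and path.rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD:
            return "autostart points at a bare executable in the Windows directory"
    return None

def triage(text: str) -> dict[str, str]:
    """Map each suspicious entry line to the reason it was flagged."""
    return {f"{e.kind} - {e.body}": r for e in parse_log(text) if (r := why_suspicious(e))}

def files_to_delete(text: str) -> list[str]:
    """On-disk files behind flagged O2/O4 entries: the safe-mode deletion list."""
    paths = set()
    for e in parse_log(text):
        if why_suspicious(e) is None:
            continue
        if e.kind == "O4":
            paths.add(autostart_path(e))
        elif e.kind == "O2":
            paths.add(e.body.rsplit(" - ", 1)[-1])
    return sorted(paths)

def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(entries the fix removed, entries that newly appeared, i.e. respawned components)."""
    b = {f"{e.kind} - {e.body}" for e in parse_log(before)}
    a = {f"{e.kind} - {e.body}" for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)

# Constructed sample input, abridged from the first and second logs in the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spjua.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {05936A67-40A0-A0D5-9587-1B76477FEA8B} - C:\WINDOWS\sdkot32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [wintu.exe] C:\WINDOWS\system32\wintu.exe
O4 - HKLM\..\RunOnce: [iebo.exe] C:\WINDOWS\system32\iebo.exe
O4 - HKLM\..\RunOnce: [mfczh32.exe] C:\WINDOWS\mfczh32.exe
O4 - Global Startup: LCDPlayer.lnk = ?
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43E76A8D-E0B1-618A-CF6F-AD2CFE938EC6} - C:\WINDOWS\ieod32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunOnce: [ipem32.exe] C:\WINDOWS\system32\ipem32.exe
O4 - Global Startup: LCDPlayer.lnk = ?
"""

if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE).items():
        print(f"FLAG  {line}\n      {reason}")
    print("delete in safe mode:", *files_to_delete(LOG_BEFORE), sep="\n  ")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by fix:", *removed, sep="\n  ")
    print("new since fix (respawned):", *added, sep="\n  ")
```

The diff is the part worth keeping around: when a second log shows fresh random-named entries in the same locations (here ieod32.dll and ipem32.exe), something still running is re-creating them, which is why the helper's order of operations ends the running process and boots to safe mode before deleting files rather than just fixing registry entries.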
