Jump to content


Photo

Wtoolsa and Wsup


  • Please log in to reply
18 replies to this topic

#1 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 21 June 2004 - 10:20 AM

I just ran an updated version of SpyBot, then ran the latest 'Hijackthis'. Below is my log. How do I get rid of Wsup and Wtoolsa and is there anything else in the log that needs to be deleted?

Logfile of HijackThis v1.97.7
Scan saved at 11:14:20 AM, on 6/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\MY DOCUMENTS\SHANES CS1321\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [%SP_SHORT_TITLE%] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

#2 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 21 June 2004 - 11:44 AM

Hi
Restart in Safe mode and
To unhide hidden files,
  • On desktop select My Computer and select View>Folder Options
  • Under the View tab,
  • Tick show all files
  • Untick hide file extensions for all file types. Select Apply
Run hijackand please place a check in the following entries.
Ensure All IE. browsers and windows explorers are closed,
then have hijack fix them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


While still in safe mode, Select Start-> Settings-> Control panel-> add/remove and select and remove the following programs if present:Wintools
find and delete the following files/folders if they still exist:
C:\Program Files\Common files\WinTools <--delete only this folder

Open an IE and select Tools> Internet options and delete all temporary internet files and tick offline content
c:\temp <--delete all files in this folder
c:\windows\ temp <--delete all files in this folder

Then, in hijack go to "Config" and select "ignorelist" at the top. If anything is listed in that window, select "delete all".
Then go to Start> Run and type msconfig and hit OK. Under the "General" tab, ensure that "Normal startup" is selected

Restart your system and repost here with a new log from hijack.

#3 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 21 June 2004 - 02:01 PM

Hey thanks, heres the new 'Hijackthis' log file:


Logfile of HijackThis v1.97.7
Scan saved at 2:57:27 PM, on 6/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\SHANES CS1321\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593

#4 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 21 June 2004 - 03:34 PM

hi again thirdeyeopen

First can you temporarily disable spyware guard and then
Please place a check in the following entries.
Ensure All IE. browsers and windows explorers are closed,
then have hijack fix them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\TEMP\WTUNINST.EXE remove


There are some missing items in your log, In hijack, could you please click config> select backups from the top of the page,
see if any of the entries below are listed. If so, highlight each one, one at a time and select restore.

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun,
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\Windows\Taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe


Restart your unit and repost a fresh log.
Report any info you found with the backups list or the ignorelist from the previous instructions.

thanks

#5 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 21 June 2004 - 04:46 PM

Ok, I checked the items you listed and had 'Hijackthis' fix them. I did not see any of the items that you said were missing in the backup list. Below is my new log. thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 5:41:56 PM, on 6/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\SHANES CS1321\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593

#6 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 21 June 2004 - 08:42 PM

HI again thrirdeye.

Good job, things look better now.
I'm curious that the missing entries I listed are not showing up anywhere. They help the smooth operation of windows, particularily scanregw. I'd like to investigate further.

Can you please generate a stratuplist. Run hijackthis, Click Config> Misc tools> then choose generate startuplist log.
Then copy and past the entire result from notepad into your next post along with a fresh hijack log..
thanks

#7 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 22 June 2004 - 10:39 AM

hello,

I tried to run a startup log in hijack this morning before work and it wasnt cooperating with me. when i click on "generate start up list", it acknowledged my "click" but didnt do anything. I closed the program and tried again and still nothing. Are you just wanting to know what programs I have configured to launch automatically at startup? I have tampered with the natural settings of the system before using , start>run>msconfig>startup. I did this as sort of a quick fix when i was having speed issues as a result of the imense amount of spyware on my system. Programs that i didnt need all the time, i.e. quicktime, AIM, and the like, i unticked to conserve resources. I may have gotten a little carried away with it though, bc I continued to untick things that looked strange bc i thought they might be spyware. It is very likely that I unticked critical components I guess.

If I cant get hijack to generate the list, would you like for me to manually post all the programs that are unticked in start>run>msconfig>startup?

#8 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 22 June 2004 - 11:55 AM

Third eye.

When you click yes to the prompt for creating the startuplist, the list should open right up in notepad. That list was just another way to look into the registry.

Neverthless, If you could go to msconfig and check everything, reboot and post a new log from hijack, that would be great. Most bits like quicktime and the like can be disable through hijack without using selective startup in msconfig.

Perhaps the ones I'm looking for may be there. We can go through the list and disable the hogs and any un-needed startups you don't use, so as to keep things tuned up for you. :cool:

Edited by pfofit, 22 June 2004 - 11:59 AM.


#9 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 22 June 2004 - 12:58 PM

sounds good. ill do that first thing when i get home tonight (~6:00 Rocky Mnt US time)and post a new log.

#10 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 22 June 2004 - 07:39 PM

Ok here it is:

Logfile of HijackThis v1.97.7
Scan saved at 8:08:33 PM, on 6/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SCANREGW.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
D:\PROGRAM\DISTILLR\ACROTRAY.EXE
C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\MY DOCUMENTS\SHANES CS1321\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [I] C:\WINDOWS\TEMP\I.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [23TQNBX3#F9XXK] C:\WINDOWS\SYSTEM\KxrWfD1.exe
O4 - HKLM\..\Run: [spiyzfgkozxs] C:\WINDOWS\SYSTEM\wurpcz.exe
O4 - HKLM\..\Run: [o74U36U] REGCNV32.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [NOMAD Detector] "C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: NetZero and NZ Platinum.lnk = D:\program\nzStart.exe
O4 - Startup: Acrobat Assistant.lnk = D:\program\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593

#11 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 22 June 2004 - 10:39 PM

Hi there thirdeyeopen, good work.
Good news is that we found the good items but bad news is we found a couple more bits of malware,trojans etc.

First, you have picked up the Peper trojan. To remove it, can you please download the PeperFix tool,
  • save it to your desktop,
  • close all browsers and doubleclick on it,
  • click 'Find and Fix' and reboot if prompted
Then please run hijack and place a check in the following entries.
Ensure All IE. browsers and windows explorers are closed,
then have hijack fix them:
O4 - HKLM\..\Run: [I] C:\WINDOWS\TEMP\I.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [23TQNBX3#F9XXK] C:\WINDOWS\SYSTEM\KxrWfD1.exe
O4 - HKLM\..\Run: [spiyzfgkozxs] C:\WINDOWS\SYSTEM\wurpcz.exe
O4 - HKLM\..\Run: [o74U36U] REGCNV32.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


These items in blue are unnecessary programs running at start and/or that hog resources: Having hijack fix it does not remove the program, just their start up command. We can look at others later.
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl


Next, restart in Safe mode and find and delete the following files/folders if they still exist:

C:\WINDOWS\SYSTEM\DP-HIM.EXE <--delete only this file
C:\WINDOWS\SYSTEM\KxrWfD1.exe <--delete only this file
C:\WINDOWS\SYSTEM\wurpcz.exe <--delete only this file
REGCNV32.EXE <--delete only this file

C:\Program Files\Common files\WinTools <--delete only this folder

c:\ temp <--delete all files in this folder
c:\windows\ temp <--delete all files in this folder
Open an IE and select Tools> Internet options and delete all temporary internet files and tick offline content

Restart your system and do a free online virus scan and delete anything it finds from:To be on the safe side, we should do a free online trojan scan as well and delete anything it finds from:
Repost here with a new log from hijack.

#12 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 23 June 2004 - 08:16 AM

Ok i tried to do everything you said but ran into some problems...

1. when trying to manually delete the temp files from windows, the following file would not let me delete it. It gave me that "the source file may be in use" crap

C:\WINDOWS\TEMP\DfBA42.TMP

2. housecall found 44 viruses but it wouldnt let me delete any of them. It said they were "unaccessible"

#13 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 23 June 2004 - 09:21 AM

Hello thirdeye. Thanks for the feedback.

Its probable that they are in the system restore.
To clear some of these viruses out, we need to temporarily disable system restore. This will delete all of your restore points and may clean some of those uncleanable viruses out.

To disable Windows Me System Restore
Right-click My Computer, and then click Properties.
On the Performance tab click File System.
Select the Troubleshooting tab, and then check Disable System Restore.
Click OK twice. Click Yes, when you are prompted to restart Windows.
Press F8 while the system restarts and select safe mode.
Once in safe mode, delete the files under the _Restore folder

Rerun the online AV and trojan scans, and when completed, re-enable System Restore by doing this

To enable Windows Me System Restore
Right-click My Computer, and then click Properties.
On the Performance tab click File System.
Select the Troubleshooting tab, uncheck Disable System Restore.
Click OK twice. Click Yes, when you are prompted to restart Windows.

Thirdeyeopen, as for the temp files, sometimes there are a couple of those temp files that are hooked into windows. If you select all others, except the ones they mention then you should be able to delete the rest.

This one in particular is a trojan. Make sure you get him deleted.
C:\WINDOWS\TEMP\I.EXE

keep me posted and when finshed repost a fresh log.

Edited by pfofit, 23 June 2004 - 09:23 AM.


#14 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 23 June 2004 - 08:19 PM

Pfofit,

Ok i ran the virus scans and was successfully able to delete the offending programs. I dont think that having hijack fix the programs you listed in blue helped bc they are still loading when the computer turns on. Also what about the program RB32.EXE. That little bastard keeps trying to access the internet. I did a google on it and one of the results said that it was spyware. Is it? Heres my latest log...


Logfile of HijackThis v1.97.7
Scan saved at 9:14:32 PM, on 6/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
D:\PROGRAM\DISTILLR\ACROTRAY.EXE
C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\MY DOCUMENTS\SHANES CS1321\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [rb32 0l8341] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: NetZero and NZ Platinum.lnk = D:\program\nzStart.exe
O4 - Startup: Acrobat Assistant.lnk = D:\program\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#15 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 23 June 2004 - 08:58 PM

Hi there, The blue items: quicktime, Aim, Messenger and office that we did in are gone. The others that are not so problematic I will deal with later. For the time I am focusing on getting rid of the garbage and then we will houseclean.

Your doing well, but you got a new fly in the ointment.

You have picked up the RapidBlaster Infection, which requires an uninstaller to properly remove it!

Please Download Rapidblaster Killer 1.61 and Run The Program and select 'Scan'

Please, then reboot. To help keep from being reinfected, lets put up some barriers by installingSpywareBlaster, if you do not already have it.. It's free and will help prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Just download, install and check for updates and enable all protection.

Then repost a fresh log
Thanks

Edited by pfofit, 23 June 2004 - 09:00 PM.


#16 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 24 June 2004 - 07:38 AM

pfofit,

fresh log...

Logfile of HijackThis v1.97.7
Scan saved at 8:04:13 AM, on 6/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
D:\PROGRAM\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\MY DOCUMENTS\SHANES CS1321\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [rb32 0l8341] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: NetZero and NZ Platinum.lnk = D:\program\nzStart.exe
O4 - Startup: Acrobat Assistant.lnk = D:\program\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#17 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 24 June 2004 - 09:08 AM

Hi
Restart in Safe mode and run the rapid blaster scan again.
then reboot and please run hijack and place a check in the following entry if present.
Ensure All IE. browsers and windows explorers are closed,
then have hijack fix it:
O4 - HKLM\..\Run: [rb32 0l8341] "C:\Program Files\RapidBlaster\rb32.exe"

find and delete the following folder if it still exist:
C:\Program Files\ RapidBlaster <--delete only this folder

--------------------------------------------------------------------------
These items in blue can be fixed if you choose, they are programs that you had disabled in msconfig that are optional. Having hijack fix an item does not remove the program, just their start up command. Please read the details carefully and decide what you would like to keep or disable.

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
For Creative sound cards. Detects when you insert a CD, DVD, etc

O4 - HKLM\..\Run: [Creative Launcher] C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
Adds a System Tray icon for your soundcard

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
System tray application for SB Live functions.

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
Loads up MSN Queue Manager

O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
Adds a printer icon in the System Tray for quick access

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
Causes applications to launch on insertion of a disk in an Iomega Zip drive

O4 - HKCU\..\Run: [NOMAD Detector] "C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
This is required if you want PlayCentre 2 to take control of the NOMAD jukebox/MP3 once connected

O4 - Startup: NetZero and NZ Platinum.lnk = D:\program\nzStart.exe
You had this disabled. Do you use netZero

O4 - Startup: Acrobat Assistant.lnk = D:\program\Distillr\AcroTray.exe
Used to create PDF files with Acrobat Distiller

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
It is needed by some graphics professionals who want their to adjusts monitor colours.


Restart your system and repost here with a new log from hijack.

Edited by pfofit, 24 June 2004 - 09:12 AM.


#18 thirdeyeopen

thirdeyeopen

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 24 June 2004 - 07:54 PM

pfofit,

SCHEW!!!! I think we may have gotten them all finally! You have been a big help, and I really appreciate it. You been such a big help that I think I would like to run this same process on my computer with you. The one we've been slaving over belongs to my father. My computer should be in much better shape and alot easier to work with. It's super fast and doesnt have memory issues like my father's. He only has 64Mb of RAM. Im over 500. Anyway, heres the latest log...

Logfile of HijackThis v1.97.7
Scan saved at 8:47:00 PM, on 6/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPID.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O4 - Global Startup: ZoneAlarm Pro - Integrity Desktop.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapid.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.gci-ga.com/iNotes.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.8189467593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#19 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 24 June 2004 - 08:54 PM

Ta-daa. I think you are right. Things look better now.
Below is my standard speech. Some we have done along the way, but check them all out.

I'll also add at the end, setup instructions for ad-aware and spybot. Print out some copies and keep them handy for occasional cleanings.
------------------------------------------------------------------------------------------------
Please read through the recommended ideas and free software listed below that will help to keep your computer from being reinfected
  • Do not let any site install anything if you do not know what it is.

  • Ensure that an Antivirus is updated weekly and running. AVG antivirus from Grisoft is a very good FREE antivirus program if you do not have one already.

  • Make sure you have the latest critical updates from windows update.

  • SpywareBlaster will prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

  • IE-SPYAD puts over 4000 known 'bad' sites into your IE restricted zone so that they cannot install malware on your PC.

  • Google toolbar has a very good built in popup blocker with a nice search bar. To provide privacy, select disable advanced features when installing.

  • Check your system for latest virus definitions with an online virus scan
    Check your system for latest trojan definitions with an Online trojan scan

  • Spybot S&D 1.3 and/or Ad-aware 6 Free are excellent removal tools are are updated often.

  • And also see this link for additional security information.
    So how did I get infected in the first place?
------------------------------------------------------------------------------------------------
Spybot 1.3 setup
If you are running Version 1.2, you can safely upgrade (Install over) the old version. BE SURE YOU REBOOT after install.
It's recommended that if you've been using 1.3 RC's(release candidates) to uninstall them first.
  • Select Search for updates.
  • Then select all available updates that are displayed in the white box.
  • Select a download mirror nearest your location.
  • Then select Download updates .
  • Shut down and restart Spybot.
  • Select the Search and destroy icon and click on Check for Problems.
  • Delete/fix anything that spybot shows in RED.
While spybot is running, a counter will be displayed in the lower left corner like xxxx/17000+. There is currently about 17000+ detections.

Reboot your unit

-------------------------------------------------------------------------------------------------------------
Ad-aware 6 setup
Run a FULL adaware scan using the following configuration below
Before scanning with Ad-aware 6 Free:
  • Update by selecting Check for updates. Then Connect and download the latest file 01R324 22.06.2004. When finished, shut down and restart Ad-Aware.
  • Select the gear wheel at the top and ensure at least the following are ticked.
  • Under General
    • Automatically save log-file.
    • Automatically quarantine objects prior to removal.
    • Safe mode.
  • Under Scanning
    • Select all available options.
    • Select Check Drives & Folders, make sure all hard drives are selected.
  • Under Tweaks > Scanning Engine
    • Unload recognized processes during scanning.
    • Include basic ad-aware settings.
    • Include additional ad-aware settings.
  • Under Tweaks > Cleaning Engine:
    • Select all available options.
  • Click Proceed, then Start and make sure Activate in-depth scan is green.
  • Select ‘Use custom scan’ and hit ‘Next’ to let Ad-Aware scan your drives.
It will list "bad" files and registry keys. Click ‘Next’.
Rightclick in the list and select all and click next.

It will ask for verification of checked items. Choose OK.

Finally, close Ad-Aware, Shut down and reboot your unit.

cheers, pfofit.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button