Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

please help... I have quite a few problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

please help... I have quite a few problems

Unread postby silverleaf » April 13th, 2005, 9:52 am

My computer seems to be infected with malware of some sort... I've tried running AdAware Pro and Microsoft AntiSpyware and they've supposedly removed a fair few items but I continue to have the same problems. Both programs claim my system is clean.

1) Green hyperlinks in web pages, but I can't find any of the files associated with Surf+ so it must be something else.

2) Browser windows to gambling, search, antispyware, etc, sites open randomly, but especially when I first open IE.

3) A window with the word "Aurora" often opens when I'm in IE. It brings up one of a series of webpages. It has an icon which is exactly the same as one I used to get with Ceres (which AdAware claimed to remove).

4) After restart, my computer tries to connect to the internet and opens a browser window, usually something to do with sex or porn or something. I don't restart too often so I don't have much info on this one.

All these problems have been getting worse the last few days.

I've used AGV Free Edition anti-virus software, thinking that since these problems aren't picked up by my anti-spyware software they might be caused by a virus. AGV found no viruses.

Panda Software's ActiveScan identified loads of adware and trojans but couldn't remove them.

I've tried deleting all temp files but I can't see that it's made a difference.

Logfile of HijackThis v1.99.1
Scan saved at 14:55:26, on 13/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\abasa5jrp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
F:\Programs\BullGuard 5.0\bullguard.exe
c:\winnt\system32\tcgrstm.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
f:\Programs\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\rtneg3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [abasa5jrp] C:\WINNT\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [gqmqxh] c:\winnt\system32\tcgrstm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06c9a23d53ef44021a ... xIE601.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F6F16-5CBD-4FC5-92FA-EC49131572EC}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am
Advertisement
Register to Remove

Unread postby ChrisRLG » April 13th, 2005, 3:40 pm

Hi there, and welcome to the forums!

  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Press Control-Alt-Del to enter the Task Manager.
    Click on the Processes tab and end the following processes:

    C:\WINNT\system32\abasa5jrp.exe
    c:\winnt\system32\tcgrstm.exe


    Exit the Task Manager when finished.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\system32\rtneg3.dll
    O4 - HKLM\..\Run: [abasa5jrp] C:\WINNT\system32\abasa5jrp.exe
    O4 - HKLM\..\Run: [gqmqxh] c:\winnt\system32\tcgrstm.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06c9a23d53ef44021a ... xIE601.cab


    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINNT\system32\abasa5jrp.exe
    c:\winnt\system32\tcgrstm.exe
    C:\WINNT\Nail.exe


    Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby silverleaf » April 14th, 2005, 5:19 am

Hi Chris!

Thank you very much for your help.

I followed the instructions you gave me except for the following:

C:\WINNT\system32\abasa5jrp.exe and c:\winnt\system32\tcgrstm.exe were not running, so obviously I didn't end them.

I couldn't find O4 - HKLM\..\Run: [gqmqxh] c:\winnt\system32\tcgrstm.exe in HijackThis, and I didn't find c:\winnt\system32\tcgrstm.exe either.

So far I've noticed that the green hyperlinks have gone, and have not seen any pop-ups yet. Yay! :)

Logfile of HijackThis v1.99.1
Scan saved at 10:14:07, on 14/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

New HijackThis log:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\winnt\system32\knnqtzz.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [wgvwfd] c:\winnt\system32\knnqtzz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby ChrisRLG » April 14th, 2005, 6:22 am

OK if you have rebooted since, this current bad file may have changed again. If when you scan with HJT you can't find that knnqtzz.exe file, look for a new one in roughly the same place in the log. Ensure that it did not appear in the previous log, and that you had not installed anything since, than fix/delete that file instead.

We are disabling the M$ anti spyware program while we do the fix with HJT as it might stop some of the fix otherwise. It might not be running , if so, do not worry about it.

  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Press Control-Alt-Del to enter the Task Manager.
    Click on the Processes tab and end the following processes:

    c:\winnt\system32\knnqtzz.exe
    f:\Programs\Microsoft AntiSpyware\gcasServ.exe


    Exit the Task Manager when finished.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
    O4 - HKLM\..\Run: [wgvwfd] c:\winnt\system32\knnqtzz.exe


    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:

    c:\winnt\system32\knnqtzz.exe
    C:\WINNT\Nail.exe

    (check to make sure that nail file had gone from the previous fix.)

    Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby silverleaf » April 14th, 2005, 6:52 am

c:\winnt\system32\knnqtzz.exe wasn't there when I rebooted in Safe mode.

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:54:46, on 14/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\winnt\system32\ktaonv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
f:\Programs\Microsoft AntiSpyware\gcasDtServ.exe
F:\Programs\BullGuard 5.0\bullguard.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nebzou] c:\winnt\system32\ktaonv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth

Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program

Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -

http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) -

https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -

http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -

http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -

https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -

http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F6F16-5CBD-4FC5-92FA-EC49131572EC}: NameServer =

195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth

Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia

Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft

Shared\Source Engine\OSE.EXE (file missing)
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby ChrisRLG » April 14th, 2005, 7:05 am

O4 - HKLM\..\Run: [nebzou] c:\winnt\system32\ktaonv.exe

there it is now :(

and that F1 line too is still there.

(Remember this could rename itself again)

Could you boot to safe mode first.

Check that those programs are not running in taskmanager. Endtask if they are.

Then fix those two lines in HJT. (with the new name if it has morphed)

Then delete the files with windows explorer.

If that does not work we have other tools.

Post back with a new HJT log, but please from now on only reboot/turn off when I ask for it.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby silverleaf » April 14th, 2005, 12:56 pm

Did I reboot when I wasn't supposed to? :(

Okay, that morphing program was running, but every time I tried to end it a new version with a different name started running. So I gave up on that.

I fixed the nail.exe file and the morphingprogram.exe, but when I went into windows explorer the nail.exe was still there (I deleted it, but it's obviously back again), and because the rmorphingprogram.exe had morphed I didn't know which one it was and i didn't want to guess and delete something vital.

Logfile of HijackThis v1.99.1
Scan saved at 17:46:57, on 14/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
c:\winnt\system32\jotqepl.exe
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ulfvaj] c:\winnt\system32\jotqepl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby 3162 » April 14th, 2005, 1:40 pm

Hi,
We don't normally butt into each other's Topic Fixes but ChrisRLG might not get back to you until later this evening.

Please create a new Folder in C:\ named Findits then download and unzip this file into the C:\Findits Folder
Find_It_s.zip
Open the Folder and double click FindIt's.bat
Then leave machine running until prompted to click any button to continue (or a text file opens)
Copy/paste the contents of that text file into your next post please.
Oh, and don't reboot ;)
User avatar
3162
MRU Emeritus
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby silverleaf » April 14th, 2005, 7:23 pm

That program doesn't want to run. I've tried to run it about 10 times, the last time I just left it for 4 hours but every time iives the same message:

General failure reading drive C
Abort, Retry, Fail?
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby 3162 » April 14th, 2005, 8:03 pm

That's odd. I just ran it again here on Win2k so the likelihood is that the malware is blocking it from running.
Let's get a fresh hijackthis log please, then we can end task on any running processes which might be interfering. Try not to reboot after posting the log.
thanks
User avatar
3162
MRU Emeritus
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby silverleaf » April 15th, 2005, 5:31 am

I left the computer on overnight and when I checked it this morning there was a Stop screen so I had to reboot. :evil:

When windows restarted about 70 IE windows opened one after the other... seemed to all be the same window but I don't know where they were trying to go as I wasn't connected. They would have kept on opening I think, but I used taskmanager to shut them down.

Also I thought I'd mention that last night Bullguard was reporting about every 5 minutes that nail.exe was trying to infect me. It blacks or quarentines the file but obviously it keeps coming back. Could this have something to do with why the FindIt's program doesn't want to work?

New HijackThis log coming up....

Logfile of HijackThis v1.99.1
Scan saved at 10:37:17, on 15/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
c:\winnt\system32\zrpcvoq.exe
F:\Programs\BullGuard 5.0\bullguard.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
c:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] c:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] c:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "f:\Programs\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bvigdj] c:\winnt\system32\zrpcvoq.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BullGuard 5.0] "F:\Programs\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {74EC0CB3-E304-11D4-AD00-00508BF6CCD1} (IMContainerG Control) - https://i10.uktransco.com/gals/galsmaps.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templa ... ontrol.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F6F16-5CBD-4FC5-92FA-EC49131572EC}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby ChrisRLG » April 15th, 2005, 5:57 am

Yes it could be the problem.

We think you may have a new infection. That does not mean that we can't fix you, but does mean that we may ask you to run a process or two to try to find out some info.

The smaller number of reboots you do the better, so please keep your machine turned on if possible.

I would like you to first try to zip up those two files and send them to 3162 AT spywarewarrior.com and also to cjwd-sub AT hostingatessex.com (Replace the AT with @ in both cases) - please if you are able add a link to this topic so we know what it resoonds too, and if you are able add a password to the zip file, which will hopefully stop any AV program from killing the copies as they make thier way to us.

This is the standard submission post I normally make but it mostly refers to winXP.

You have a number of files that we would like copies of - to check out and play with.

1. Using Windows Explorer, go to . Locate the first file you want to zip.

c:\windows\system\xxxxxx.exe

2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".

3. Then locate and right click on


c:\windows\system\xxxxxx.exe

4. Select "Copy".

5. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.

6. Repeat steps 3. to 5. for the following files

c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe

Note that the folder should have NN files in it if you found them all.

7. Right click on the zipped folder and select "Explore".

8. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

9. Please email to cjwd-subAThostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. add address of topic you are using

Paste it in the text field.

and send please.


Now take a look at this tutorial.

http://www.malwareremoval.com/forum/viewtopic.php?t=320
It is for a program called the killbox. Download and install it please.
We will use that later as one method of seeing if we can delete this.

First try endtasking the running process
c:\winnt\system32\zrpcvoq.exe

If that works - try running that findit bat file again.

If that works post back with that report and a new HJT log.


IF it does not:-
We are going to use the kill on reboot option for these:-

c:\winnt\system32\zrpcvoq.exe
C:\WINNT\Nail.exe

Use the option to delete on reboot - both files in the list before you do or allow the reboot to happen.

Then try the findit bat file again and post back with that and the a fresh HJT log.
Last edited by ChrisRLG on April 15th, 2005, 6:09 am, edited 1 time in total.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby 3162 » April 15th, 2005, 6:05 am

Hello again,
This is a new infection we're getting a handle on, so I'd like you to do a few things for me. It's early here so I'm on my home box but when I get to the shop in a few hours I'll reply again.

In the meantime, could you zip up and email me this file?
c:\winnt\system32\zrpcvoq.exe
and this one:
C:\WINNT\Nail.exe
You can send them to 3162 -at- spywarewarrior.com
If you can't zip, then send them as-is...they'll be small. I don't have AV turned on on that account, so they won't be stripped out.

EDIT...what ChrisRLG said ;)
User avatar
3162
MRU Emeritus
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby silverleaf » April 15th, 2005, 6:37 am

I can't add either file to WinZip.

I get the following error message.

Action: Add (and replace) files Include subfolders: yes Save full path: no
Include system and hidden files: yes
Adding Nail.exe
Warning: could not open for reading: C:\WINNT\Nail.exe
copying Zip file

When you say endtasking... do you mean using Killbox, or using taskmanager?
User avatar
silverleaf
Regular Member
 
Posts: 33
Joined: April 13th, 2005, 8:11 am

Unread postby ChrisRLG » April 15th, 2005, 6:43 am

When you say endtasking... do you mean using Killbox, or using taskmanager?


Taskmanager.

When killbox is used it will create a folder called submit! in the root of the c: drive - you may then be able to zip those files to be able to email.

Have you any idea what website you may have got this infection from. If we can trace the installer for this it will help us 1. Stop the website 2. Get the files for this to the AV companies.

What virus name did/does your AV report that nail.exe file as.

If that killbox instruction does not work we do still have other methods.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 36 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware