first party tracking cookies and hijackthislog

Post by kryptkat » August 19th, 2006, 8:57 am

Logfile of HijackThis v1.99.1
Scan saved at 7:15:59 PM, on 8/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\NFTprog9\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://****.com/search
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {****} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Internet Explorer Hot Fix - {****} - C:\WINDOWS\System32\kidmk.dll
O2 - BHO: (no name) - {****} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {****} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {****} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {****} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {****} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)




I did a lookup on 85.255.115.99 and it comes back to "Host Name........: 85.255.115.99-xbox.dedi.inhoster.com".
The toolbar "HPTOOLKT.DLL" and "NPDocBox.dll" look suspicious. One other unusual thing that happens is that when online,
if I open the "My Computer" icon and click "C:\", it will try to access an advertising company site, "crl.verisign.com". Even though
Control Panel and the Firefox browser are set to block all first-party and third-party cookies, I still get tracking cookies.
I searched to see what I could find on "Virus: TR/Pipas.A Type: Trojan" and believe it is associated with .spop.
It only said that the file signature has four-digit random characters, which I did not find, with a reg entry, according to Spybot, that does not exist
when I use regedit, even in Safe Mode.
kryptkat
Active Member
 
Posts: 7
Joined: August 16th, 2006, 7:26 pm
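The things a helper checks by eye in a log like the one above (registry-set NameServer addresses, services whose binary is "(file missing)", modules with short random-looking names in System32, and whether the CLSIDs are actually present) can be scripted. The Python below is an added example, not a MalwareRemoval.com, HijackThis or FixWareout tool. It assumes the HijackThis v1.99.1 line format shown in this thread ("Onn - ..."), embeds a constructed sample built from the posted lines with the poster's "{****}" redactions kept, and uses an all-zero placeholder GUID on the Acrobat line (not its real CLSID) so the well-formed-CLSID branch is exercised. The five-letter System32 heuristic mirrors FixWareout's "five digit" search and, as that tool's own report warns, also hits legitimate modules such as msdxm.ocx; a public resolver is reported for confirmation against the ISP's servers, not declared malicious.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not a MalwareRemoval.com tool)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (category, reason, offending log line)

# Constructed sample based on the log lines posted in this thread. CLSIDs were
# redacted to {****} by the poster; the all-zero GUID on the Acrobat line is a
# placeholder inserted here to exercise the well-formed-CLSID path, not the real value.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\NFTprog9\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://****.com/search
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Internet Explorer Hot Fix - {****} - C:\WINDOWS\System32\kidmk.dll
O3 - Toolbar: &Radio - {****} - C:\WINDOWS\System32\msdxm.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FIVE_LETTER_RE = re.compile(r"[a-z]{5}")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Keep only the 'Rn - ...' / 'Onn - ...' entries; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m["code"], "body": m["body"], "raw": line.strip()})
    return entries


def review(entries: List[Dict[str, str]]) -> List[Finding]:
    """Apply the checks a log reviewer does by hand and return one finding per hit."""
    findings: List[Finding] = []
    public_resolvers: Dict[str, str] = {}                     # ip -> first line that set it
    resolver_sets: Dict[str, List[str]] = defaultdict(list)   # NameServer value -> lines using it

    for e in entries:
        code, body, raw = e["code"], e["body"], e["raw"]

        # A helper cannot look up a CLSID or domain that has been replaced with ****.
        if "****" in body:
            findings.append(("unverifiable", "identifier redacted with ****; post the unedited log", raw))
        elif code in ("O2", "O3", "O9") and not CLSID_RE.search(body):
            findings.append(("malformed", "BHO/toolbar/button entry without a CLSID", raw))

        # O17: resolvers written into the registry. Private/loopback addresses are a LAN
        # router; anything public is reported once so the owner can confirm it is the ISP's.
        if code == "O17" and "NameServer =" in body:
            value = body.split("NameServer =", 1)[1].strip()
            resolver_sets[value].append(raw)
            for ip in IPV4_RE.findall(value):
                addr = ipaddress.ip_address(ip)
                if not (addr.is_private or addr.is_loopback):
                    public_resolvers.setdefault(ip, raw)

        # O23: a service entry whose executable no longer exists is a leftover to remove.
        if code == "O23" and body.endswith("(file missing)"):
            findings.append(("cleanup", "service still registered but its binary is gone", raw))

        # O2/O3: five-letter module names in System32, as in FixWareout's search.
        # Legitimate files match too (msdxm.ocx in the sample), so this is only "review".
        if code in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1]
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\system32\\" in path.lower() and FIVE_LETTER_RE.fullmatch(stem.lower()):
                findings.append(("review", f"five-letter module {stem} in System32; check it on VirusTotal", raw))

    for ip, raw in sorted(public_resolvers.items()):
        findings.append(("verify", f"registry-set public resolver {ip}; confirm it is your ISP's", raw))
    for value, lines in resolver_sets.items():
        if len(lines) > 1:
            findings.append(("verify", f"same NameServer pair on {len(lines)} interfaces: {value}", lines[0]))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count findings per category for a whole log."""
    counts: Dict[str, int] = defaultdict(int)
    for category, _, _ in review(parse_hjt(text)):
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, reason, raw in review(parse_hjt(SAMPLE_LOG)):
        print(f"[{category:12}] {reason}\n    {raw}")
```

Run against the sample it reports five redacted entries, the two five-letter System32 modules, the missing navapsvc.exe binary, the two public resolvers and the fact that the same pair is set on more than one interface; the Acrobat helper, which has a CLSID and lives under Program Files, produces nothing. Redacting the CLSIDs is what makes most of the log unverifiable, which is the point the helper in this thread keeps returning to.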

Post by Susan528 » August 19th, 2006, 12:09 pm

Hello kryptcat and Welcome to Malware Removal,

Let's start with the following:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by kryptkat » August 20th, 2006, 2:41 pm

Thank you for the response.

Downloaded fixwareout.exe and ran it. It tried to download bfu.zip while I was offline, which did not work too well. Downloaded it and ran it.
Ran the script xp-2k2.bfu, then read the report.txt:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\

...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* thequicklink C:\WINDOWS\System32\AEYGL.DLL

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMKPI.EXE 45,064 2002-08-29

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



Ran HijackThis again....


Logfile of HijackThis v1.99.1
Scan saved at 1:10:39 PM, on 8/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\NFTprog9\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://****.com/search
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {****} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Internet Explorer Hot Fix - {****} - C:\WINDOWS\System32\kidmk.dll
O2 - BHO: (no name) - {****} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {****} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {****} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {****} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {****} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)



AEYGL.DLL and DMKPI.EXE look suspicious, as does IDriverT.exe.
kryptkat
Active Member
 
Posts: 7
Joined: August 16th, 2006, 7:26 pm

Post by Susan528 » August 20th, 2006, 4:47 pm

Hi kryptcat,

I have a question about your hijackthis log. This is the first log I have ever seen with the **** in it. I cannot tell if entries are legitimate or not because the numbers are not there. Can you post (reply) with another hijackthis log without the **** please?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// **** .com/search
O2 - BHO: AcroIEHlprObj Class - {****} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Internet Explorer Hot Fix - {****} - C:\WINDOWS\System32\kidmk.dll
O2 - BHO: (no name) - {****} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {****} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {****} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {****} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O9 - Extra button: Spyware Doctor - {****} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {****} - C:\WINDOWS\System32\Shdocvw.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{****}: NameServer = 85.255.115.99,85.255.112.95
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by kryptkat » August 22nd, 2006, 1:40 pm

An update, a brief history and a few questions.

Update.
I wanted to check the behavior of the computer and take some time to test the results of running the bfu.exe. A few things that I noticed:

First, on logon to the internet the logon page no longer had advertisements in it. However, it also did not display the logon page half of the time; four of eight logons had to be done again to get the logon page.

Second, deploy.akamaitechnologies.com was a connection that the computer tried to make, I think after I ran the bfu.exe; I do not remember if it was before or after. With a little research I discovered that it is a company with a lot of computers that provides a service. But that does not explain why the computer tried to connect without asking from the firewall. All settings on this computer have all automatic updates turned off. I like to research the updates first, then do them manually.

Third, I noticed a lot of dll files and html files and a lot of folders in the recycle bin. All had random-looking characters. Recycle bin emptied.

Fourth, ran Spybot before and after each logon. No tracking cookies found so far.

Fifth, there are still some questionable entries from hijackthis.log, such as NameServer = 85.255.115.99,85.255.112.95, which comes back to "Host Name........: 85.255.115.99-xbox.dedi.inhoster.com". And the AEYGL.DLL and DMKPI.EXE look suspicious. That concludes the current behavior.

Before and after logon I always run Spybot. Any zip or file downloaded gets Norton AV run on it to check for viruses. I deleted the process and prog because it would not let me kill the process. Other AV also used. I view all files and all extensions. Java and JavaScript are off. Considering disabling JIT. A long time ago I ran an adware program that removed all of the MS games and spyware that came packaged with the computer.

Do not believe the computer is clean yet. I downloaded “trojanhunter”
kryptkat
Active Member
 
Posts: 7
Joined: August 16th, 2006, 7:26 pm

Post by Susan528 » August 22nd, 2006, 1:54 pm

Please understand that I want to help. But your hijackthis log with the {****} is not like any hijackthis log posted. Did you edit out the numbers? Would you please post (reply) with a log with the numbers?
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by Susan528 » August 23rd, 2006, 2:37 pm

You need to cooperate and give the numbers. I cannot help you if you are going to withhold information that would aid in cleaning up your computer. I would be wasting both your time and mine.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by kryptkat » August 24th, 2006, 12:29 pm

I wanted to let you know I read your last post. I am appreciative of your help and glad you want to help.

I think I spoke too soon. Last time I logged on, twice did the computer contact “.deploy.akamaitechnologies.com”
kryptkat
Active Member
 
Posts: 7
Joined: August 16th, 2006, 7:26 pm

Post by Susan528 » August 24th, 2006, 12:50 pm

http://www.malwareremoval.com/forum/viewtopic.php?t=233

This forum is dedicated to removal of malware. We work with people to remove it. We are volunteers who have spent countless hours training and learning to remove malware and assist others. Also we must continue learning to stay on top of new infections. But we expect others to cooperate with us in order for us to help them.

If you are wanting to learn, there is a link for the university. But it takes time and effort to learn!

Here is a tutorial on hijackthis. If you insist on not cooperating and trying to do everything yourself, you might start here.
http://www.bleepingcomputer.com/tutoria ... ial42.html
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by 'KotaGuy » August 24th, 2006, 2:17 pm

Since you are unwilling to follow instructions laid out by Susan to help YOU get YOUR computer clean, I am locking/archiving this topic.

If you want help from volunteers on forums you must learn to follow the instructions laid out by the helpers.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada