Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help

Unread postby bobl » June 13th, 2005, 12:54 pm

Help! Even after running S&D and Ad aware, successive runs just turn up more junk!
IE keeps reverting to some porn site as a homepage.

Logfile of HijackThis v1.99.1
Scan saved at 11:52:07 AM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\hobgslx.exe
C:\WINDOWS\system32\svhost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\program files\180searchassistant\sac.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\WINDOWS\system32\cmd.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\services.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [izin] C:\WINDOWS\izin.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [qnzyery] c:\windows\system32\hobgslx.exe r
O4 - HKLM\..\Run: [rkrkhyt] C:\WINDOWS\rkrkhyt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4. ... egular.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mc ... tPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4058212286
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... _v1-32.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm
Advertisement
Register to Remove

Unread postby zbestwun2001 » June 13th, 2005, 2:22 pm

Hi and welcome to the fourm,

Let's see if this doesn't help you out a bit?
============================================

Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.

===============
Download the Backdoor Agent cleanup utility from Symantec and follow the instructions on their page.
===============
Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

svhost.exe*
services.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============
Go to Add/Remove programs and remove(uninstall) the following, if present:

Desktop Search

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============
Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
c:\windows\system32\hobgslx.exe
C:\WINDOWS\system32\svhost.exe
C:\program files\180searchassistant\sac.exe
C:\Program Files\Common Files\services.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u Catcher.dll
regsvr32 /u vbrundll.dll
regsvr32 /u sachook.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\sachook.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [izin] C:\WINDOWS\izin.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [qnzyery] c:\windows\system32\hobgslx.exe r
O4 - HKLM\..\Run: [rkrkhyt] C:\WINDOWS\rkrkhyt.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4. ... egular.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...
C:\program files\180searchassistant
C:\Program Files\DNS
C:\WINDOWS\isrvs
C:\Program Files\webHancer

files...
c:\windows\system32\hobgslx.exe
C:\WINDOWS\system32\svhost.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\web.exe
C:\WINDOWS\system32\regsync.exe
C:\WINDOWS\izin.exe
C:\WINDOWS\rkrkhyt.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\winstall.exe
C:\WINDOWS\svcproc.exe

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Reboot and post back a new log, and let me know how everything goes.

Steve
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA

Unread postby bobl » June 13th, 2005, 4:33 pm

Well I must have missed something. desktop and ffisearch keep showing up even though the directory has been deleted. Heres the latest HJT file. let me know what you think...

Thanks mucho

Logfile of HijackThis v1.99.1
Scan saved at 3:27:23 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Palm\HOTSYNC.EXE
c:\windows\system32\jkwuuj.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [rlvipqn] c:\windows\system32\jkwuuj.exe r
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mc ... tPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4058212286
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... _v1-32.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby zbestwun2001 » June 13th, 2005, 4:45 pm

You've done excellent ... sometimes it will take a couple passes to get it all clean up. There were alot of entries that you did fix and only a few that didn't take the fix.

This time we will do it in Safe Mode.

=========================

Boot into Safe Mode.

=========================
Go to Add/Remove programs and remove(uninstall) the following, if present:

Desktop Search

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

=============================
Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
c:\windows\system32\jkwuuj.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============================
Run HiJackThis and click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [rlvipqn] c:\windows\system32\jkwuuj.exe r
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

==============================
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...
C:\WINDOWS\isrvs

files...
c:\windows\system32\jkwuuj.exe

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

=============================
Now exit Safe Mode and boot normally. Post back a new log, and let me know how everything goes.

Steve
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA

Unread postby bobl » June 13th, 2005, 6:19 pm

Steve

Boy, this is one persistent booger. Seems like half of what we zapped came right back. Even Hairy Granny's back! We've got to be missing something. What about nail.exe? or nwiz.exe?

Logfile of HijackThis v1.99.1
Scan saved at 5:14:38 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\fqjxvl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [hqjplnb] c:\windows\system32\fqjxvl.exe r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4. ... egular.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mc ... tPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4058212286
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... _v1-32.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for working with me. I consider myself pretty computer savvy, but this one is driving me nuts.

Bob
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby zbestwun2001 » June 13th, 2005, 6:26 pm

The question is how did you pick up the Nail.exe infection since the last log you posted?

This is not normal for this to happen when doing a fix. Are you doing anything on your own, if so please don't.

We will now attempt to get rid of this Nail.exe. There is a specific fix for this.
Please do not do anything but what I instruct you to do, thanks.

================================

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php? ... 5010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan

Steve
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA

Unread postby bobl » June 13th, 2005, 10:34 pm

OK, you're starting to scare me. I've done nothing up to this point but what you've instructed me to do. Are you saying this nail problem has nothing to do with my original ordeal? It all seemed to happen at the same time...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:46:03 PM, 6/13/2005
+ Report-Checksum: 58065E08

+ Date of database: 6/13/2005
+ Version of scan engine: v3.0

+ Duration: 91 min
+ Scanned Files: 148302
+ Speed: 27.03 Files/Second
+ Infected files: 97
+ Removed files: 60
+ Files put in quarantine: 60
+ Files that could not be opened: 0
+ Files that could not be cleaned: 37

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
E:\
F:\
C:\

+ Scan result:
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\mp3.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\mp3.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\mp3.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\mp3.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\mp3.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\mp3.ocx -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\Fonts\web.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINDOWS\imgthin.exe -> TrojanDownloader.VB.if -> Cleaned with backup
C:\WINDOWS\inst\3p_1n2.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch -> Cleaned with backup
C:\WINDOWS\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.Isearch.a -> Cleaned with backup
C:\WINDOWS\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINDOWS\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINDOWS\system32\djzhpxs.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINDOWS\system32\elitegjo32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitenzm32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitergp32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\nscD.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nshA.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsj83.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsn4E.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsv4A.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsx5.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsz341.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsz5.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\thn32.dll -> TrojanProxy.Small.bk -> Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@etype.adbureau[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@stat.onestat[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@gator[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@as1.falkag[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@x10[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@bravenet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@server.iad.liveperson[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@adserver.news.com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@web4.realtracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@bluestreak[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
F:\Sharonbackup\1\Lost Files\Recovered_Zip_317.ZIP/c:/documents and settings/sharon/cookies/sharon@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\mp3.ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ysbactivex.dll -> TrojanDownloader.IstBar -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\mp3.ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\ysbactivex.dll -> TrojanDownloader.IstBar -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\mp3.ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\mp3.ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\mp3.ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\mp3.ocx -> TrojanDownloader.Agent.ex -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar -> Error during cleaning
C:\WINDOWS\Fonts\web.exe -> Backdoor.Generic -> Error during cleaning
C:\WINDOWS\imgthin.exe -> TrojanDownloader.VB.if -> Error during cleaning
C:\WINDOWS\inst\3p_1n2.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\isrvs\delprot.sys -> Trojan.Delprot.a -> Error during cleaning
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Error during cleaning
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch -> Error during cleaning
C:\WINDOWS\isrvs\ffisearch.exe -> Spyware.Isearch -> Error during cleaning
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Error during cleaning
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.Isearch.a -> Error during cleaning
C:\WINDOWS\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Error during cleaning
C:\WINDOWS\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Error during cleaning
C:\WINDOWS\system32\djzhpxs.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Error during cleaning
C:\WINDOWS\system32\elitegjo32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\elitenzm32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\elitergp32.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\nscD.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nshA.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nsj83.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nsn4E.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nsv4A.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nsx5.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nsz341.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\nsz5.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\thn32.dll -> TrojanProxy.Small.bk -> Error during cleaning
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a -> Error during cleaning


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:20:27 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mc ... tPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4058212286
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/mp3.ocx
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... _v1-32.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


As you can see, much of what we got rid of is back. Are we back to square one?

Thanks for being patient.

Bob
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby zbestwun2001 » June 13th, 2005, 11:01 pm

Don't mean to scare you, It will be fine.

I won't be on again today but will post another fix for you tomorrow.

Didn't mean to scare you !!!

Steve
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA

Unread postby zbestwun2001 » June 14th, 2005, 9:15 am

No were are making progress.

-

Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.

===============
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u Catcher.dll
regsvr32 /u mfiltis.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/mp3.ocx

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\Program Files\DNS
C:\WINDOWS\isrvs

Search for...

*.sea

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.
Steve
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA

Unread postby bobl » June 14th, 2005, 6:16 pm

OK, here goes again. Spybot and adaware show clear, but my desktop is still locked to where I can't get my wallpaper back. IE still acting strange, but hairy granny gone (for now...). Lemme know what you think...

Logfile of HijackThis v1.99.1
Scan saved at 5:11:06 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mc ... tPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4058212286
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... _v1-32.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Bob
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby zbestwun2001 » June 14th, 2005, 6:54 pm

I have some questions.

When you boot up do you get a blue screen with a Smitfruad error message?

When you say the IE is acting strange please explain that for me?

The your log is clean at this point of malware now to figure out why it is still actiing up?

Steve
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA

Unread postby bobl » June 14th, 2005, 10:53 pm

When I first ran IE after the last clean, it would open up with an about:blank page rather than my defauld Google page. This is what it would do right before Hairy Granny appeared. I changed it in internet options to Google again, and am keeping my fingers crossed.

The blue desktop had a message telling me I had spyware (duh!) and I needed to clean it with their special program. Right. Another, or maybe the same, program calling itself SpySheriff kept re-installing itself and barfing all over the screen at the most inconvenient times. Nothing calling itself smitfraud, though. Presently, only the blue background shows, along with my screen icons. If I set adaware to run on reboot, I can see my normal desktop behind it, but the blue returns after I finish the scan.

Now, as I write this, Ewido is popping up telling me it's intercepting bad stuff and prompting me to clean it. I may not be out of the woods yet...

bob
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby bobl » June 14th, 2005, 10:54 pm

Hairy Granny's back. I'll run another scan and post. (sigh)
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby bobl » June 14th, 2005, 11:09 pm

She's baaaack......

rdgUS1742.exe looks a little suspicious to me. Mean anything to you?

Logfile of HijackThis v1.99.1
Scan saved at 10:07:41 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\FxRedir.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairy-granny.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {18387D19-1DAD-20AE-5219-456D3BD0FA00} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/mc ... tPrint.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4058212286
O16 - DPF: {74AA9FF8-4A2E-275D-556A-731E7B7B81E7} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... _v1-32.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby zbestwun2001 » June 15th, 2005, 12:47 pm

ahhhhhhhh, didn't see that .exe file there in the O16's thanks


maybe now this hairy grandma will go....:)

thanks
User avatar
zbestwun2001
Regular Member
 
Posts: 673
Joined: January 28th, 2005, 4:49 pm
Location: Southern California, USA
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware