Trojan Viruses and Popups

Post by dms » June 16th, 2005, 1:09 pm

A TrendMicro scan of my laptop indicated 2 viruses that cannot be cleaned: Troj Clicker.AQ and Troj Favadd.o - I am also experiencing various pop-ups on the machine that appear without the laptop being connected to the internet (not sure if these are connected to the viruses). My HijackThis log is pasted below - appreciate your help in cleaning my machine. Thanks,

Logfile of HijackThis v1.99.1
Scan saved at 1:06:46 PM, on 6/16/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\helper.exe
C:\WINNT\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a2 Scanner\a2\a2guard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2 Scanner\a2\a2guard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7DCC27-7303-43A2-B540-DE42AF870705}: NameServer = 204.127.160.3 12.102.240.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
dms
Active Member
 
Posts: 10
Joined: June 13th, 2005, 1:32 pm

Post by ChrisRLG » June 16th, 2005, 5:50 pm

Well, the log looks clean.

Where are the viruses being found on the machine? What type of popups do you get: what advert, what URL of the product, etc.?

Also, you are at least two service packs short of upgrades to this computer. Win2k is now at SP4.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by dms » June 16th, 2005, 9:34 pm

Thanks for your feedback. Trend Micro identified the following files as containing viruses:
C:\winnt\system32\helper.exe
C:\winnt\system32\ole32vsb.exe

The popups are for a series of products such as Slot Machines, Xanax, etc. and ask the user to click for more information; clicking then brings up http://www.instantsearch.exe. Ironically, I also get popups warning that my system is infected and that I should click here to get information about products to clean my system (sic!).

Post by ChrisRLG » June 17th, 2005, 3:55 am

Can you try a download of this AV:
http://www.ewido.net/en/download/

It has a free version with manual updates etc.

Run that and let me have a log from it please, along with a fresh HJT log.

Post by dms » June 17th, 2005, 10:31 am

Thanks again. Ewido found a number of items, including the Trojans reported earlier, but unlike Trend Micro it appeared able to eliminate them.
Here is the Ewido scan:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:29:06 AM, 6/17/2005
+ Report-Checksum: D5BAB88A

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 76 min
+ Scanned Files: 42782
+ Speed: 9.37 Files/Second
+ Infected files: 143
+ Removed files: 143
+ Files put in quarantine: 143
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@guide[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@S113241[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User\Cookies\administrator@S113245[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Cookies\administrator@guide[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Cookies\administrator@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Cookies\administrator@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Cookies\administrator@S113241[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Cookies\administrator@S113245[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\administrator@guide[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\administrator@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\administrator@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\administrator@S113241[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\administrator@S113245[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@16212326(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@16406281[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@26737040[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@51325817[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@56740052[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@69342832[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@73725051.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@7search.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ad4.lbn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@admaximize(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.at.adcenter[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.businessweek[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.cahners[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.fairfax.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.ft[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.intuit[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.link4ads[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.link4ads[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.orbitz[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.quicken[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads.quicken[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_admaximize(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_cahners(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_enliven(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_fairfax_com.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_forbes(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_ft(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_guardianunlimited_co.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_iboost.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_intuit(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_link4ads.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ads_worldpages(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ad_activeadv.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@avenuea(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@avenuea[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@bcentral[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@business2_ads_imaginemedia.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@campaigns.f2.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cgi-bin(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cgi-bin(2).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cgi-bin(3).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cgi-bin(4).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cgi-bin(5).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cgi-bin(6).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cookies.cmpnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@cookies.cmpnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@counter.mtree[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@enliven.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@eu-adcenter.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@exitfuel[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@gm.preferences[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@gm_preferences.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@icover.realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@imgis.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@linkexchange(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@linkexchange(2).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@linkexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@list[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@looksmart.com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@looksmart.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@lsads.looksmart.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@my_lygo(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ng3.ads.warnerbros[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@ngadcenter(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@nitrous.exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@oas-central.realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@preferences[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@preferences[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@pubs_mgn(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S001-00-3-12-108541-2010[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S0012-01-1-7-217494-47679.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S0012-01-1-7-217494-47679[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S002-00-6-21-150370-14504[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S002-00-8-24-150370-24067[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S002-00-8-25-156544-24240[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S002-00-8-9-150370-21987[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S003-01-2-15-224879-53982[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-00-5-8-135403-7349.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-00-9-12-185529-26803[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-00-9-15-156544-27301[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-00-9-19-156544-27873[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-00-9-19-156544-27873[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-5-4-245200-72994[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-5-7-245826-73467[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-6-13-253145-80989[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-6-20-233860-83572[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-6-28-254547-85605[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-8-1-233860-93722[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-8-2-233860-94033[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-9-4-275483-101362[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-9-4-275483-101370[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S005-01-9-7-276422-102035[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S009-00-12-20-203449-44541.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S009-00-12-20-203449-44547.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@S111746[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@specificpop[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@stats.klsoft[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@stats_klsoft.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@stats_superstats(1).txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@textomatic_mycomputer.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@track-star.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@track.jpost[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@tryaolfree[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@west.adlink[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@www.adorigin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@www.connectionzone[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@www_goclick.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler\Cookies\dstimler@www_real.txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\administrator@guide[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\administrator@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\administrator@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\administrator@S113241[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\administrator@S113245[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\dstimler@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\dstimler@dcss9l0ug21e5h6ugmb32ovpd_2s8i[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\dstimler@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dstimler.L-DSTIMLER02\Cookies\dstimler@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\popuper.exe -> Trojan.Small.ee -> Cleaned with backup
C:\WINNT\system32\ole32vbs.exe -> Trojan.Favadd.t -> Cleaned with backup
C:\WINNT\system32\wldr.dll -> TrojanDownloader.Agent.kf -> Cleaned with backup


::Report End

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:27 AM, on 6/17/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a2 Scanner\a2\a2guard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2 Scanner\a2\a2guard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7DCC27-7303-43A2-B540-DE42AF870705}: NameServer = 12.102.240.1 204.127.160.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Let me know what further action to take.
dms
Active Member
 
Posts: 10
Joined: June 13th, 2005, 1:32 pm

Unread postby ChrisRLG » June 17th, 2005, 11:59 am

Well that still looks clean - but does it now still have the popups etc.?

C:\WINNT\popuper.exe -> Trojan.Small.ee -> Cleaned with backup
C:\WINNT\system32\ole32vbs.exe -> Trojan.Favadd.t -> Cleaned with backup
C:\WINNT\system32\wldr.dll -> TrojanDownloader.Agent.kf -> Cleaned with backup

Those that were found were just cookies, except for the above, The cookies were not 'harmful' in themselves. Those three may have been your problem.

I suggest that you do a cleanup of all the temp files/folders and temp internet files.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.


Then post back with a new HJT log and a description of any problem you still have.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby dms » June 17th, 2005, 3:13 pm

I deleted Temp files. Unfortunately, the insidious popups remain. Below is a new HJT log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:04:38 PM, on 6/17/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a2 Scanner\a2\a2guard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2 Scanner\a2\a2guard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
dms
Active Member
 
Posts: 10
Joined: June 13th, 2005, 1:32 pm

Unread postby ChrisRLG » June 17th, 2005, 5:52 pm

See next post - :-

We are looking then for something hidden a little deeper than HJT can see.

  • Download FindRK-files.zip from here. http://skads.org/special/rkfiles.zip
  • Extract the RK-files.zip folder from zip to your desktop. (it cannot be run from the zip)
  • Reboot into safe mode. Open the RK-files folder.
  • Double click the "rkfiles.bat" icon. It can take a while to run. Leave it to do its work.
  • When the black cmd.exe window closes reboot your computer in "Normal Mode".
  • A log file was created. It is found at C:\Log.txt.
  • Locate the log and add it to your next post.
Last edited by ChrisRLG on June 17th, 2005, 6:11 pm, edited 1 time in total.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
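The post above makes the point that HijackThis only shows launch points it knows about, so a process can be running with no O4/O20/O23 line to account for it (the first log in this thread has C:\WINNT\System32\helper.exe running with no autostart entry, and that file later appears on the deletion list). The script below is an added example, not part of the original thread and not a HijackThis or forum tool: it parses a log in the HijackThis 1.99 format, cross-references the "Running processes" list against the O4 Run/Startup and O23 service paths, and reports processes nothing accounts for. The sample log is constructed for the example from the shape of the poster's logs; the system root of C:\WINNT and the set of core Windows 2000 processes are assumptions.

```python
"""Find running processes a HijackThis 1.99 log cannot account for."""
import re
from typing import List, Set, Tuple

# Constructed sample in the HijackThis 1.99.1 log format (not a verbatim log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP2 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\services.exe
C:\\WINNT\\Explorer.EXE
C:\\WINNT\\System32\\helper.exe
C:\\WINNT\\System32\\tp4serv.exe
C:\\Program Files\\NavNT\\vptray.exe
C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe

O4 - HKLM\\..\\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\\WINNT\\System32\\NavLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
"""

# Assumption: system root is C:\WINNT as in the poster's logs. These are
# processes Windows 2000 starts itself; HijackThis 1.99 hides Microsoft
# services, so they never get an O23 line either.
SYSTEM_ROOT = "c:\\winnt"
CORE_BASENAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "regsvc.exe", "mstask.exe",
    "winmgmt.exe", "mspmspsv.exe",
}

# O4 Run values: "[name] path args", path optionally quoted or a bare name.
_RUN_RE = re.compile(r'^O4 - .*?\]\s*"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# O4 startup-folder shortcuts: "Name.lnk = path".
_LNK_RE = re.compile(r'^O4 - .*?\.lnk\s*=\s*(.+?\.exe)\s*$', re.IGNORECASE)
# O20/O23: the image path is the last " - " separated field.
_DASH_RE = re.compile(r'^O2[03] - .* - (.+?\.exe)\s*$', re.IGNORECASE)


def parse_hjt(log_text: str) -> Tuple[List[str], List[str]]:
    """Return (running process paths, autostart image paths) from a log."""
    processes: List[str] = []
    autostarts: List[str] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        for rx in (_RUN_RE, _LNK_RE, _DASH_RE):
            m = rx.match(line)
            if m:
                autostarts.append(m.group(1))
                break
    return processes, autostarts


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_orphans(log_text: str) -> List[str]:
    """Running processes with no autostart entry that explains them.

    Matching is by file name because a Run value may hold a bare name such
    as 'tp4serv.exe' that Windows resolves through the PATH. Core OS
    processes are accepted only when they run from under the system root,
    so a look-alike dropped in another directory is still reported.
    Interactive programs (the browser, HijackThis itself) will also be
    listed; the output is a list to look at more closely, not a verdict.
    """
    processes, autostarts = parse_hjt(log_text)
    known: Set[str] = {_basename(p) for p in autostarts}
    orphans: List[str] = []
    for proc in processes:
        name = _basename(proc)
        if name in known:
            continue
        if name in CORE_BASENAMES and proc.lower().startswith(SYSTEM_ROOT + "\\"):
            continue
        orphans.append(proc)
    return orphans


if __name__ == "__main__":
    for path in find_orphans(SAMPLE_LOG):
        print("no visible autostart for:", path)
```

On the constructed sample the only report is C:\WINNT\System32\helper.exe, which is exactly the kind of entry the thread goes on to hunt for with tools that look deeper than HijackThis.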

Unread postby ChrisRLG » June 17th, 2005, 6:10 pm

See next post please.

Adding a bit - :-

Please Download RKFiles.zip

Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder.

Restart to safe mode. (tap f8 key during bootup)

Open the C:\Antispyware\RKFiles folder
Double click on RKFILES.BAT

Give it time to run. this may take a while.
Save the text file it creates.
It should save by default to C:\Log.txt

Next, open the QOOLOGIC Folder and Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, post it in a reply to your thread after doing the rest of what follows here.
It'll take a while to run a full scan so please be patient.

Restart into regular Windows mode and post the contents of C:\log.txt and the find-qoologic results.
Last edited by ChrisRLG on June 18th, 2005, 5:08 am, edited 2 times in total.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » June 18th, 2005, 3:27 am

hi.

Its been pointed out I missed a sign of an infection. (Thanks Nonsuch).

====================

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby dms » June 19th, 2005, 7:40 am

Thanks for the help - I found the last set of instructions a little confusing re using Killbox. I was able to run RKFILES.BAT and post the result below:

C:\Antispyware\RKFiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\locate.com: WAUPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye

Next, I ran QOOLOGIC and post the resulting text file below:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINNT\VSAPI32.DLL
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\STRINGS.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f842b1

Global Startup:
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

I ran smitfraud.reg and while Virtual Maid appeared in the list of programs in ADD/REMOVE Programs, attempted deletion indicated that only the file name appeared in the program list, the program had already been deleted (the current pop-up infection seems traceable to the time when I had the Search Maid browser hijack that I was able to delete).

I downloaded Killbox but was not sure which Notepad I should be opening (both RKFiles.bat and QOOLOGIC generate Notepads). I was not sure how to proceed to use Killbox - I pasted the file paths in your email to the clipboard, selected "Paste from Clipboard" but then got an error about entering the file for deletion. Let me know how to proceed from here. Thanks.
dms
Active Member
 
Posts: 10
Joined: June 13th, 2005, 1:32 pm

Unread postby ChrisRLG » June 19th, 2005, 7:47 am

Can I have a new hijackthis log please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby dms » June 19th, 2005, 8:12 am

Oops - here is new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:13:40 AM, on 6/19/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a2 Scanner\a2\a2guard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2 Scanner\a2\a2guard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7DCC27-7303-43A2-B540-DE42AF870705}: NameServer = 12.102.244.1 204.127.129.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.corp.scient.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = scient.com,ixl.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: VPN 5000 Service 1.00.00 (VPN5000Service) - Unknown owner - C:\Program Files\IntraPort Client\vpn5000service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
dms
Active Member
 
Posts: 10
Joined: June 13th, 2005, 1:32 pm

Unread postby dms » June 23rd, 2005, 8:59 am

Have not heard back since my last post and wondering if any additional information was needed to assist with the problem? Thanks.
dms
Active Member
 
Posts: 10
Joined: June 13th, 2005, 1:32 pm

Unread postby ChrisRLG » June 23rd, 2005, 9:08 am

Sorry - I must have missed the email - I will check tonight (I should be working now).
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK