943,691 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > Help
Ad:
Permalink
Jul 30th, 2005
0

Help

Expand Post »
I have up to date virus, spy and ad ware, however a few items are being missed and or there picking it up and will not let me do anything with them except stop or exclude. Any help would be greatly appreciated.

1. On startup - Windows cannot find C\windows\system32\services\services.exe
Also on startup this virus alert comes up.
Exploit-mhtRedir.gen

2. C:\windows\system32\bulrkfb.exe
C:\windows\system32\lwkkg.dll
C:\windows\system32\patch.exe

Thank you
Steve
Reputation Points: 10
Solved Threads: 0
Newbie Poster
coots is offline Offline
4 posts
since Jun 2005
Permalink
Jul 30th, 2005
1

Re: Help

Hi,
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.

Download CCleaner and install it. Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.


Download HijackThis and unzip it to dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and saves the log file as hijackthis.log in the same folder where it is installed and it also opens the file automatically.
Copy the entire contents of the file and post it here along with Ewido log.
Reputation Points: 25
Solved Threads: 51
Practically a Master Poster
swatkat is offline Offline
642 posts
since Jul 2005
Permalink
Jul 30th, 2005
0

Re: Help

Swatkat,
First, thank you for the help. I followed your instructions and here are the logs.


Logfile of HijackThis v1.99.1
Scan saved at 5:36:33 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\Spyware Nuker 2004\swn2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\GetSmile\GetSmile.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://auto.ie.searchforge.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mdd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://auto.ie.searchforge.com/
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\services.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "community.centurytel.net"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nxl24m7i.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nxl24m7i.slt\prefs.js)
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B8B3226-EB67-0AC6-8052-62550BAD2F4D} - C:\WINDOWS\System32\lwkkg.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {C51E31FA-4D36-48C2-BFEC-BCD18D3FF594} - C:\WINDOWS\System32\mdd.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Owner\My Documents\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [GetSmile] C:\Program Files\GetSmile\GetSmile.exe
O4 - HKCU\..\Run: [Nuae] C:\Documents and Settings\Owner\Application Data\atpe.exe
O4 - HKCU\..\Run: [Yvzz] C:\WINDOWS\System32\bulrkfb.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54061BF5-8205-4862-90E0-2F35BBB73FF3}: NameServer = 207.230.192.251 209.206.184.249
O18 - Filter: text/plain - {95C6C792-AA1A-4A87-BF6C-596F02A32746} - C:\WINDOWS\System32\mdd.dll
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:24:39 PM, 7/30/2005
+ Report-Checksum: 38240EF1

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{01A9EB7C-69BC-11D2-AB2F-204C4F4F5020} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\MailHook.MailTo -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\MailHook.MailTo\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\MailHook.MailTo\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{01A9EB70-69BC-11D2-AB2F-204C4F4F5020} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindowsUpdate -> Spyware.BrowserAid : Cleaned with backup
HKU\S-1-5-21-1004336348-1645522239-839522115-1003\Software\{2CF0B992-5EEB-4143-99C0-5297EF71F444} -> Spyware.BrowserAid : Cleaned with backup
C:\Program Files\iWon\iWonBar\1.bin\IWON2NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\Program Files\iWon\iWonBar\1.bin\NPIWON0.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc154.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc156.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc163.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc168.txt -> Spyware.Cookie.Enliven : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc172.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc173.txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc174.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc179.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc185.txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc187.txt -> Spyware.Cookie.180solutions : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc188.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc194.txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc205.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc211.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc212.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc221.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc223.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc226.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc227.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc229.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc234.txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc242.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc243.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc261.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc269.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc270.txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc288.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc290.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc295.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc300.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc301.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc306.txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc322.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc323.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc328.txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc342.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc349.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc350.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc352.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc407.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\RECYCLER\S-1-5-21-3486298598-3830921159-470424338-1006\Dc439.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__bulrkfb.exe -> TrojanDownloader.PurityScan.i : Cleaned with backup


::Report End


Steve
Reputation Points: 10
Solved Threads: 0
Newbie Poster
coots is offline Offline
4 posts
since Jun 2005
Permalink
Jul 31st, 2005
0

Re: Help

Hi,

Open NotePad, and copy the contents of the below "Quote" box:-
Quote ...
cd %windir%
attrib -s -r -h uptodate.exe
del uptodate.exe
cd System32
attrib -s -r -h lwkkg.dll
del lwkkg.dll
attrib -s -r -h mdd.dll
del mdd.dll
attrib -s -r -h bulrkfb.exe
del bulrkfb.exe
attrib -s -r -h STLBCL~1.DLL
del STLBCL~1.DLL
cd services
attrib -s -r -h services.exe
del services.exe
Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.


Download CleanUp! and install it, do not run it now.

Download CWShredder. Download SpSeHjfix to the Desktop and then right click a blank part of Desktop & select new folder, call it spfix unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.

Run SpSeHjfix112 and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder, and click "Fix" button.

Now, run CleanUp!, click the "Options" button. Here move the "Quick Setup" slider to "Thorough CleanUp!" and click "OK" to warning message. Exit from Options and in the main window, click "CleanUp!" to start cleaning. After cleaning, click "Close" and choose "NO" to avoid the restart or logoff.


Make Windows to show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Uninstall this Software from Add/Remove Programs in Control Panel:-
Spyware Nuker
My Web Seacrh
BrowserAid or BrowserPal


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://auto.ie.searchforge.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mdd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://auto.ie.searchforge.com/
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\services.exe
O1 - Hosts: 127.0.0.0 localhost
O2 - BHO: (no name) - {1B8B3226-EB67-0AC6-8052-62550BAD2F4D} - C:\WINDOWS\System32\lwkkg.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {C51E31FA-4D36-48C2-BFEC-BCD18D3FF594} - C:\WINDOWS\System32\mdd.dll (file missing)
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Owner\My Documents\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail
O4 - HKCU\..\Run: [Nuae] C:\Documents and Settings\Owner\Application Data\atpe.exe
O4 - HKCU\..\Run: [Yvzz] C:\WINDOWS\System32\bulrkfb.exe
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
O18 - Filter: text/plain - {95C6C792-AA1A-4A87-BF6C-596F02A32746} - C:\WINDOWS\System32\mdd.dll
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt


Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Exit from HijackThis. Delete this file:-
C:\Documents and Settings\Owner\Application Data\atpe.exe

Delete these folders:-
C:\Program Files\MyWebSearchWB
C:\Documents and Settings\Owner\My Documents\Spyware Nuker 2004



Reboot the PC to normal mode. Run HijackThis, click the "Do a system scan and save log" button, and post the log here along with SpSeHjFix log.
Reputation Points: 25
Solved Threads: 51
Practically a Master Poster
swatkat is offline Offline
642 posts
since Jul 2005
Permalink
Jul 31st, 2005
0

Re: Help

Swatcat,
Did what you instructed. Of the three program to uninstall spyware nuker was the only one found. File atpe.exe was not found however, I did find atpe.exe_.mcq in program files under Mcafee virus scan. left it alone. Under Hijacker seven items that you had listed were not listed on my scan, however everything else was checked. Here are the log files. By the way, I lost all my book marks and no I do not have a recent back up.

Thank You
Steve


Logfile of HijackThis v1.99.1
Scan saved at 2:12:25 PM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\GetSmile\GetSmile.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "community.centurytel.net"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nxl24m7i.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nxl24m7i.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [GetSmile] C:\Program Files\GetSmile\GetSmile.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



(7/31/05 12:22:31 PM) SPSeHjFix started v1.1.2
(7/31/05 12:22:31 PM) OS: WinXP Service Pack 2 (5.1.2600)
(7/31/05 12:22:31 PM) Language: english
(7/31/05 12:22:31 PM) Win-Path: C:\WINDOWS
(7/31/05 12:22:31 PM) System-Path: C:\WINDOWS\system32
(7/31/05 12:22:31 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(7/31/05 12:22:38 PM) Disinfection started
(7/31/05 12:22:38 PM) Bad-Dll(IEP): c:\windows\system32\mdd.dll
(7/31/05 12:22:38 PM) BHO: {C51E31FA-4D36-48C2-BFEC-BCD18D3FF594} C:\WINDOWS\System32\mdd.dll
(7/31/05 12:22:38 PM) BHO-deleted
(7/31/05 12:22:38 PM) BHO-CLSID-Key deleted
(7/31/05 12:22:38 PM) UBF: 5 - UBB: 2 - UBR: 25
(7/31/05 12:22:38 PM) FilterKey: HKCR\text/plain (deleted)
(7/31/05 12:22:38 PM) FilterKey: HKCR\CLSID\{95C6C792-AA1A-4A87-BF6C-596F02A32746} (deleted)
(7/31/05 12:22:38 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/31/05 12:22:38 PM) UBF: 4 - UBB: 2 - UBR: 25
(7/31/05 12:22:38 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\mdd.dll/sp.html
(7/31/05 12:22:38 PM) Stealth-String not found
(7/31/05 12:22:38 PM) File added to delete: c:\windows\system32\mdd.dll
(7/31/05 12:22:38 PM) Reboot
Reputation Points: 10
Solved Threads: 0
Newbie Poster
coots is offline Offline
4 posts
since Jun 2005
Permalink
Aug 3rd, 2005
0

Re: Help

Hi,

Sorry for replying late. Had some problems here http://img132.imageshack.us/img132/133/stress9sm.gif , first my SMPS went kaput and then Modem due to power surges because of heavy rain i am really sorry that you lost your bookmarks, but there is a hope, PC Inspector File Recovery can be used to recover deleted files. It is one of the powerful tool to recover deleted data and it's also a freeware.
By the way, your log looks clean
Reputation Points: 25
Solved Threads: 51
Practically a Master Poster
swatkat is offline Offline
642 posts
since Jul 2005
Permalink
Aug 4th, 2005
0

Re: Help

Swatkat,
Thank you for all your help. Computer is running very well now. I,ll give that recovery program a try. Have a good weekend.

Thanks Again,
Steve
Reputation Points: 10
Solved Threads: 0
Newbie Poster
coots is offline Offline
4 posts
since Jun 2005

This thread is solved

Either the thread starter or a moderator has marked this thread as solved. You can most likely trust the responses and answers given. There is most likely no reason for any further responses to be posted here. If you have a related question, please start a new thread in this forum instead.

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Symantec Email Proxy!
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: starware popups and redirect





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC