954,229 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
6 Years Ago
0

IE Hijack - Can't shake it

I'm not exactly sure what I'm infected with, but when I do a search in google and click on a link - I'm not taken to the url of the link, but I am redirected to various ads.

After realizing I was infected, I restarted in safe mode and ran Spybot and Trend Micro's Anti-Spyware app. Those seemed to get rid of most of the major problems. I can't get rid of this explorer hijack though.

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:26 AM, on 10/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Server\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
D:\Server\Apache2\bin\Apache.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\PS Hot Folders\PSHotFolders.exe
D:\Program Files\PS Hot Launch VVL\PSHotLaunchVVL.exe
D:\Server\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Skyfrm\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Skyfrm\LOCALS~1\Temp\Adobelm_Cleanup.0001
D:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Skyfrm\Desktop\hijackthis\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [awxDTools] rundll32 D:\PROGRA~1\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [PS Hot Folders] D:\Program Files\PS Hot Folders\PSHotFolders.exe
O4 - HKCU\..\Run: [PS Hot Launch VVL] D:\Program Files\PS Hot Launch VVL\PSHotLaunchVVL.exe
O4 - HKCU\..\Run: [DriveCrypt Startup] C:\Program Files\DriveCrypt\DriveCrypt.exe /WS
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Server\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: SnagIt 7.lnk = D:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119592881205
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Apache2 - Unknown owner - D:\Server\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DriveCrypt Service (DriveCryptService) - Unknown owner - C:\Program Files\DriveCrypt\DcrServ.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP55AGSVC - Unknown owner - C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe (file missing)
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

Sentient
Newbie Poster
2 posts since Oct 2005
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

Your log indicates the presence of two files named "svchost.exe"; one in your C:\WINDOWS\system32 folder, and one in your C:\WINDOWS folder. Only the one in C:\WINDOWS\system32 is legit; the other is almost certainly malicious.

There are probably other infectious components still present in your system as well. Please download, install, and run the following two utilities:

Microsoft Antispyware beta
ewido Security Suite

Be sure to use each program's automatic update feature to get the most current detection databases installed before actually running the scans/fixes. If you initially receive a warning message from ewido saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run the full system scan.

Once you've done the above, run HijackThis again and post the new log. Also post the scan report log that ewido generated.

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
 
6 Years Ago
0

Logfile of HijackThis v1.99.1
Scan saved at 1:22:07 AM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Server\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Server\Apache2\bin\Apache.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\PS Hot Folders\PSHotFolders.exe
D:\Program Files\PS Hot Launch VVL\PSHotLaunchVVL.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
D:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\AIM\aim.exe
D:\Program Files\Winamp\Winamp.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Skyfrm\Desktop\hijackthis\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [awxDTools] rundll32 D:\PROGRA~1\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "D:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [PS Hot Folders] D:\Program Files\PS Hot Folders\PSHotFolders.exe
O4 - HKCU\..\Run: [PS Hot Launch VVL] D:\Program Files\PS Hot Launch VVL\PSHotLaunchVVL.exe
O4 - HKCU\..\Run: [DriveCrypt Startup] C:\Program Files\DriveCrypt\DriveCrypt.exe /WS
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Server\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: SnagIt 7.lnk = D:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119592881205
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - D:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Apache2 - Unknown owner - D:\Server\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DriveCrypt Service (DriveCryptService) - Unknown owner - C:\Program Files\DriveCrypt\DcrServ.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: WMP55AGSVC - Unknown owner - C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe (file missing)
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:48:52 AM, 10/4/2005
+ Report-Checksum: E915D84F

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{9D573D0E-663C-435F-BF31-2C4497373C41}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{110FA82F-DB6C-3C24-8929-60961D10C56E} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1417001333-1844823847-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-1417001333-1844823847-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-1417001333-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-1417001333-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1417001333-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1417001333-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B83FC273-3522-4CC6-92EC-75CC86678DA4} -> Spyware.CnsMin : Cleaned with backup
[1128] VM_00D60000 -> TrojanDownloader.Agent.uj : Error during cleaning
[1152] VM_00BF0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3396] VM_009D0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3484] VM_00810000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3528] VM_003A0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3540] VM_00910000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3564] VM_00390000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3784] VM_00F00000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3888] VM_009D0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[2868] VM_014F0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3004] VM_003D0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3256] VM_00840000 -> TrojanDownloader.Agent.uj : Error during cleaning
[3916] VM_003C0000 -> TrojanDownloader.Agent.uj : Error during cleaning
[4036] VM_00B10000 -> TrojanDownloader.Agent.uj : Error during cleaning
[2880] VM_003F0000 -> TrojanDownloader.Agent.uj : Error during cleaning
C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$hf_mig$\KB887472\spuninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$hf_mig$\KB887472\update\update.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$hf_mig$\KB898461\spuninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$hf_mig$\KB898461\update\update.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\iun6002.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\LOOP.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\spuninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\SoftwareDistribution\Download\126638ad80a740243aeee66683d803a7\update\update.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\bndmod.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\hlmicro.exe -> Spyware.Msnagent : Cleaned with backup
C:\WINDOWS\system32\hwiper.exe -> Trojan.Qhost.dv : Cleaned with backup
C:\WINDOWS\system32\javaws.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\keystone.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\NeroCheck.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvappbar.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvcolor.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvdspsch.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvudisp.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvuide.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\NVUNINST.EXE -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvunrm.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\nvusmb.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\OALINST.EXE -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\QuickTime\QTPluginInstaller.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\system32\WISPTIS.EXE -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Temp\CRF000\Binary\Drivers\wdm\common\i386\CtPanel.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Temp\CRF000\Binary\Drivers\wdm\common\i386\oalinst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Temp\CRF000\Binary\DrvInst\Setup.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Temp\CRF000\Binary\MasterInst\New\Setup.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Temp\CRF000\Binary\MasterInst\Old\Setup.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Temp\CRF000\Setup.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\uninst.exe -> Worm.Hidrag : Cleaned with backup
C:\WINDOWS\Uzerox_bs.exe -> Worm.Hidrag : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@ehg-ipswitchinc.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@ehg-warnerbrothers.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@gettyimages.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@microsofteup.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Skyfrm\Cookies\skyfrm@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End


This is definitely no good ... many of my exes seem to be infected with hidrag. heh. I'm guessing there is no way to mass un-infect exe's? :(

Sentient
Newbie Poster
2 posts since Oct 2005
Reputation Points: 10
Solved Threads: 0
 
6 Years Ago
0

1. In your latest log, I don't see anything indicating that you installed MS Antispyware beta. Did you install and run that program in addition to ewido? If not, please do that now.


2. Click Start – Run - and type in:

services.msc

Click OK.

In the services window find: Power Manager (PowerManager)

Right click and choose Properties. On the General tab under Service Status click the Stop button to stop the service. Beside Startup Type in the dropdown menu select Disabled. Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


3. Boot into Safe Mode.

a) Open Hijack This and click on the "Open Misc Tools section" button. Click on the "Delete an NT Service" button.

Copy and paste this line in that box:

PowerManager

Click OK.

b) Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


4. While still in Safe Mode, run full scans/fixes with both ewido and MS Antispyware.


5. Reboot normally, run HijackThis again, and post the new log. Also let us know if the original problem still persists.

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed