0

:-| Norton found this download trojan 11 times on my laptop and can't clean it even on safe mode... When I set up our new broadband connection at work I was horrified to get a porn links page popup instead of the ISP's home page... I've never gone to any porn sites or music download sites at work so i dunno where it came ffrom...

I'd appreciate any help you guys can offer. You've saved my posterior in the past with great patience and good humour, so can you help out again, please?

Go raibh maith agat!

Geezer

2
Contributors
11
Replies
12
Views
11 Years
Discussion Span
Last Post by geezer
0

Ay up Tayspen!

Thanks for the quick reply... I know you just Love these HJT logs so here goes...

Logfile of HijackThis v1.99.1
Scan saved at 15:37:59, on 3/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\windows\mousepad4.exe
C:\survey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\MCYP\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GoogleCatch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - C:\Program Files\2search\2search.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [REGRUN] C:\survey.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [2Search] C:\Program Files\2search\main.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

There is some improvement... Ithink that whatever was opening the porn links page can't find it any more...

Anyway, good luck with that log and thanks for your help...

Slan abhaile agus adh mor ort!

0

I know you just Love these HJT logs so here goes...

Oh yes, I love em ;).

Ok, lets get started, first I will let you know that your Internet explorer is out of date. You can run Windows Update to fix this.

Next lets boot into safe mode, and configure windows to show hidden files/folders. to do that the the following.


1 Click the Start Button

2 In the Start menu click Control Panel

3 In the Control panel Window click the Folder Options Icon

4 The folder Options Window will now Open

5 Click the View Tab

6 In the view tab window look down the list for a section marked Hidden Files and Folders

7 Enable the option Show Hidden Files and Folders by left clicking the radio button on the

left of the option with your mouse. Then uncheck Hide protected operating system files.

CLick yes to the dialog.

8 Press the Apply button

9 On the next screen press OK to exit

10 You should now be able to view the hidden files and folders.

------------------------

1. If the computer is running, shut down Windows, and then turn off the power
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start

tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the

list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.

When in safe mode, run HJT again, and check the following items.


C:\survey.exe

C:\windows\mousepad4.exe

C:\Program Files\webHancer\Programs\whagent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O2 - BHO: GoogleCatch.clsIESpy - {4508E20C-ACAD-11D2-9FC0-00550076E06F} - C:\Program Files\2search\2search.dll

O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe

O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe

O4 - HKLM\..\Run: [REGRUN] C:\survey.exe

O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe

O4 - HKLM\..\Run: [2Search] C:\Program Files\2search\main.exe

O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

Close All Browers, and click Fix Checked

---------------------------------------

Then go to Start>Control panel>Add/Remove Programs. Remove

webHancer

and

2search

if they are there.

------------------------------------------------

This next step is critical, Please browse to and delete these files.

C:\survey.exe

C:\windows\mousepad4.exe

C:\Program Files\webHancer\Programs\whagent.exe

C:\Program Files\2search\2search.dll

C:\WINDOWS\DH.dll

C:\windows\keyboard4.exe

C:\windows\newname4.exe

C:\Program Files\2search\main.exe

Some files may not be there if the programs were in the Add/Remove programs list.

Empty the recycle bin

---------------------------------------------------

Reboot normally

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

----------------------------------------------------

Then please post a new HJT log, and the ewido log.


Thanks

0

Thanks Tayspen!

I got as far as "empty recycle bin" tonight as I can only access the web by wireless, this evening, which i don't have on the work laptop...

I really appreciate you going through the HJT log, I have only the vaguest inkling of what a pain in the arse it must be... ;)

Anyway, couple of things happenned...

On running HJT in safe mode it said
"HJT cannot repair 010 Winsock LSP entries. You should use LSPFix for thatwhich is available from http://www.cexx.org/lspfix.htm

If the 010 item belongs to webhancer, new.net or commonname, SpybotS&D can remove it automatically..."


Also I couldn't find whagent.exe in Webhancer/programs... "whinstaller.exe"was there along with "webhdll.dll" (labelled 3.8.1.0 webHancer Winsock2 SPI)

2search.dll was not to be found either though there was "get.exe" and "uninstall.exe"

These all looked pretty suss but I didn't delete them just in case.

I also found a whole bunch of suspicious stuff:

drsmartload2.dat
keyboard41.dat
installer.exe
keyboard21.dat
newname.dat
keyboard11.dat
gimmegames9.exe
gimmegames1.dat

There was more stuff I found the other day before contacting International Rescue @ Daniweb (wierd folders called lots of numbers and letters full of web pages and jpegs for sites about celebrities that I never visited) I moved them all to a folder in My Documents as a kind of quarantine.

Anyway, I'll do the ewido scan when I get a chance, Thanks again

Go Raibh maith agat agus adh mor ort!

0

Ay up, Tayspen... I managed to work out a way of getting ewido onto the other laptop without using the net...

Wow! ewido really kicks! It asked if I wasnted to delete a couple of things that had nasties embedded in them that it couldn't clean on their own. I told it "what the hell wipe em out..."

here's the log:

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          00:20:35, 3/25/2006
 + Report-Checksum:     51BF443C

 + Scan result:

    HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup
    HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup
    HKU\S-1-5-21-840360825-2317538923-1809067083-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4508E20C-ACAD-11D2-9FC0-00550076E06F} -> Adware.2Search : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\MCYP\Application Data\Mozilla\Firefox\Profiles\2eicetx9.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\MCYP\Application Data\Mozilla\Firefox\Profiles\2eicetx9.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\MCYP\Desktop\HijackThis\backups\backup-20060324-222123-370.dll -> Adware.WebHancer : Cleaned with backup
    C:\Documents and Settings\MCYP\Desktop\HijackThis\backups\backup-20060324-222123-689.dll -> Adware.2Search : Cleaned with backup
    C:\Documents and Settings\MCYP\Local Settings\TEMP\installer.exe -> Dropper.PurityScan.q : Cleaned with backup
    C:\Documents and Settings\MCYP\mt-uninstaller.exe -> Adware.PurityScan : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\AYIP0XMP\d72[1].exe -> Downloader.Adload.q : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\AYIP0XMP\d72[2].exe -> Downloader.Adload.q : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\AYIP0XMP\mousepad1[1].exe -> Hijacker.VB.li : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\AYIP0XMP\winsysupd11[1].exe -> Trojan.VB.ajo : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\LJEY96IG\gimmygames11[1].exe -> Downloader.Adload.u : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\LJEY96IG\gimmygames12[1].exe -> Downloader.Adload.v : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\LJEY96IG\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\mt-uninstaller.exe -> Adware.PurityScan : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\PGQXCIYV\d72[1].exe -> Downloader.Adload.t : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\PGQXCIYV\drsmartload[1].exe -> Downloader.VB.wr : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\PGQXCIYV\drsmartload[2].exe -> Downloader.VB.wr : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\PGQXCIYV\winsysban12[1].exe -> Hijacker.VB.li : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@ehg-sonyesolutions.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\sony@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\X1JSPJA7\gimmygames9[1].exe -> Downloader.VB.ww : Cleaned with backup
    C:\gimmygames11.exe -> Downloader.Adload.u : Cleaned with backup
    C:\gimmygames12.exe -> Downloader.Adload.v : Cleaned with backup
    C:\gimmygames9.exe -> Downloader.VB.ww : Cleaned with backup
    C:\inst32.exe -> Downloader.Adload.t : Cleaned with backup
    C:\mousepad1.exe -> Hijacker.VB.li : Cleaned with backup
    C:\mt-uninstaller.exe -> Adware.PurityScan : Cleaned with backup
    C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
    C:\Program Files\2search\get.exe -> Adware.2Search : Cleaned with backup
    C:\Program Files\2search\uninstall.exe -> Adware.2Search : Cleaned with backup
    C:\Program Files\eZula -> Adware.eZula : Cleaned with backup
    C:\Program Files\ncmyb.dll -> Adware.180Solutions : Cleaned with backup
    C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
    C:\WINDOWS\gimmygames9.exe -> Downloader.VB.ww : Cleaned with backup
    C:\WINDOWS\Installer.exe -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\2search.exe/main.exe -> Adware.2Search : Cleaned with backup
    C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\install.exe -> Downloader.Agent.ww : Cleaned with backup
    C:\WINDOWS\system32\omjsel.dll -> Adware.Look2Me : Cleaned with backup
    C:\winsysban12.exe -> Hijacker.VB.li : Cleaned with backup
    C:\winsysupd11.exe -> Trojan.VB.ajo : Cleaned with backup


::Report End

How come Norton can't do this stuff and you pay through the nose for it? rant whinge moan etc...

Anyway here's the HJT log you've been looking forward to:

Logfile of HijackThis v1.99.1
Scan saved at 00:28:07, on 3/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\MCYP\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Thanks Tayspen, do your stuff! Really appreciated...

Slan!

Edited by mike_2000_17: Fixed formatting

0

I just downloaded the lspfix but I'm not really sure what I'm doing, I need sleep now so I'll look at it tomorrow...

Slan lat!

0

Oh yea. ewido is a very nice program. To be perfectly honest with you I think norotn is a waste of money. To me your paying for something when there are ather programs that do a better job and are free (Ewido). Not to mention norton is a huge resource hog. If you want you should look into:

AVG Free Anti Virus (Free) - http://free.grisoft.com/doc/1

Its good.

Anyway on to the HJT log!

Looks alot cleaner. I hope its functioning better? THere still are a few items to clean up. Run HJT and scan, place a check next to these.


O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Then please do this.


Start>Run type Services.msc
-Right click Microsoft Windows Update Service (Windows Update Service)
and choose Stop
-Now choose Properties and change Startup Type to disabled


Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and Paste - Microsoft Windows Update Service (Windows Update Service)
into the box and delete it.


Please verify that this file in indeed gone. If not delete it, and tell me it wasnt gone.

C:\WINDOWS\services.exe

Submit a new log. and Hang in there :)

0

Ay up, tayspen!

Sorry its been a while... been a mad couple of days...

Anyway, C\WINDOWS\services.exe is gone or I couldn't find it anyway :)

HJT couldn't find the windows updater either, I dunno if this is a good or a bad thing...

I scanned again with ewido and it found a few more things here's the log:

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          10:34:29, 3/28/2006
 + Report-Checksum:     FA23FD6B

 + Scan result:

    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\AYIP0XMP\mousepad2[1].exe -> Hijacker.VB.li : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\LJEY96IG\domain[1].exe -> Downloader.VB.vz : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\PGQXCIYV\newname2[1].exe -> Downloader.Adload.aa : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\X1JSPJA7\drsmartload[1].exe -> Downloader.Adload.x : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\X1JSPJA7\keyboard1[1].exe -> Downloader.VB.ys : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\X1JSPJA7\keyboard2[1].exe -> Downloader.VB.yn : Cleaned with backup
    C:\Documents and Settings\MCYP\My Documents\QUARANTINE!\X1JSPJA7\sbc[1].exe -> Dropper.PurityScan.o : Cleaned with backup
    C:\drsmartload1.exe -> Downloader.VB.vz : Cleaned with backup
    C:\keyboard1.exe -> Downloader.VB.ys : Cleaned with backup
    C:\keyboard2.exe -> Downloader.VB.yn : Cleaned with backup
    C:\mousepad2.exe -> Hijacker.VB.li : Cleaned with backup
    C:\newname2.exe -> Downloader.Adload.aa : Cleaned with backup
    C:\WINDOWS\system32\1 -> Dropper.PurityScan.o : Cleaned with backup
    C:\winhlp32.exe -> Downloader.VB.vz : Cleaned with backup


::Report End

Did a new HJT log you'll be delighted to know and after doing what you said and here's the result:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:17, on 3/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\MCYP\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Erm , that's it! There still looks like there's one or two oddities in there to my untrained but terminally suspicious eye...

Looks like we're giving it a bit of a kicking though!

Anyway thanks for all your help, its over to you now I s'pose. I hope you don't see HJT logs when you close your eyes at night!

Sin e! Go raibh mile maith agat agus slan!

Edited by mike_2000_17: Fixed formatting

0

Sorry, must have missed your reply ;).

But, good news, your log is clean :).

You should really run windows update, www.windowsupdate.com - to update your computer. As always, that is optional though.


-T

0

Ay up Tayspen!

Thanks a million for all your help... You folks at Daniweb are flippin great! I still haven't worked out why you do it, but you do it well!

Good luck with everyone elses problems and thanks saving my posterior again!

Go raibh maith agat agus adh mor ort!

Slan!!

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.