Hjt Log


Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
Hi, I'm having trouble clearing out my sister's computer. I ran CWShredder and fixed what it came up with. I ran Spybot S&D and it said it couldn't fix everything. I'm trying to run Ad-Aware but it keeps freezing at a sys32 file; I can't remember the name of the file. So I was wondering what is next: should I run an online antivirus first or fix the HJT log? Here is the log and, as always, thank you for your help.

Logfile of HijackThis v1.98.2
Scan saved at 9:06:19 PM, on 9/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Owner\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: arch.msn.com
O1 - Hosts: tElementById('myScript').src = "";
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
Ran Rav online antivirus and this is what it came up with!
Scan started at 9/1/2004 9:30:52 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Q230903.exe->(ASPack 1.084) - TrojanDownloader:Win32/WinShow.A -> Infected
C:\Program Files\Hide 2 dog\32.exe - TrojanDropper:Win32/Small.FL -> Infected
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1024\A0034488.exe - TrojanDownloader:Win32/Swizzor.NAB -> Infected
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035729.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035730.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035731.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035746.exe - Tool:pornDialer.EA -> Infected
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035827.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Downloaded Program Files\UGO20.exe - TrojanDownloader:Win32/Small.FE -> Infected
C:\WINDOWS\SYSTEM\Sleep.exe - Trojan:Win32/VB.AA -> Infected
C:\WINDOWS\SYSTEM32\TFTP260 - Win32/Msblast.A.dam#2 -> Infected
C:\WINDOWS\Temp\THI4BA1.tmp\twaintec.cab->twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Temp\THI4BA1.tmp\twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Temp\THI7FFD.tmp\twaintec.cab->twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Temp\THI7FFD.tmp\twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected

Scanned
============================
Objects: 56517
Directories: 3403
Archives: 12172
Size(Kb): -1420768
Infected files: 12

Found
============================
Viruses found: 8
Suspicious files: 3
Disinfected files: 0
Mail files: 114
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
Saw this in another post and thought you guys might need this info too!

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
C:\WINDOWS\System32\6ao4svc.dll
C:\WINDOWS\System32\6ko4svc.dll
C:\WINDOWS\System32\anaamon.dll
C:\WINDOWS\System32\autxprxy.dll
C:\WINDOWS\System32\ayctres.dll
C:\WINDOWS\System32\ayptif.dll

Additional Files---
C:\WINDOWS\System32\wincore.dll
C:\WINDOWS\System32\cidrules.dll
C:\WINDOWS\System32\winupd.dll
C:\WINDOWS\System32\inetadpt
C:\WINDOWS\System32\winhost32.exe

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{6CE8139E-A061-462E-B2EA-44F5EA2F82D7}
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,659
Before you proceed with those instructions, please move Hijack This into its own folder in program files or my documents but not in the temporary files or on the desktop, so it can create proper back-ups and restore them if necessary.

Download the LSP Fix:

http://cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of lspak.dll and cdlsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Now start your computer in Safe Mode and delete:

The C:\windows\system32\lspak.dll - file
C:\windows\system32\cdlsp.dll - file

Then Please download and run the following programs:

CWSHREDDER

http://www.majorgeeks.com/download4086.html

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer.

IMPORTANT! To help prevent this from happening again, you should install all the Microsoft security patches and critical updates.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click ''Check for Problems''. Anything that needs to be fixed will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', then restart your computer.

Disable your system restore and do a couple of on-line virus scans:

http://www.pchell.com/virus/systemrestore.shtml

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
Hi, and thank you for your help. I've gone through all the parts up to Ad-Aware. When I run Ad-Aware it scans up to C:\Windows\System32\MsDtc and stalls out every time. I was wondering if this is a problem file that can be deleted or something? I've checked this file out and it's some kind of trace file. If you need more info on it let me know. Thank you.
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
OK, I ran both antivirus checks as recommended. Panda (which I did last) removed 4 viruses; they didn't say what they removed. Trend found 2 but could not clean; here is what they found.

TROJ VB.AA Non Cleanable C:\Windows\System\Sleep.exe
TROJ WINSHOW.A Non Cleanable C:\Q230903.exe

Here are the programs I've run so far:
CWS shredder
Spybot S&D
LSP fix
Kazzabeggone
And here is the latest HJT Log:

Logfile of HijackThis v1.98.2
Scan saved at 4:29:39 PM, on 9/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bkdjldfprskyaeicvsdwfd.i...7iCLZql4HkaA39jJYmr4nP1MFtOzvG6GhuxlsRRhB.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: arch.msn.com
O1 - Hosts: tElementById('myScript').src = "";
O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ElseCoalInternetFile] C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab


Here is my latest HJT Log......
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,659
I'm sorry but I made a mistake when I told you to run LSP the first time, one of the files I mentioned was incorrect and that's why this one is still there:

Please run LSP fix again:

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Now start your computer in Safe Mode and delete:

The C:\windows\system32\inetadpt.dll - file

Then, run VX2Finder again. Close ALL running programs and windows except VX2Finder. Sign off and stay off the Internet until the entire procedure is complete.

Run VX2Finder again and check off all those files found and click the Delete these Files button.
(for as many as you have)

Next click the UserAgent$ button (to remove that reg value)

Then click the Import.reg (to repair QuickLaunch Toolbar)

Finally click the Restore Desktop ...to restore the desktop (Explorer.exe will end while doing this fix)

Restart your computer and run VX2 Finder and post another log from it and Hijack This.
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
Ok here is the homework you required...hehe

Vx2 log:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINDOWS\system32\wincore.dll
C:\WINDOWS\system32\cidrules.dll

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 9:42:23 AM, on 9/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.edzedxfoqycntoogi.com/Xb...7iCLZql4HkaA39jJYmr5Lnsfty9kAnqGhuxlsRRhB.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: arch.msn.com
O1 - Hosts: tElementById('myScript').src = "";
O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ElseCoalInternetFile] C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,659
Turn off system restore. On the desktop, right-click on My Computer, click properties, click system restore tab, check turn off system restore, click apply and then OK. Restart your computer. Once your system is clean you will turn it back on and create a new restore point.

Go to Control Panel - Add/Remove programs and remove these if there:

VirtualBouncer or VBouncer
WinTools (or WinTools for Internet Explorer V2)


Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.edzedxfoqycntoogi.com/Xb...qGhuxlsRRhB.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O1 - Hosts: arch.msn.com

O1 - Hosts: tElementById('myScript').src = "";

O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe

O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [ElseCoalInternetFile] C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe

O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v5.cab


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\PROGRA~1\UPFLAW~1\Datethunk.exe - folder (the name of the folder will start with UPFLAW and it will contain the file Datethunk.exe)
C:\PROGRA~1\HIDE2D~1\CoalCast.exe - folder (the name of the folder will start with HIDE2D and it will contain the file CoalCast.exe)
C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe - folder
C:\Program Files\VBouncer\BundleOuter.EXE - folder
C:\Program Files\Common Files\WinTools\WToolsA.exe - folder
C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe - folder
C:\PROGRA~1\MYDAILYHOROSCOPE\MYDAIL~1.EXE - folder

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Now do this:
Close Ad-Aware SE Personal and Ad-Watch (if running)
Download the free VX2 Cleaner here : http://www.majorgeeks.com/download4283.html

Install the VX2 Cleaner
Start Ad-Aware 6 build 181
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close”.

If your computer is infected

Select “Clean system”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

Then post a new Hijack This log please.
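The back-and-forth above (post a HijackThis log, fix the checked entries, post a new log) is easier to follow with a small triage script. The block below is an added example written for this page; it is not a tool from the thread, from HijackThis or from any of the helpers' instructions. It parses the `R0/R1/On - ...` entry lines of a v1.98-style log, flags the patterns the helpers acted on in this thread (hosts-file lines that are not `ip hostname` or that point a search domain at a non-loopback address, `O10` unknown Winsock LSP DLLs, an `O2` BHO whose file is missing, `O4` Run entries launched from Application Data), and diffs two logs so you can confirm that a round of fixes actually removed what it was meant to. The flagging rules are the editor's own heuristics, not HijackThis's; the sample log text is constructed from entries quoted earlier in this thread.

```python
"""Triage helper for HijackThis v1.98-style logs (added example).

Parses the 'R0/R1/On - ...' entry lines, flags the patterns the thread's
helpers acted on, and diffs two logs to confirm what a fix removed.
The heuristics are the editor's own; the sample logs are constructed
from entries quoted in the thread.
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: a mix of entries from the first and third logs posted.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
O1 - Hosts: arch.msn.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: tElementById('myScript').src = "";
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

# Constructed sample: entries from the log posted after the fixes were applied.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
"""


def parse_log(text):
    """Return the (section, body) pairs for every HJT entry line in `text`."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def flag_entries(entries):
    """Return (reason, body) pairs for entries matching the thread's patterns."""
    findings = []
    lsp_counts = Counter(body for sec, body in entries if sec == "O10")
    seen_lsp = set()
    for sec, body in entries:
        if sec == "O1":
            # A hosts line should read 'ip hostname'. Anything else was written
            # by something other than the user; a non-loopback IP in front of
            # a search domain silently redirects that domain.
            m = HOSTS_RE.match(body)
            if not m or not IP_RE.match(m.group(1)):
                findings.append(("hosts line is not 'ip hostname'", body))
            elif m.group(1) not in LOOPBACK:
                findings.append(("hosts file redirects %s to %s"
                                 % (m.group(2), m.group(1)), body))
        elif sec == "O2" and "(file missing)" in body:
            findings.append(("BHO registered but its DLL is gone", body))
        elif sec == "O4" and "\\Application Data\\" in body:
            findings.append(("autorun launches from Application Data", body))
        elif sec == "O10" and body not in seen_lsp:
            # HJT lists one O10 line per LSP chain entry, so report each DLL
            # once with how many chain entries reference it.
            seen_lsp.add(body)
            findings.append(("unknown LSP DLL (%d chain entries)"
                             % lsp_counts[body], body))
    return findings


def diff_logs(before, after):
    """Entries removed and added between two logs, to check that a fix took."""
    old, new = set(parse_log(before)), set(parse_log(after))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for reason, body in flag_entries(parse_log(LOG_BEFORE)):
        print("FLAG %-45s %s" % (reason, body))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed: %d entries, added: %d entries" % (len(removed), len(added)))
```

Run it on the two log texts and the `O10` lines collapse to one finding per DLL, which is why the helper above asks for "all instances" of a DLL in LSP-Fix: each chain entry is a separate line in the log but the same file on disk. The diff is the check a helper does by eye when a new log is posted; an entry that survives the fix (like `inetadpt.dll` after the first LSP-Fix round in this thread) shows up in neither list.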
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
OK, here's the latest. I've done all those things except Ad-Aware; it still stalls out in the System32 folder, I'm not sure why. It does pull up criticals but because it doesn't finish I can't get rid of them. I've tried uninstalling Ad-Aware and reinstalling both the new version and the 6.181 version I have; both stall out. I have not tried installing a fresh copy; maybe I'll do that next. Here is my latest HJT log. I also wanted to mention a few programs in the Add/Remove list that look to be suspect. Some have a little icon that reads SE and there are about 5 of these in there; when I try to uninstall them it says I have to be the admin to remove them. Another is medialoader, not sure what this is. Then there's one called IE toolbar search or helper; when I try to uninstall it, it brings me to a web page that says it will remove it and has a little survey to fill out, but I click remove and it doesn't remove it from the Add/Remove list??? I'm not at that computer so I'm trying to recall these from memory.

Logfile of HijackThis v1.98.2
Scan saved at 6:30:14 PM, on 9/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
Just a small update, I didn't have much time today (I work 12hr shifts on the weekends). I uninstalled Ad-Aware, downloaded a new copy and still had the same results. I also tried running Ad-Aware in safe mode but same results, it stalls out in the System32 file. It is still finding bad items but because it does not finish (I have to close it out) it doesn't take care of the problems. Panda found nothing and Trend was running when I left for work. I will let you know what, if anything, is found in the morning and also post a new HJT log. Hope you're having a great Labor Day (if you're in this neck of the woods, that is)!! And thanks again for all your help!! PS Are there any other programs comparable to Ad-Aware that I could download and run, maybe get rid of the baddies that are left?
 

Camlee98

Thread Starter
Joined
Mar 21, 2004
Messages
184
OK, here's what Trend found: TROJ_WINSHOW.A C:Q230903.EXE
There are instructions there on how to remove this. Should I do that or use something else?

Here's the latest HJT log.
Logfile of HijackThis v1.98.2
Scan saved at 9:29:36 AM, on 9/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
 