
I can't take it anymore

Discussion in 'Virus & Other Malware Removal' started by jlbsmom, Oct 11, 2004.

Thread Status:
Not open for further replies.
  1. jlbsmom

    jlbsmom Thread Starter

    Joined:
    Oct 11, 2004
    Messages:
    4
    O.K. This is the third time I've typed this and I'm now beyond Pi...mad.:mad:
    Here's my hijack this log:

    Logfile of HijackThis v1.98.2
    Scan saved at 3:25:40 PM, on 10/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\ron\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iwon.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    I've tried all the stuff that has led me to the HijackThis program as I'd never heard of it prior to your site. I've followed the advice shown on other threads dealing with my same problem, but I suspect mine might be much deeper than I want to acknowledge.

    Some additional info:
    I have two hard drives and they both seem to be infected.
    I also ran House Call and received these results:
    1. Collector.A located in Windows/DownloadedPrograms
    2. Small.xc located in system32\msgk

    Here is the log from RAV AntiVirus' scan:

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\ron\Local Settings\Temp\senh.exe - TrojanDropper:Win32/Delf -> Infected

    C:\Documents and Settings\ron\Local Settings\Temp\~AceTemp\hijackthis\backups\backup-20041011-103720-296.dll - TrojanDownloader:Win32/Lemmy.B -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\3VPH5PDM\abetterinternet[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\6K5P3ZNR\MediaMotor25[1].exe - TrojanDownloader:Win32/Small.FE -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\BW95VK0C\hh[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\G1MVSTYZ\abetterinternet[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\G1MVSTYZ\hh[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\G1MVSTYZ\sah[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\G1MVSTYZ\searchenhancer[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\G1MVSTYZ\toprebates[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected

    C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\OXIJS923\_kitchen[1].htm->(SCRIPT0000) - JS/Drost.A* -> Infected

    C:\QUARANTINE\ATPartners.dll.0 - TrojanDownloader:Win32/Rameh.C -> Infected

    C:\QUARANTINE\localNrd.cab->polall1l.exe - TrojanDownloader:Win32/Agent.AE -> Infected

    C:\QUARANTINE\upgrade.exe - TrojanDropper:Win32/Small.GT -> Suspicious

    C:\WINDOWS\system32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected

    C:\WINDOWS\system32\bi4.exe - PWS:Win32/Bispy -> Suspicious

    C:\WINDOWS\system32\biJ.exe - PWS:Win32/Bispy -> Infected

    D:\WINDOWS\SYSTEM32\bdlds.dll - TrojanDropper:Win32/Small.GV -> Infected

    D:\WINDOWS\SYSTEM32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Inbox.dbx->Message.617: ("Stephen.x.winbun" [ ])->(part0001:price.zip)->price.html->(SCRIPT0001) - JS/Dword.dr* -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Inbox.dbx->Message.617: ("Stephen.x.winbun" [ ])->(part0001:price.zip)->price/price.exe - Win32/[email protected] -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Inbox.dbx->Message.616: ("Stephen.x.winbun" [ ])->(part0001:new_price.zip)->price.html->(SCRIPT0001) - JS/Dword.dr* -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Inbox.dbx->Message.616: ("Stephen.x.winbun" [ ])->(part0001:new_price.zip)->price/price.exe - Win32/[email protected] -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Deleted Items.dbx->Message.52: (Untitled)->(part0000:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Deleted Items.dbx->Message.52: (Untitled)->(part0001:hniid.pif) - Win32/[email protected] -> Infected

    D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Deleted Items.dbx->Message.46: (Untitled)->(part0004:Qt.exe) - Win32/[email protected] -> Infected

    D:\System Volume Information\_restore{6F7BB9A3-DC7F-4C3C-A389-FAAC25A5B2D6}\RP274\A0037383.exe - Trojan:Win32/Small.I -> Infected

    Sorry if this isn't enough information. I'm trying to hurry b4 I lose everything again.
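One way to read a scan log like the RAV output above, added here as an example that is not part of the post or of RAV AntiVirus: each detection line has the shape `<path> - <detection name> -> <verdict>`, and the useful first question is where the flagged file lives. Hits in Temporary Internet Files, a Temp folder, a quarantine folder, a System Restore snapshot or an Outlook Express mailbox are stored copies, while hits in the Windows system directory are files the operating system can actually load. The script below parses the lines, buckets them by location and lists the system-directory hits separately. `SAMPLE_LOG` is constructed from a subset of the lines in the post; the worm name on the mail-store line is a placeholder, because the post's copy of that name was mangled.

```python
"""Bucket antivirus detections by where the flagged file lives.

Added example for this thread; it is not code from the forum or from RAV
AntiVirus. Lines of the shape
    <path> - <detection name> -> <verdict>
are parsed and grouped by location, because a hit in Temporary Internet
Files, a Temp folder, a quarantine folder, a System Restore snapshot or a
mail store is a stored copy, while a hit in the Windows system directory is
a file the OS can load. SAMPLE_LOG is constructed from lines in the post
above; "Win32/PlaceholderWorm" stands in for a name the post mangled.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\ron\Local Settings\Temp\senh.exe - TrojanDropper:Win32/Delf -> Infected
C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\3VPH5PDM\abetterinternet[1].exe - TrojanDownloader:Win32/IstBar.Q -> Infected
C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\OXIJS923\_kitchen[1].htm->(SCRIPT0000) - JS/Drost.A* -> Infected
C:\QUARANTINE\ATPartners.dll.0 - TrojanDownloader:Win32/Rameh.C -> Infected
C:\QUARANTINE\upgrade.exe - TrojanDropper:Win32/Small.GT -> Suspicious
C:\WINDOWS\system32\ATPartners.dll - TrojanDownloader:Win32/Rameh.C -> Infected
C:\WINDOWS\system32\bi4.exe - PWS:Win32/Bispy -> Suspicious
D:\WINDOWS\SYSTEM32\bdlds.dll - TrojanDropper:Win32/Small.GV -> Infected
D:\Documents and Settings\Home\Application Data\Identities\{88F11C40-0835-11D6-9D49-00E0291BE16A}\Microsoft\Outlook Express\Inbox.dbx->Message.617: ("Stephen.x.winbun" [ ])->(part0001:price.zip)->price/price.exe - Win32/PlaceholderWorm -> Infected
D:\System Volume Information\_restore{6F7BB9A3-DC7F-4C3C-A389-FAAC25A5B2D6}\RP274\A0037383.exe - Trojan:Win32/Small.I -> Infected
"""

# Location rules are checked in order; the first match wins. Every bucket
# except "system directory" holds stored copies rather than loadable files.
LOCATION_RULES = [
    ("browser cache", r"\\temporary internet files\\"),
    ("temp folder", r"\\local settings\\temp\\"),
    ("quarantine", r"^[a-z]:\\quarantine\\"),
    ("system restore", r"\\system volume information\\"),
    ("mail store", r"\.dbx->"),
    ("system directory", r"^[a-z]:\\windows\\system32\\"),
]


def classify_location(path):
    """Map a flagged path to one of the buckets above, or "other"."""
    lowered = path.lower()
    for bucket, pattern in LOCATION_RULES:
        if re.search(pattern, lowered):
            return bucket
    return "other"


def parse_detection(line):
    """Return (path, detection, verdict) or None for non-detection lines.

    Splitting from the right keeps "->" inside archive/mailbox paths intact.
    """
    if " -> " not in line:
        return None
    head, verdict = line.rsplit(" -> ", 1)
    if verdict not in ("Infected", "Suspicious") or " - " not in head:
        return None
    path, detection = head.rsplit(" - ", 1)
    return path, detection, verdict


def triage(log_text):
    """Group every detection in the log by location bucket."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_detection(line.strip())
        if hit:
            path, detection, verdict = hit
            buckets[classify_location(path)].append((path, detection, verdict))
    return dict(buckets)


def active_detections(log_text):
    """Detections in a Windows system directory: files the OS can load."""
    return triage(log_text).get("system directory", [])


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(hits)} hit(s)")
        for path, detection, verdict in hits:
            print(f"  {verdict:<10} {detection:<36} {path}")
```

On the posted log this separates the three copies of ATPartners.dll (one in quarantine, one in each system32 directory) and shows that most of the hits are cached downloads, restore-point copies and mailbox attachments rather than running components.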
     
  2. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Use TaskManager (Ctrl+Alt+Delete) to end these processes (if applicable):

    cashback.exe

    nls.exe

    bargains.exe

    exdl2.exe


    Go to add or remove programs and uninstall BargainBuddy (may also be named CashBack or NaviSearch)



    Restart your computer and post another log.
     
  3. jlbsmom

    jlbsmom Thread Starter

    Joined:
    Oct 11, 2004
    Messages:
    4
    O.K. I'm in a much better mood now!

    I did as you said, only none of it applied, or I've already deleted it or attempted to delete it and now it's hidden.

    I did see two listings on the Add/Remove Programs that were the MediaMotor program. From what I understand, uninstalling or attempting to uninstall MediaMotor is a big no-no.

    The processes I see which I know are issues are 6 svchost.exe on the Local Service, 2x-Network Service, 3x-System. Other images I see that look suspicious to me or at least I don't know what they are:
    alg.exe Local Service
    nvsvc32.exe System
    mdm.exe System
    VsTskMgr.exe System
    ctfmon.exe Cheryl
    spoolsv.exe System
    the 6 svchost.exe's listed above
    lsass.exe System
    csrss.exe System
    smss.exe System
    wdfmgr.exe Local Service
    I'm sure some of the above may be legit, I just don't know what they are.

    Programs on my Add/Remove Programs that I know are bad or suspect are:
    2020Search
    ATP
    Media-motor
    Media-motor
    Search2020
    Uninstall 180searchAssistant
    I have tried to uninstall Search 2020 and 180searchAssistant. I have also tried searching for files containing those names and deleting them. I have also gone in to my hijackthis log and deleted corresponding whatevers to those listed for another post with the same issue, only that seemed to do it for him!

    If there is any other information I can get you, please let me know. I'm willing to do all I can. Do you know if I re-image the machine, will that rid the trojans or will they still exist? I really don't want to do that, but that may be my only choice.

    Thanks for the help.
    :)
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,397
    Hi.......... Uninstall "SpyHunter" in Add/Remove Programs, it's SCAMWARE!!
    ================================================
    Run hijackthis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then,close all browser and outlook windows including this one and "fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iwon.com/
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe


    ==============================
    Empty the Recycle Bin.

    Open Internet Explorer, click on "Tools">"Internet Options" and delete temp internet files.
    And clean out your %Userprofile%\Local Settings\Temp
    folder. [It's a good idea to do that regularly.]
    ==============================
    Open Control Panel
    Click on Internet Options
    On the General Tab....click on Delete Files
    You may also want to check the box "Delete all offline content"
    Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files......
    You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
    ==============================
    Go to Internet Options>Programs
    Click the "Reset Web Settings" button to reset your preferred home and search pages.
    ==============================
    Custom made hosts file:
    http://www.mvps.org/winhelp2002/hosts.htm
    Stops lots of unwanted sites being accessed by your computer
    and also stops lots of unwanted sites accessing you.
    ==============================
    As for your list above [Eg:alg.exe Local Service].....Google each one in turn and you will find they are ALL legit.

    ;)
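The list of entries to tick above amounts to an allowlist review of the HijackThis log: browser helper objects and toolbars whose CLSID nobody recognises, a start page that is not the one the owner set, and a Run entry for software already identified as unwanted. The script below, added here as an example and not code from the forum or from HijackThis, parses the entry types that appear in the posted log (R0, O2, O3, O4, O16) into records and applies exactly that review. `TRUSTED_CLSIDS`, `EXPECTED_START_PAGE` and `UNWANTED_RUN_NAMES` are constructed for the example (the CLSIDs themselves are copied from the posted log), and `SAMPLE_LOG` is a subset of the posted log.

```python
"""Parse a HijackThis log and mark entries that need a second look.

Added example for this thread; it is not the forum's code and not part of
HijackThis. Entry types R0, O2, O3, O4 and O16 are parsed into records, then
an allowlist review flags: a BHO, toolbar or DPF control whose CLSID is not
trusted, a start page other than the expected one, and a Run entry for
software already identified as unwanted. TRUSTED_CLSIDS, EXPECTED_START_PAGE
and UNWANTED_RUN_NAMES are constructed for the example; SAMPLE_LOG is a
subset of the log posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iwon.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""


@dataclass
class Entry:
    kind: str    # R0, O2, O3, O4 or O16
    name: str    # display name, Run value name, or the registry value for R0
    clsid: str   # upper-cased {GUID} for O2/O3/O16, "" otherwise
    target: str  # DLL/EXE path, URL or start-page value
    raw: str     # the log line exactly as HijackThis shows it


CLSID = r"\{[0-9A-Fa-f-]{36}\}"
PATTERNS = [
    ("R0", re.compile(r"^R0 - (?P<name>.+?) = (?P<target>.+)$")),
    ("O2", re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<target>.+)$")),
    ("O3", re.compile(rf"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<target>.+)$")),
    ("O4", re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.+?)\] (?P<target>.+)$")),
    ("O16", re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) \((?P<name>.+?)\) - (?P<target>.+)$")),
]


def parse_entry(line):
    """Return an Entry for a recognised log line, else None."""
    line = line.strip()
    for kind, pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            return Entry(kind, g["name"], g.get("clsid", "").upper(), g["target"], line)
    return None


# Constructed allowlist: CLSIDs copied from the posted log for components the
# thread treats as legitimate. A real review keeps this list per machine.
TRUSTED_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe Reader helper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot SDHelper
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}",  # Google toolbar
    "{74D05D43-3236-11D4-BDCD-00C04F9A3B61}",  # Trend Micro HouseCall control
}
EXPECTED_START_PAGE = "about:blank"  # constructed; use whatever the owner set
UNWANTED_RUN_NAMES = {"spyhunter"}   # named in the thread as software to remove


def review(log_text, trusted=TRUSTED_CLSIDS, start_page=EXPECTED_START_PAGE):
    """Return (entry, reason) pairs for lines worth checking in HijackThis."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.kind in ("O2", "O3", "O16") and e.clsid not in trusted:
            flagged.append((e, "CLSID is not on the trusted list"))
        elif e.kind == "R0" and e.target.rstrip("/").lower() != start_page.rstrip("/").lower():
            flagged.append((e, "start page differs from the expected one"))
        elif e.kind == "O4" and e.name.lower() in UNWANTED_RUN_NAMES:
            flagged.append((e, "autorun entry for software identified as unwanted"))
    return flagged


def fix_list(log_text):
    """The raw lines to tick in HijackThis, in log order."""
    return [e.raw for e, _ in review(log_text)]


if __name__ == "__main__":
    for entry, reason in review(SAMPLE_LOG):
        print(f"{entry.kind:<4} {reason}\n     {entry.raw}")
```

Run against the sample it flags the iwon.com start page, the two UrlCatcher BHOs loading from system32 and the SpyHunter Run entry, which is the same set of lines the reply above asks the poster to tick. An unknown CLSID is only a prompt to look the component up, which is also the advice given for the process list.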
     

Short URL to this thread: https://techguy.org/283472