[Solved] Host redirect


bdbmog (Thread Starter) | Joined: Apr 23, 2004 | Messages: 55
I'm being beat up by a bug of some sort that ad-aware can't seem to fix. If I enter a word on my search engine, it will come up, but another window from out of nowhere comes up from another site with several pop-up windows.

Ad-aware will delete all of the files but this: c:\winnt\system32\awsetupc.cpy.dll

When I reboot the same files will come back and ad-aware will delete all but the same one again.

I have included the scan details of the problem files. The first one is the one I can't get rid of.
I am running windows 2000 professional

Any help or direction to a similar post is greatly appreciated.

thanks,
bdbmog

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : File
Data : awsetupc.cpy.dll
Category : Data Miner
Comment :
Object : C:\WINNT\system32\
FileSize : 301 KB
Created on : 4/23/2004 12:02:10 PM
Last accessed : 4/23/2004 12:02:10 PM
Last modified : 4/8/2004 2:36:08 PM




Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Warning!
Bad hosts file entry:207.36.196.189:ieautosearch


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 207.36.196.189
Category : Misc
Comment : Possible Hosts File Hijack
Bad Hostfile entry : 207.36.196.189:ieautosearch

Warning!
Bad hosts file entry:207.36.196.189:auto.search.msn.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 207.36.196.189
Category : Misc
Comment : Possible Hosts File Hijack
Bad Hostfile entry : 207.36.196.189:auto.search.msn.com

Warning!
Bad hosts file entry:207.36.196.189:search.netscape.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 207.36.196.189
Category : Misc
Comment : Possible Hosts File Hijack
Bad Hostfile entry : 207.36.196.189:search.netscape.com


Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
38 entries scanned.
New objects :3
Objects found so far: 4




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 5


8:19:28 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:03:54:837
Objects scanned :52384
Objects identified :5
Objects ignored :0
New objects :5
 

bdbmog (Thread Starter) | Joined: Apr 23, 2004 | Messages: 55
Thanks dai, but it didn't work. It did cause Ad-aware to detect the files every time I run the scan now; I don't have to reboot for it to detect them.
 

bdbmog (Thread Starter) | Joined: Apr 23, 2004 | Messages: 55
I hope this helps

Logfile of HijackThis v1.97.7
Scan saved at 1:43:31 PM, on 4/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bruce Bennett.MAIN\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [WAPI] C:\WINNT\system32\wtssvit.exe
O4 - Startup: Palm Desktop for CLIÉ.lnk = Sony Handheld\palm.exe
O4 - Global Startup: Acrobat Assistant.lnk = Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2565261e4b4bf45cc420/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.3716782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined: Oct 9, 2001 | Messages: 9,396
Yes, you need to show us a HijackThis log. There are things in there which need removing.
;)
 

bdbmog (Thread Starter) | Joined: Apr 23, 2004 | Messages: 55
Here is the most current scan:
I hope this helps
Thanks
bdbmog

Logfile of HijackThis v1.97.7
Scan saved at 2:31:10 PM, on 4/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bruce Bennett.MAIN\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [WAPI] C:\WINNT\system32\wtssvit.exe
O4 - Startup: Palm Desktop for CLIÉ.lnk = Sony Handheld\palm.exe
O4 - Global Startup: Acrobat Assistant.lnk = Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2565261e4b4bf45cc420/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.3716782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined: Oct 9, 2001 | Messages: 9,396
Run HijackThis again and put a checkmark against these entries. Double check in case you miss anything, then close all browser and Outlook windows, including this one, and "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKCU\..\Run: [WAPI] C:\WINNT\system32\wtssvit.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2565261e4b4bf4...ip/RdxIE601.cab


Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer and go to Tools > Folder Options. Click the View tab and make sure "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders", then "Apply" and "OK".

Locate and remove:
C:\WINNT\system32\wtssvit.exe

See if that sorts it.

;)
 
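The selection above (hosts-file redirects, the WAPI autorun, the RdxIE ActiveX download) is the kind of triage a responder does by eye on a HijackThis log. As an added example that is not part of the thread or of HijackThis itself, here is the same triage as Python: it parses the O1, O4 and O16 sections of a log, flags hosts entries that send a name to a non-loopback address (and notes when several names share one target, the search-redirect signature), flags ActiveX CABs served from a bare IP, and matches autoruns only against names the responder has already judged unwanted. The sample log is constructed from lines copied out of the thread plus one benign O16 line; the known-bad autorun list is supplied by the caller, since the log alone cannot tell a good autorun from a bad one.

```python
"""Triage the hijack patterns in a HijackThis 1.97-style log.

Added example (not from the thread or from the HijackThis author). It encodes
three checks a responder makes by eye when picking lines to "fix":
  * O1  hosts-file entries mapping a name to a non-loopback address; several
        names sharing one target is the search-redirect signature.
  * O16 ActiveX CAB files served from a bare IP address instead of a vendor
        hostname (a common drive-by install pattern).
  * O4  autoruns, flagged only against names the responder has already decided
        are unwanted; the log alone cannot separate a good autorun from a bad one.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the thread's log, plus one benign O16
# line so the bare-IP check has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [WAPI] C:\WINNT\system32\wtssvit.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2565261e4b4bf45cc420/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: .*? - (\S+)$")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Finding:
    section: str   # HijackThis section code: O1, O4, O16
    line: str      # the log line (or synthesized summary) that triggered it
    reason: str


def triage(log_text, known_bad_autoruns=()):
    """Return the Finding list for one log. known_bad_autoruns: names or path
    fragments (case-insensitive) the responder has already judged unwanted."""
    findings = []
    targets = {}   # non-loopback address -> hostnames redirected to it
    bad = [b.lower() for b in known_bad_autoruns]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            addr, name = m.groups()
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(Finding("O1", line, "address does not parse"))
                continue
            # 127.x and 0.0.0.0 are how ad-blocking hosts files sink names; anything
            # else sends the name's traffic to a host the user did not choose.
            if ip not in LOOPBACK and not ip.is_unspecified:
                targets.setdefault(str(ip), []).append(name)
                findings.append(Finding("O1", line, f"{name} resolves to {ip}, not loopback"))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            try:
                ipaddress.ip_address(host)
            except ValueError:
                continue   # a hostname; not flagged by this rule
            findings.append(Finding("O16", line, f"ActiveX CAB served from bare IP {host}"))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, name, cmd = m.groups()
            hit = next((b for b in bad if b in cmd.lower() or b == name.lower()), None)
            if hit:
                findings.append(Finding("O4", line, f"autorun matches known-bad '{hit}'"))
    for ip, names in targets.items():
        if len(names) > 1:
            findings.append(Finding("O1", f"{ip} <- {', '.join(names)}",
                                    f"{len(names)} names share one redirect target"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, known_bad_autoruns=("wtssvit.exe",)):
        print(f"[{f.section}] {f.reason}\n      {f.line}")
```

Run against the sample it reports four O1 findings (three redirects plus the shared-target summary), the RdxIE CAB from 207.188.7.150, and the WAPI autorun; the Norton, Flash and Office lines pass untouched. Fixing the O1 lines only rewrites the hosts file; whatever wrote them needs removing as well, or they come back.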

bdbmog (Thread Starter) | Joined: Apr 23, 2004 | Messages: 55
Hi $teve,
It got rid of all but 2 files. I couldn't find C:\WINNT\system32\wtssvit.exe to delete.

Here are the 2 files that keep coming back after they are deleted (copied from the Ad-Aware log), and another HijackThis log.

Thanks for all your help.
bdbmog


Ad-aware file:
-------------------------------

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : File
Data : awsetupc.cpy.dll
Category : Data Miner
Comment :
Object : C:\WINNT\system32\
FileSize : 301 KB
Created on : 4/23/2004 8:29:04 PM
Last accessed : 4/23/2004 9:00:08 PM
Last modified : 4/8/2004 2:36:08 PM




Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
999 entries scanned.
New objects :0
Objects found so far: 1




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2


Hijack This File:
-------------------------

Logfile of HijackThis v1.97.7
Scan saved at 5:37:56 PM, on 4/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bruce Bennett.MAIN\My Documents\HIJACK THIS\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Terminate Popup] C:\Program Files\Free-Popup-Killer\fpuk.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: Palm Desktop for CLIÉ.lnk = Sony Handheld\palm.exe
O4 - Global Startup: Acrobat Assistant.lnk = Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.3716782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined: Oct 9, 2001 | Messages: 9,396
Clean log. I would have HijackThis "fix" this one:
O15 - Trusted Zone: http://*.windowsupdate.com

Don't worry about the 2 files. Unless you block all cookies you will get the odd one sneaking through.

Consider installing the following:

SpywareBlaster v 3.0 and SpywareGuard v2.2, to prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection: http://www.wilderssecurity.net/index.html

IE-SPYAD, a registry file that adds a long list of known "sites" to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm

;)
 

bdbmog (Thread Starter) | Joined: Apr 23, 2004 | Messages: 55
Hi $teve,
I'm sorry to be a pest, but I still have the same problem as when we first started. Nothing has changed. I deleted item 15 in HJT as you suggested, cleared all cookies, history and files, ran Ad-aware, rebooted, and ran Ad-aware again, to no avail.

I'm still being redirected, same as before, but now there's only the two files ad-aware detects.

I can delete them and re-scan and they will be right back there. Nothing I do seems to be able to delete them.

These are the two files causing the problem:

C:\WINNT\system32\awsetupc.cpy.dll
and
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian

I have enclosed the ad-aware log.
Thanks again for all the help.
bdbmog

Ad-aware Log:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Sunday, April 25, 2004 6:39:05 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R299 22.04.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R299 22.04.2004
Internal build : 231
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1070822 Bytes
Signature data size : 1052604 Bytes
Reference data size : 18154 Bytes
Signatures total : 23634
Target categories : 10
Target families : 455

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:52 %
Total physical memory:392688 kb
Available physical memory:202784 kb
Total page file size:819496 kb
Available on page file:642024 kb
Total virtual memory:2097024 kb
Available virtual memory:2047184 kb
OS:Windows 2000

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Remember window positions
Set : Snap windows to desktop border
Set : Always back up reference file, before updating
Set : Create and save WebUpdate logfile
Set : Dump details about unhandled exceptions to disk


4/25/2004 6:39:05 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 4/25/2004 9:41:26 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:32 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:33 AM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/25/2004 9:41:33 AM
Last modified : 6/19/2003 7:05:04 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:33 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 7/22/2002 7:54:58 PM
Last accessed : 4/25/2004 9:41:33 AM
Last modified : 2/25/2004 11:59:07 PM

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:37 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/25/2004 9:41:37 AM
Last modified : 12/7/1999 12:00:00 PM

#:6 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:38 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 4/24/2003 11:28:18 PM
Last accessed : 4/25/2004 9:41:38 AM
Last modified : 6/19/2003 7:05:04 PM

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 4/25/2004 9:41:38 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/25/2004 9:41:37 AM
Last modified : 12/7/1999 12:00:00 PM

#:8 [hidserv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:38 AM
BasePriority : Normal
FileSize : 19 KB
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
OriginalFilename : HIDSERV.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 7/17/2003 12:03:55 PM
Last accessed : 4/25/2004 9:41:38 AM
Last modified : 6/19/2003 7:05:04 PM

#:9 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 4/25/2004 9:41:38 AM
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 2/23/2001 2:07:30 PM
Last accessed : 4/25/2004 9:41:38 AM
Last modified : 2/23/2001 2:07:30 PM

#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 4/25/2004 9:41:39 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 4/25/2003 9:19:11 PM
Last accessed : 4/25/2004 9:41:39 AM
Last modified : 2/27/2002 3:29:26 PM

#:11 [nvsvc32.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:40 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.14.10.4523
ProductVersion : 6.14.10.4523
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 45.23
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 45.23
Created on : 7/28/2003 8:19:00 PM
Last accessed : 4/25/2004 9:41:40 AM
Last modified : 7/28/2003 8:19:00 PM

#:12 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:40 AM
BasePriority : Normal
FileSize : 66 KB
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 7/17/2003 12:05:08 PM
Last accessed : 4/25/2004 9:41:40 AM
Last modified : 6/19/2003 7:05:04 PM

#:13 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:41 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright (C) Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 7/17/2003 12:04:43 PM
Last accessed : 4/25/2004 9:41:41 AM
Last modified : 6/19/2003 7:05:04 PM

#:14 [stisvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:41 AM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 5.00.2195.6656
ProductVersion : 5.00.2195.6656
Copyright : Copyright (C) Microsoft Corp. 1996-1997
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 7/17/2003 12:05:15 PM
Last accessed : 4/25/2004 9:41:41 AM
Last modified : 6/19/2003 7:05:04 PM

#:15 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 4/25/2004 9:41:43 AM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 7/17/2003 12:05:29 PM
Last accessed : 4/25/2004 9:41:43 AM
Last modified : 6/19/2003 7:05:04 PM

#:16 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:41:44 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/25/2004 9:41:37 AM
Last modified : 12/7/1999 12:00:00 PM

#:17 [rundll32.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:51:03 AM
BasePriority : Normal
FileSize : 9 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 4/25/2004 9:51:04 AM
Last modified : 12/7/1999 12:00:00 PM

#:18 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 4/25/2004 9:52:03 AM
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 7/17/2003 12:03:49 PM
Last accessed : 4/25/2004 10:32:55 AM
Last modified : 6/19/2003 7:05:04 PM

#:19 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~1\
ThreadCreationTime : 4/25/2004 9:52:08 AM
BasePriority : Normal
FileSize : 73 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.EXE
ProductName : Norton AntiVirus
Created on : 4/25/2003 9:19:11 PM
Last accessed : 4/25/2004 9:52:08 AM
Last modified : 2/27/2002 3:27:58 PM

#:20 [tfswctrl.exe]
FilePath : C:\WINNT\system32\dla\
ThreadCreationTime : 4/25/2004 9:52:08 AM
BasePriority : Normal
FileSize : 100 KB
FileVersion : 1.02.93a
Copyright : Copyright
CompanyName : VERITAS Software, Inc.
FileDescription : Direct Access Component
Created on : 11/28/2003 7:24:30 PM
Last accessed : 4/25/2004 9:52:08 AM
Last modified : 11/30/2001 6:02:00 AM

#:21 [iwctrl.exe]
FilePath : C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\
ThreadCreationTime : 4/25/2004 9:52:09 AM
BasePriority : Normal
FileSize : 816 KB
FileVersion : 4.0.2.3
ProductVersion : 4.0.0.0
Copyright : Copyright
CompanyName : Pinnacle Systems, Inc.
FileDescription : InstantWrite Control Center
InternalName : iwctrl
ProductName : InstantWrite
Created on : 2/21/2003 3:27:14 PM
Last accessed : 4/25/2004 9:52:09 AM
Last modified : 2/21/2003 3:27:14 PM

#:22 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ThreadCreationTime : 4/25/2004 9:52:12 AM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 1.76.0
ProductVersion : 1.76.0
Copyright : Copyright (C) Hewlett-Packard. 2002-2003
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
OriginalFilename : HPCmpMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 6/26/2003 10:50:24 PM
Last accessed : 4/25/2004 9:52:12 AM
Last modified : 6/26/2003 10:50:24 PM

#:23 [hpwuschd2.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ThreadCreationTime : 4/25/2004 9:52:12 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 3, 0, 38, 1
ProductVersion : 3, 0, 38, 1
Copyright : Copyright
CompanyName : Hewlett-Packard Company
FileDescription : hpwuSchd
InternalName : hpwuSchd
OriginalFilename : hpwuSchd.exe
ProductName : HP Software Update Application
Created on : 2/18/2004 8:55:28 PM
Last accessed : 4/25/2004 9:52:12 AM
Last modified : 2/18/2004 8:55:28 PM

#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 4/25/2004 9:52:14 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 4/22/2004 11:37:56 AM
Last accessed : 4/25/2004 9:52:14 AM
Last modified : 7/13/2003 2:00:20 AM

#:25 [ctfmon.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:52:17 AM
BasePriority : Normal
FileSize : 8 KB
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
Copyright : Copyright (C) Microsoft Corporation. 1981-2001
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
OriginalFilename : CICLOAD.EXE
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 2/20/2001 5:09:54 PM
Last accessed : 4/25/2004 9:52:17 AM
Last modified : 2/20/2001 5:09:54 PM

#:26 [psfree.exe]
FilePath : C:\Program Files\Panicware\Pop-Up Stopper Free Edition\
ThreadCreationTime : 4/25/2004 9:52:17 AM
BasePriority : Normal
FileSize : 512 KB
FileVersion : 3, 1, 0, 1010
ProductVersion : 1, 0, 0, 1
Copyright : Copyright (C) 2002-2003
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
OriginalFilename : PSFree.exe
ProductName : Pop-Up Stopper Free Edition
Created on : 10/16/2003 6:40:27 PM
Last accessed : 4/25/2004 9:52:17 AM
Last modified : 4/29/2003 2:40:10 PM

#:27 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ThreadCreationTime : 4/25/2004 9:52:19 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
Copyright : Copyright
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
OriginalFilename : AcroTray.exe
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
Created on : 4/8/2004 1:40:26 PM
Last accessed : 4/25/2004 9:52:19 AM
Last modified : 3/15/2001 9:18:18 AM

#:28 [hpqtra08.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ThreadCreationTime : 4/25/2004 9:52:21 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 5.31.0.147
ProductVersion : 005.031.000.147
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
OriginalFilename : HPQTRA00.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 7/7/2003 5:20:40 AM
Last accessed : 4/25/2004 9:52:21 AM
Last modified : 7/7/2003 5:20:40 AM

#:29 [wincinemamgr.exe]
FilePath : C:\Program Files\InterVideo\Common\Bin\
ThreadCreationTime : 4/25/2004 9:52:23 AM
BasePriority : Normal
FileSize : 164 KB
FileVersion : 1.8.0
ProductVersion : 1, 8, 0, 0
Copyright : Copyright 1999-2003 InterVideo, Inc. All rights reserved.
CompanyName : InterVideo Inc.
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
OriginalFilename : WinCinemaMgr.EXE
ProductName : WinCinema Manager for InterVideo WinCinema products
Created on : 12/25/2003 1:32:24 AM
Last accessed : 4/25/2004 9:52:23 AM
Last modified : 10/3/2003 6:31:16 AM

#:30 [hptskmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\comp\
ThreadCreationTime : 4/25/2004 9:52:34 AM
BasePriority : Normal
FileSize : 124 KB
FileVersion : 1.76.0
ProductVersion : 1.76.0
Copyright : Copyright (C) Hewlett-Packard. 2002-2003
CompanyName : Hewlett-Packard Company
FileDescription : HP Task Management Component
InternalName : HP Task Management Component
OriginalFilename : HPTskMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 6/26/2003 10:50:24 PM
Last accessed : 4/25/2004 9:52:34 AM
Last modified : 6/26/2003 10:50:24 PM

#:31 [hpzipm12.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 4/25/2004 9:52:58 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 0
ProductVersion : 7, 0, 0, 0
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 4/12/2004 6:08:34 PM
Last accessed : 4/25/2004 9:52:58 AM
Last modified : 8/11/2003 8:07:38 AM

#:32 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 4/25/2004 9:53:09 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:14:40 AM
Last accessed : 4/25/2004 10:32:43 AM
Last modified : 8/29/2002 11:14:40 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : File
Data : awsetupc.cpy.dll
Category : Data Miner
Comment :
Object : C:\WINNT\system32\
FileSize : 301 KB
Created on : 4/25/2004 4:04:05 AM
Last accessed : 4/25/2004 10:35:27 AM
Last modified : 4/8/2004 2:36:08 PM




Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
999 entries scanned.
New objects :0
Objects found so far: 1




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2


6:42:56 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:03:51:102
Objects scanned :53341
Objects identified :2
Objects ignored :0
New objects :2
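The hosts file scan in the log above reports one redirected entry. As an added example (not part of the thread, the Ad-aware log or any Lavasoft tool), here is a small Python check that reads a Windows hosts file and reports entries mapping search hostnames away from loopback, also flagging any other hostname that shares the same redirect address; the sample file, its watch list and the 203.0.113.10 placeholder address are constructed.

```python
"""Report hosts-file entries that redirect search hostnames off loopback.

Added example for this thread, not part of the Ad-aware log or any Lavasoft
tool. The hosts file below is constructed; 203.0.113.10 is a documentation
address standing in for a real redirect target.
"""
import ipaddress
from typing import List, Tuple

# Hostnames a hosts file has no legitimate reason to map to a remote address
# (constructed watch list; extend it with the names your environment cares about).
WATCHED_HOSTNAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one pair per hostname on each line.

    Comments and blank lines are skipped; a line whose first field is not an
    IP address is skipped too, so a damaged file does not abort the check.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        pairs.extend((addr, name.lower()) for name in fields[1:])
    return pairs


def find_hijacks(text: str) -> List[str]:
    """Return 'address:hostname' strings for every suspicious entry.

    A watched hostname mapped anywhere but loopback marks its address as a
    redirect target; every hostname mapped to such an address is then reported,
    since one redirect address is usually reused for several names.
    """
    pairs = parse_hosts(text)
    bad_addresses = {
        addr for addr, name in pairs
        if name in WATCHED_HOSTNAMES and not ipaddress.ip_address(addr).is_loopback
    }
    return [f"{addr}:{name}" for addr, name in pairs if addr in bad_addresses]


# Constructed sample hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net          # blocking a site via loopback is fine
203.0.113.10    ieautosearch
203.0.113.10    auto.search.msn.com search.netscape.com
203.0.113.10    www.example.com          # not watched, but shares the bad address
10.0.0.5        intranet.example         # private address, unwatched name
"""

if __name__ == "__main__":
    for entry in find_hijacks(SAMPLE_HOSTS):
        print("Possible hosts file hijack:", entry)
```

On a Windows 2000 box the file to feed in is C:\WINNT\system32\drivers\etc\hosts, as in the scan header above.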
 
Joined
Jul 26, 2002
Messages
46,353
You have the Look2Me parasite.

Start with these steps:
Download:

http://download.broadbandmedic.com/VbStuff/VX2Finder.exe

Run VX2Finder.exe and click the FindVX2 button. It will display a list of what it found. Now click the Log button. The log should open in Notepad. Copy and post its contents.
(It is saved by default to your %User%\Local Settings\Temp directory.)

Next, go here:

http://www10.brinkster.com/expl0iter/freeatlast/dumprights.htm

Download the DumpRights.exe & Privilege.exe files and the ProcessFinder (tool).

UnZip the files.


First, double-click on the tool.bat file found inside the ProcessFinder (tool).
*It'll generate a report. Copy and post it here.

Next, run both the 'Privilege.exe' and 'DumpRights.exe' tools.
In 'Privilege', check for the location of this string:
"SeDebugPrivilege->(Debug Programs)"
It should appear in one of the columns:
->'privileges that you have...'
or ->'privileges that you don't...'
*Post that info as well (which column).

In 'DumpRights', check for the same string:
'SeDebugPrivilege'; whether it contains a "+" sign and
can be expanded..
--Or not!
*Post that info as well.
 

bdbmog

Thread Starter
Joined
Apr 23, 2004
Messages
55
Hi flrman1,
Here are the items, in the order you wanted me to post them.

Thank-you for helping.
bdbmog

-----------------------------------------------------------

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\awsetupc.cpy.dll
C:\WINNT\system32\awsetupc.dll

Guardian Key---
Asynchronous 000
DllName C:\WINNT\system32\awsetupc.dll
Impersonate 000
Logon WinLogon
Version 122
ID {E73CFD2D-B492-45B7-9213-B918090B76C1}
IDex N1

User Agent String---
{E73CFD2D-B492-45B7-9213-B918090B76C1}

--------------------------------------------------------------------

DiamondCS Commandline Retrieval Tool for Windows NT4/2K/XP
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au
---
8 - Ÿ
<Error> Unable to read memory from PID 8
152 - \SystemRoot\System32\smss.exe
<Error> Unable to read memory from PID 152
200 - \??\C:\WINNT\system32\winlogon.exe
winlogon.exe
228 - C:\WINNT\system32\services.exe
C:\WINNT\system32\services.exe
240 - C:\WINNT\system32\lsass.exe
C:\WINNT\system32\lsass.exe
456 - C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost -k rpcss
480 - C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\spoolsv.exe
512 - C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
532 - C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\hidserv.exe
568 - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
596 - C:\Program Files\Norton AntiVirus\navapsvc.exe
"C:\Program Files\Norton AntiVirus\navapsvc.exe"
648 - C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\nvsvc32.exe
688 - C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\regsvc.exe
712 - C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MSTask.exe
736 - C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\stisvc.exe
844 - C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
892 - C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe -k wugroup
760 - C:\WINNT\Explorer.EXE
C:\WINNT\Explorer.EXE
1228 - C:\PROGRA~1\NORTON~1\navapw32.exe
"C:\PROGRA~1\NORTON~1\navapw32.exe"
1252 - C:\WINNT\system32\dla\tfswctrl.exe
"C:\WINNT\system32\dla\tfswctrl.exe"
1256 - C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
"C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe"
1276 - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
1208 - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
1340 - C:\WINNT\system32\ctfmon.exe
"C:\WINNT\system32\ctfmon.exe"
1368 - C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
"C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
1376 - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
"C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"
1428 - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"
1452 - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
"C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
1704 - C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
"C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe" -Embedding
1436 - C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\HPZipm12.exe
1308 - c:\Program Files\PestPatrol\ppcontrol.exe
"c:\Program Files\PestPatrol\ppcontrol.exe"
288 - C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1220 - C:\Documents and Settings\Bruce Bennett.MAIN\Local Settings\Temporary Internet Files\Content.IE5\AJCBT2NA\VX2Finder[1].exe
"C:\Documents and Settings\Bruce Bennett.MAIN\Local Settings\Temporary Internet Files\Content.IE5\AJCBT2NA\VX2Finder[1].exe"
848 - C:\WINNT\system32\cmd.exe
cmd /c ""C:\Documents and Settings\Bruce Bennett.MAIN\Desktop\ProcessFinder\tool.bat" "

-----------------------------------------------------------------------

SE Debug Privilege is in Privileges that you don't have

--------------------------------------------------------------------

In DumpRights, it does not have a + sign
 
Joined
Jul 26, 2002
Messages
46,353
Ok here's what you need to do:

You will need to get KillBox ver.2.00.0179 from here http://download.broadbandmedic.com/VbStuff/KillBox.zip, so download that and keep it handy; we will need it to remove the Look2Me files. (Unzip the files to your Desktop.)

1.) From Control Panel>>Administrative Tools>>Local Security Policy & Under Local Profiles>>User Rights Assignment...and on the right side look for Debug Programs>>Right Click>>Select Properties.

2.) Click Add User or Group, and when the next window opens, click the Object Types button and put a check in the box for Groups. Click OK.

3.) That window will close; in the one you are left with, click Advanced, and in the next window click Find Now.
*Look under Name (RDN) for Administrators, select it, and click OK.

4.) Administrators should show up in the box beside "Check Names". Just click OK, then that window will close, and the next window, under the only tab "Local Security Setting", should have Administrators listed in it. If it does, click Apply, then OK again.

Here's a ScreenShot of what you should have.

http://www.broadbandmedic.com/download/VbStuff/images/Pol.JPG

Here's a screenshot of what an infected system looks like:

http://www.broadbandmedic.com/download/VbStuff/images/NFG.JPG

With a reboot that fixes that.
*Make sure you reboot!


After rebooting...
Close all open Windows, open KillBox and under Fix L2M click Kill VX2.BetterInternet.
Your Computer will Shut down..
On rebooting, the 2 files will be deleted.

*The Problem
Because we accessed these .dll files, they will have corrupted the User Rights Assignment again, but no big deal.
Repeat the Process of Adding the Administrators Group to the Debug Programs again, and since the offending files are gone, this time those settings will stay put.


Things to do with Killbox after removing these files:
1.)Click Find>>Find VX2.BetterInternet
*Nothing should show up in the next window; if it does, you are still infected. But if clean, then...

2.)Click Find>>User Agent String, click on the CLSID key, and under Action>>Delete User Agent String

3.)Click Fix L2M>>Import L2M.reg to remove various registry keys set by the software.

Run Ad-aware using an Updated reference file to remove anything else I missed.
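The user-rights steps above restore the Debug Programs right to the Administrators group, and the post warns that the infection strips it again. As an added example (not from the thread, from KillBox or from any of the tools it names), here is a Python check over a security template of the kind written by `secedit /export /cfg <file>`; the `[Privilege Rights]` layout with comma-separated `*SID` holders is assumed from that tool's INF format, and both templates below are constructed.

```python
"""Check whether BUILTIN\\Administrators still holds the Debug Programs right.

Added example for this thread, not part of it and not a KillBox feature.
Input is assumed to be a security template as exported by
'secedit /export /cfg <file>': an INI-style file whose [Privilege Rights]
section lists each right with comma-separated '*SID' holders.
"""
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
DEBUG_RIGHT = "SeDebugPrivilege"     # listed as "Debug Programs" in Local Security Policy


def parse_privilege_rights(template: str) -> Dict[str, List[str]]:
    """Map each right in [Privilege Rights] to its list of holders.

    Holders are SIDs with the leading '*' removed; bare account names are
    kept as written. A right absent from the section is absent from the map.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = holders
    return rights


def debug_programs_status(template: str) -> str:
    """Return 'ok', 'stripped' or 'missing' for the Debug Programs right.

    'stripped': the right is listed but Administrators is not a holder, the
    state the steps above repair. 'missing': no entry at all, so nobody
    holds the right. 'ok': Administrators is a holder.
    """
    holders = parse_privilege_rights(template).get(DEBUG_RIGHT)
    if holders is None:
        return "missing"
    return "ok" if ADMINISTRATORS_SID in holders else "stripped"


# Constructed templates: a healthy assignment and one with Administrators removed.
HEALTHY_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""
STRIPPED_TEMPLATE = HEALTHY_TEMPLATE.replace(
    "SeDebugPrivilege = *S-1-5-32-544", "SeDebugPrivilege ="
)

if __name__ == "__main__":
    print("healthy :", debug_programs_status(HEALTHY_TEMPLATE))
    print("stripped:", debug_programs_status(STRIPPED_TEMPLATE))
```

Running the check before and after the reboot the post calls for shows whether the assignment stuck, which is the test the post describes doing by eye in Local Security Policy.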
 