
sspMydoom.cih

Discussion in 'Virus & Other Malware Removal' started by cris61, Feb 4, 2005.

  1. cris61

    cris61 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    11
    Recently, my computer seems to have been attacked by some sort of trojan horse, virus, or nasty spyware. Every time I open Internet Explorer, I am taken to a website called Home Search, and a Microsoft Internet Explorer window that says " Windows detected spy software "sspMydoom.cih" ver.2.018. somebody is trying to access you through port ***. Click "OK" for info on how to remove this spy software." If I click OK, it takes me to "http://www.onemoresearch.net/spyware/index.php?pin=44768&qq=spyware". I have Norton AntiVirus 2003 with all the latest updates, I ran Spybot - Search and Destroy, and I downloaded and ran a Symantec program I found at "http://securityresponse.symantec.com/avcenter/venc/data/[email protected]" but it said whatever it looks for was not found on my computer. Also, every time I try to change my home page, it changes back to the Home Search page. I tried researching this program that seems to be infecting my computer, but so far it seems to be relatively new, and no one has been able to fix it. I also have temporarily turned off my Windows restore. I have faith though that there are enough smart people who wish to do good and help people like me, and so others can read this thread and fix their problem. Let me give you my system specs.
    I have Windows XP Professional with SP2 installed.
    I have downloaded all critical updates for Windows and virus protection software.
    I have cable internet service.
    I don't know if this will help you, but I run an AMD 64 3400+ 939-pin, an Asus A8V motherboard, a large hard drive, 512 MB of DDR RAM, and a GeForce FX 5700LE.
    As for my experience, I do not usually find myself on the internet, but I have worked with computers since middle school. (I'm in college now.)
    I hope someone out there is up for the challenge. I promise to be patient and respectful, and I only expect the same in return. Thank you.
     
  2. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Hello cris61 and Welcome to TSG! :D

    Download Ad-Aware SE from here:
    http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

    Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

    Download Spybot S&D from here:
    http://users.skynet.be/fa936042/spybotsd13.exe

    Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

    Download SpywareBlaster from here:
    http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

    Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.

    Download CWShredder from here:
    http://cwshredder.net/bin/CWSInstall.exe

    Install and run CWShredder. Click on "Check for Update" and download the latest updates. Next, click on "Fix". Exit out of CWShredder.

    Restart your computer.

    Download HijackThis from here:
    http://www.click-now.net/cgi-bin/download.pl?file=0965

    Run HijackThis and choose "Do a system scan and save log file".

    Post the HijackThis log on this thread.
     
  3. cris61

    cris61 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    11
    Thank you for your quick response. I downloaded and ran all the programs you listed. After that I restarted my computer like you said, and the programs loaded, scanned, and fixed any issues before load up. Here is the log file. Once again, thank you. Cris.

    Logfile of HijackThis v1.99.0
    Scan saved at 4:18:23 AM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\netjz.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\MULTI-~1\MMKey.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\addht32.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe
    C:\WINDOWS\system32\Dqkoad.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\ZipGenius 5\zipgenius.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\ZGTemp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4CAA193E-F9F0-5C3A-BE38-36A7FC5DBE10} - C:\WINDOWS\system32\ipfk.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Multi-Media Keyboard] C:\PROGRA~1\MULTI-~1\MMKey.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
    O4 - HKLM\..\Run: [73.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001
    O4 - HKLM\..\Run: [98.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe 0 10001
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
    O4 - HKLM\..\Run: [73.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Hepzdp.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Dqkoad.exe
    O4 - HKLM\..\Run: [98.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe 0 10001
    O4 - HKLM\..\RunOnce: [netjz.exe] C:\WINDOWS\system32\netjz.exe
    O4 - HKCU\..\Run: [ResChanger2004] NONE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a839ee16/enter.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104545600363
    O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} (One2One Viewer) - http://www.one2one.com/static/class/one2one.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)
     
  4. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
    Find and "End Process" the following process:
    netjz.exe

    Turn off System Restore by right-clicking on My Computer and choosing "Properties". Click on the "System Restore" tab and put a tick next to "Turn System Restore off". Click "OK".

    Go to My Computer and click on "Tools" then "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is enabled. Click "OK".

    Find and delete the following file:
    C:\WINDOWS\system32\netjz.exe

    Open Internet Explorer and at the top click on "Tools" and choose "Internet Options". Click on the "Advanced" tab and untick "Enable third-party browser extensions". Click on "Apply" then "OK".

    Run HijackThis and fix the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {4CAA193E-F9F0-5C3A-BE38-36A7FC5DBE10} - C:\WINDOWS\system32\ipfk.dll

    O4 - HKLM\..\Run: [73.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001

    O4 - HKLM\..\Run: [98.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe 0 10001

    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe

    O4 - HKLM\..\Run: [73.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001

    O4 - HKLM\..\Run: [98.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe 0 10001

    O4 - HKLM\..\RunOnce: [netjz.exe] C:\WINDOWS\system32\netjz.exe

    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)


    Download DelDomains from here:
    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right-Click and select "Install". This will get rid of the O15 entries in HijackThis.

    Restart your computer and post a fresh HijackThis log back on this thread.
     
  5. cris61

    cris61 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    11
    I have encountered trouble deleting the file netjz.exe. I have restarted my computer and closed all IE windows. Should I continue with the fix, or do I need to delete in the order you listed? Every time I try to delete it, it says access is denied.
     
  6. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Did you "End Process" netjz.exe before trying to delete it?

    I would suggest restarting your computer into Safe Mode and do everything in my previous post.

    If you cannot get rid of netjz.exe, then just carry on to the next step.
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Unfortunately it won't delete doing it that way or fix the problem at all. It will all come back as soon as you reboot because half the files have been missed.

    First YOU MUST move HJT from a temporary folder and place it in its own folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder or in the root of C: or get scattered all over the desktop, and we need to empty the temp folders to remove the hijackers, and when we remove the temporary files we will also delete HijackThis.

    Read all these instructions carefully, Print them out and download all the things mentioned before starting

    First download CWShredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it. Do NOT run it yet.
    Also
    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

    Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now boot into safe mode

    How to start your computer in safe mode

    Run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "Fix checked".


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4CAA193E-F9F0-5C3A-BE38-36A7FC5DBE10} - C:\WINDOWS\system32\ipfk.dll

    O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
    O4 - HKLM\..\Run: [73.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001
    O4 - HKLM\..\Run: [98.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe 0 10001
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
    O4 - HKLM\..\Run: [73.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Hepzdp.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Dqkoad.exe
    O4 - HKLM\..\Run: [98.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe 0 10001
    O4 - HKLM\..\RunOnce: [netjz.exe] C:\WINDOWS\system32\netjz.exe
    O4 - HKCU\..\Run: [ResChanger2004] NONE

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a839ee16/enter.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.i...llInstaller.exe


    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)


    Now run Killbox and paste each of these lines into the box, select "Standard File Delete", then press the red X button and say yes to the prompt. Continue to paste the lines in turn and follow the above procedure every time.

    C:\WINDOWS\system32\d3ow.exe
    C:\WINDOWS\system32\netjz.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\98.tmp.exe
    C:\WINDOWS\system32\Dqkoad.exe
    C:\WINDOWS\system32\Hepzdp.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe
    C:\WINDOWS\system32\tibs5.exe
    C:\WINDOWS\addht32.exe
    C:\WINDOWS\system32\ipfk.dll
    C:\WINDOWS\hzowf.dll


    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Then run CWShredder.
    Close all browser windows, click on the cwshredder.exe, then click "FIX" (Not "Scan only") and let it do its thing.


    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Then go to Start > Run and type %temp% in the Run box, press OK. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    Then go to C:\windows\temp and select EVERYTHING except the Temporary Internet Files, Cookies and History folders and delete all that, and then do the same for C:\temp.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Run adaware

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the Ad-Aware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main Ad-Aware scan and follow its directions.
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "Select All" from the drop-down menu.) Then press Next and say yes to the prompt "Do you want to remove all these entries?".

    NOW REBOOT

    Run an online antivirus check from
    http://housecall.trendmicro.com/

    Make sure autoclean is ticked

    reboot again

    These hijackers are known to alter or delete certain files so check this out please:

    Download the Hoster from here. Unzip the file and run Hoster, then press "Restore Original Hosts" and press "OK". Exit the program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

    Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.


    control.exe may have been deleted.
    See if control.exe is present in C:\winnt\system32

    If control.exe isn't there, go here, and download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.


    Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on the desktop.
    Right-click the file and select "Install"; that will reset the trusted zone domains that have been wrongly placed there.

    Then post a new HijackThis log to check, please.

    Then, along with the HJT log, please also do this:

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
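    As an added example that is not part of this thread and not HijackThis code, here is a small Python triage script that encodes the rules dvk01 and crushbone applied by eye to the log above, so a log of this shape can be checked mechanically (the entry patterns, reason strings and function names are my own assumptions; the sample lines are copied from cris61's first log, with one clean entry of each type kept to show what is not flagged). O16 ActiveX downloads are left out because judging those needs a reputation lookup the script does not do.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted earlier in
# this thread, plus one legitimate entry per section for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CAA193E-F9F0-5C3A-BE38-36A7FC5DBE10} - C:\WINDOWS\system32\ipfk.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [73.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\73.tmp.exe 1 10001
O4 - HKLM\..\RunOnce: [netjz.exe] C:\WINDOWS\system32\netjz.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4 ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Autorun targets inside a user's Temp folder, or the <n>.tmp.exe naming this variant used.
TEMP_PATH_RE = re.compile(r"\\(temp|locals~1)\\|\.tmp\.exe", re.I)


def check_entry(kind, body):
    """Return a reason string when the entry matches one of the hijack patterns
    the helpers acted on in this thread, otherwise None (hypothetical rule set)."""
    if kind in ("R0", "R1") and "= res://" in body:
        # Start/search page redirected into an HTML resource inside a local DLL
        return "IE start/search page points at a local res:// DLL resource"
    if kind == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook has been removed"
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    if kind == "O4":
        if TEMP_PATH_RE.search(body):
            return "autorun target lives in a Temp folder"
        if "\\RunOnce:" in body:
            return "RunOnce autorun (this variant re-seeds itself through RunOnce)"
    if kind == "O15":
        # The thread removes every O15 entry; legitimate ones are rare on a home PC
        return "trusted zone / trusted IP range entry added by the hijacker"
    if kind == "O23" and ("(file missing)" in body or " - Unknown - " in body):
        return "service with unknown publisher or missing binary"
    return None


def triage(log_text):
    """Parse HijackThis lines and return [(line, reason)] for flagged entries."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes:" block, blank lines
        reason = check_entry(m.group("kind"), m.group("body"))
        if reason:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```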
     
  8. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
  9. cris61

    cris61 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    11
    Ok, I'm glad I have two people helping me, but it makes it a bit more confusing for me to follow two sets of directions. Crushed bone dust, I am willing to give the other option a try if you think it will work. If you have something in mind, let me know and I'll finish what we started. If it doesn't work, I can try the other option. Please advise.
     
  10. cris61

    cris61 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    11
    Here are the results after I deleted and fixed what you said, and restarted.

    Logfile of HijackThis v1.99.0
    Scan saved at 6:06:30 AM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\addht32.exe
    C:\WINDOWS\system32\Dqkoad.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\winyk32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ZipGenius 5\zipgenius.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\ZGTemp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E2D21C40-4D0E-92DA-315E-5394C622B623} - C:\WINDOWS\system32\nettq.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Multi-Media Keyboard] C:\PROGRA~1\MULTI-~1\MMKey.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Hepzdp.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Dqkoad.exe
    O4 - HKLM\..\RunOnce: [msey32.exe] C:\WINDOWS\msey32.exe
    O4 - HKLM\..\RunOnce: [winyk32.exe] C:\WINDOWS\system32\winyk32.exe
    O4 - HKLM\..\RunOnce: [ntra.exe] C:\WINDOWS\ntra.exe
    O4 - HKCU\..\Run: [ResChanger2004] NONE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/a839ee16/enter.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104545600363
    O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} (One2One Viewer) - http://www.one2one.com/static/class/one2one.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)
     
  11. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    If you want to fix your problem then please follow dvk01's exact instructions :)
     
  12. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706

    Yes, please follow Derek's instructions. Crushbone's method, unfortunately, WILL NOT fix your problem here.
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    OK, some new ones have appeared, as well as a lot of the old ones having come back, which is usual when only a partial removal takes place, so

    Read all these instructions carefully, Print them out and download all the things mentioned before starting

    First download CWshredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it, DO not run it yet
    Also
    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now boot into safe mode

    How to start your computer in safe mode

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hzowf.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {E2D21C40-4D0E-92DA-315E-5394C622B623} - C:\WINDOWS\system32\nettq.dll
    O
    O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Hepzdp.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Dqkoad.exe
    O4 - HKLM\..\RunOnce: [msey32.exe] C:\WINDOWS\msey32.exe
    O4 - HKLM\..\RunOnce: [winyk32.exe] C:\WINDOWS\system32\winyk32.exe
    O4 - HKLM\..\RunOnce: [ntra.exe] C:\WINDOWS\ntra.exe
    O4 - HKCU\..\Run: [ResChanger2004] NONE
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)




    now run killbox and paste each of these lines into the box, select standard file delete then press the red X button, say yes to the prompt, then continue to paste the lines in, in turn, and follow the above procedure every time,

    C:\WINDOWS\system32\d3ow.exe
    C:\WINDOWS\ntra.exe
    C:\WINDOWS\system32\winyk32.exe
    C:\WINDOWS\msey32.exe
    C:\WINDOWS\system32\Dqkoad.exe
    C:\WINDOWS\system32\Hepzdp.exe
    C:\WINDOWS\addht32.exe
    C:\WINDOWS\system32\nettq.dll
    C:\WINDOWS\hzowf.dll

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    then Run Cwshredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    then Go to Start > Run and type %temp% in the Run box, press OK. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Run adaware

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main adaware scan and follow its directions
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    NOW REBOOT

    download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
    right click the file and select install, that will reset the trusted zone domains that have been wrongly placed there

    Run an online antivirus check from
    http://housecall.trendmicro.com/

    Make sure autoclean is ticked

    reboot again

    These hijackers are known to alter or delete certain files so check this out please:

    Download the Hoster from here. UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go here, and download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

    then
    please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your posts here, then press the browse button and navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with)

    Files to submit:

    Anything inside the C:\!submit folder which is where killbox should have made copies of all the files it deleted

    Then post a new hijackthis log to check please

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  14. cris61

    cris61 Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    11
    My apologies to you, but I seem to have made an error and changed the results of the log file, because when I looked for the specific entries they were changed. I'm sorry for the inconvenience, I'll make sure to be more careful in the future. Here is the new log file. Once again, I'm deeply sorry.

    Logfile of HijackThis v1.99.0
    Scan saved at 12:34:51 AM, on 2/6/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\ietx32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MULTI-~1\MMKey.exe
    C:\WINDOWS\addht32.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\F.tmp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\DOCUME~1\Chris\LOCALS~1\Temp\ZGTemp\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - C:\WINDOWS\system32\winro32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Multi-Media Keyboard] C:\PROGRA~1\MULTI-~1\MMKey.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\F.tmp.exe 1 10001
    O4 - HKLM\..\Run: [F.tmp.exe] C:\DOCUME~1\Chris\LOCALS~1\Temp\F.tmp.exe 1 10001
    O4 - HKLM\..\RunOnce: [ietx32.exe] C:\WINDOWS\ietx32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)
     
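The two logs cris61 posted show the pattern dvk01 is working around: the search-page hijack and the unnamed BHO come back under fresh random file names (hzowf.dll becomes gswmq.dll, nettq.dll becomes winro32.dll) while a few entries persist unchanged. The Python script below is an added example, not part of this thread and not a tool from Tech Support Guy or HijackThis. It parses HijackThis-style log lines, flags the entry types this CWS variant abuses (res:// search pages, unnamed BHOs, autoruns from the Windows root or a Temp folder, Trusted Zone additions, services with a missing file), and compares two logs to separate entries that vanished, persisted, or appeared. The sample logs are constructed from lines quoted in this thread; the regular expressions and the reason strings are this example's own heuristics and are a triage aid, not a verdict (dvk01's fix list, for instance, also names system32 executables that these rules do not catch).

```python
"""Triage helper for HijackThis logs (added example, not the forum's or HijackThis's code)."""
import re

# Constructed sample: entries copied from the first log in this thread.
LOG_FIRST = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hzowf.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {E2D21C40-4D0E-92DA-315E-5394C622B623} - C:\WINDOWS\system32\nettq.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
O4 - HKLM\..\RunOnce: [ntra.exe] C:\WINDOWS\ntra.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)
"""

# Constructed sample: entries copied from the re-posted log after the partial clean-up.
LOG_SECOND = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gswmq.dll/sp.html#44768
O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - C:\WINDOWS\system32\winro32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [addht32.exe] C:\WINDOWS\addht32.exe
O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\Chris\LOCALS~1\Temp\F.tmp.exe 1 10001
O4 - HKLM\..\RunOnce: [ietx32.exe] C:\WINDOWS\ietx32.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\d3ow.exe (file missing)
"""

# Heuristics (this example's own, modelled on the entries dvk01 ticked for fixing).
ENTRY = re.compile(r"^([RFNO]\d+) - ")                 # HijackThis section tag, e.g. R1, O4, O23
RES_DLL = re.compile(r"=\s*res://.*\.dll/", re.I)       # start/search page served from a local DLL
WIN_ROOT = re.compile(r"C:\\WINDOWS\\[^\\]+\.(?:exe|dll)\b", re.I)  # file directly in C:\WINDOWS
TEMP_DIR = re.compile(r"\\Temp\\", re.I)                # autorun target inside a Temp folder


def parse(log):
    """Yield (section, line) for each HijackThis entry; header and process lines are skipped."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group(1), line


def flag(section, line):
    """Return a reason string if the entry matches an indicator used in this thread, else None."""
    if section in ("R0", "R1") and RES_DLL.search(line):
        return "search/start page points at a local DLL resource"
    if section == "O2" and "(no name)" in line:
        return "unnamed BHO"
    if section == "O4":
        if TEMP_DIR.search(line):
            return "autorun from a Temp folder"
        if WIN_ROOT.search(line):
            return "autorun from the Windows root"
        if "RunOnce" in line:
            return "HKLM RunOnce entry (re-installs on next boot)"
    if section == "O15":
        return "Trusted Zone / IP range added"
    if section == "O23" and ("(file missing)" in line or " - Unknown - " in line):
        return "service with missing file or unknown vendor"
    return None


def triage(log):
    """Return [(section, reason, line)] for every flagged entry in a log."""
    hits = []
    for section, line in parse(log):
        reason = flag(section, line)
        if reason:
            hits.append((section, reason, line))
    return hits


def compare(before, after):
    """Split flagged entries into (gone, persisting, new) between two logs.

    Entries that disappear and come back under a new random name are the
    partial-removal effect dvk01 describes; persisting ones survived the attempt.
    """
    b = {line for _, _, line in triage(before)}
    a = {line for _, _, line in triage(after)}
    return sorted(b - a), sorted(b & a), sorted(a - b)


if __name__ == "__main__":
    for section, reason, line in triage(LOG_SECOND):
        print(f"{section:<4} {reason:<50} {line[:60]}")
    gone, kept, new = compare(LOG_FIRST, LOG_SECOND)
    print(f"\n{len(gone)} gone, {len(kept)} persisting, {len(new)} new after the partial clean-up")
```

Run on the two constructed logs, the comparison reports three flagged entries gone, two persisting (addht32.exe and the d3ow.exe service) and six new, which is the churn visible between cris61's two posts. The script only reads text; it changes nothing on the machine, which is the point of doing triage on a log before touching the registry.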
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    It isn't your fault; that happens when an attempt is made to remove this pest

    I think we might have to do the fixes a different way around with this one
    do this first please
    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
Short URL to this thread: https://techguy.org/326608