The usual plea for help

Hello. I have just stumbled upon your site, and am experiencing hope renewed. I am a relative amateur who has had enough PC troubles and gone through the hours of fixes to know enough to be, as they say, dangerous. Yes, I have deleted system files, and I don't want to do that again!
I have got a hijacker that wants my modem to let it call tajikistan. It changes my user name, password and dial up number. I have loaded AVG, updated, found and deleted a Trojan horse. I have updated and run Adaware, found some junk, deleted. Updated and ran spybot, some alexa stuff, deleted. I got a disk from a friend and loaded McAfee, I believe, virus scan on demand, and it won't let me download hijack this. It keeps coming up that it is a worm, or perhaps it is correct and the download is infected? Any fonts of wisdom would be appreciated. I am already considering throwing my Dell into the creek behind my house and buying a MAC. Thanks to any who offer assistance. dc

Comments

  • profdlp The Holy City Of Westlake, Ohio
    edited October 2005
    If you send me a PM with an email address (don't post it publicly!) I'll send you a copy of HijackThis as a zipped email attachment. Hopefully that will get past your downloading troubles. :)

    Watch your Private Message Inbox (in your UserCP area) for notification that my email is on its way, that way you'll know the message is legitimate. :)
  • edited October 2005
    Thanks for your quick replies. I got hijack to run off the cd. Still can't get McAfee to accept it, but don't need to. I think I can guess what I need to delete, but could use help being sure. Thanks again. dc


    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:52 AM, on 10/23/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\fxredir.exe
    C:\Program Files\Caere\OmniPagePro90\opware32.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\WebRunner Accelerator\wrcore.exe
    C:\WINDOWS\system32\usbn.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Money\System\Money Express.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Nikon\NkView5\NkvMon.exe
    C:\Program Files\WebRunner Accelerator\wrgui.exe
    C:\WINDOWS\System32\svchost.exe
    D:\CNS\SPYWARE UTILITIES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.frognet.net/search.php"); (C:\Documents and Settings\KIM\Application Data\Mozilla\Profiles\default\61a3hiq9.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\KIM\Application Data\Mozilla\Profiles\default\61a3hiq9.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\WebRunner Accelerator\PBHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: WebRunner Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\WebRunner Accelerator\Toolband.dll
    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first
    O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
    O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\WebRunner Accelerator\wrcore.exe"
    O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Global Startup: WebRunner Accelerator.lnk = C:\Program Files\WebRunner Accelerator\wrgui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
  • edited October 2005
    thanks. I got it to run off the CD. On to the next step. Deleting the bastard, and flying to Pakistan and blowing up someone's computer! dc
  • Trogan London, UK
    edited October 2005
    Do you still want help? There are some things in your log that are unwanted.
  • edited October 2005
    Yes. I still need help. I simply got past the struggle of getting hijack this to run past McAfee on my computer. Now, I've got the list, I don't know the first thing about what is what. thanks. dc
  • Trogan London, UK
    edited October 2005
    I'm not sure why HJT is on your D: but please move HJT to its own folder on your C: so backups can be created. Do this before continuing.
    ===

    Check the following in HJT and click 'Fix Checked'

    O3 - Toolbar: WebRunner Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\WebRunner Accelerator\Toolband.dll

    O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w

    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab


    Do you know what WebRunner Accelerator and CallWave are?
    ===

    View hidden files and folders - explained here

    Go into Safe Mode - explained here
    ===

    Find and Delete the following:

    C:\WINDOWS\system32\usbn.exe << this file
    ===

    Reboot into Normal Mode and scan with the following:

    Panda Activescan

    There may be files that cannot be removed, post them here.
    ===

    Post a new HJT log :)
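    The items Trogan picked out of the log above (an autostart in system32 with odd switches, and a Downloaded Program File registered from a local file:// path) are the kind of thing a small triage script can surface automatically. The following is an added example, not part of this thread and not HijackThis's own code: it parses lines in the HijackThis v1.99.1 log format, then applies two constructed review heuristics. The sample log is a handful of lines copied from the posted log, the `KNOWN_SYSTEM32_AUTOSTARTS` allowlist is a deliberately short, constructed list, and the findings are candidates for a human to review, not verdicts (a legitimate entry such as NeroCheck.exe will be flagged simply because it is not on the allowlist).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines in HijackThis v1.99.1 log format, copied
# from the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
"""

# Constructed, intentionally short allowlist of Windows binaries that commonly
# autostart from system32. Anything else launched from there gets a review flag.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe", "userinit.exe"}

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")                     # "O4 - <detail>"
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]*\})(?: \((?P<name>[^)]*)\))? - (?P<src>.*)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # HJT section code, e.g. "O4" or "O16"
    detail: str    # everything after "Oxx - "


@dataclass
class Finding:
    section: str
    target: str    # path or URL the finding refers to
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT log lines into Entry records; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def extract_exe(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line.

    Handles quoted paths with spaces, unquoted paths followed by switches,
    and the doubled backslash that appears in some HJT output."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split(" ")[0]
    return path.replace("\\\\", "\\")


def triage(log_text: str) -> List[Finding]:
    """Apply the two review heuristics and return candidates for a human to check."""
    findings = []
    for e in parse_hjt(log_text):
        if e.section == "O16":
            m = O16_RE.match(e.detail)
            if m and m.group("src").lower().startswith("file://"):
                findings.append(Finding("O16", m.group("src"),
                    "Downloaded Program File registered from a local file:// path, not a web origin"))
        elif e.section == "O4":
            m = O4_RE.match(e.detail)
            if not m:          # Global Startup .lnk lines have no [name]; skip them
                continue
            exe = extract_exe(m.group("cmd"))
            filename = exe.rsplit("\\", 1)[-1].lower()
            if SYSTEM32_RE.match(exe) and filename not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(Finding("O4", exe,
                    f"Run-key autostart [{m.group('name')}] launches an unfamiliar binary from system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target}\n     -> {f.reason}")
```

    Run against the sample, the script reports the usbn.exe Run entry, the eied_s7.cab DPF entry and (as a false positive to be cleared by hand) NeroCheck.exe, while the quoted Program Files entries and the O3/O23 lines pass untouched. The point of splitting parsing from the heuristics is that the same `parse_hjt` output can feed other rules later, for instance re-checking a fresh log after a fix to confirm an entry really did not come back.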
  • edited October 2005
    thanks Trogan. We use a dial up modem and webrunner accelerator does just that. Speeds up our usually slow 56 kbps. Callwave is an internet answering service. We have only one phone line; rather than a busy signal, it takes a message, or gives the option of hanging up and taking the call.
    I did get rid of the usbn stuff, and installed some microsoft updates which seems to have solved the problem. Thanks for taking the time to look at it. It is much appreciated. dc
  • Trogan London, UK
    edited October 2005
    Do you want to mark this resolved? Or post a new HJT log for us to have a look? :)