Options
Searchweb2; I'm continually reinfected
I have to say that your OmegaKiller for Searchweb2 problems is absolutely fantastic:Thank You!
However I am now getting reinfected every time I run it and it is slowly and surely driving me mad.
I am running Windows XP Home SR2 and I have updated and run both Adaware and Spybot just before starting this thread. They were clean apart from DSO Exploit which I have "ignored" as instructed.
I have run HijackThis before and removed a lot of questionable looking files. However searchweb2 keeps coming back and Spybot is continually generating requests to change my SeachAssistant to a randomly generated web address which I continually deny.
Here is my HJT log; anything you can advise me to do to help will be very much appreciated, many thanks, Robin:
Logfile of HijackThis v1.98.2
Scan saved at 09:07:49, on 23/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EPSON\SMART PANEL\SmaPanel.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\Robin\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Atomaxis] C:\PROGRA~1\BOLDPL~1\Vc upload obj.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DataViz Messenger.lnk.disabled
O4 - Global Startup: EPSON SMART PANEL.lnk = C:\Program Files\EPSON\SMART PANEL\SmaPanel.exe
However I am now getting reinfected every time I run it and it is slowly and surely driving me mad.
I am running Windows XP Home SR2 and I have updated and run both Adaware and Spybot just before starting this thread. They were clean apart from DSO Exploit which I have "ignored" as instructed.
I have run HijackThis before and removed a lot of questionable looking files. However searchweb2 keeps coming back and Spybot is continually generating requests to change my SeachAssistant to a randomly generated web address which I continually deny.
Here is my HJT log; anything you can advise me to do to help will be very much appreciated, many thanks, Robin:
Logfile of HijackThis v1.98.2
Scan saved at 09:07:49, on 23/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EPSON\SMART PANEL\SmaPanel.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\Robin\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Atomaxis] C:\PROGRA~1\BOLDPL~1\Vc upload obj.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DataViz Messenger.lnk.disabled
O4 - Global Startup: EPSON SMART PANEL.lnk = C:\Program Files\EPSON\SMART PANEL\SmaPanel.exe
0
Comments
First of all, I want you to download the following file:
www.dyskinetic.com/stuffs/process.zip ...
Unzip the files to a folder named PV. Then run the proc.bat file by double clicking it. Wait a few moments while it works. Then you should see a file called process.txt appear in the directory. Take that text file, and e-mail it to me, using the e-mail address I will send you by PM. I will forward that on to Mondi, who is actively studying this new variant problem.
After you have done that, let's try to fix your problem manually.
Please make sure that HijackThis.exe is in its own folder, as explained here. You currently have HJT running from a Temp folder, which indicates that you are running it straight out of the Zip file. You need to right-click the ZIP file, and EXTRACT the contents to a folder called C:\HJT.
Set your system to Show Hidden Files and folders.
For Windows XP or ME, Disable System Restore.
Reboot into Safe Mode.
Run Hijack This. FIX THE FOLLOWING:
**************
O4 - HKLM\..\Run: [Atomaxis] C:\PROGRA~1\BOLDPL~1\Vc upload obj.exe
**************
Stay in Safe mode, manually locate that exe file in the entry above, and quarantine them.
Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things looks clean, re-enable your system restore and set a new restore point.
Dexter...