spyware and strange search windows... please HELP with HJT log file
Hi again Short Media 
I was here some time ago and you helped me clean up my computer
thank you so much!
I wonder if I could ask your help once more, this time for my brother's computer. His PC has been taken over by adware, horrible pop-up windows and unknown search engines.
I ran CWShredder and Spybot, and they detected a few items that were cleaned.
I tried to run Ad-Aware SE, but every time I do it, it stops and the system gives me the message that it is going to end, and it reboots.
I went to those online antivirus scanners and...
Panda was ok, it detected lots of stuff and cleaned it.
But I couldn't go to the TrendMicro or Symantec online virus scan because every time I type the address in Internet Explorer, it takes me to that unknown search engine.
(In fact, it happens most of the time: I type the correct address up there but I'm taken to the search window, even though the correct address remains in the address box.)
I hope I'm making sense to you?
sorry
Here is the HJT log file after all that I described above:
Logfile of HijackThis v1.99.1
Scan saved at 0:48:47, on 18-04-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Norton Internet Security\NISUM.EXE
C:\Programas\Norton Internet Security\ccPxySvc.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Mixer.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Alves da Costa\Ambiente de trabalho\HijackThis.exe
C:\Programas\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O1 - Hosts: 66.250.57.252 google.com
O1 - Hosts: 66.250.57.252 msn.com
O1 - Hosts: 66.250.57.252 yahoo.com
O1 - Hosts: 66.250.57.252 altavista.com
O1 - Hosts: 66.250.57.252 www.google.com
O1 - Hosts: 66.250.57.252 www.msn.com
O1 - Hosts: 66.250.57.252 www.yahoo.com
O1 - Hosts: 66.250.57.252 www.altavista.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\5626K1~1.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [34763] Bogobot.exe
O4 - HKLM\..\Run: [NsCplTray] powerdll.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [seticlient] C:\Programas\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [driver64] 34763.exe
O4 - HKCU\..\Run: [stuffmon] sound64.exe
O4 - HKCU\..\Run: [SYSTRAV] zxc.exe
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {B2468236-9773-43D3-9230-47801911DD52} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B2468236-9773-43D3-9230-47801911DD52} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D9A98E2C-F44A-4195-8B45-377966DF592B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D9A98E2C-F44A-4195-8B45-377966DF592B} - (no file) (HKCU)
O15 - Trusted Zone: http://*.porno-search.biz/porn/
O15 - Trusted Zone: http://*.porno-search.biz/sex/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Filter: tœ†5ò!DÆR - {282632AA-1856-408B-8ED5-E7A8E2DDAB2B} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òˆEÆR - {E1A8D064-DDEC-4753-A04B-97E51671A304} - C:\WINDOWS\System32\qwsxp.dll
O20 - AppInit_DLLs: z16vhcp8jr17lhll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programas\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programas\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
Thank you so much in advance for all the help

Comments
Please download CWShredder but don't run it yet.
http://cwshredder.net/bin/CWSInstall.exe
Download Ad-aware SE from: http://www.majorgeeks.com/download506.html
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.
Make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O1 - Hosts: 66.250.57.252 google.com
O1 - Hosts: 66.250.57.252 msn.com
O1 - Hosts: 66.250.57.252 yahoo.com
O1 - Hosts: 66.250.57.252 altavista.com
O1 - Hosts: 66.250.57.252 www.google.com
O1 - Hosts: 66.250.57.252 www.msn.com
O1 - Hosts: 66.250.57.252 www.yahoo.com
O1 - Hosts: 66.250.57.252 www.altavista.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\5626K1~1.DLL
O4 - HKLM\..\Run: [34763] Bogobot.exe
O4 - HKLM\..\Run: [NsCplTray] powerdll.exe
O4 - HKCU\..\Run: [driver64] 34763.exe
O4 - HKCU\..\Run: [stuffmon] sound64.exe
O4 - HKCU\..\Run: [SYSTRAV] zxc.exe
O9 - Extra button: Microsoft AntiSpyware helper - {B2468236-9773-43D3-9230-47801911DD52} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B2468236-9773-43D3-9230-47801911DD52} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D9A98E2C-F44A-4195-8B45-377966DF592B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D9A98E2C-F44A-4195-8B45-377966DF592B} - (no file) (HKCU)
O15 - Trusted Zone: http://*.porno-search.biz/porn/
O15 - Trusted Zone: http://*.porno-search.biz/sex/
O18 - Filter: tœ†5ò!DÆR - {282632AA-1856-408B-8ED5-E7A8E2DDAB2B} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5òˆEÆR - {E1A8D064-DDEC-4753-A04B-97E51671A304} - C:\WINDOWS\System32\qwsxp.dll
O20 - AppInit_DLLs: z16vhcp8jr17lhll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Reboot your computer into Safe Mode
Now run CWShredder, making sure to click "Fix".
Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\System32\qwsxp.dll
C:\WINDOWS\System32\5626K1~1.DLL
C:\WINDOWS\System32\z16vhcp8jr17lhll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Bogobot.exe
powerdll.exe
34763.exe
sound64.exe
zxc.exe
Run a full scan with Adaware.
Reboot your computer to go back to normal mode.
Please download DLLCompare from here (unless you have downloaded it previously) http://downloads.subratam.org/DllCompare.exe
*Save it to your desktop and run it.
*Click 'Run Locate.com' to scan.
*When the scan has completed, click 'Compare'.
*When completed, click "Make a Log of What Was Found".
*Please Copy/Paste the entire contents of the logfile to this thread.
Note: If you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.
Also post a new hijackthis log.
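The log in the first post and the list of lines the reply above tells the poster to fix are the raw material for a triage pass. What follows is an added example, not code from this thread or from HijackThis: a small Python script that reads HJT-style entry lines and flags the same categories the reply singled out (hosts-file entries that send well-known domains to one non-loopback IP, an extra program chained after Explorer.exe in Shell=, a nameless BHO, Run entries that give a bare file name resolved through the PATH search, Trusted Zone additions, and a non-empty AppInit_DLLs value with stacked .dll extensions), and groups the O1 lines by IP to show why every address the poster typed landed on the same search page. The function names (`parse`, `triage`, `hosts_redirects`), the `Finding` class, the `expected_hosts` allowlist and the sample lines (copied from the log above) are my choices, not part of the original.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted at the top of
# this thread (the IP, domains, GUID and file names are the ones in that log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O1 - Hosts: 66.250.57.252 google.com
O1 - Hosts: 66.250.57.252 www.google.com
O1 - Hosts: 66.250.57.252 www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\5626K1~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [34763] Bogobot.exe
O4 - HKCU\..\Run: [SYSTRAV] zxc.exe
O15 - Trusted Zone: http://*.porno-search.biz/porn/
O20 - AppInit_DLLs: z16vhcp8jr17lhll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_ENTRY = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?:\s+\[[^\]]*\]\s+(?P<cmd>.+)$")
URL_SETTING = re.compile(r"=\s*(?P<url>\S+)\s*$")
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}  # legitimate hosts-file blocking targets


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Yield (section code, body) for every 'Rn - ...' / 'On - ...' entry line."""
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text, expected_hosts=frozenset()):
    """Flag entries in the categories the reply above singled out.

    expected_hosts: hostnames the owner actually chose as home/search pages
    (here www.sapo.pt); any other R0/R1 target is reported for review.
    These are review hints, not verdicts."""
    findings = []
    for sec, body in parse(log_text):
        line = f"{sec} - {body}"
        if sec in ("R0", "R1"):
            m = URL_SETTING.search(body)
            if m and m.group("url") != "about:blank":
                host = urlparse(m.group("url")).hostname
                if host not in expected_hosts:
                    findings.append(Finding(sec, f"start/search URL points at {host}", line))
        elif sec == "F2" and "Shell=" in body:
            # Only Explorer.exe belongs here; anything chained after it runs at logon.
            shell = body.split("Shell=", 1)[1].split()
            if [s.lower() for s in shell] != ["explorer.exe"]:
                findings.append(Finding(sec, "extra program chained after Explorer.exe in Shell=", line))
        elif sec == "O1":
            m = HOSTS_ENTRY.match(body)
            if m and m.group("ip") not in BLACKHOLE_IPS:
                findings.append(Finding(sec, f"hosts file sends {m.group('host')} to {m.group('ip')}", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(sec, "browser helper object without a name", line))
        elif sec == "O4":
            m = RUN_ENTRY.match(body)
            if m:
                exe = m.group("cmd").split()[0].strip('"')
                if "\\" not in exe:
                    findings.append(Finding(sec, f"autorun gives a bare file name resolved via PATH: {exe}", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to the IE Trusted zone", line))
        elif sec == "O20":
            value = body.split(":", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs loads a DLL into every user-mode process"
                if value.lower().count(".dll") > 1:
                    reason += " (stacked .dll extensions)"
                findings.append(Finding(sec, reason, line))
    return findings


def hosts_redirects(log_text):
    """Group O1 entries by target IP: many well-known domains on one
    non-loopback IP is why every typed address lands on the same page."""
    by_ip = {}
    for sec, body in parse(log_text):
        m = HOSTS_ENTRY.match(body) if sec == "O1" else None
        if m:
            by_ip.setdefault(m.group("ip"), []).append(m.group("host"))
    return by_ip


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"www.sapo.pt"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(hosts_redirects(SAMPLE_LOG))
```

The bare-file-name rule is deliberately broad: the log's legitimate `Mixer.exe /startup` entry would trip it too, so a person still clears each hit, which is how the reply above treated the list.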
1) I first downloaded the programs you asked.
2) Then I made sure I could see the hidden files
3) Then I ran HJT and was going to fix the lines you mentioned but… the oddest thing happened… this log was very different from the one I posted here yesterday
I don’t know why at all… everybody at my brother’s assured me that the PC was off since yesterday (I asked them not to use it… especially the kids who I think are responsible for most of the problems)
The only thing I remember doing before following your instructions, was uninstalling the older version of ADware (the one that couldn’t run) and an old version of MSN messenger (6.7 I guess)
This was today’s HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 18:45:58, on 19-04-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Norton Internet Security\NISUM.EXE
C:\Programas\Norton Internet Security\ccPxySvc.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Mixer.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\programas\quicktime\qttask.exe
C:\Programas\SETI@home\SETI@home.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\winlogon.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Alves da Costa\Ambiente de trabalho\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31130
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31130
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [34763] Bogobot.exe
O4 - HKLM\..\Run: [NsCplTray] powerdll.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [seticlient] C:\Programas\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [driver64] 34763.exe
O4 - HKCU\..\Run: [stuffmon] sound64.exe
O4 - HKCU\..\Run: [SYSTRAV] zxc.exe
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs: 4xh3ro4rjmrvjjll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programas\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programas\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
So, from all those lines of the HJT log file that you advised me to delete, I could only delete the ones in red... the others were not there, as you can see.
4) Then I rebooted into Safe mode
5) I ran CWShredder and it just reported removing “CWS.MSConfig”
6) From the list of files I had to delete
C:\WINDOWS\System32\qwsxp.dll
C:\WINDOWS\System32\5626K1~1.DLL
C:\WINDOWS\System32\z16vhcp8jr17lhll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Bogobot.exe
powerdll.exe
34763.exe
sound64.exe
zxc.exe
I didn’t find any of them, but I saw there a similar one… should I delete this?
C:\WINDOWS\System32\5626K1uuju5i.dll
Also, at this same location I found about 10 suspicious files with 7 or 10 or even 20 “.dll” and really suspicious names like:
Oojsygl2h771orll.dll.dll.dll.dll.dll.dll.dll.dll
Are they supposed to exist or should I delete them?
7) Then I ran an Ad-Aware full scan
It reported 39 critical objects but in the end it couldn’t delete a few of them and most of them were those “.dll.dll…” files
8) I rebooted to normal mode
9) I ran DLLCompare and got this log file:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
________________________________________________
1.270 items found: 1.270 files, 0 directories.
Total of file sizes: 245.371.504 bytes 234,00 M
Administrator Account = True
AppInit_DLLs value = kxyfxlw46gkejjll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll (not hidden)
End log
10) I ran HJT again and got this logfile:
Logfile of HijackThis v1.99.1
Scan saved at 19:39:41, on 19-04-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programas\Norton Internet Security\ccPxySvc.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\programas\quicktime\qttask.exe
C:\Programas\SETI@home\SETI@home.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\HPZipm12.exe
C:\Programas\Messenger\msmsgs.exe
C:\Documents and Settings\Alves da Costa\Ambiente de trabalho\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [seticlient] C:\Programas\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs: kxyfxlw46gkejjll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programas\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programas\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
Thanks again for all your help
Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.
Fix this line with Hijackthis.
O20 - AppInit_DLLs: kxyfxlw46gkejjll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Now reboot into Safe Mode and delete any of those dll files you find with the multiple file extensions .dll.dll.... If there are any that will not let you delete them, try to rename them first.
Run Adaware again, while in Safe Mode.
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Double-click rkfiles.bat that you downloaded earlier.
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.
Post the contents of C:\log.txt in your next reply.
Reboot back to normal mode and post a new hijackthis log and the log from rkfiles.
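To make the helper's point about that O20 line checkable, here is an added Python example (not from the thread, HijackThis or rkfiles) that parses HijackThis-style lines and flags AppInit_DLLs entries, scoring the stacked ".dll.dll" extension trick and random-looking names; the sample lines are constructed, reusing a shortened form of the O20 entry quoted above, and "examplehook.dll" is a made-up name.

```python
import re

# Constructed sample of HijackThis-style lines: the O20 entry from the thread
# (shortened) plus benign O4/O23 lines of the same shape; examplehook.dll is made up.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [seticlient] C:\Programas\SETI@home\SETI@home.exe -min
O20 - AppInit_DLLs: kxyfxlw46gkejjll.dll.dll.dll.dll.dll
O20 - AppInit_DLLs: examplehook.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Every HJT line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Return (code, body) tuples for each well-formed HijackThis line."""
    entries = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def appinit_dlls(entries):
    """DLL names listed on O20 AppInit_DLLs lines (space- or comma-separated)."""
    names = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            names.extend(n for n in re.split(r"[,\s]+", value) if n)
    return names

def stacked_extension_count(filename):
    """How many times the final extension repeats: 'a.dll.dll.dll' -> 3, 'a.dll' -> 1."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return 0
    ext, count = parts[-1], 0
    for part in reversed(parts[1:]):
        if part != ext:
            break
        count += 1
    return count

def looks_random(stem):
    """Heuristic: long, mixes letters and digits, almost no vowels."""
    stem = stem.lower()
    vowels = sum(c in "aeiou" for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    return len(stem) >= 10 and has_digit and vowels / len(stem) < 0.25

def triage_appinit(text):
    """One finding per AppInit_DLLs entry. On Windows XP a DLL listed there is
    loaded into every process that loads user32.dll, so any entry deserves review."""
    findings = []
    for name in appinit_dlls(parse_hjt(text)):
        stem = name.split(".")[0]
        stacked = stacked_extension_count(name)
        findings.append({
            "dll": name,
            "stacked_extensions": stacked,
            "random_name": looks_random(stem),
            "verdict": "suspicious" if stacked > 1 or looks_random(stem) else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage_appinit(SAMPLE_HJT_LOG):
        print(finding)
```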
Here’s my report:
1) Downloaded rkfiles.zip and unzipped to a permanent folder.
2) Fixed this line with Hijackthis.
O20 - AppInit_DLLs: kxyfxlw46gkejjll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
3) Rebooted into Safe Mode but when I was going to delete those dll files with the multiple extensions .dll.dll.... there were NONE in c:\windows\system32\ anymore
4) Ran Adaware again, in Safe Mode and it reported 12 critical objects – all of them “Coolwebsearch” and “malware” and deleted them
5) Deleted temp files – in temp folder… in prefetch folder… through %temp% command… and through Internet options
6) Emptied Recycle Bin.
7) Double-clicked rkfiles.bat and waited (forever, by the way)
Here is the content of the LOG:
C:\Documents and Settings\Alves da Costa\Ambiente de trabalho\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
C:\WINDOWS\system32\iecustme.exe: UPX!
C:\WINDOWS\system32\diantzpt.exe: UPX!
C:\WINDOWS\system32\docntrop.dll: UPX!
C:\WINDOWS\system32\audissrp.exe: UPX!
C:\WINDOWS\system32\srpcsrv32.dll: UPX!
C:\WINDOWS\system32\chkntfsfat.exe: UPX!
C:\WINDOWS\system32\mxbkup.exe: FSG!
C:\WINDOWS\system32\dosxpd.exe: FSG!
C:\WINDOWS\system32\fixmapirs.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dnsping.exe: PEC2
C:\WINDOWS\system32\Stamin32.Tlb: +]FileSpec2WWW
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dnsping.exe: PEC2
C:\WINDOWS\system32\Stamin32.Tlb: +]FileSpec2WWW
C:\WINDOWS\itshta.exe: PEC2
Files Found in all users startup Folder............
C:\WINDOWS\system32\iecustme.exe: UPX!
C:\WINDOWS\system32\diantzpt.exe: UPX!
C:\WINDOWS\system32\docntrop.dll: UPX!
C:\WINDOWS\system32\audissrp.exe: UPX!
C:\WINDOWS\system32\srpcsrv32.dll: UPX!
C:\WINDOWS\system32\chkntfsfat.exe: UPX!
C:\WINDOWS\system32\mxbkup.exe: FSG!
C:\WINDOWS\system32\dosxpd.exe: FSG!
C:\WINDOWS\system32\fixmapirs.exe: FSG!
Files Found in all users windows Folder............
C:\WINDOWS\Unwash5.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\sys758.exe: FSG!Y
C:\WINDOWS\sys659.exe: FSG!Y
C:\WINDOWS\sys854.exe: FSG!Y
C:\WINDOWS\sys155.exe: FSG!Y
C:\WINDOWS\sys1935.exe: FSG!Y
Finished
bye
8) Rebooted back to normal mode and got a new hijackthis LOG that you can see here:
Logfile of HijackThis v1.99.1
Scan saved at 19:19:33, on 21-04-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Programas\Norton Internet Security\ccPxySvc.exe
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\programas\quicktime\qttask.exe
C:\Programas\SETI@home\SETI@home.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Programas\Messenger\msmsgs.exe
C:\Documents and Settings\Alves da Costa\Ambiente de trabalho\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [seticlient] C:\Programas\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programas\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programas\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
Again thank you for your precious help!!!!!!!!!!!
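The rkfiles output above tags each file with a string found inside it (UPX!, FSG!, PEC2), which are the markers executable packers leave behind. rkfiles' own internals are not shown in the thread, so the following is an added Python example of a scan of the same kind (not the tool's code): it walks a directory, reports packer markers, checks whether the file is actually a PE image, and hashes it so the hash rather than the file can be submitted to a scanner; the sample files and the marker-to-packer names are constructed or assumed.

```python
import hashlib
import os
import struct
import tempfile

# Marker strings as printed by rkfiles, mapped to the packer each is assumed
# to belong to: "UPX!" (UPX), "FSG!" (FSG), "PEC2" (PECompact).
# A hit means "packed", not "malicious"; legitimate software is packed too.
PACKER_MARKERS = {b"UPX!": "UPX", b"FSG!": "FSG", b"PEC2": "PECompact"}
SCAN_SUFFIXES = (".exe", ".dll", ".scr", ".msc", ".tlb")

def packer_hits(data: bytes) -> list:
    """Names of the packer markers present anywhere in the bytes."""
    return [name for marker, name in PACKER_MARKERS.items() if marker in data]

def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\0\0"

def scan_tree(root: str) -> dict:
    """Walk root; report every scanned file with a packer marker, its PE status
    and SHA-256 (the hash is what you would submit to an online scanner)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = packer_hits(data)
            if hits:
                findings[path] = {
                    "packers": hits,
                    "pe": is_pe(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                }
    return findings

def fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew = 0x40, 'PE\\0\\0', payload."""
    stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return stub + b"PE\0\0" + payload

def demo_scan() -> dict:
    """Build a constructed tree in a temp dir and return {basename: finding}."""
    root = tempfile.mkdtemp(prefix="packscan_demo_")
    samples = {
        "packed.exe": fake_pe(b"\0UPX0\0UPX1\0UPX!\0"),  # PE carrying a UPX marker
        "plain.exe": fake_pe(b"nothing to see"),          # PE, no marker
        "notes.txt": b"FSG! appears in text only",         # wrong suffix, skipped
        "odd.dll": b"PEC2 with no MZ header",              # marker but not a PE
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): f for p, f in scan_tree(root).items()}

if __name__ == "__main__":
    for name, finding in demo_scan().items():
        print(name, finding["packers"], "PE" if finding["pe"] else "not PE", finding["sha256"])
```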
http://www.downloads.subratam.org/KillBox.zip
Run KillBox, select the option: Replace on Reboot
Then, in the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\system32\iecustme.exe
Select the option: Use Dummy
Press the button with a red circle and a white X (Delete File button)
Click Yes at the Replace on Reboot confirmation prompt.
Click No at the request to reboot.
Do the exact same as above for each and every one of the files that follow, and select No at the request to reboot!
C:\WINDOWS\system32\diantzpt.exe
C:\WINDOWS\system32\docntrop.dll
C:\WINDOWS\system32\audissrp.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\chkntfsfat.exe
C:\WINDOWS\system32\mxbkup.exe
C:\WINDOWS\system32\dosxpd.exe
C:\WINDOWS\system32\fixmapirs.exe
C:\WINDOWS\sys758.exe
C:\WINDOWS\sys659.exe
C:\WINDOWS\sys854.exe
C:\WINDOWS\sys155.exe
Finally, in the Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\sys1935.exe
Press the button with a red circle and a white X.
Click Yes at the Replace on Reboot prompt.
Click Yes at the request to reboot.
On this last file, close KillBox and Notepad, and Reboot the computer!!
Please run at least two of these online scans.
Make sure they are set to clean automatically:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://housecall.trendmicro.com/housecall/start_corp.asp
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log.
Here’s my new report:
1) Downloaded and ran KillBox, and did as you advised with all those 12 files except that I ALSO chose “Use Dummy” with the last one, or it wouldn’t work.
2) Then I rebooted the computer
3) Then I ran:
http://housecall.trendmicro.com/hou.../start_corp.asp
It reported having found 3 files infected:
TROJ STARTPAG.FM
TROJ STARTPGE.CW
TROJ SMALL.DO
I selected and clicked on “delete” and they appeared to be deleted
4) I also ran:
http://www.pandasoftware.com/active...n_principal.htm
It reported 29 infected files
I clicked to get more info and it said “adware/Lop”
It had no “delete” button to click on so I don’t know if they were deleted or not???
5) I just should say that here, an old version of Norton Internet Security was uninstalled and a new updated version was installed.
6) Then got a new HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 17:49:47, on 23-04-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Norton Internet Security\ISSVC.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Mixer.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\programas\quicktime\qttask.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programas\SETI@home\SETI@home.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Documents and Settings\Alves da Costa\Ambiente de trabalho\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programas\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programas\Ficheiros comuns\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programas\Ficheiros comuns\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programas\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [seticlient] C:\Programas\SETI@home\SETI@home.exe -min
O4 - Startup: Webshots.lnk = C:\Programas\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programas\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programas\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks!!!!!!!
Hi again Buckeye Sam
I didn't notice anything wrong after these last actions... but that PC (remember, it's not this PC but my brother's) has been shut down and I have been the only one using it and just to follow your orders. But those pop ups and strange search windows did not show up anymore... I am almost (almost...) sure that we can close this thread now.
I want to THANK YOU a thousand times for all your help!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.
- Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically. You can find instructions on how to enable and reenable system restore here:
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide
Re-enable system restore with instructions from the tutorial above
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
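The six Internet Explorer settings in the checklist above live as DWORD values under the Internet zone key of the registry, so they can be audited rather than clicked through by hand. The following is an added Python example (not part of the helper's post) that compares a snapshot of that key against the checklist, reading the real values with winreg on Windows or a constructed snapshot elsewhere; the value names 1001, 1004, 1201, 1800, 1804 and 1607 are the documented IE zone action identifiers, and the weak snapshot is constructed.

```python
# Zone 3 is the Internet zone under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3.
# Each action is a DWORD value: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# The six settings from the checklist, keyed by their documented value name.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

def audit_zone(settings: dict) -> list:
    """Compare a {value_name: level} snapshot against RECOMMENDED.
    A setting passes if it is at least as strict as the checklist asks;
    a missing value is reported, since IE then falls back to its own default."""
    findings = []
    for key, (label, want) in RECOMMENDED.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, label, "missing", LEVEL_NAME[want]))
        elif STRICTNESS.get(have, -1) < STRICTNESS[want]:
            findings.append((key, label, LEVEL_NAME.get(have, str(have)), LEVEL_NAME[want]))
    return findings

def read_internet_zone() -> dict:
    """Snapshot the real values on a Windows host (winreg is Windows-only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in RECOMMENDED:
            try:
                snapshot[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: reported as "missing" by audit_zone
    return snapshot

# Constructed weak snapshot: ActiveX downloads and IFRAME/sub-frame actions enabled.
WEAK_SNAPSHOT = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE,
                 "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}

def hardened_snapshot() -> dict:
    """What the zone looks like after following the checklist."""
    return {key: want for key, (_, want) in RECOMMENDED.items()}

if __name__ == "__main__":
    for key, label, have, want in audit_zone(WEAK_SNAPSHOT):
        print(f"{key} {label}: is {have}, checklist says {want}")
```

On the Windows machine itself, `audit_zone(read_internet_zone())` performs the same comparison against the live key.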
I'm now posting this message from my brother's computer. I was here for a while and it all seems clean!
I'm sure you can close this thread now.
I'm not so sure that I won't be knocking on Short Media's door again with problems
Thanks for the good advice you enclosed in your last post