Thanks a mil dude,
I followed your instructions, but the infections are all still there... here's my log after doing the cleanup:
Logfile of HijackThis v1.99.1
Scan saved at 17:18:34, on 31/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS2\System32\smss.exe
F:\WINDOWS2\system32\csrss.exe
F:\WINDOWS2\system32\winlogon.exe
F:\WINDOWS2\system32\services.exe
F:\WINDOWS2\system32\lsass.exe
F:\WINDOWS2\system32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS2\Explorer.EXE
F:\WINDOWS2\system32\spoolsv.exe
F:\WINDOWS2\System32\alg.exe
F:\Program Files\Common Files\PFWShared\cfgintpr.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\WINDOWS2\System32\PGPserv.exe
F:\WINDOWS2\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\TPF4\umxagent.exe
F:\WINDOWS2\AGRSMMSG.exe
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\WINDOWS2\System32\Dbk.exe
F:\Program Files\Motherboard Monitor 5\MBM5.EXE
F:\WINDOWS2\System32\Jun.exe
F:\WINDOWS2\System32\Pic.exe
F:\WINDOWS2\System32\Klg.exe
F:\WINDOWS2\System32\Cre.exe
F:\WINDOWS2\System32\Jvh.exe
F:\WINDOWS2\System32\Uoq.exe
F:\WINDOWS2\System32\Lvv.exe
F:\WINDOWS2\Dhf.exe
F:\WINDOWS2\Lts.exe
F:\WINDOWS2\System32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS2\System32\Jun.exe
F:\WINDOWS2\System32\Pic.exe
F:\WINDOWS2\System32\Klg.exe
F:\WINDOWS2\System32\Cre.exe
F:\WINDOWS2\System32\Jvh.exe
F:\WINDOWS2\System32\Uoq.exe
F:\WINDOWS2\System32\Lvv.exe
F:\WINDOWS2\Dhf.exe
F:\WINDOWS2\Lts.exe
F:\WINDOWS2\Idt.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\CD\PGP\Dave3@terra\PGPtray.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\_Dave\Progs\HJThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebRe...2&gwCountry=BR
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: DSE WE Addon Class - {BF55256A-3B3B-11D2-B05B-000001145917} - F:\Program Files\Common Files\PFWShared\weaddon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS2\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [winpos] F:\WINDOWS2\winpos.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKLM\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKLM\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKLM\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKLM\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKLM\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKLM\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKLM\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKLM\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKLM\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKLM\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKLM\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKLM\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKLM\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKLM\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKLM\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKLM\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKLM\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKLM\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKLM\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKLM\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKLM\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKLM\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKLM\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKLM\..\Run: [MBM 5] "F:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [AMonitor] F:\Program Files\TPF4\amon.exe
O4 - HKLM\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKLM\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKLM\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKLM\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKLM\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKLM\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKLM\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKLM\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKLM\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKLM\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKLM\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKLM\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS2\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] F:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Registry Repair Pro] F:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Psu] F:\WINDOWS2\System32\Ehr.exe
O4 - HKCU\..\Run: [Itc] F:\WINDOWS2\System32\Hoi.exe
O4 - HKCU\..\Run: [Jkq] F:\WINDOWS2\System32\Loe.exe
O4 - HKCU\..\Run: [Pvn] F:\WINDOWS2\Ssq.exe
O4 - HKCU\..\Run: [Scn] F:\WINDOWS2\Ihi.exe
O4 - HKCU\..\Run: [Igj] F:\WINDOWS2\System32\Ibt.exe
O4 - HKCU\..\Run: [Efp] F:\WINDOWS2\Dtk.exe
O4 - HKCU\..\Run: [Rhu] F:\WINDOWS2\Gne.exe
O4 - HKCU\..\Run: [Jgn] F:\WINDOWS2\System32\Dsf.exe
O4 - HKCU\..\Run: [Tnu] F:\WINDOWS2\Odv.exe
O4 - HKCU\..\Run: [Gdc] F:\WINDOWS2\Bvv.exe
O4 - HKCU\..\Run: [Knc] F:\WINDOWS2\System32\Fjd.exe
O4 - HKCU\..\Run: [Dae] F:\WINDOWS2\Ggq.exe
O4 - HKCU\..\Run: [Utt] F:\WINDOWS2\Rrg.exe
O4 - HKCU\..\Run: [Klv] F:\WINDOWS2\Hef.exe
O4 - HKCU\..\Run: [Tvv] F:\WINDOWS2\System32\Oke.exe
O4 - HKCU\..\Run: [Nhh] F:\WINDOWS2\System32\Ncr.exe
O4 - HKCU\..\Run: [Lms] F:\WINDOWS2\System32\Tpk.exe
O4 - HKCU\..\Run: [Pjm] F:\WINDOWS2\Blv.exe
O4 - HKCU\..\Run: [Ern] F:\WINDOWS2\Ftl.exe
O4 - HKCU\..\Run: [Icj] F:\WINDOWS2\System32\Dbk.exe
O4 - HKCU\..\Run: [Sge] F:\WINDOWS2\System32\Dnp.exe
O4 - HKCU\..\Run: [Llm] F:\WINDOWS2\Asf.exe
O4 - HKCU\..\Run: [Goi] F:\WINDOWS2\System32\Cap.exe
O4 - HKCU\..\Run: [Mcp] F:\WINDOWS2\Ros.exe
O4 - HKCU\..\Run: [Ucu] F:\WINDOWS2\System32\Jun.exe
O4 - HKCU\..\Run: [Oao] F:\WINDOWS2\Feq.exe
O4 - HKCU\..\Run: [Oeh] F:\WINDOWS2\System32\Pic.exe
O4 - HKCU\..\Run: [Kol] F:\WINDOWS2\System32\Klg.exe
O4 - HKCU\..\Run: [Ktc] F:\WINDOWS2\System32\Cre.exe
O4 - HKCU\..\Run: [Tbj] F:\WINDOWS2\Duo.exe
O4 - HKCU\..\Run: [Gqu] F:\WINDOWS2\System32\Jvh.exe
O4 - HKCU\..\Run: [Uvc] F:\WINDOWS2\System32\Uoq.exe
O4 - HKCU\..\Run: [Qot] F:\WINDOWS2\System32\Lvv.exe
O4 - HKCU\..\Run: [Hml] F:\WINDOWS2\Dhf.exe
O4 - HKCU\..\Run: [Egh] F:\WINDOWS2\Lts.exe
O4 - HKCU\..\Run: [Hve] F:\WINDOWS2\Idt.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - F:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3BB699-E52E-4F06-A378-30135350AB52}: NameServer = 200.149.55.142 200.165.132.155
O20 - AppInit_DLLs: umxexw.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - F:\WINDOWS2\System32\vbsys2.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSE Config Interpreter (ConfigInterpreter) - Securitae Corp. - F:\Program Files\Common Files\PFWShared\cfgintpr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PGPserv - PGP Corporation - F:\WINDOWS2\System32\PGPserv.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: DSE Agent (UmxAgent) - Securitae Corp. - F:\Program Files\TPF4\umxagent.exe
And here's the "SpSeHjfix" log:
(3/31/05 16:36:11) SPSeHjFix started v1.1.1
(3/31/05 16:36:11) OS: WinXP Service Pack 1 (5.1.2600)
(3/31/05 16:36:11) Language: português
(3/31/05 16:36:14) Disinfection started
(3/31/05 16:36:14) Bad-Dll(IEP): f:\docume~1\lirio\locals~1\temp\sp.dll
(3/31/05 16:36:14) Searchassistant Uninstaller found: regsvr32 /s /u F:\WINDOWS2\System32\nocdhea.dll
(3/31/05 16:36:14) Searchassistant Uninstaller - Keys Deleted
(3/31/05 16:36:14) FilterKey: HKCR\text/html (deleted)
(3/31/05 16:36:14) FilterKey: HKCR\CLSID\{68D65528-80BE-4350-8711-6C026BCAF7A6} (deleted)
(3/31/05 16:36:14) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(3/31/05 16:36:14) FilterKey: HKCR\text/plain (deleted)
(3/31/05 16:36:14) FilterKey: HKCR\CLSID\{68D65528-80BE-4350-8711-6C026BCAF7A6} (error while deleting)
(3/31/05 16:36:14) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(3/31/05 16:36:14) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94087010-979B-4559-A796-BA70D89C82E4} (file missing: deleted)
(3/31/05 16:36:14) BHO-Key: HKCR\CLSID\{94087010-979B-4559-A796-BA70D89C82E4} (file missing: deleted)
(3/31/05 16:36:14) UBF: 9
(3/31/05 16:36:14) UBB: 5
(3/31/05 16:36:14) UBR: 80
(3/31/05 16:36:14) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://f:\docume~1\lirio\locals~1\temp\sp.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://f:\docume~1\lirio\locals~1\temp\sp.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(3/31/05 16:36:14) Stealth-String not found
(3/31/05 16:36:15) Temp-Files delete on Reboot
(3/31/05 16:36:15) File added to delete: f:\windows2\system32\nocdhea.dll
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\~df7f12.tmp
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\~df90cb.tmp
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\adobe
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\history
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\msohtml1
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\temporary internet files
(3/31/05 16:36:15) File added to delete: f:\docume~1\lirio\locals~1\temp\temporary internet files\content.ie5
(3/31/05 16:36:15) Reboot
(3/31/05 16:37:40) SPSeHjFix started v1.1.1
(3/31/05 16:37:40) OS: WinXP Service Pack 1 (5.1.2600)
(3/31/05 16:37:40) Language: português
1ce again, TX for ur help.