#1
Registered User
Join Date: Dec 2004
Posts: 10
OS: xp
Anymore malware left?
Was having problems with zillions of popups. Have PCcillin Internet Security 2004 w/spyware turned on. Couldn't clean/quarantine/delete results. Ran PCcillin, CW Shredder, Adaware, all currently updated. Got rid of 26 families/1335 files with Adaware. Next day adware/spyware started to multiply again. Used CW Shredder (nothing found by it), Adaware (found some items, cleaned them out), then ran PCcillin and it still was finding adware/spyware. Then I did exactly what was suggested here: followed directions on http://www.greyknight17.com/spyware.htm by running CW Shredder again (nothing found), Adaware again (quarantined results), downloaded Spybot & ran it (fixed problems in red entries, but had to do it twice to complete the job), did the HijackThis log & Analyzer (results below from result.txt).

Also, after everything is clean and OK'd by you, I am supposed to turn on System Restore and create a new restore point. I haven't a clue what a restore point is, but assume when I go to System Tools to create one, the instructions will be clear enough? Plus, it appears Windows auto update wants to install SP2. I didn't do this yet since I came across pros/cons about it, and wanted to follow the directions first from the URL as noted above. What do you recommend regarding SP2? No popups or PCcillin security attack alerts continuing at this time.

Here's the end result from the HijackThis Analyzer program:

============================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 5:04:25 PM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\System32\npptcplc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKCU\..\Run: [Lwp7RgbsV] npptcplc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

End of HijackThis Analyzer Log.
============================================================================
#2
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
Hi
Make sure you have already run Adaware and Spybot S&D (check for updates), as these will do a preliminary clean first. Some files below may not be present after running the above programs. Then...

Turn off your System Restore: SEE HERE. Reinstate it when your log is cleaned and then create a new restore point.

Close your browser window and run HJT in safe mode (HOW TO RUN SAFE MODE) and have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes and selecting "fix checked".

Folders that have been highlighted RED in the log will need to be uninstalled. Check first, as some folders may be uninstalled via the Add/Remove program. Files highlighted in BLACK in the log will need to be removed from your hard drive. Make sure to have your system set to show hidden files and folders: HOW TO SHOW FILES.

When done, download Cleanup and run it. Then please reboot and post a new log in normal mode when finished.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKCU\..\Run: [Lwp7RgbsV] npptcplc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

C:\WINDOWS\System32\npptcplc.exe
__________________
An Australian Member of [image]
Eddy
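The reading Eddy applies in post #2 to the log in post #1 can be written down as a few mechanical rules, which is useful when you have many such logs to look at. The script below is an added example; it is not from the thread, and it is not HijackThis or the HijackThis Analyzer. It parses the standard `R#`/`O#` entry lines and flags the ones that deserve a closer look: references to files that no longer exist, unnamed components, a removed URLSearchHook, IE search/start settings pointing at a host outside an allow-list, autorun commands with no path, and services with an unknown vendor. The rule set and the KNOWN_GOOD_HOSTS allow-list are assumptions made for this demo; the sample log is a subset of the entries copied from post #1.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example, not from the thread or from the HijackThis project. The
rules below and KNOWN_GOOD_HOSTS are assumptions for the demo, not
HijackThis behaviour. SAMPLE_LOG is a subset of the entries in post #1.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Sample input: a subset of the HJT entries shown in post #1 of the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKCU\..\Run: [Lwp7RgbsV] npptcplc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Assumed allow-list: hosts the owner expects in IE start/search settings.
KNOWN_GOOD_HOSTS = {"www.emachines.com"}

# Every HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_log(text: str) -> List[Entry]:
    """Keep only the lines that look like HJT entries; skip headers and noise."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def _url_host(body: str) -> Optional[str]:
    """For R0/R1 entries the body ends in ' = <value>'; return the URL host if any."""
    _, _, value = body.partition(" = ")
    value = value.strip()
    return urlparse(value).hostname if value else None


def triage(entry: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips (assumed rules)."""
    body = entry.body
    if "(file missing)" in body or body.endswith("(no file)"):
        entry.reasons.append("points at a file that no longer exists")
    if "(no name)" in body:
        entry.reasons.append("unnamed component")
    if entry.code == "R3" and "missing" in body:
        entry.reasons.append("URLSearchHook removed or replaced")
    if entry.code == "R1":
        host = _url_host(body)
        if host and host not in KNOWN_GOOD_HOSTS:
            entry.reasons.append(f"IE setting points at unexpected host {host}")
    if entry.code == "O4":
        # O4 body is "<hive>\..\Run: [name] <command>"; a command with no
        # directory is resolved through the PATH search, a classic hiding spot.
        cmd = body.split("] ", 1)[-1].strip().lstrip('"')
        if "\\" not in cmd:
            entry.reasons.append("autorun command has no path")
    if entry.code == "O23" and " - Unknown - " in body:
        entry.reasons.append("service with unknown vendor")
    return entry


def suspicious_entries(text: str) -> List[Entry]:
    """Parse a log and return only the entries that tripped at least one rule."""
    return [e for e in (triage(e) for e in parse_log(text)) if e.suspicious]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.code}: {e.body}\n    -> {'; '.join(e.reasons)}")
```

Against the sample it flags every entry from Eddy's list except the empty R0 LinksFolderName value (which carries no mechanical tell and is left out of the sample), and it also flags the orphaned Sun Java Console entry, which Eddy left alone. That difference is the point of keeping a human in the loop: an entry that references a file that no longer exists is harmless by itself, and whether it is worth fixing is a judgment call the rules cannot make.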
#3
Registered User
Join Date: Dec 2004
Posts: 10
OS: xp
2nd round
Thank you for your quick response. Had trouble with DSL yesterday. Have now installed Windows Service Pack 2.

Today I ran PCcillin. It showed 9 adware/spyware with action taken as "pass". Ran CW Shredder, Adaware SE, Spybot S&D, HJT. Followed your directions, deleted the files you listed. R0 & C:\Windows files didn't appear this time, but deleted the rest. URL you had for Cleanup doesn't work. Should be: http://downloads.stevengould.org/cleanup/CleanUp312.exe Downloaded/ran Cleanup. Ran HJT/Analyzer again. After running all these programs and coming up with nothing, I ran PCcillin again. Still listed 9 adware/spyware & 2 items w/o names. It took no action other than "pass" for any of them. Couldn't manually quarantine/delete through PCcillin.

Following are the items from Trend Micro PCcillin:

ADW_SURFSIDE.A C:\WINDOWS\bundles\banematt.exe
SPYW_BISPY.A C:\WINDOWS\bundles\thin-8-1-x-x-exe
ADW_BINET.B C:\WINDOWS\multimpp.dll
ADW_SURFSIDE.A C:\WINDOWS\SSK_B5.EXE
ADW_NAVISEARCH.B C:\WINDOWS\system32\javexulm.vxd
ADW_BARGBUDDY.C C:\Program Files\BullsEye Network\bin\bargins.exe {C:\WINDOWS\system32\mac80ex.idf}
ADW_BARGBUDDY.C C:\Program Files\BullsEye Network\bin\adv.exe {C:\WINDOWS\system32\mac80ex.idf} --- C:\WINDOWS\system32j\mac80ex.idf
ADW_NAVISEARCH.B C:\WINDOWS\System32\exul.exe {C:\WINDOWS\system32\netut80ex.vxd}
ADW_NAVISEARCH.B C:\WINDOWS\System32\javexulm.vxd {C:\WINDOWS\system32\netut80ex.vxd} --- C:\WINDOWS\system32\netut80ex.vxd

Here's the new HJT result.txt:

============================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 1:32:15 AM, on 12/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O23 - Service: InCD Helper - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

End of HijackThis Analyzer Log.
============================================================================
#4
General Manager (Administrator)
Hi there
Your log is clean. Remember to turn on your System Restore. Is your system running better now?
__________________
Please Read The 5 Step Process Before You post A Log Hijack This v2.02 :: Adaware SE :: Spybot Search & Destroy :: SpywareBlaster :: CWShredder To Donate :: Please Click Here :: PROUD MEMBER OF ASAP SINCE NOVEMBER 2004
#5
Registered User
Join Date: Dec 2004
Posts: 10
OS: xp
3rd round
Thanks mucho for the help.

Even though the log looks clean, I ran a manual PCcillin scan and it found several spyware/adware items, some quarantined, some it couldn't. Then I ran Adaware, and during the process, the real-time scan on PCcillin quarantined:

adw_navisearc.b
adw_binet.b
spyw_bisby.a
adw_surfside.a
adw_bargbuddy.c

Adaware seemed to trigger malware activity. Nothing showed up in Adaware except a couple cookies. I went to Windows Explorer and found about 3 dozen .exe files in C:\WINDOWS\Bundles. Some are in \System 32\cache folder and several other places. Here's a sample:

cxtpls_loader.exe
bruzmoh.exe
CSV7P070.exe
WebRebates_Auto_installSilent.exe

Also, in the registry under \HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick2, has a folder for SurfSide with another folder inside for Internet Explorer. Need I be concerned? Do I need to do anything with all these .exe programs all over the computer system, or since the HJT log is clean, just leave them alone?

Last edited by debelt : 12-22-2004 at 12:38 AM.
#6
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
Yes, take out the exe's and the SurfSideKick2 folder reg key. All these are just corpses and bones of the dear departed virus:

cxtpls_loader.exe
bruzmoh.exe
CSV7P070.exe
WebRebates_Auto_installSilent.exe
#7
Registered User
Join Date: Dec 2004
Posts: 10
OS: xp
round 4
Thank you for responding. Everything's better today, except the firewall is under constant attack from DSL.

Deleted a couple .exe files out of the 3 dozen as noted above, but then wanted to check the recycle bin to make sure they were there and truly deleted. Can't view any files in the recycle bin. Is this a fluke from all the adware/spyware cleanup these past couple days? Hadn't touched any properties of the bin. Made a couple dummy files & dragged them to the recycle bin to see if they'd show up. They don't. If I go to delete what's in the bin, even though there appears to be nothing in it, it asks if I want to delete the 16 files in it. So files are in the recycle bin, but I can't see them to know what's there. Would downloading Service Pack 2 have anything to do with it? Or what about Spybot? It had 5 HKey_Users items under DSO exploit (which was in red) that had to do with Internet settings, and said they were a Microsoft security hole. Their description didn't seem to have anything to do with the recycle bin. Besides, I don't think they really get deleted by Spybot since they show up every time I run it, even though they're in Spybot's recovery folder.

Also, since most of those leftover .exe are in the WINDOWS\bundles folder, can I just delete the folder & all its contents? All .exe in the folder were created on 12-8-04 except a setup shortcut to an MS-DOS program which was dated yesterday (12-21-04) and is nothing that I created. Do I need to delete these before I can put System Restore back on and create a new restore point? Also, I have the hidden files unchecked; should I hide the files once I do a system restore?

Last edited by debelt : 12-22-2004 at 06:10 PM.
#9
Registered User
Join Date: Dec 2004
Posts: 10
OS: xp
Recycle bin, bundles folder
Spybot DSO fix link worked. Thank you!

I have gone ahead and hid my system files again and created a new restore point. Still need advice regarding my last post:

1. Recycle bin: Had deleted a couple dead virus .exe's in C:\WINDOWS\bundles folder. Went to recycle bin to make sure they were there. Bin won't display its contents. Under Properties, bin has the right setting to NOT automatically delete files, so recycle bin should be displaying the contents. If I delete the contents, then it asks to confirm if I want to delete the 16 files it contains, so the recycle bin has files in it, but it won't display them, it just has a blank screen. It's useless the way it is now if I can't see what's in it. What's up? Can it be fixed?

2. C:\Windows\bundles folder: Have not deleted any more of the 3 dozen dead virus leftover .exe's contained in it since recycle bin won't display its contents. All .exe's in bundles folder are dated 12-8-04 except one dated 12-21-04 that says it's a setup shortcut to an MS-DOS program, which I didn't create. Can I delete the bundles folder itself, along with all its contents, once my recycle bin is working properly?
#10
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
I can't comment on the bundled files as I don't know what they are. It's best to move them all to another blank folder for a while just in case they are needed. As for the recycle bin, maybe the crew in the XP forum can help.
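The advice in post #10 (move the leftover files to a blank folder for a while rather than deleting them outright) is worth doing in a way that can be undone and that keeps the files from being run by accident. The script below is an added example, not from the thread: it moves every matching file from a folder into a quarantine folder, renames each one so it no longer carries a runnable extension, and writes a manifest recording the original path and SHA-256 of each file, so any one of them can be verified and restored later. The folder names and the three fake `.exe` files (named after the ones listed in post #5, with dummy contents) are constructed for the demo; the thread's C:\WINDOWS\bundles folder is only the motivating case.

```python
"""Reversible quarantine of suspected leftover files.

Added example, not from the thread. Files are moved (not deleted) into a
quarantine folder, renamed with a .quar suffix so nothing treats them as
programs, and recorded in a JSON manifest with their original path and
SHA-256 so they can be verified and put back. All paths are constructed
for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import List

MANIFEST = "quarantine_manifest.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(src_dir: Path, qdir: Path, pattern: str = "*.exe") -> List[dict]:
    """Move every file in src_dir matching pattern into qdir; return the manifest.

    Each moved file gets a numbered name so files with the same name from
    different folders cannot collide, and the .quar suffix replaces the
    runnable extension.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    manifest_path = qdir / MANIFEST
    records = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    for src in sorted(src_dir.glob(pattern)):
        if not src.is_file():
            continue
        idx = len(records)
        dest = qdir / f"{idx:04d}_{src.name}.quar"
        record = {
            "id": idx,
            "original": str(src.resolve()),
            "quarantined": str(dest),
            "sha256": sha256_of(src),   # hashed before the move
            "size": src.stat().st_size,
            "restored": False,
        }
        shutil.move(str(src), str(dest))
        records.append(record)
    manifest_path.write_text(json.dumps(records, indent=2))
    return records


def restore(qdir: Path, file_id: int) -> Path:
    """Put one quarantined file back where it came from, after checking its hash."""
    manifest_path = qdir / MANIFEST
    records = json.loads(manifest_path.read_text())
    rec = records[file_id]
    q = Path(rec["quarantined"])
    if sha256_of(q) != rec["sha256"]:
        raise ValueError("quarantined copy was modified; refusing to restore")
    dest = Path(rec["original"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(q), str(dest))
    rec["restored"] = True
    manifest_path.write_text(json.dumps(records, indent=2))
    return dest


def demo(base: Path) -> dict:
    """Constructed run: three fake leftover .exe files plus one unrelated .txt."""
    bundles = base / "bundles"
    bundles.mkdir(parents=True, exist_ok=True)
    for name in ("cxtpls_loader.exe", "bruzmoh.exe", "CSV7P070.exe"):
        # Dummy contents; these are not real executables.
        (bundles / name).write_bytes(b"dummy-leftover-" + name.encode())
    (bundles / "readme.txt").write_text("unrelated file that must stay put")
    qdir = base / "quarantine"
    records = quarantine(bundles, qdir)
    left = sorted(p.name for p in bundles.iterdir())
    restored = restore(qdir, 0)
    return {
        "moved": len(records),
        "left_after_move": left,
        "restored": restored.name,
        "after_restore": sorted(p.name for p in bundles.iterdir()),
    }


def run_demo_in_tempdir() -> dict:
    """Run the demo inside a throwaway directory so nothing real is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo_in_tempdir(), indent=2))
```

Keeping the hash in the manifest is what makes the quarantine trustworthy: if something later rewrites a quarantined file, `restore` notices and refuses, and the manifest doubles as the inventory you would hand to whoever reviews the files before the folder is finally emptied.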
#11
Registered User
Join Date: Dec 2004
Posts: 10
OS: xp
Will check with xp
I'll check with the XP forum about the recycle bin and take your advice on the bundles folder. Will make a donation soon to keep this site going. All adware/spyware has been quiet. Thank you, thank you, thank you... You guys are too cool!!!