Help! Hijacked by 5Eplorer.exe. Plz read my hijack log, thx!

lordwafer · 01-23-2005, 09:26 PM

Can someone please help me remove this 5Eplorer.exe. I have tried the latest version of adaware (1.05 se w. latest definitions), housecall.trendmicro.com, and spybot search and destroy (v.1.3). Still I cannot remove this 5Eplorer.exe. Sometimes it forces popups when I run IE.

Please help me if you can. Thanks, Jason

Logfile of HijackThis v1.99.0
Scan saved at 9:23:35 PM, on 1/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Chatango\Chatango.exe
C:\Documents and Settings\jason\Desktop\hijackthis_199\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\apps\adobe 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D208CE11-03A2-5B23-86E1-71A2DCD16ECB} - C:\WINNT\system32\dub.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\system32\qttask.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [lmu] C:\WINNT\LMU.exe
O4 - HKLM\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run
O4 - HKLM\..\Run: [lfpgijcl] C:\WINNT\system32\azgytazw.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\jason\Application Data\eore.exe
O4 - HKCU\..\Run: [Clock] C:\WINNT\ups.exe
O4 - HKCU\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run
O4 - HKCU\..\Run: [Knxyxa] C:\WINNT\system32\??plorer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\apps\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visit.../TLIEFlash.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

CTSNKY · 01-24-2005, 07:42 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SurfBuddy

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: (no name) - {D208CE11-03A2-5B23-86E1-71A2DCD16ECB} - C:\WINNT\system32\dub.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [lmu] C:\WINNT\LMU.exe
O4 - HKLM\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run
O4 - HKLM\..\Run: [lfpgijcl] C:\WINNT\system32\azgytazw.exe
O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\jason\Application Data\eore.exe
O4 - HKCU\..\Run: [Clock] C:\WINNT\ups.exe
O4 - HKCU\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run
O4 - HKCU\..\Run: [Knxyxa] C:\WINNT\system32\??plorer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\dub.dll
C:\WINNT\LMU.exe
C:\WINNT\system32\azgytazw.exe
C:\WINNT\system32\??plorer.exe
C:\Documents and Settings\jason\Application Data\eore.exe
C:\Program Files\SurfBuddy\
C:\install.cab

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

lordwafer · 01-24-2005, 10:59 AM

Allright! Thanks!!

Here is my new summary. I followed the steps the best I could. One small snag, I did *see* surf buddy in add/remove programs but it said when I tried to remove it missing sbuddy.dll . I think I might have manually deleted that when my norton or something came up with that. Anyway, PC seems to be running much better. Please let me know if all the threats are cleared off now.

One question, should I go around and change all my passwords for ebay, email, banking, etc. Do these programs have the ability to log my passwords and phone them in to some rogue hacker somewhere??

Thanks Again, Jason

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 10:50:37 AM, on 1/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\apps\Norton2005\navapsvc.exe
E:\apps\Norton2005\IWP\NPFMntor.exe
E:\apps\firefox\firefox.exe
E:\apps\Ad-Aware SE Personal\Ad-Aware.exe
E:\apps\Norton2005\OPScan.exe
C:\Documents and Settings\jason\Desktop\hijackthis_199\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\apps\adobe 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\apps\Norton2005\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\apps\Norton2005\NavShExt.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\apps\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visit.../TLIEFlash.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\apps\Norton2005\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\apps\Norton2005\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\apps\Norton2005\SAVScan.exe

End of KRC HijackThis Analyzer Log.
====================================================================

greyknight17 · 01-24-2005, 11:17 AM

You might have a virus/trojan there, so I'll ask you to run a virus scan (see below). I don't think it's necessary to change the passwords to all those accounts, but if you want to, change them. I don't see any keyloggers in the programs here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\svchost.exe
C:\WINNT\system32\angelex.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.

lordwafer · 01-24-2005, 12:30 PM

OK I followed your steps to the tee. One small problem. Couldn't delete "svchost.exe" said it was a critical windows device and in use. Couldn't end the program using CTL-ALT-DEL. (i'm running win2k). I did have 2 svchost.exe in the winnt folder and I was successful in deleting one of them.

This is great when you guys get done I will be running clean as a whistle!! Ad Aware is coming up empty now :-) so I think we have good progress. Thanks!

I ran NAV2005 w. latest definitions and housecall's and both come up blank.

Here is my updated log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 12:24:05 PM, on 1/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\apps\Norton2005\navapsvc.exe
E:\apps\Norton2005\IWP\NPFMntor.exe
C:\Program Files\Chatango\Chatango.exe
E:\apps\hijackthis_199\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\apps\adobe 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\apps\Norton2005\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\apps\Norton2005\NavShExt.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\apps\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visit.../TLIEFlash.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\apps\Norton2005\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\apps\Norton2005\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\apps\Norton2005\SAVScan.exe

End of KRC HijackThis Analyzer Log.
====================================================================

CTSNKY · 01-24-2005, 12:35 PM

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

01-23-2005, 09:26 PM	#1 (permalink)
lordwafer Registered User Join Date: Jan 2005 Posts: 3 OS: 2000	Help! Hijacked by 5Eplorer.exe. Plz read my hijack log, thx! Can someone please help me remove this 5Eplorer.exe. I have tried the latest version of adaware (1.05 se w. latest definitions), housecall.trendmicro.com, and spybot search and destroy (v.1.3). Still I cannot remove this 5Eplorer.exe. Sometimes it forces popups when I run IE. Please help me if you can. Thanks, Jason Logfile of HijackThis v1.99.0 Scan saved at 9:23:35 PM, on 1/23/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\qttask.exe C:\WINNT\system32\ctfmon.exe C:\WINNT\system32\regsvc.exe C:\Program Files\Chatango\Chatango.exe C:\Documents and Settings\jason\Desktop\hijackthis_199\HijackThis.exe R3 - Default URLSearchHook is missing O1 - Hosts: 127.0.0.0 localhost O1 - Hosts: 127.0.0.2 auditmypc.com O1 - Hosts: 127.0.0.3 boards.cexx.org O1 - Hosts: 127.0.0.4 bulletproofsoft.net O1 - Hosts: 127.0.0.5 camtech2000.net O1 - Hosts: 127.0.0.6 cexx.org O1 - Hosts: 127.0.0.7 computercops.us O1 - Hosts: 127.0.0.8 ct7support.com O1 - Hosts: 127.0.0.9 doxdesk.com O1 - Hosts: 127.0.0.20 kellys-korner-xp.com O1 - Hosts: 127.0.0.21 kephyr.com O1 - Hosts: 127.0.0.24 lurkhere.com O1 - Hosts: 127.0.0.25 majorgeeks.com O1 - Hosts: 127.0.0.26 merijn.org O1 - Hosts: 127.0.0.27 mjc1.com O1 - Hosts: 127.0.0.28 moosoft.com O1 - Hosts: 127.0.0.29 mvps.org O1 - Hosts: 127.0.0.30 net-integration.net O1 - Hosts: 127.0.0.31 noadware.net O1 - Hosts: 127.0.0.32 no-spybot.com O1 - Hosts: 127.0.0.33 onlinepcfix.com O1 - Hosts: 127.0.0.34 pchell.com O1 - Hosts: 127.0.0.35 pestpatrol.com O1 - Hosts: 127.0.0.36 safer-networking.org O1 - Hosts: 127.0.0.37 secure.spykiller.com O1 - Hosts: 127.0.0.38 secureie.com O1 - Hosts: 127.0.0.39 security.kolla.de O1 - Hosts: 127.0.0.40 spybot.info O1 - Hosts: 127.0.0.41 spychecker.com O1 - Hosts: 127.0.0.42 spychecker.com O1 - Hosts: 127.0.0.43 spycop.com O1 - Hosts: 127.0.0.44 spyguard.com O1 - Hosts: 127.0.0.45 spykiller.com O1 - Hosts: 127.0.0.46 spyware.co.uk O1 - Hosts: 127.0.0.47 spyware-cop.com O1 - Hosts: 127.0.0.48 spywareinfo.com O1 - Hosts: 127.0.0.49 spywarenuker.com O1 - Hosts: 127.0.0.50 spywareremove.com O1 - Hosts: 127.0.0.51 spywareremove.com O1 - Hosts: 127.0.0.52 stopzillapro.com O1 - Hosts: 127.0.0.53 sunbelt-software.com O1 - Hosts: 127.0.0.54 thiefware.com O1 - Hosts: 127.0.0.55 tomcoyote.org O1 - Hosts: 127.0.0.56 unwantedlinks.com O1 - Hosts: 127.0.0.57 webattack.com O1 - Hosts: 127.0.0.58 wilders.org O1 - Hosts: 127.0.0.59 www.auditmypc.com O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net O1 - Hosts: 127.0.0.61 www.cexx.org O1 - Hosts: 127.0.0.62 www.computercops.us O1 - Hosts: 127.0.0.63 www.ct7support.com O1 - Hosts: 127.0.0.64 www.doxdesk.com O1 - Hosts: 127.0.0.65 www.eblocs.com O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com O1 - Hosts: 127.0.0.68 www.free-web-browsers.com O1 - Hosts: 127.0.0.69 www.grc.com O1 - Hosts: 127.0.0.70 www.grisoft.com O1 - Hosts: 127.0.0.71 www.hackfaq.org O1 - Hosts: 127.0.0.72 www.hazeleger.net O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com O1 - Hosts: 127.0.0.75 www.kephyr.com O1 - Hosts: 127.0.0.78 www.lurkhere.com O1 - Hosts: 127.0.0.79 www.majorgeeks.com O1 - Hosts: 127.0.0.80 www.merijn.org O1 - Hosts: 127.0.0.81 www.mjc1.com O1 - Hosts: 127.0.0.82 www.moosoft.com O1 - Hosts: 127.0.0.83 www.mvps.org O1 - Hosts: 127.0.0.84 www.net-integration.net O1 - Hosts: 127.0.0.85 www.noadware.net O1 - Hosts: 127.0.0.86 www.no-spybot.com O1 - Hosts: 127.0.0.87 www.onlinepcfix.com O1 - Hosts: 127.0.0.88 www.pchell.com O1 - Hosts: 127.0.0.89 www.pestpatrol.com O1 - Hosts: 127.0.0.90 www.safer-networking.org O1 - Hosts: 127.0.0.91 www.secureie.com O1 - Hosts: 127.0.0.92 www.security.kolla.de O1 - Hosts: 127.0.0.93 www.spybot.info O1 - Hosts: 127.0.0.94 www.spychecker.com O1 - Hosts: 127.0.0.95 www.spychecker.com O1 - Hosts: 127.0.0.96 www.spycop.com O1 - Hosts: 127.0.0.97 www.spyguard.com O1 - Hosts: 127.0.0.98 www.spykiller.com O1 - Hosts: 127.0.0.99 www.spyware.co.uk O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\apps\adobe 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {D208CE11-03A2-5B23-86E1-71A2DCD16ECB} - C:\WINNT\system32\dub.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file) O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\system32\qttask.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [lmu] C:\WINNT\LMU.exe O4 - HKLM\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run O4 - HKLM\..\Run: [lfpgijcl] C:\WINNT\system32\azgytazw.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\jason\Application Data\eore.exe O4 - HKCU\..\Run: [Clock] C:\WINNT\ups.exe O4 - HKCU\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run O4 - HKCU\..\Run: [Knxyxa] C:\WINNT\system32\??plorer.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\apps\OFFICE~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visit.../TLIEFlash.CAB O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing) O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe Last edited by lordwafer : 01-23-2005 at 09:30 PM. Reason: Revised hijack this log.

01-24-2005, 07:42 AM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SurfBuddy Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R3 - Default URLSearchHook is missing O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing) O2 - BHO: (no name) - {D208CE11-03A2-5B23-86E1-71A2DCD16ECB} - C:\WINNT\system32\dub.dll O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file) O4 - HKLM\..\Run: [lmu] C:\WINNT\LMU.exe O4 - HKLM\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run O4 - HKLM\..\Run: [lfpgijcl] C:\WINNT\system32\azgytazw.exe O4 - HKCU\..\Run: [Paro] C:\Documents and Settings\jason\Application Data\eore.exe O4 - HKCU\..\Run: [Clock] C:\WINNT\ups.exe O4 - HKCU\..\Run: [SurfBuddy] rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run O4 - HKCU\..\Run: [Knxyxa] C:\WINNT\system32\??plorer.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINNT\system32\dub.dll C:\WINNT\LMU.exe C:\WINNT\system32\azgytazw.exe C:\WINNT\system32\??plorer.exe C:\Documents and Settings\jason\Application Data\eore.exe C:\Program Files\SurfBuddy\ C:\install.cab Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ GO BIG BLUE!!

01-24-2005, 10:59 AM	#3 (permalink)
lordwafer Registered User Join Date: Jan 2005 Posts: 3 OS: 2000	Thank You Sir. Looks much better. Allright! Thanks!! Here is my new summary. I followed the steps the best I could. One small snag, I did see surf buddy in add/remove programs but it said when I tried to remove it missing sbuddy.dll . I think I might have manually deleted that when my norton or something came up with that. Anyway, PC seems to be running much better. Please let me know if all the threats are cleared off now. One question, should I go around and change all my passwords for ebay, email, banking, etc. Do these programs have the ability to log my passwords and phone them in to some rogue hacker somewhere?? Thanks Again, Jason ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 10:50:37 AM, on 1/24/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: E:\apps\Norton2005\navapsvc.exe E:\apps\Norton2005\IWP\NPFMntor.exe E:\apps\firefox\firefox.exe E:\apps\Ad-Aware SE Personal\Ad-Aware.exe E:\apps\Norton2005\OPScan.exe C:\Documents and Settings\jason\Desktop\hijackthis_199\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\apps\adobe 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\apps\Norton2005\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\apps\Norton2005\NavShExt.dll O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\apps\OFFICE~1\OFFICE11\EXCEL.EXE/3000 O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visit.../TLIEFlash.CAB O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing) O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing) O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\apps\Norton2005\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\apps\Norton2005\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - E:\apps\Norton2005\SAVScan.exe End of KRC HijackThis Analyzer Log. ====================================================================

01-24-2005, 11:17 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	You might have a virus/trojan there, so I'll ask you to run a virus scan (see below). I don't think it's necessary to change the passwords to all those accounts, but if you want to, change them. I don't see any keyloggers in the programs here. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing) O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing) Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINNT\svchost.exe C:\WINNT\system32\angelex.exe Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

01-24-2005, 12:30 PM	#5 (permalink)
lordwafer Registered User Join Date: Jan 2005 Posts: 3 OS: 2000	OK I followed your steps to the tee. One small problem. Couldn't delete "svchost.exe" said it was a critical windows device and in use. Couldn't end the program using CTL-ALT-DEL. (i'm running win2k). I did have 2 svchost.exe in the winnt folder and I was successful in deleting one of them. This is great when you guys get done I will be running clean as a whistle!! Ad Aware is coming up empty now :-) so I think we have good progress. Thanks! I ran NAV2005 w. latest definitions and housecall's and both come up blank. Here is my updated log: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 12:24:05 PM, on 1/24/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: E:\apps\Norton2005\navapsvc.exe E:\apps\Norton2005\IWP\NPFMntor.exe C:\Program Files\Chatango\Chatango.exe E:\apps\hijackthis_199\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\apps\adobe 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\apps\Norton2005\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\apps\Norton2005\NavShExt.dll O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\apps\OFFICE~1\OFFICE11\EXCEL.EXE/3000 O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/Visit.../TLIEFlash.CAB O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...10/mcfscan.cab O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\apps\Norton2005\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\apps\Norton2005\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - E:\apps\Norton2005\SAVScan.exe End of KRC HijackThis Analyzer Log. ==================================================================== Last edited by lordwafer : 01-24-2005 at 12:33 PM.

01-24-2005, 12:35 PM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ GO BIG BLUE!!