Hijack this help!!!!!!!!!!!!!!!!

djbutzen · 02-26-2005, 12:54 PM

Can someone help with my scan. Is there any site that can help me desipher?

Whatever I got makes it very difficult for me to get on-line.

Thanks in advance.

Dave B...

Logfile of HijackThis v1.99.1
Scan saved at 8:30:03 AM, on 2/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\prutqct.exe
C:\Documents and Settings\Windows User\My Documents\Comp fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = wi.rr.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {05460EBA-C366-402A-A504-6426836E6FD5} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {0CAE85DF-F444-4071-90EC-4E8AB67F8AD0} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {2A16EDF2-AE29-45C7-B581-3FF0CF6D3EF4} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {38FFAFE9-52F2-445E-97FB-B273062A93D0} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59C7D99E-D7D1-400C-9A80-75CDE57BF46D} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {68E29065-DC6A-4EE0-8F5D-695211B11F89} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {6923C5E5-BA91-4563-B93C-E48228386996} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {93172F4F-D1EC-473E-8DBE-8A4AA22DCF8F} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll
O2 - BHO: (no name) - {9DEB7E5B-7B04-498B-90E6-9C3035215D5B} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {C4E17322-D63E-4A28-8B85-9447B9662686} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {E8B56F4A-05ED-4D76-90D1-EE45A52C8A9B} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/game...s/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdriver...ve/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036af655...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101250022443
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: eplrr9 - {75598E8B-7776-4E4C-90A9-F3AFAA9C1C1F} - C:\WINDOWS\System32\mspdnx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

palguy · 02-26-2005, 03:59 PM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.
__________________

...A Reflection On Spyware...

Mr. Incredible: No matter how many times you save the world, it always manages to get back in jeopardy again. Sometimes I just want it to stay saved! You know, for a little bit? I feel like the maid; "I just cleaned up this mess! Can we keep it clean for... for ten minutes!"

...greyknight17 DOT com...

palguy · 02-27-2005, 10:56 AM

Hello djbutzen and welcome to TSF,

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time).

C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\prutqct.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

2osx21u6
E2G

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = wi.rr.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {05460EBA-C366-402A-A504-6426836E6FD5} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {0CAE85DF-F444-4071-90EC-4E8AB67F8AD0} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {2A16EDF2-AE29-45C7-B581-3FF0CF6D3EF4} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {38FFAFE9-52F2-445E-97FB-B273062A93D0} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {59C7D99E-D7D1-400C-9A80-75CDE57BF46D} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {68E29065-DC6A-4EE0-8F5D-695211B11F89} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {6923C5E5-BA91-4563-B93C-E48228386996} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {93172F4F-D1EC-473E-8DBE-8A4AA22DCF8F} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll
O2 - BHO: (no name) - {9DEB7E5B-7B04-498B-90E6-9C3035215D5B} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {C4E17322-D63E-4A28-8B85-9447B9662686} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {E8B56F4A-05ED-4D76-90D1-EE45A52C8A9B} - C:\Program Files\2osx21u6\2osx21u6.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrive...ave/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036af65...ip/RdxIE601.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: eplrr9 - {75598E8B-7776-4E4C-90A9-F3AFAA9C1C1F} - C:\WINDOWS\System32\mspdnx.dll

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\rsyncmon.dll
C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
C:\WINDOWS\System32\AUNBHO.dll
C:\WINDOWS\System32\ic2_win.dll
C:\WINDOWS\System32\mspdnx.dll
C:\WINDOWS\isrvs
C:\Program Files\2osx21u6
C:\Program Files\E2G

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

djbutzen · 03-01-2005, 05:31 PM

That was amazing. Your remedy worked like a charm.

Thank You so much,

Dave B.....

CTSNKY · 03-01-2005, 06:48 PM

You really should post afresh HJT log, to be sure you're clean. These buggers are hard to kill off in one swipe, sometimes.

djbutzen · 03-09-2005, 08:48 PM

you were so right. My celebration was a bit premature.

Please review if you have the chance.

Thanks...

Logfile of HijackThis v1.99.1
Scan saved at 9:41:59 PM, on 3/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
C:\WINDOWS\Xhrmy.exe
C:\Program Files\PaintingRoom\paintingroom.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\zkrr\zkrra.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Windows User\My Documents\Comp fix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {B4D0FD75-2934-C1CF-1B77-86DEBAD078EC} - C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\HoldBase\KEEPDUMB.exe
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [PaintingRoom smile monitor] "C:\Program Files\PaintingRoom\paintingroom.exe" -traysmile
O4 - HKLM\..\Run: [PaintingRoom evidence monitor] "C:\Program Files\PaintingRoom\paintingroom.exe" -trayevidence
O4 - HKLM\..\Run: [Beep Size Scr Blue] C:\Documents and Settings\All Users\Application Data\Send2BeepSize\dentbrowse.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [zkrr] C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe
O4 - HKCU\..\Run: [Glue bits] C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\DRAWSU~1\PopUserWma.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/game...s/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101250022443
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax2702.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

CTSNKY · 03-10-2005, 01:27 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe
C:\PROGRA~1\COMMON~1\zkrr\zkrra.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MyWay
AltnetPointsManager
P2P Networking

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O2 - BHO: (no name) - {B4D0FD75-2934-C1CF-1B77-86DEBAD078EC} - C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\HoldBase\KEEPDUM B.exe
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [Beep Size Scr Blue] C:\Documents and Settings\All Users\Application Data\Send2BeepSize\dentbrowse.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [zkrr] C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe
O4 - HKCU\..\Run: [Glue bits] C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\DRAWSU~1\PopUser Wma.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\DOWNLO~1\search3.dll
C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\DRAWSU~1\
C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\HoldBase\
C:\Documents and Settings\All Users\Application Data\msw\
C:\Documents and Settings\All Users\Application Data\Send2BeepSize\
c:\program files\altnet\
C:\PROGRAM FILES\COMMON FILES\zkrr\
C:\Program Files\MyWay\
C:\WINDOWS\isrvs\
C:\WINDOWS\System32\P2P Networking\
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\Xhrmy.exe
D0CE0C16B1
D9EBC318C
E6F1873B.DLL

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

02-26-2005, 12:54 PM	#1 (permalink)
djbutzen Registered User Join Date: Feb 2005 Posts: 10 OS: win xp	Hijack this help!!!!!!!!!!!!!!!! Can someone help with my scan. Is there any site that can help me desipher? Whatever I got makes it very difficult for me to get on-line. Thanks in advance. Dave B... Logfile of HijackThis v1.99.1 Scan saved at 8:30:03 AM, on 2/26/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe C:\WINDOWS\System32\prutqct.exe C:\WINDOWS\System32\prutqct.exe C:\Documents and Settings\Windows User\My Documents\Comp fix\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = wi.rr.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {05460EBA-C366-402A-A504-6426836E6FD5} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {0CAE85DF-F444-4071-90EC-4E8AB67F8AD0} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll O2 - BHO: (no name) - {2A16EDF2-AE29-45C7-B581-3FF0CF6D3EF4} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: (no name) - {38FFAFE9-52F2-445E-97FB-B273062A93D0} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {59C7D99E-D7D1-400C-9A80-75CDE57BF46D} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll O2 - BHO: (no name) - {68E29065-DC6A-4EE0-8F5D-695211B11F89} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {6923C5E5-BA91-4563-B93C-E48228386996} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {93172F4F-D1EC-473E-8DBE-8A4AA22DCF8F} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll O2 - BHO: (no name) - {9DEB7E5B-7B04-498B-90E6-9C3035215D5B} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {C4E17322-D63E-4A28-8B85-9447B9662686} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {E8B56F4A-05ED-4D76-90D1-EE45A52C8A9B} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe O4 - Global Startup: Microsoft Office.lnk.disabled O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/game...s/y/gst1_x.cab O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdriver...ve/Install.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036af655...p/RdxIE601.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101250022443 O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O21 - SSODL: eplrr9 - {75598E8B-7776-4E4C-90A9-F3AFAA9C1C1F} - C:\WINDOWS\System32\mspdnx.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

03-01-2005, 05:31 PM	#4 (permalink)
djbutzen Registered User Join Date: Feb 2005 Posts: 10 OS: win xp	Many Thanks That was amazing. Your remedy worked like a charm. Thank You so much, Dave B.....

03-01-2005, 06:48 PM	#5 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	You really should post afresh HJT log, to be sure you're clean. These buggers are hard to kill off in one swipe, sometimes. __________________ GO BIG BLUE!!

03-09-2005, 08:48 PM	#6 (permalink)
djbutzen Registered User Join Date: Feb 2005 Posts: 10 OS: win xp	New Problems....New HJT scan....HELP!!! you were so right. My celebration was a bit premature. Please review if you have the chance. Thanks... Logfile of HijackThis v1.99.1 Scan saved at 9:41:59 PM, on 3/9/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\System32\tcpsvcs.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe C:\WINDOWS\System32\winupdt.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\isrvs\desktop.exe C:\Program Files\Media Pass\MediaPassK.exe C:\WINDOWS\System32\rundll32.exe C:\Documents and Settings\All Users\Application Data\msw\MSW.exe C:\WINDOWS\Xhrmy.exe C:\Program Files\PaintingRoom\paintingroom.exe C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\System32\sysmonnt.exe C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\COMMON~1\zkrr\zkrra.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE C:\Program Files\WinZip\WZQKPICK.EXE c:\progra~1\intern~1\iexplore.exe C:\Program Files\LimeWire\LimeWire.exe C:\Documents and Settings\Windows User\My Documents\Comp fix\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file) O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll O2 - BHO: (no name) - {B4D0FD75-2934-C1CF-1B77-86DEBAD078EC} - C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\HoldBase\KEEPDUMB.exe O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe O4 - HKLM\..\Run: [PaintingRoom smile monitor] "C:\Program Files\PaintingRoom\paintingroom.exe" -traysmile O4 - HKLM\..\Run: [PaintingRoom evidence monitor] "C:\Program Files\PaintingRoom\paintingroom.exe" -trayevidence O4 - HKLM\..\Run: [Beep Size Scr Blue] C:\Documents and Settings\All Users\Application Data\Send2BeepSize\dentbrowse.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt O4 - HKCU\..\Run: [zkrr] C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe O4 - HKCU\..\Run: [Glue bits] C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\DRAWSU~1\PopUserWma.exe O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Microsoft Office.lnk.disabled O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/game...s/y/gst1_x.cab O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101250022443 O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...ploader_v5.cab O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax2702.cab O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

03-10-2005, 01:27 PM	#7 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\System32\winupdt.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\isrvs\desktop.exe C:\Documents and Settings\All Users\Application Data\msw\MSW.exe C:\WINDOWS\Xhrmy.exe C:\WINDOWS\System32\sysmonnt.exe C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe C:\PROGRA~1\COMMON~1\zkrr\zkrra.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: MyWay AltnetPointsManager P2P Networking Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file) O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll O2 - BHO: (no name) - {B4D0FD75-2934-C1CF-1B77-86DEBAD078EC} - C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\HoldBase\KEEPDUM B.exe O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1 O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe O4 - HKLM\..\Run: [Beep Size Scr Blue] C:\Documents and Settings\All Users\Application Data\Send2BeepSize\dentbrowse.exe O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt O4 - HKCU\..\Run: [zkrr] C:\PROGRA~1\COMMON~1\zkrr\zkrrm.exe O4 - HKCU\..\Run: [Glue bits] C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\DRAWSU~1\PopUser Wma.exe O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\DOWNLO~1\search3.dll C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\DRAWSU~1\ C:\DOCUME~1\WINDOW~1.FAM\APPLIC~1\HoldBase\ C:\Documents and Settings\All Users\Application Data\msw\ C:\Documents and Settings\All Users\Application Data\Send2BeepSize\ c:\program files\altnet\ C:\PROGRAM FILES\COMMON FILES\zkrr\ C:\Program Files\MyWay\ C:\WINDOWS\isrvs\ C:\WINDOWS\System32\P2P Networking\ C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\sysmonnt.exe C:\WINDOWS\System32\winupdt.exe C:\WINDOWS\Xhrmy.exe D0CE0C16B1 D9EBC318C E6F1873B.DLL Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ GO BIG BLUE!!

02-26-2005, 03:59 PM	#2 (permalink)
palguy Registered User Join Date: Nov 2004 Posts: 369 OS: xp	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time. __________________ ...A Reflection On Spyware... Mr. Incredible: No matter how many times you save the world, it always manages to get back in jeopardy again. Sometimes I just want it to stay saved! You know, for a little bit? I feel like the maid; "I just cleaned up this mess! Can we keep it clean for... for ten minutes!" ...greyknight17 DOT com...

02-27-2005, 10:56 AM	#3 (permalink)
palguy Registered User Join Date: Nov 2004 Posts: 369 OS: xp	Hello djbutzen and welcome to TSF, Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro. To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). C:\WINDOWS\System32\prutqct.exe C:\WINDOWS\System32\prutqct.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: 2osx21u6 E2G Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = wi.rr.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {05460EBA-C366-402A-A504-6426836E6FD5} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {0CAE85DF-F444-4071-90EC-4E8AB67F8AD0} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll O2 - BHO: (no name) - {2A16EDF2-AE29-45C7-B581-3FF0CF6D3EF4} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: (no name) - {38FFAFE9-52F2-445E-97FB-B273062A93D0} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll O2 - BHO: (no name) - {59C7D99E-D7D1-400C-9A80-75CDE57BF46D} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll O2 - BHO: (no name) - {68E29065-DC6A-4EE0-8F5D-695211B11F89} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {6923C5E5-BA91-4563-B93C-E48228386996} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {93172F4F-D1EC-473E-8DBE-8A4AA22DCF8F} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll O2 - BHO: (no name) - {9DEB7E5B-7B04-498B-90E6-9C3035215D5B} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {C4E17322-D63E-4A28-8B85-9447B9662686} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {E8B56F4A-05ED-4D76-90D1-EE45A52C8A9B} - C:\Program Files\2osx21u6\2osx21u6.dll O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrive...ave/Install.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/036af65...ip/RdxIE601.cab O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll O21 - SSODL: eplrr9 - {75598E8B-7776-4E4C-90A9-F3AFAA9C1C1F} - C:\WINDOWS\System32\mspdnx.dll *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\System32\prutqct.exe C:\WINDOWS\System32\rsyncmon.dll C:\Documents and Settings\All Users\Application Data\msw\MSW.dll C:\WINDOWS\System32\AUNBHO.dll C:\WINDOWS\System32\ic2_win.dll C:\WINDOWS\System32\mspdnx.dll C:\WINDOWS\isrvs C:\Program Files\2osx21u6 C:\Program Files\E2G Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.