Possible virus [Resolved]

marss525 · 04-09-2005, 05:06 PM

Hi guys,

I have followed all of the instructions before posting this thread. I am having problems with pop ups and after running virus scan from trend micro it seems I have 2 items which cannot be removed. I also ran a hijackthis log using hijackthis analyzer and the results are as follows. Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 6:55:10 PM, on 4/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\dsumebuf.exe
C:\WINDOWS\System32\dspnpmgr.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.sr...33&langid=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3srf38W] dsumebuf.exe
O4 - HKCU\..\Run: [IB0pRUasV] dspnpmgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

End of KRC HijackThis Analyzer Log.
====================================================================

Herk · 04-09-2005, 05:45 PM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

You may wish to Subscribe to this thread so that you are notified when a reply has been made.
Click Thread Tools then Subscribe to Thread.

Please be patient with me during this time.

Herk · 04-09-2005, 09:51 PM

Hello marss525 and welcome to TSF

Thank you for your patience

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJK , or another name of your choice. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.

To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time).

C:\WINDOWS\System32\dsumebuf.exe
C:\WINDOWS\System32\dspnpmgr.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: if they exist.

CxtPls
POP!

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3srf38W] dsumebuf.exe
O4 - HKCU\..\Run: [IB0pRUasV] dspnpmgr.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\CxtPls
C:\Program Files\AutoUpdate
C:\WINDOWS\System32\dsumebuf.exe
C:\WINDOWS\System32\dspnpmgr.exe

Reboot your System in normal mode.

FYI WorkFlow is BroadJump related
If D drive is your CD, remove the CD and see if HJT still shows this.

BroadJump - Newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that don't embed this spyware in their program. You will most likely also have Support.com installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself.

Please post a fresh Hijack This log so that we can check if your system is clean.

marss525 · 04-10-2005, 01:21 AM

Thank you so much for all of your help. I followed your directions and have hopefully solved the problem. I have run a new HiJackThis log through the analyzer:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\AVPersonal\AVWUPSRV.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:17:02 AM, on 4/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.sr...33&langid=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

End of KRC HijackThis Analyzer Log.
====================================================================

Please let me know if there is anything I need to do. Also, should I reset my settings for anything (i.e. system restore)? Thanks again!

Herk · 04-10-2005, 04:05 PM

Hi marss525

Other than WorkFlow, your system is clean.

WorkFlow.exe description:
Related to BroadJump's broadband trouble-shooting software.
Check Add / Remove Programs for WorkFlow or WorkFlo Don't uninstall it yourself. Try to find out how to remove it from your ISP. It may be required for your internet connection.

And yes, you may turn System Restore back on now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.

Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com.

Please feel free to contact us again if you have any remaining problems.

04-09-2005, 05:06 PM	#1 (permalink)
marss525 Registered User Join Date: Apr 2005 Posts: 4 OS: WinXP	Possible virus Hi guys, I have followed all of the instructions before posting this thread. I am having problems with pop ups and after running virus scan from trend micro it seems I have 2 items which cannot be removed. I also ran a hijackthis log using hijackthis analyzer and the results are as follows. Thank you for your help. Logfile of HijackThis v1.99.1 Scan saved at 6:55:10 PM, on 4/9/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\dsumebuf.exe C:\WINDOWS\System32\dspnpmgr.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.sr...33&langid=1033 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file) O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [3srf38W] dsumebuf.exe O4 - HKCU\..\Run: [IB0pRUasV] dspnpmgr.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE End of KRC HijackThis Analyzer Log. ====================================================================

04-10-2005, 01:21 AM	#4 (permalink)
marss525 Registered User Join Date: Apr 2005 Posts: 4 OS: WinXP	Possible Virus Thank you so much for all of your help. I followed your directions and have hopefully solved the problem. I have run a new HiJackThis log through the analyzer: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\AVPersonal\AVWUPSRV.EXE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 3:17:02 AM, on 4/10/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.passport.net/reg.sr...33&langid=1033 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE End of KRC HijackThis Analyzer Log. ==================================================================== Please let me know if there is anything I need to do. Also, should I reset my settings for anything (i.e. system restore)? Thanks again!

04-09-2005, 05:45 PM	#2 (permalink)
Herk Registered User Join Date: Feb 2005 Location: Georgia Posts: 584 OS: XP	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p You may wish to Subscribe to this thread so that you are notified when a reply has been made. Click Thread Tools then Subscribe to Thread. Please be patient with me during this time.

04-09-2005, 09:51 PM	#3 (permalink)
Herk Registered User Join Date: Feb 2005 Location: Georgia Posts: 584 OS: XP	Hello marss525 and welcome to TSF Thank you for your patience Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJK , or another name of your choice. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files. To turn off System Restore Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (You must kill them one at a time). C:\WINDOWS\System32\dsumebuf.exe C:\WINDOWS\System32\dspnpmgr.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: if they exist. CxtPls POP! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file) O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" O4 - HKLM\..\Run: [3srf38W] dsumebuf.exe O4 - HKCU\..\Run: [IB0pRUasV] dspnpmgr.exe O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\CxtPls C:\Program Files\AutoUpdate C:\WINDOWS\System32\dsumebuf.exe C:\WINDOWS\System32\dspnpmgr.exe Reboot your System in normal mode. FYI WorkFlow is BroadJump related If D drive is your CD, remove the CD and see if HJT still shows this. BroadJump - Newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that don't embed this spyware in their program. You will most likely also have Support.com installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself. Please post a fresh Hijack This log so that we can check if your system is clean.

04-10-2005, 04:05 PM	#5 (permalink)
Herk Registered User Join Date: Feb 2005 Location: Georgia Posts: 584 OS: XP	Hi marss525 Other than WorkFlow, your system is clean. WorkFlow.exe description: Related to BroadJump's broadband trouble-shooting software. Check Add / Remove Programs for WorkFlow or WorkFlo Don't uninstall it yourself. Try to find out how to remove it from your ISP. It may be required for your internet connection. And yes, you may turn System Restore back on now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided. Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com. Please feel free to contact us again if you have any remaining problems.