Need Help removing spyware/virus!!

[gatorsmg]

I seem to have caught a nasty bug on my home machine

I am part of the network admin team at a private highschool and come across all kinds of goodies throughout the year as I'm sure you can imagine. Every once in a while we get a hold of something that really throws a wrench into the works and we can figure out how to fix it. This is one of those cases only it's at home this time instead of at work.

I am running XP Home

When starting my computer I immediately have a program called SpySheriff (which I did not download) launch and tell me I need to visit their website for an activation code to remove the "harmful spyware that has infected me computer", I find this hilarious since SpySheriff itself seems to be adware.

My background has been changed to the following:
"CRITICAL WARNING -- System has been stopped due to a seerious malfunction. Spyware activity has been detected...."
I cannot change my background.

I have run the following removal programs: Ad-Aware, Spy-Bot S&D, CWS Shredder, Microsoft Antispyware, and Hijack This.

Ofcourse the results of my scans change from time to time but basically I keep coming up with: TIB, VX2, SpywareNo, prefetch, aurora

My hijackthis log is pasted below

I went into my registry to delete the malicious values I could find but it has been useless.

I am able to use the internet although it has been hijacked with page redirects and pop ups galore.

I keep trying to use HouseCall (virus scan) on Trendmicro.com but everytime it starts to scan I get an error and explorer shuts down...I think this is more than just a coinincedence. The only time I have trouble with explorer is when I try to run a virus scan. Is it possible that my infection blocks this action?

I am also unable to install Norton 2005 although I have been able to download and run CWS Shredder and Hijack This. Again is this the infection blocking antivirus use?

I tried going to Symantec.com but I cannot access their site. Once again is this possibly a function of my infection...to stop the use of antivirus programs?

The following is my most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:22:49 PM, on 6/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\ms1.exe
C:\WINDOWS\nmstt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dx32cxlp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\windows\system32\brifdg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Scott\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [win32servv] C:\WINDOWS\ms1.exe
O4 - HKLM\..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bbgyxsi] c:\windows\system32\brifdg.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dx32cxlp.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpGDC - C:\WINDOWS\SYSTEM32\tcpGDC.dll
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

I am definitely stuck on this one and would greatly appreciate some help if anyone knows what to do.

Thanks

Scott

[BMR777]

It seems that is going around a lot lately, at least by posts here at TSF. I found This Article which goes step by step telling you how to remove this nasty app. Give it a try and see if you get this resolved.

Best of luck,
BMR777

[gatorsmg]

Quote:

Originally Posted by BMR777

It seems that is going around a lot lately, at least by posts here at TSF. I found This Article which goes step by step telling you how to remove this nasty app. Give it a try and see if you get this resolved.

Best of luck,
BMR777

Oops should have checked if there was a thread about this before I made a new one

Thanks for the link. I'll check it out and post the results.

[ReeKorl]

If you have those on your system, it's likely there will be other things. Just to be sure, you could get a check-up from one of our security analysts (it's always best to get a custom made solution to your problem). Follow these instructions, taking special note to get the VX2 remover tool for AdAware:

1. On-line Scanners
   Scan your pc with 2 of these free online scanners:
   Panda ActiveScan
   RAV AntiVirus
   Housecall. Be sure to put a check the box beside AutoClean.
   
   --------------------------------------------------------------------------------
   
2. Download / Install / Update / and Run:
   Adaware SE check for any updates before running it.
   Get the plug-in for fixing VX2 variants. You can download it at this SITE
   To run this tool, install to the hard drive, then open Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.
   
   --------------------------------------------------------------------------------
   
3. Download and install Spybot S&D . Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.
   
   --------------------------------------------------------------------------------
   
4. Download and install: HiJackThis.
   
   (Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders or Desktop. A good place to make a folder would be in My Documents, as this is where it will save the backup files needed if there's a problem.)
   
   Then doubleclick HijackThis.exe, and hit "Do A System Scan And Save Log". Make sure all Windows and Browsers are closed.
   When the scan is finished, best to save your text file in the same folder as where you put HiJackthis.
   
   
   Create a New Topic and include a fresh HJT log in HiJackThisLog Help Forum and Copy/Paste the info from your saved Hijackthis log file into your new topic.
   
   A Moderator/ Security Team Analyst will give you instructions.
   
   
   ***DO NOT TRY TO FIX ANYTHING, MAJOR DAMAGE CAN BE DONE TO YOUR SYSTEM IF THIS TOOL IS USED INCORRECTLY, PLEASE WAIT FOR AN ANALYST/MODERATOR TO GIVE YOU INSTRUCTIONS***
   
   Always describe your problem and any programs you have used to try to resolve your issue. Your description can go a long way to solving/repairing your particular issue.

Finally, Windows Updates!

It is essential to keep your computer's operating system and programs in top condition. That means keeping up with applying patches, hotfixes and service packs. Make sure that your Operating System and Internet Explorer are up-to-date by visiting the Windows Update Site and downloading all of the Critical Updates and Service Packs.

[gatorsmg]

Thanks guys for the help Unfortunately the VX2 bug still won't go away.

Everything else (the spysheriff and SpywareNo bugs) seems to be gone but when I run Ad-Aware I keep getting lots of VX2 registry values. I'm also getting one windows RegData in the winlogon under windows nt, something called "nail.exe".

** My current Ad-Aware and HijackThis logs are below **

I can't get Norton to install either. When my virus problem started a few days ago I tried to install the newest version of Norton Internet Security. Part way through the installation my computer froze and now nothing happens when I click "install Norton now".

Any ideas?

Ad-Aware Log
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, July 04, 2005 11:01:28 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R52 30.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):18 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-4-2005 11:01:28 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2990501737-1074398133-2583448567-1006\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 560
ThreadCreationTime : 7-5-2005 2:46:29 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 7-5-2005 2:46:32 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 7-5-2005 2:46:34 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 7-5-2005 2:46:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 7-5-2005 2:46:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 856
ThreadCreationTime : 7-5-2005 2:46:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 900
ThreadCreationTime : 7-5-2005 2:46:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1056
ThreadCreationTime : 7-5-2005 2:46:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1080
ThreadCreationTime : 7-5-2005 2:46:43 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1212
ThreadCreationTime : 7-5-2005 2:46:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1328
ThreadCreationTime : 7-5-2005 2:46:48 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1432
ThreadCreationTime : 7-5-2005 2:46:49 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 1512
ThreadCreationTime : 7-5-2005 2:46:50 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:14 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1588
ThreadCreationTime : 7-5-2005 2:46:52 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:15 [neeijqd.exe]
FilePath : c:\windows\system32\
ProcessID : 1876
ThreadCreationTime : 7-5-2005 2:47:01 AM
BasePriority : Normal
FileVersion : 1, 1, 0, 3
ProductVersion : 0, 0, 7, 0

#:16 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 188
ThreadCreationTime : 7-5-2005 2:47:05 AM
BasePriority : Normal
FileVersion : 3.5.25 08/27/2003 20:04:35
ProductVersion : 3.5.25 08/27/2003 20:04:35
ProductName : BCM Modem Messaging Applet
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Broadcom Corporation 1998-2000
OriginalFilename : smdmstat.exe

#:17 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ProcessID : 388
ThreadCreationTime : 7-5-2005 2:47:07 AM
BasePriority : Normal
FileVersion : 5.2.0.91
ProductVersion : 5.2.0.91
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001-2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:18 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 428
ThreadCreationTime : 7-5-2005 2:47:08 AM
BasePriority : Normal
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
ProductName : RealOne Player (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2002
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:19 [cfd.exe]
FilePath : C:\Program Files\BroadJump\Client Foundation\
ProcessID : 444
ThreadCreationTime : 7-5-2005 2:47:08 AM
BasePriority : Normal


#:20 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 504
ThreadCreationTime : 7-5-2005 2:47:09 AM
BasePriority : Idle
FileVersion : 1.00.0614
ProductVersion : 1.00.0614
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:21 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ProcessID : 584
ThreadCreationTime : 7-5-2005 2:47:14 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : BVRP Software TestLine
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
LegalCopyright : Copyright © 2001
OriginalFilename : TestLine.exe

#:22 [hpohmr08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 612
ThreadCreationTime : 7-5-2005 2:47:14 AM
BasePriority : Normal
FileVersion : 4.2.0.170
ProductVersion : 002.000.000.170
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects

#:23 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 608
ThreadCreationTime : 7-5-2005 2:47:15 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:24 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 844
ThreadCreationTime : 7-5-2005 2:47:16 AM
BasePriority : Normal
FileVersion : 1.00.0614
ProductVersion : 1.00.0614
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet(tm) is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:25 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 1156
ThreadCreationTime : 7-5-2005 2:47:23 AM
BasePriority : Normal
FileVersion : 4.2.0.170
ProductVersion : 002.000.000.170
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:26 [hpzipm12.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1396
ThreadCreationTime : 7-5-2005 2:47:28 AM
BasePriority : Normal
FileVersion : 5, 0, 5, 3
ProductVersion : 5, 0, 5, 3
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:27 [tgcmd.exe]
FilePath : C:\Program Files\Support.com\bin\
ProcessID : 1460
ThreadCreationTime : 7-5-2005 2:47:34 AM
BasePriority : Normal
FileVersion : 5,5,726,0
ProductVersion : 5,5,726,0
ProductName : BellSouth Bulletin and Job processor
CompanyName : BellSouth
FileDescription : BellSouth Bulletin and Job processor
InternalName : TGCMD
LegalCopyright : Copyright 1997-2069 Support.com
OriginalFilename : TGCMD.EXE

#:28 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 1816
ThreadCreationTime : 7-5-2005 2:47:50 AM
BasePriority : Normal
FileVersion : 4.2.0.170
ProductVersion : 002.000.000.170
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:29 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1392
ThreadCreationTime : 7-5-2005 2:54:45 AM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe

#:30 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 1944
ThreadCreationTime : 7-5-2005 3:00:05 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:31 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 228
ThreadCreationTime : 7-5-2005 3:01:18 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2990501737-1074398133-2583448567-1006\software\aurora
Value : AUC3n5tFyl

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 19
Objects found so far: 25


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>
11:01:48 PM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:00:19.78
Objects scanned:49209
Objects identified:19
Objects ignored:0
New critical objects:19

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:07:29 PM, on 7/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\windows\system32\bfvhswe.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Scott\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [win32servv] C:\WINDOWS\ms1.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mkehrzb] c:\windows\system32\bfvhswe.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

[Midnight Tech]

gatorsmg, I sent this thread over to the HJT section of the board. Please be patient and allow one of our Analysts to peruse your logs.

[sUBs]

Hi and Welcome to TSF!

As I do not see any signs of SpySheriff in your log, I would not prescribe any fixes for it. If it's still there, it would re-appear in subsequent logs.

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription.

I see no anti-virus application installed on this machine. An anti-virus application is your first line of defense against infections. Without one you leave your computer completely vulnerable to every virus, spyware program, trojan and piece of malware that is floating around out there today. I urge you to install an anti-virus program as quickly as possible. Here are 3 free programs that are available for home use:

• AVG Anti-Virus
• Avast Home Edition
• BitDefender Free Edition v7

In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.

WARNING
You are running HiJackThis from an inappropriate location. It should be run from a permanent folder. This program creates backup files which we may need to use later. If the program is in a temporary folder, important backups may be accidentally deleted.

1. Please go into Windows Explorer
2. Click on C:\
3. Click on File > New > Folder
4. Call it HJT, or another name of your choice.
5. Move all files to the newly created folder.

Enable the viewing of Hidden files

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Show hidden files and folders option.
• Deselect the Hide file extensions for known types option.
• Deselect the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

~~~~~~~~~~~~~~~

We require some additional files/programs for this fix. Please download the following files :-
Do not run any of the files unless instructed to do so

CleanUp! - Install

KillBox v2.0.0.175 - Save to Desktop.

Download Ewido Security Suite - Install & Update it's database but do not run it yet.

Nailfix - Unzip to the desktop

Download FindIt's.zip - Unzip to a new folder on Desktop

Download Process Explorer - Save to Desktop

Disconnect your computer from the Internet when you have finished downloading.


~~~~~~~~~~~~~~~

Some Anti-Spyware Programmes are known to intefere with HJT fixes. If you have these programmes, please disable them by doing so ...

Search & Destroy Spybot's TeaTimer

• Go to Tools>Resident - Deselect TeaTimer.

Microsoft AntiSpyware

• Click on Options>Settings.
• In the left pane, click on Real-time Protection.
• Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
• Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
• After you've done these, click on the Save button and close Microsoft AntiSpyware.
• Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Webroot SpySweeper

• Go to the Options>Program Options.
• Deselect Load at Windows Startup.
• Click Shields and Deselect all items there.
• Deselect Home page shield.
• Deselect Automaticly restore default without notifiction.

Ad-aware's Ad-Watch

• Right-click on the Ad-Watch icon in the system tray
  At the bottom of the screen you will see 2 options Active and Automatic.
• Deselect Active
• Deselect Automatic
• Go to "Tools & Preferences">Options
• Deselectt "Load Ad-Watch at Windows startup"

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & locate an O4 entry that looks similar to this...

O4 - HKLM\..\Run: [mkehrzb] c:\windows\system32\bfvhswe.exe r

The name might be different but it resides in the system32 folder & has the alphabet "r" at the end. Close HiJackThis after you have identified this file. This is the file we need to use Process Explorer with.

Run Process Explorer and find name & location of the file you've just identified in the list of Processes.
Select the process and click Process > Suspend.
Leave Process Explorer running with the process suspended..


~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

• name & location of the file you've just identified
  c:\windows\system32\bfvhswe.exe
  C:\WINDOWS\Nail.exe
  C:\WINDOWS\System32\richedtr.dll
  C:\WINDOWS\ms1.exe
  c:\windows\system32\bfvhswe.exe r
  C:\WINDOWS\System32\win32.exe
  C:\WINDOWS\System32\msdcom32.dll
  C:\WINDOWS\System32\zlbw.dll
  C:\WINDOWS\svcproc.exe

Start KillBox.

1. Go to the File menu, and choose "Paste from Clipboard".
   Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
2. Select/tick the following:
   • "Delete on Reboot"
   • "End Explorer Shell While Killing File"
   • "Unregister.dll Before Deleting" if it's not grayed out.
3. Click the RED X button.
4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


~~~~~~~~~~~~~~~

Reboot to Safe Mode

1. Shut Windows down, and then turn off the computer.
2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
   Windows Advanced Options menu appears.
4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~~

Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Run Ewido, and run a full scan. Post the log from the scan in your next reply.


~~~~~~~~~~~~~~~

Remove a malware service.

1. Click Start>Run, type services.msc into the Open editbox and click the Ok button.
2. Locate the System Startup Service (SvcProc) service and double-click on it to open the Properties dialog.
3. Click the Stop button.
4. In the Startup type dropdown select Disabled.
5. Click the Apply button and then the Ok button.
6. Close the Services window
7. Then start HiJackThis & go to Config>Misc.Tools>Delete an NT service....
   In the popup box that appears, type in SvcProc & click the "OK" button.

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click "Fix checked" :

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [win32servv] C:\WINDOWS\ms1.exe
O4 - HKLM\..\Run: [mkehrzb] c:\windows\system32\bfvhswe.exe r
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O21 - SSODL: DCOM Server - {2c1cd3d7-86ac-4068-93bc-a02304bb8c34} - C:\WINDOWS\System32\msdcom32.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


~~~~~~~~~~~~~~~

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

1. Click "Options..."
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
   • Empty Recycle Bins
   • Delete Cookies
   • Delete Prefetch files
   • [X]Scan local drives for temporary files (Please uncheck this option)
   • Cleanup! All Users
4. Click "OK"
5. Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders


~~~~~~~~~~~~~~~

Reboot to Normal Mode.

Do an online scan at Panda

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


~~~~~~~~~~~~~~~

Reboot computer Normal Mode again.


Run FindIt's.bat and wait for notepad to open a text file. Please be patient as it requires some time to finish running. Then post the results in your next reply.

Run a new scan with HiJackThis. Save the log file and post it in your next reply.

In your next post, please include:

• Copy of HiJackThis log
• List of files that online scans failed to disinfect
• Ewido's logs
• FindIt's logs

Please provide details of any problems you encountered whilst performing the above steps.

Please provide a brief description of your computer's current behavior.

[gatorsmg]

Thanks for the help

I think it's all clearded up but the logs you asked for are below just in case.

I'm still having a problem getting my new Norton Internet Security software installed as I mentioned before, I tried installing it when this virus problem started last week and it froze part way through. Now everytime I try to install it nothing happens. I've tried uninstalling any Symantec software that was actually installed during the first attempt (I don't think anything really was). There is an icon for symantec when I go to add/remove programs but nothing happens when I try to remove it.

Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:36:42 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Scott\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Ewido Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:00:04 AM, 7/5/2005
+ Report-Checksum: EE177B28

+ Date of database: 7/4/2005
+ Version of scan engine: v3.0

+ Duration: 44 min
+ Scanned Files: 45682
+ Speed: 17.27 Files/Second
+ Infected files: 27
+ Removed files: 27
+ Files put in quarantine: 27
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Scott\Cookies\scott@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@linksynergy[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Scott\Cookies\scott@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148040.exe -> TrojanSpy.Goldun.be -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148041.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148042.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148043.sys -> Backdoor.Surila.q -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148044.exe -> TrojanProxy.Lager.j -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148046.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148048.dll -> TrojanSpy.Goldun.be -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148053.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148073.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148085.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148096.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148108.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148121.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148130.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148136.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148146.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148152.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148167.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0148172.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0149187.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\xbwcmhbvx.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End

FindIt Log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 07/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 848D-114F

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 848D-114F

Directory of C:\WINDOWS\system32

12/07/2001 03:40 PM 22,486 LRNXP.ICO
1 File(s) 22,486 bytes
0 Dir(s) 33,514,024,960 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUL3a5stMotsSDay
HKEY_CURRENT_USER\Software\aurora\AUL3a5stSSChckin
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst

[sUBs]

Good work. We're almost home.


1. Go to [Start] > [Run] - type regedit and hit [OK].
2. Go to [File] > [Export] and save the registry somewhere as a backup.
3. Close the Registry Editor.
4. Go to [Start] > [Run] - type notepad and hit [OK].
5. Then copy and paste the following into Notepad:

Quote:

REGEDIT4

[-HKEY_CURRENT_USER\Software\aurora]

6. Save the file as "delete.reg". Make sure to save it with the quotes.
7. Double click on it and choose "Yes" to merge it.
8. You may delete the file afterwards.

~~~~~~~~~~~~~~~

Uninstall the following programs, if present, using [Control Panel]>[Add/Remove Programs] :

• Rich Editor

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R3 - Default URLSearchHook is missing
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe


~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

• C:\WINDOWS\system32\LRNXP.ICO
  C:\WINDOWS\System32\win32.exe

Start KillBox.

1. Go to the [File] menu, and choose [Paste from Clipboard].
   Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
2. Select/tick the following:
   • "Delete on Reboot"
   • "End Explorer Shell While Killing File"
   • "Unregister.dll Before Deleting" if it's not grayed out.
3. Click the RED X button.
4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

~~~~~~~~~~~~~~~

Reboot & post a fresh HJT log

[gatorsmg]

Woo Hoo I see the finish line!

New HJT Log below

Any ideas on the Norton problem? I want to get that squared away so this won't happen again.

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:55:24 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scott\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[sUBs]

Well done How does it feel to be clean again?

Still remains a few bits of housekeeping ...

Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start > Settings > Control Panel > System > Automatic Updates
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

• Sygate Personal Firewall
• Kerio Personal Firewall
• ZoneAlarm

and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL

Have a safe & happy computing day. - STAY CLEAN :)

Please respond to this thread one more time so we can mark this thread as resolved.

[gatorsmg]

Thank you very much for all of your help

No ideas on how I can get Norton to install? As of right now I still don't have Norton installed because it froze part way through the initial installation and won't let me re-install it. There doesn't seem to be anything to remove from the first attempt either except for an icon in the add/remove programs, but I can't remove it

I'll definitelt be dowloading the IESpy-Ad to add to my regular use fof Ad-Aware and Microsoft Anitspyware.

Thanks Again

Scott

[sUBs]

You have to uninstall the failed installation first. Try using the steps outlined here.. http://service1.symantec.com/SUPPORT...&osv=&osv_lvl=

[gatorsmg]

I'm all good to go now. Thanks again for all of your help!