Old 08-17-2005, 08:46 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Windows XP Home w/SP2


maybe cured

Picked up a trojan horse - only known vulnerability was that I went to Side Step by overriding Spyware doctor warning. Most obvious symptom was random startup of Internet Explorer with various ad sites showing. I ran an antivirus (AVG) scan and allowed it to remove the trojan horses it found followed by a Spyware Doctor scan and let it also remove what it found. I then followed the directions on your info page and ran scans at Ad Aware and ran the Trend Micro spyware & virus scans and allowed clean up in all cases. Then ran Hijackthis and Hijackthis Analyzer; following is Result.txt from Hijackthis analyzer. Am I cured?

Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:23:36 PM, on 8/17/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE

O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [aqcufwv] c:\windows\system\aqcufwv.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O15 - Trusted Zone: *.verisign.com
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab


End of KRC HijackThis Analyzer Log.
byodasa is offline  

Old 08-18-2005, 08:03 AM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,591
OS: WinXP and Vista


Hello byodasa and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [aqcufwv] c:\windows\system\aqcufwv.exe

Delete the following file:

c:\windows\system\aqcufwv.exe

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run another scan with HijackThis. Save the log and this time, post the un-analyzed log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 08-18-2005, 10:15 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Windows XP Home w/SP2


first pass at repair

Followed instructions - After Hijackthis run in safe mode, found and deleted registry entry as instructed - did not find listed file anywhere on my system.

After reboot out of safe mode, random IE windows still popping up. No doubt related to the icannnews activex item and the xosearchox registry entries (both names have shown up in the title bar of the IE windows) that are contained in the following Hijackthis log obtained after reboot as instructed.
What next ???

Logfile of HijackThis v1.99.1
Scan saved at 11:46:06 PM, on 8/18/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ONPB.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN PRO\HPLAMP.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.xosearchox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xosearchox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.xosearchox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xosearchox.com/sp2.php
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.verisign.com
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
byodasa is offline  
Old 08-19-2005, 03:07 AM   #4 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Hi and Welcome to TSF


Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive (C:\HJT).

Please download LQfix batch here:
http://www.downloads.subratam.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please run LQfix.bat. Once it completes, run hijackthis and fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.xosearchox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xosearchox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.xosearchox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xosearchox.com/sp2.php
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O15 - Trusted Zone: *.verisign.com


C:\WINDOWS\ETB<--delete that folder

C:\WINDOWS\SYSTEM\ONPB.EXE<---delete that file

Run the Cleanup utility again and reboot/logoff when prompted.

Once back to normal windows....

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
Old 08-20-2005, 02:58 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Windows XP Home w/SP2


2nd pass at repair

Followed instructions from MicroBell - Activescan took many, many hours to run - system was still popping Explorer windows randomly and eventually locked up - twice. I did manage to get a log after the third pass but then, out of frustration, I downloaded the Panda software Titanium 2005, scanned the system and disinfected 28 files. System seemed to be OK for awhile, but I did get another random Explorer window after running OK for a couple of hours so it would seem I'm not clean yet. I disabled startup of the AVG antivirus and Spyware Doctor after installing the Titanium Antivirus to prevent possible conflicts and resource issues.

I did manage to get an Activescan log; however, this was before I ran the new Titanium software scan. A new Hijackthis.log - just created - follows the Activescan log.
**************************
Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WWWIZDLL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WLBPOST.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SLI_CI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MYSLGN32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\JHT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wppdxm.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NZTAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LSRTREND.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ALTXPRXY.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OZBC16GT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Mqc40.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\myvcp60.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ifeapi12.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Mfcl14n.dll
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\IEHost30.exe
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM\Searchx.htm
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\IEDll300.dll
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\uninstal.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\pinstaller.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\4tlg58gi.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\45k4h1p9.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\0tn5kerl.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\SYSTEM\onpb.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8354.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9221.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9271.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9284.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92B0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavA2A1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavA2F1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB113.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4215.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavA261.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavA292.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB041.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB060.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pavB0B4.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\thin-143-1-x-x.exe
Possible Virus. No disinfected C:\WINDOWS\mm15201518.a.Stub.exe
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\hcnjlsgb.exe
Adware:Adware/E2Give No disinfected C:\pi1_51.exe
Security Risk:Application/Processor No disinfected C:\hjt\l2mfix.exe[Process.exe]
Adware:Adware/BrilliantDigital No disinfected C:\program files_old\Kazaa\bdcore.dll
Adware:Adware/BrilliantDigital No disinfected C:\program files_old\Kazaa\bdcore.dll.updpnd
Adware:Adware/ISearch No disinfected C:\MTE2NzY6ODoxNg.exe
Possible Virus. No disinfected C:\d140113.a.Stub.exe
****************************************

Hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 4:25:23 PM, on 8/20/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVFNSVR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PSIMSVC.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVPROT9.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PREVSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\APVXDWIN.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\WEBPROXY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe"
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PSIMSVC.exe"
O4 - HKLM\..\RunServices: [Pavprot9] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavprot9.exe"
O4 - HKLM\..\RunServices: [Panda Preventium+ Service] "C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PREVSRV.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab

**********************************
byodasa is offline  
Old 08-20-2005, 07:27 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,591
OS: WinXP and Vista


Hi,

Please download l2m9xfix at http://www.geekstogo.com/downloads/l2m9xfix.exe

Save it to the desktop and run it. Extract the files. Then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then restart your computer, and post a new HijackThis log as well as the log.txt file which should be in the same folder as RunThis.bat.

Also run another scan with Panda and post it here as well.
Old 08-20-2005, 09:21 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Windows XP Home w/SP2


repair pass 3

Loaded and executed l2m9xfix as directed; log.txt and new hijackthis.log follow. While running l2m9xfix 4 errors showed up in the dos window related to String.exe. c:\windows\system\dxdim.ddll, unrbisencx.dll, wsnmm.dll, www1zdll.dll all said "permission denied" next to the file name.

BTW - every time I reboot I get the "Pls wait while Setup reconfigures .... " message - don't know if that's relevant but it's unusual to get it every time.



Log of L2M9XFix v1

************

Running from directory:
C:\hjt\l2m9xfix

************

Files found:


************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{71356258-C9CA-0AFB-4FED-AC1B9427E67B}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!


XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Logfile of HijackThis v1.99.1
Scan saved at 11:18:24 PM, on 8/20/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVFNSVR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PSIMSVC.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PREVSRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PAVPROT9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\APVXDWIN.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\WEBPROXY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe"
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PSIMSVC.exe"
O4 - HKLM\..\RunServices: [Panda Preventium+ Service] "C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2005\PREVSRV.EXE"
O4 - HKLM\..\RunServices: [Pavprot9] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavprot9.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
byodasa is offline  
Old 08-21-2005, 06:30 AM   #8 (permalink)
Analyst, Security Team
 
greyknight17
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Looks clear here.

I want you to run another Panda scan and post that log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
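
The before/after check this thread performs by eye (a helper lists entries to fix, the poster returns a new log, an analyst confirms it looks clear), as an added example that is not part of the original thread: a Python script that parses HijackThis entry lines, diffs two logs and reports any fix-list entries still present. The sample logs are short excerpts of the 8/18 and 8/20 logs posted above and the fix list is taken from post #4; the function names are illustrative.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Map a case-insensitive key -> original line for every entry in a log."""
    entries = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace left by copy/paste
        m = ENTRY_RE.match(line)
        if m:
            # Windows paths are case-insensitive and their case varies
            # between scans, so entries are compared case-folded.
            entries[(m.group(1), m.group(2).casefold())] = line
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) entry lines between two scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed = sorted(before[k] for k in before.keys() - after.keys())
    added = sorted(after[k] for k in after.keys() - before.keys())
    return removed, added


def unresolved(fix_list_text, after_text):
    """Entries a helper asked to fix that the follow-up log still contains."""
    wanted, after = parse_hjt(fix_list_text), parse_hjt(after_text)
    return sorted(wanted[k] for k in wanted.keys() & after.keys())


# Excerpt of the 8/18/2005 log from this thread (shortened for the example).
LOG_0818 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:46:06 PM, on 8/18/2005
Running processes:
C:\WINDOWS\SYSTEM\ONPB.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.xosearchox.com/sp2.php
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O15 - Trusted Zone: *.verisign.com
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

# Excerpt of the 8/20/2005 log from this thread (shortened for the example).
LOG_0820 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:25:23 PM, on 8/20/2005
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

# Three of the entries the helper listed for "Fix checked" in post #4.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.xosearchox.com/sp2.php
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O15 - Trusted Zone: *.verisign.com
"""

if __name__ == "__main__":
    removed, added = diff_logs(LOG_0818, LOG_0820)
    print("Removed since previous scan:")
    for line in removed:
        print("  -", line)
    print("New since previous scan (review each one):")
    for line in added:
        print("  +", line)
    left = unresolved(FIX_LIST, LOG_0820)
    print("Fix-list entries still present:", left if left else "none")
```

A clean diff only shows that the autostart and browser entries are gone; files the scanner reported on disk still need the separate antivirus pass the analysts ask for.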

Old 08-21-2005, 07:53 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Windows XP Home w/SP2


pass 4

Last panda scan clean. Log from last two scans follows.

BTW- when I start Windows in step-by-step mode it asks if I want to Override Standard CONFIGMG, NTKERN, UDF, VCOMM, VFAT, VMCPD, MOUSE, VPICD, & VMM. Are these cause for concern?


Panda Titanium Antivirus 2005 incident report


EVENT DATE RESULTS ADDITIONAL INFORMATION
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 08/21/05 09:09:53 Scan: All hard disks
Update 08/21/05 07:36:46 OK New virus signatures: 18
Scan started 08/21/05 07:33:17 Scan: All hard disks
Scan completed 08/21/05 00:46:33 Scan: All hard disks
Spyware detected: Cookie/Atlas DMT 08/20/05 23:35:00 Eliminated Location: C:\WINDOWS\Profiles\Use This Profile\Cookies\use this profile@atdmt[2].txt
Spyware detected: Cookie/Tribalfusion 08/20/05 23:35:00 Eliminated Location: C:\WINDOWS\Profiles\Use This Profile\Cookies\use this profile@tribalfusion[2].txt
Spyware detected: Cookie/Apmebf 08/20/05 23:34:59 Eliminated Location: C:\WINDOWS\Profiles\Use This Profile\Cookies\use this profile@apmebf[1].txt
Spyware detected: Cookie/Doubleclick 08/20/05 23:34:57 Eliminated Location: C:\WINDOWS\Profiles\Use This Profile\Cookies\use this profile@doubleclick[1].txt
Adware detected: Adware/Look2Me 08/20/05 23:26:47 Eliminated Location: C:\WINDOWS\SYSTEM\VnrbisEncX.dll
Scan started 08/20/05 23:22:34 Scan: All hard disks
Adware detected: Adware/Look2Me 08/20/05 22:35:35 Eliminated Location: C:\WINDOWS\SYSTEM\WWWIZDLL.DLL
Adware detected: Adware/Look2Me 08/20/05 22:34:55 Eliminated Location: C:\WINDOWS\SYSTEM\WSNMM.DLL
Adware detected: Adware/Look2Me 08/20/05 22:34:12 Eliminated Location: C:\WINDOWS\SYSTEM\VNRBISENCX.DLL
Adware detected: Adware/Look2Me 08/20/05 22:33:11 Eliminated Location: C:\WINDOWS\SYSTEM\DXDIM.DLL
Update 08/20/05 21:48:41 OK New version: 4.02.01
Adware detected: Adware/Look2Me 08/20/05 21:17:15 Eliminated Location: C:\WINDOWS\SYSTEM\WSNMM.DLL
Adware detected: Adware/Pacimedia 08/20/05 19:31:50 Eliminated Location: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\ALRGLSBQ\PCS_0026[1].EXE
Scan completed 08/20/05 14:08:05 Scan: All hard disks
Spyware detected: Cookie/Yadro 08/20/05 14:04:26 Eliminated Location: D:\WINDOWS\Cookies\sm_drive@yadro[1].txt
Spyware detected: Cookie/BurstNet 08/20/05 14:04:25 Eliminated Location: D:\WINDOWS\Cookies\jerryd2@burstnet[2].txt
Spyware detected: Cookie/Com.com 08/20/05 14:04:25 Eliminated Location: D:\WINDOWS\Cookies\sm_drive@com[2].txt
Adware detected: Adware/ISearch 08/20/05 13:55:18 Eliminated Location: C:\MTE2NzY6ODoxNg.exe
Adware detected: Adware/BrilliantDigital 08/20/05 13:48:33 Eliminated Location: C:\program files_old\Kazaa\bdcore.dll.updpnd
Adware detected: Adware/BrilliantDigital 08/20/05 13:47:38 Eliminated Location: C:\program files_old\Kazaa\bdcore.dll
Security risk detected: Application/Processor 08/20/05 13:26:43 Eliminated Location: C:\hjt\l2mfix.exe[Process.exe]
Adware detected: Adware/E2Give 08/20/05 13:26:40 Eliminated Location: C:\pi1_51.exe
Adware detected: Adware/SAHAgent 08/20/05 12:49:35 Eliminated Location: C:\WINDOWS\hcnjlsgb.exe
Adware detected: Adware/Midaddle 08/20/05 12:48:48 Eliminated Location: C:\WINDOWS\ru.exe
Adware detected: Adware/SAHAgent 08/20/05 12:39:12 Eliminated Location: C:\WINDOWS\SYSTEM\0tn5kerl.exe
Adware detected: Adware/SAHAgent 08/20/05 12:38:30 Eliminated Location: C:\WINDOWS\SYSTEM\45k4h1p9.dll
Adware detected: Adware/SAHAgent 08/20/05 12:37:38 Eliminated Location: C:\WINDOWS\SYSTEM\4tlg58gi.exe
Spyware detected: Spyware/UrlSpy 08/20/05 12:36:14 Eliminated Location: C:\WINDOWS\SYSTEM\pinstaller.exe
Spyware detected: Spyware/UrlSpy 08/20/05 12:36:10 Eliminated Location: C:\WINDOWS\SYSTEM\uninstal.exe
Spyware detected: Spyware/UrlSpy 08/20/05 12:36:05 Eliminated Location: C:\WINDOWS\SYSTEM\IEDll300.dll
Spyware detected: Spyware/UrlSpy 08/20/05 12:36:04 Eliminated Location: C:\WINDOWS\SYSTEM\IEHost30.exe
Adware detected: Adware/Look2Me 08/20/05 12:35:59 Eliminated Location: C:\WINDOWS\SYSTEM\Mfcl14n.dll
Adware detected: Adware/Look2Me 08/20/05 12:34:49 Eliminated Location: C:\WINDOWS\SYSTEM\ifeapi12.dll
Adware detected: Adware/Look2Me 08/20/05 12:33:17 Eliminated Location: C:\WINDOWS\SYSTEM\myvcp60.dll
Adware detected: Adware/Look2Me 08/20/05 12:32:06 Eliminated Location: C:\WINDOWS\SYSTEM\Mqc40.dll
Adware detected: Adware/Look2Me 08/20/05 12:28:21 Eliminated Location: C:\WINDOWS\SYSTEM\SKNCENG.DLL
Adware detected: Adware/ExactSearch 08/20/05 12:27:18 Eliminated Location: Windows Registry
Adware detected: Adware/Look2Me 08/20/05 12:26:55 Eliminated Location: C:\WINDOWS\SYSTEM\ALTXPRXY.DLL
Adware detected: Adware/EliteBar 08/20/05 12:26:10 Eliminated Location: C:\WINDOWS\Favorites\Casino & Carrers
Adware detected: Adware/Look2Me 08/20/05 12:25:32 Eliminated Location: C:\WINDOWS\SYSTEM\LSRTREND.DLL
Adware detected: Adware/Look2Me 08/20/05 12:24:19 Eliminated Location: C:\WINDOWS\SYSTEM\NZTAPI32.DLL
Spyware detected: Spyware/Media-motor 08/20/05 12:24:12 Eliminated Location: Windows Registry
Adware detected: Adware/IEDriver 08/20/05 12:22:08 Eliminated Location: C:\WINDOWS\SYSTEM\Searchx.htm
Adware detected: Adware/Look2Me 08/20/05 12:22:05 Eliminated Location: C:\WINDOWS\SYSTEM\wppdxm.dll
Adware detected: Adware/Look2Me 08/20/05 12:20:54 Eliminated Location: C:\WINDOWS\SYSTEM\JHT.DLL
Adware detected: Adware/Look2Me 08/20/05 12:19:44 Eliminated Location: C:\WINDOWS\SYSTEM\MYSLGN32.DLL
Adware detected: Adware/SAHAgent 08/20/05 12:19:04 Eliminated Location: C:\WINDOWS\unstall.exe
Adware detected: Adware/Look2Me 08/20/05 12:18:34 Eliminated Location: C:\WINDOWS\SYSTEM\SLI_CI32.DLL
Spyware detected: Spyware/BetterInet 08/20/05 12:17:25 Eliminated Location: C:\WINDOWS\thin-143-1-x-x.exe
Adware detected: Adware/Look2Me 08/20/05 12:17:04 Eliminated Location: C:\WINDOWS\SYSTEM\WLBPOST.DLL
Adware detected: Adware/Look2Me 08/20/05 12:15:45 Eliminated Location: C:\WINDOWS\SYSTEM\WWWIZDLL.DLL
Adware detected: Adware/SaveNow 08/20/05 12:14:31 Eliminated Location: Windows Registry
Adware detected: Adware/Midaddle 08/20/05 12:11:06 Eliminated Location: C:\WINDOWS\SYSTEM\ONPB.EXE
Scan started 08/20/05 12:10:57 Scan: All hard disks
Adware detected: Adware/Look2Me 08/20/05 12:10:07 Eliminated Location: C:\WINDOWS\SYSTEM\SKNCENG.DLL
Adware detected: Adware/Look2Me 08/20/05 12:09:12 Eliminated Location: C:\WINDOWS\SYSTEM\WWWIZDLL.DLL
Update 08/20/05 12:05:11 OK New virus signatures: 9519
08-21-2005, 03:18 PM   #10 (permalink)
greyknight17 (Analyst, Security Team)

Step by Step mode? Could you go to Safe Mode without using the step by step confirmation? I usually don't recommend using that mode unless you want to troubleshoot something.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
08-21-2005, 09:26 PM   #11 (permalink)
byodasa (Registered User)

maybe cured is cured

Everything seems OK - Thanks for all your help. You guys are the best!