
Status: Not open for further replies.

Discussion Starter #1 (Registered, 48 Posts)
Here are the results of the HijackThis Analyzer. The computer is beeping constantly and the hour glass is always on, like it is processing something constantly. Have run Adware twice and Spybot S&D twice. Thanks for your help!
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:40:16 PM, on 11/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\TXkgQ29tcHV0ZXIA\command.exe
C:\WINDOWS\java\classes\odbcnet.exe
C:\WINDOWS\tlzxzxv.exe
C:\windows\temp\lAo70a.exe
C:\Program Files\Popup Guard\PG.exe
C:\WINDOWS\svrrun.exe
C:\WINDOWS\System32\avifil32.exe
C:\WINDOWS\AdNW.exe
C:\WINDOWS\System32\APD123.exe
C:\WINDOWS\tivkwsp.exe
C:\WINDOWS\etb\pokapoka76.exe
C:\WINDOWS\System32\l?***.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\System32\YosuJCI.exe
C:\WINDOWS\System32\YosuJCI.exe
C:\Documents and Settings\My Computer\Desktop\Hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: pporthelp.com
O1 - Hosts: pporthelp.com
O1 - Hosts: nd.com
O1 - Hosts: m
O1 - Hosts: nd.com
O1 - Hosts: m
O1 - Hosts: find.com
O1 - Hosts: com
O1 - Hosts: find.com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: 1.cc
O1 - Hosts: com
O1 - Hosts: 127.0.
O1 - Hosts: r.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: com
O1 - Hosts: 127.0.0.
O1 - Hosts: lbar.com
O1 - Hosts: me4.com
O1 - Hosts: lbar.com
O1 - Hosts: me4.com
O1 - Hosts: 1 www.zesty
O1 - Hosts: 127.0.
O1 - Hosts: archtoolbar.com
O1 - Hosts: 127www.xlime.offeroptimizer.com
O1 - Hosts: 127com
O1 - Hosts: archtoolbar.com
O1 - Hosts: 127.m
O1 - Hosts: 127.izer.com
O1 - Hosts: ww.zsearchtoolbar.com
O1 - Hosts: ww.zsearchtoolbar.com
O1 - Hosts: 127
O1 - Hosts: 127
O1 - Hosts: searchtoolbar.com
O1 - Hosts: me2.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: me2.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: com
O1 - Hosts: e4.com
O1 - Hosts: com
O1 - Hosts: e4.com
O1 - Hosts: r.com
O1 - Hosts: k2me4.com
O1 - Hosts: r.com
O1 - Hosts: k2me4.com
O1 - Hosts: olbar.com
O1 - Hosts: olbar.com
O1 - Hosts: chtoolbar.com
O1 - Hosts: ww.look2me4.com
O1 - Hosts: 127.0.0.m
O1 - Hosts: chtoolbar.com
O1 - Hosts: ww.look2me4.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: 127.0.0com
O1 - Hosts: 127.0.0om.edgesuite.net
O1 - Hosts: 127.0.
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: 127.0
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: nu.com
O1 - Hosts: 127ps108.org
O1 - Hosts: 127itedvending.net
O1 - Hosts: nu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: om
O1 - Hosts: nc.whenu.com
O1 - Hosts: om
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 2.com
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 2.com
O1 - Hosts: nu.com
O1 - Hosts: 12tps108.org
O1 - Hosts: 12nitedvending.net
O1 - Hosts: nu.com
O1 - Hosts: ook2me2.com
O1 - Hosts: ook2me2.com
O1 - Hosts: 127.0.0
O1 - Hosts: m
O1 - Hosts: pawnet.com
O1 - Hosts: pywarehelp.net
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: les.com
O1 - Hosts: derbait.com
O1 - Hosts: com
O1 - Hosts: u.com
O1 - Hosts: 127.0.0com
O1 - Hosts: u.com
O1 - Hosts: enu.com
O1 - Hosts: enu.com
O1 - Hosts: .whenu.com
O2 - BHO: (no name) - {0BD05D45-A5C2-B040-F78B-C027426BD8F8} - C:\WINDOWS\System32\dvuwq.dll
O2 - BHO: (no name) - {4EFD6F45-88F2-8871-DAC9-F50A705DF5BD} - C:\WINDOWS\System32\dvuwq.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nst25.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [lAo70a] C:\windows\temp\lAo70a.exe
O4 - HKLM\..\Run: [O1GaU0u3] C:\documents and settings\my computer\local settings\temp\O1GaU0u3.exe
O4 - HKLM\..\Run: [Vantage Popup Guard] C:\Program Files\Popup Guard\PG.exe
O4 - HKLM\..\Run: [vbdisk] C:\WINDOWS\system\vbdisk.exe
O4 - HKLM\..\Run: [*fonthard] C:\WINDOWS\msagent\chars\fonthard.exe
O4 - HKLM\..\Run: [svrrun] C:\WINDOWS\svrrun.exe
O4 - HKLM\..\Run: [*keybas] C:\WINDOWS\system32\Iosubsys\keybas.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Bxd0n.exe
O4 - HKLM\..\Run: [vsgih] C:\WINDOWS\irwuftj.exe
O4 - HKLM\..\Run: [Vjzqg] C:\WINDOWS\nvquvxm.exe
O4 - HKLM\..\Run: [kYQgjsZm6] C:\documents and settings\my computer\local settings\temp\kYQgjsZm6.exe
O4 - HKLM\..\Run: [d3ab45d4efdb] C:\WINDOWS\System32\avifil32.exe
O4 - HKLM\..\Run: [WindowsAds] C:\WINDOWS\AdNW.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
O4 - HKLM\..\Run: [tivkwsp] C:\WINDOWS\tivkwsp.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ldlsks.exe reg_run
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\RunOnce: [*odbcnet] C:\WINDOWS\java\classes\odbcnet.exe rerun
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [Roun] C:\WINDOWS\System32\l?***.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O20 - AppInit_DLLs: repairs302972949.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: odbcnet - C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TXkgQ29tcHV0ZXIA\command.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tlzxzxv.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

TSF Security Manager, Emeritus (42,837 Posts)
Hello BlueMoon and welcome to TSF,

You are so severely infected here. We're going to run a few tools and see what we can clear up with those first.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Please download and install the trial version of Webroot SpySweeper (8.3MB) http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02 When SpySweeper starts, please accept any prompts to update definitions. Do not Scan with it yet.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Open SpySweeper:
Configure it as follows:
*From the left pane, click Options
*Select the Sweep Options tab & ensure the following are ticked:
-Sweep Memory
-Sweep Registry
-Sweep Cookies
-Sweep All Users accounts
*Do Not Sweep System Restore Folder
*Enable Direct Disk Sweeping
*Sweep For Rootkits
After that's done, select Sweep from the left pane & click on the Start button

Allow Spysweeper to reboot your machine to remove the infected files.
*After rebooting, launch SpySweeper & select Results from the left pane
*Click the 'Session Log' tab & choose Save to File to create a log.

IMPORTANT!:
Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2 (SP2). SP2 should only be installed on a fully disinfected system.) At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forum's policy that we only address users with a legal copy of Windows XP.... therefore if you cannot update Windows XP to SP1 we must stop the cleansing process here.

Run another scan with HijackThis and post the log here along with the results of the Ewido Scan and the Session log from SpySweeper.
 

Discussion Starter #3 (Registered, 48 Posts)
The Webroot SpySweeper has been running for nearly 3 hours. It appears to be stuck, but I'm letting it run overnight to see if it will do anything. It never asked to reboot. There was just a NEXT key so I pressed that and it has been running since then. The progress bar has not moved so far. Should I let it go? The hour glass is up and there is no option for pause or exit.

Also, I could not run this in Safe mode as it needs an internet connection to validate, so I ran it in regular boot up where the internet connection works.

Thanks!
 

Discussion Starter #4 (Registered, 48 Posts)
2nd Hijack

It took 18 hours but it finally finished. Here are the HijackThis results after running Ewido, CleanUp! and SpySweeper and downloading and installing the Windows updates except SP2. The Ewido log is at the end of the HijackThis log. The SpySweeper log was too large so I zipped it, but it won't let me paste a zipped file here. How can I send you that?
Awaiting your direction...
Thanks!
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:25:14 PM, on 11/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Popup Guard\PG.exe
C:\WINDOWS\AdNW.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\My Computer\Desktop\Hj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: pporthelp.com
O1 - Hosts: pporthelp.com
O1 - Hosts: nd.com
O1 - Hosts: m
O1 - Hosts: nd.com
O1 - Hosts: m
O1 - Hosts: find.com
O1 - Hosts: com
O1 - Hosts: find.com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: 1.cc
O1 - Hosts: com
O1 - Hosts: 127.0.
O1 - Hosts: r.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: com
O1 - Hosts: 127.0.0.
O1 - Hosts: lbar.com
O1 - Hosts: me4.com
O1 - Hosts: lbar.com
O1 - Hosts: me4.com
O1 - Hosts: 1 www.zesty
O1 - Hosts: 127.0.
O1 - Hosts: archtoolbar.com
O1 - Hosts: 127www.xlime.offeroptimizer.com
O1 - Hosts: 127com
O1 - Hosts: archtoolbar.com
O1 - Hosts: 127.m
O1 - Hosts: 127.izer.com
O1 - Hosts: ww.zsearchtoolbar.com
O1 - Hosts: ww.zsearchtoolbar.com
O1 - Hosts: 127
O1 - Hosts: 127
O1 - Hosts: searchtoolbar.com
O1 - Hosts: me2.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: me2.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: com
O1 - Hosts: e4.com
O1 - Hosts: com
O1 - Hosts: e4.com
O1 - Hosts: r.com
O1 - Hosts: k2me4.com
O1 - Hosts: r.com
O1 - Hosts: k2me4.com
O1 - Hosts: olbar.com
O1 - Hosts: olbar.com
O1 - Hosts: chtoolbar.com
O1 - Hosts: ww.look2me4.com
O1 - Hosts: 127.0.0.m
O1 - Hosts: chtoolbar.com
O1 - Hosts: ww.look2me4.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: searchtoolbar.com
O1 - Hosts: 127.0.0com
O1 - Hosts: 127.0.0om.edgesuite.net
O1 - Hosts: 127.0.
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: 127.0
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: nu.com
O1 - Hosts: 127ps108.org
O1 - Hosts: 127itedvending.net
O1 - Hosts: nu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: om
O1 - Hosts: nc.whenu.com
O1 - Hosts: om
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 2.com
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 2.com
O1 - Hosts: nu.com
O1 - Hosts: 12tps108.org
O1 - Hosts: 12nitedvending.net
O1 - Hosts: nu.com
O1 - Hosts: ook2me2.com
O1 - Hosts: ook2me2.com
O1 - Hosts: 127.0.0
O1 - Hosts: m
O1 - Hosts: pawnet.com
O1 - Hosts: pywarehelp.net
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: les.com
O1 - Hosts: derbait.com
O1 - Hosts: com
O1 - Hosts: u.com
O1 - Hosts: 127.0.0com
O1 - Hosts: u.com
O1 - Hosts: enu.com
O1 - Hosts: enu.com
O1 - Hosts: .whenu.com
O2 - BHO: (no name) - {0BD05D45-A5C2-B040-F78B-C027426BD8F8} - C:\WINDOWS\System32\dvuwq.dll
O2 - BHO: (no name) - {4EFD6F45-88F2-8871-DAC9-F50A705DF5BD} - C:\WINDOWS\System32\dvuwq.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat (file missing)
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [Vantage Popup Guard] C:\Program Files\Popup Guard\PG.exe
O4 - HKLM\..\Run: [vbdisk] C:\WINDOWS\system\vbdisk.exe
O4 - HKLM\..\Run: [*fonthard] C:\WINDOWS\msagent\chars\fonthard.exe
O4 - HKLM\..\Run: [*keybas] C:\WINDOWS\system32\Iosubsys\keybas.exe
O4 - HKLM\..\Run: [vsgih] C:\WINDOWS\irwuftj.exe
O4 - HKLM\..\Run: [Vjzqg] C:\WINDOWS\nvquvxm.exe
O4 - HKLM\..\Run: [WindowsAds] C:\WINDOWS\AdNW.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [Roun] C:\WINDOWS\System32\l?***.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O20 - AppInit_DLLs: repairs302972949.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: odbcnet - C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TXkgQ29tcHV0ZXIA\command.exe (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


End of KRC HijackThis Analyzer Log.
==========================================================
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:58:32 PM, 11/4/2005
+ Report-Checksum: 61959C0F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar\UrlSearchHooks -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-2801439982-1426590395-1296836545-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKU\S-1-5-21-2801439982-1426590395-1296836545-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2801439982-1426590395-1296836545-1006\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar\UrlSearchHooks -> Spyware.WebSearch : Cleaned with backup
[208] C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat -> Spyware.VirtuMonde : Cleaned with backup
[752] C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat -> Spyware.VirtuMonde : Cleaned with backup
[804] C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat -> Spyware.VirtuMonde : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntnr.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\My Computer\Local Settings\Temp\tencbdo.dat -> Spyware.VirtuMonde : Cleaned with backup
C:\EDow_AS2.exe -> TrojanDownloader.QDown.m : Cleaned with backup
C:\install_george.exe -> Spyware.PurityScan : Cleaned with backup
C:\Overpro-347.exe -> Spyware.AdSrve.b : Cleaned with backup
C:\Program Files\Cas\Client\casclient.exe -> Spyware.CASClient : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\CMSystem\CMSystem.exe -> Spyware.CASClient : Cleaned with backup
C:\Program Files\CMSystem\plugin.dll -> Spyware.CASClient : Cleaned with backup
C:\Program Files\Lycos\IEagent\CSBIINST.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\setup304.exe -> TrojanDownloader.Agent.ac : Cleaned with backup
C:\WINDOWS\cxtpls_loader.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Driver Cache\diskhard.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\inf\cat.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\java\classes\odbcnet.exe -> Spyware.VirtuMonde : Cleaned with backup
C:\WINDOWS\msagent\vb.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\msvcwms.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\offun.exe -> TrojanDownloader.VB.hw : Cleaned with backup
C:\WINDOWS\olefont.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\Oqyt.exe -> Backdoor.Agent.bg : Cleaned with backup
C:\WINDOWS\Registration\asweb.exe -> Spyware.VirtuMonde : Cleaned with backup
C:\WINDOWS\Registration\msweb.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\security\Database\nutav.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\svrrun.exe -> Trojan.QuickBrowser.b : Cleaned with backup
C:\WINDOWS\system\olems.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\system32\1037\java.exe -> Spyware.VirtuMonde : Cleaned with backup
C:\WINDOWS\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\avifil32.exe -> Spyware.AdSrve : Cleaned with backup
C:\WINDOWS\system32\bobdcdo.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\Bxd0n.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\cabinet3.exe -> Spyware.AdSrve : Cleaned with backup
C:\WINDOWS\system32\certmgr0.exe -> Spyware.AdSrve : Cleaned with backup
C:\WINDOWS\system32\CjtK.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\system32\dpvlt.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d : Cleaned with backup
C:\WINDOWS\system32\FhiY.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\iezset.exe -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\jbjed.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\JiwpEW.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\JqvGne.exe -> Backdoor.VB.oq : Cleaned with backup
C:\WINDOWS\system32\ldlsks.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\msCMTsrvc.exe -> TrojanDownloader.Presario : Cleaned with backup
C:\WINDOWS\system32\mseggo.gif -> TrojanSpy.Delf.dx : Cleaned with backup
C:\WINDOWS\system32\msiaih.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\system32\msnimk.gif -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\Npw4o.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\OgxXgW8D.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\pvpwq.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\Sdo0.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\SearchBar.htm -> Spyware.TwainTech : Cleaned with backup
C:\WINDOWS\system32\Searchx.htm -> Spyware.TwainTech : Cleaned with backup
C:\WINDOWS\system32\sgsfdfg.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\Tovs.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\WINDOWS\system32\Wprx.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\system32\YosuJCI.exe -> TrojanDownloader.VB.em : Cleaned with backup
C:\WINDOWS\Web\fontsvc.exe -> Trojan.Vundo : Cleaned with backup
C:\WINDOWS\Web\whard.exe -> Trojan.Vundo : Cleaned with backup


::Report End
********
 

TSF Security Team, Emeritus (6,962 Posts)
Hi and Welcome to TSF

Ok...time to tackle the "GUTS" of this infection.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive. (C:\HJT)

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download Hoster http://www.greyknight17.com/spy/Hoster.exe

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled by right-clicking on My Computer, going to Properties->System Restore and finding the box for Turn OFF System Restore: make sure it’s NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following IF listed.

Popup Guard
Vantage Software


This program is considered suspect and is blocked by many hosts file lists as well as SpywareBlaster.


Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Command Service (cmdService)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\WINDOWS\AdNW.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\Popup Guard\PG.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/r...&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yesse...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0BD05D45-A5C2-B040-F78B-C027426BD8F8} - C:\WINDOWS\System32\dvuwq.dll
O2 - BHO: (no name) - {4EFD6F45-88F2-8871-DAC9-F50A705DF5BD} - C:\WINDOWS\System32\dvuwq.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat (file missing)
O4 - HKLM\..\Run: [Vantage Popup Guard] C:\Program Files\Popup Guard\PG.exe
O4 - HKLM\..\Run: [vbdisk] C:\WINDOWS\system\vbdisk.exe
O4 - HKLM\..\Run: [*fonthard] C:\WINDOWS\msagent\chars\fonthard.exe
O4 - HKLM\..\Run: [*keybas] C:\WINDOWS\system32\Iosubsys\keybas.exe
O4 - HKLM\..\Run: [vsgih] C:\WINDOWS\irwuftj.exe
O4 - HKLM\..\Run: [Vjzqg] C:\WINDOWS\nvquvxm.exe
O4 - HKLM\..\Run: [WindowsAds] C:\WINDOWS\AdNW.exe
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [Roun] C:\WINDOWS\System32\l?***.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O20 - AppInit_DLLs: repairs302972949.dll
O20 - Winlogon Notify: odbcnet - C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp\tencbdo.dat (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TXkgQ29tcHV0ZXIA\command.exe (file missing)


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have search hidden files, folders, subdirectories etc. enabled if it applies to your OS.)

C:\WINDOWS\AdNW.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\Popup Guard\PG.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\WINDOWS\System32\dvuwq.dll
C:\WINDOWS\system\vbdisk.exe
C:\WINDOWS\msagent\chars\fonthard.exe
C:\WINDOWS\system32\Iosubsys\keybas.exe
C:\WINDOWS\irwuftj.exe
C:\WINDOWS\nvquvxm.exe
C:\WINDOWS\TXkgQ29tcHV0ZXIA\command.exe
repairs302972949.dll <-- locate and delete that file

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Now open the Hoster program and select "Restore Original Hosts File"

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows...

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.

After that reboot....

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading 8 MB of Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
    [*] Click on see report. Then click Save report
Please post that log in your next reply along with the Ewido log and a new hijackthis log.



IMPORTANT!:


Before we can proceed any further, please visit Microsoft's Windows Update page and install ALL Critical Updates for your system (except Service Pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP, therefore if you cannot update Windows XP to SP1 we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a, here is a direct link to download it from:

http://download.microsoft.com/download/5/4/f/54f8bcf8-bb4d-4613-8ee7-db69d01735ed/xpsp1a_en_x86.exe



Thank you for your cooperation.


*NOTE* Your log tells me that SP1 IS NOT installed. Until it is..we proceed no further!
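As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that applies the same heuristics the helper applied by hand to the log lines quoted above: binaries reported as missing, services with an unknown owner, BHOs with no name, AppInit_DLLs entries, and autoruns launched from the Windows root or a Temp folder. The regexes are written for the line shapes shown in this thread, and SAMPLE_LOG is constructed from lines quoted earlier in it.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the original thread or of HijackThis itself.
It parses the line types seen in the logs above (O2, O4, O20, O23) and
applies the heuristics the helper applied by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Regexes written for the line shapes in this thread's logs (assumption: other
# HijackThis versions may format lines differently).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Executables sitting directly in C:\WINDOWS (no subfolder) or under any Temp folder.
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$")
TEMP_MARKER = "\\temp\\"


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Strip surrounding quotes and trailing switches from an autorun command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def suspicious_location(path: str) -> bool:
    """True for a file directly under C:\\WINDOWS or anywhere under a Temp folder."""
    low = path.lower()
    return bool(WINDOWS_ROOT_RE.match(low)) or TEMP_MARKER in low


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with one reason per matched heuristic, or None if clean."""
    line = line.strip()
    f = Finding(line)
    if "(file missing)" in line:
        f.reasons.append("file missing")
    if (m := O2_RE.match(line)) and m["name"] == "(no name)":
        f.reasons.append("BHO with no name")
    if (m := O4_RE.match(line)) and suspicious_location(exe_path(m["cmd"])):
        f.reasons.append("autorun from Windows root or Temp")
    if (m := O20_RE.match(line)) and m["kind"] == "AppInit_DLLs":
        f.reasons.append("AppInit_DLLs injection")
    if (m := O23_RE.match(line)) and m["owner"] == "Unknown owner":
        f.reasons.append("service with unknown owner")
    return f if f.reasons else None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed sample, drawn from the log lines quoted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0BD05D45-A5C2-B040-F78B-C027426BD8F8} - C:\WINDOWS\System32\dvuwq.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WindowsAds] C:\WINDOWS\AdNW.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - AppInit_DLLs: repairs302972949.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TXkgQ29tcHV0ZXIA\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("; ".join(finding.reasons), "<-", finding.line)
```

The heuristics are only a first pass: a legitimate entry can land in C:\WINDOWS and a hijacked one can sit in System32, so every hit still needs the kind of manual review the helper did above.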
 

·
Registered
Joined
·
48 Posts
Discussion Starter #6
Clean Yet?

Followed the instructions...Windows updates done.
Here is my last Hijack log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\vptray.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:26:39 PM, on 11/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\My Computer\Desktop\Hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Roun] C:\WINDOWS\System32\l?***.exe
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Results of ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:17:54 PM, 11/7/2005
+ Report-Checksum: 5CBC642A

+ Scan result:

C:\RECYCLER\S-1-5-21-2801439982-1426590395-1296836545-1006\Dc5\__delete_on_reboot__asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\java\classes\__delete_on_reboot__odbcnet.exe -> Spyware.VirtuMonde : Cleaned with backup


::Report End
Results of Panda Active Scan:

Incident Status Location

Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/tvmedia No disinfected C:\Documents and Settings\My Computer\Application Data\tvmcwrd.dll
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/consumeralertsystem No disinfected C:\PROGRAM FILES\CasStub
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/elitebar No disinfected C:\Documents and Settings\My Computer\Favorites\Casino & Adult
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\Uninstall.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GPAN41UJ\silent_install[1].exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\csh4tb.exe
Spyware:Spyware/Abcsearch No disinfected C:\WINDOWS\system32\msehek.dll
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Thanks again!
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Hello BlueMoon,

We're almost there. :smile:

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode (tapping F8 or F5).

Next, copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\Documents and Settings\My Computer\Application Data\tvmcwrd.dll
C:\keys.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\blocklist.reg
C:\WINDOWS\system32\csh4tb.exe
C:\WINDOWS\system32\msehek.dll
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\System32\l?***.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
*Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister .dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

CasStub
Lycos
CAS


Delete the following folders:

C:\PROGRAM FILES\CasStub
C:\PROGRAM FILES\Lycos
C:\Documents and Settings\My Computer\Favorites\Casino & Adult
C:\Program Files\Cas

Run a scan in HijackThis. Check the following entry and hit 'Fix checked':

O4 - HKCU\..\Run: [Roun] C:\WINDOWS\System32\l?***.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Normal Mode. Run another scan with Panda and post the results here along with a new HijackThis log.
 

·
Registered
Joined
·
48 Posts
Discussion Starter #8
3rd Hijack report

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NavNT\rtvscan.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:11:35 PM, on 11/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\My Computer\Desktop\Hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r21.mchsi.com:8000
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Results of Panda Scan

Incident Status Location

Adware:adware/sidesearch No disinfected C:\Documents and Settings\My Computer\Application Data\Lycos
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GPAN41UJ\silent_install[1].exe
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
You should be able to take care of these from Normal Mode:

Delete the following:

C:\Documents and Settings\My Computer\Application Data\Lycos
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GPAN41UJ

You did a great job. :smile: Your system should be clean now. If there aren't any more problems, please continue with these final instructions:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from any previous restore points.

Now you can go ahead and update to XP SP2 and IE SP2:
**Note**
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Your browser and XP are not up to date and this makes you susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection. Please update to XP SP2 and I.E. SP2.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein http://castlecops.com/postlite7736-.html

THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent

MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html

Be very wary of any security software that is advertised in popups or in other ways. Such programs are not only usually of no use, but often have malware in them.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad https://netfiles.uiuc.edu/ehowes/www/resource.htm to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
 