Tech Support banner

Status
Not open for further replies.
1 - 14 of 14 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter #1
here is my hijackthis log file, I have norton antivirus, it identifies "trojan.elitebar" virus I have used numerous virus and spyware scan software like ad aware, norton, one from microsoft,all identify the problem some say they deleted it, others say access to the file is denied, I searched and found the files, it would not let me delete them manually because "access denied program may be in use with another application" I also get numerous different spyware programs regenerating I have the names if needed
your help will be greatly appreciated
andrew baxter
Logfile of HijackThis v1.99.1
Scan saved at 6:47:29 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\d3ui.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\d3wt32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yecfc.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yecfc.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yecfc.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yecfc.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yecfc.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yecfc.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0286A0B7-10A5-ED81-DAA1-D347AC3BBBC8} - C:\WINDOWS\msgr32.dll
O2 - BHO: Class - {1BA6BE38-0B92-7349-0153-401D02C17347} - C:\WINDOWS\mfcqn32.dll (file missing)
O2 - BHO: Class - {347BABA5-14DC-22E5-AF4E-4A9AF3B61EB6} - C:\WINDOWS\sysah32.dll (file missing)
O2 - BHO: Class - {59651396-0625-EB6F-C7FA-344D74D7AF44} - C:\WINDOWS\winpb.dll (file missing)
O2 - BHO: Class - {6D791183-0FD4-50B4-E2B5-5933BB059404} - C:\WINDOWS\apiqu32.dll (file missing)
O2 - BHO: Class - {8010E625-1DE0-49D3-B80B-55DBD56529E6} - C:\WINDOWS\system32\ipvt32.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C517274B-EAF0-9359-4983-966F788D172B} - C:\WINDOWS\ipwh32.dll (file missing)
O2 - BHO: Class - {D3DFD4E6-1C5E-99E5-CD97-BC92535FF528} - C:\WINDOWS\javawn.dll (file missing)
O2 - BHO: Class - {D8F3C22A-6CEB-61D4-7123-9B293A2D57FF} - C:\WINDOWS\system32\javats32.dll (file missing)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [atlgu32.exe] C:\WINDOWS\atlgu32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [javaky.exe] C:\WINDOWS\javaky.exe
O4 - HKLM\..\Run: [d3wt32.exe] C:\WINDOWS\d3wt32.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\QicSetup.exe" /AfterReboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129138788453
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3ui.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

·
Registered
Joined
·
6,574 Posts
Download LQFix http://users.telenet.be/bluepatchy/miekiemoes/tools/LQfix.exe and click on Install. Go to your Desktop and open up the LQfix folder. Double click on ClickThis.bat to run it.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Once Ewido has completed, reboot back to Normal Mode and provide a new HJT log and the Ewido results.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #3
I would like to thank you again for you time and effort,, I did as you told and here are the results....
Logfile of HijackThis v1.99.1
Scan saved at 5:53:46 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Insight\BBClient\Programs\QicSetup.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0286A0B7-10A5-ED81-DAA1-D347AC3BBBC8} - C:\WINDOWS\msgr32.dll
O2 - BHO: Class - {1BA6BE38-0B92-7349-0153-401D02C17347} - C:\WINDOWS\mfcqn32.dll (file missing)
O2 - BHO: Class - {347BABA5-14DC-22E5-AF4E-4A9AF3B61EB6} - C:\WINDOWS\sysah32.dll (file missing)
O2 - BHO: Class - {59651396-0625-EB6F-C7FA-344D74D7AF44} - C:\WINDOWS\winpb.dll (file missing)
O2 - BHO: Class - {5F25A197-5C64-2844-84AC-BE08CBD78A39} - C:\WINDOWS\system32\winuo32.dll
O2 - BHO: Class - {6D791183-0FD4-50B4-E2B5-5933BB059404} - C:\WINDOWS\apiqu32.dll (file missing)
O2 - BHO: Class - {8010E625-1DE0-49D3-B80B-55DBD56529E6} - C:\WINDOWS\system32\ipvt32.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C517274B-EAF0-9359-4983-966F788D172B} - C:\WINDOWS\ipwh32.dll (file missing)
O2 - BHO: Class - {D3DFD4E6-1C5E-99E5-CD97-BC92535FF528} - C:\WINDOWS\javawn.dll (file missing)
O2 - BHO: Class - {D8F3C22A-6CEB-61D4-7123-9B293A2D57FF} - C:\WINDOWS\system32\javats32.dll (file missing)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [atlgu32.exe] C:\WINDOWS\atlgu32.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [javaky.exe] C:\WINDOWS\javaky.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\QicSetup.exe" /AfterReboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129138788453
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3ui.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

here is the ewido report.......
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:47:48 PM, 10/18/2005
+ Report-Checksum: F0B95D0

+ Scan result:

HKLM\SOFTWARE\backup\EliteSideBar -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B5A2313-AE67-454E-9A8B-F74070E57F1B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A678B034-1492-1AC1-FF9B-636BC85F5643} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\addff.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addna32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addqs32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\AdvpackExt.log:xxncus -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apigm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apims.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiyq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlfi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlno.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\control.ini:bmeynb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\control.ini:tbtzli -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3ui.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3wt32.exe -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\desktop.ini:sqczrx -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iedj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iis6.log:ynnir -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\ipjf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipxl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javabo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javamc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB810243.log:yuqkmp -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\KB835732.log:uhplw -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB893803v2.log:skdat -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB896423.log:lxprdo -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\kswam.log:dyixxz -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\netiy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netkb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntaf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntgk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q322011.log:lhsdud -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q814995.log:dtgggz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Q828026.log:hmauih -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\REGLOCS.OLD:vuzlib -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdktb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkvc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysmv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apikr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apper.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appmv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appqj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appya.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crcd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\croy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crzk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3ov32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3xv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipme.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javalw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfciw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntso32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkdd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkiy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\syslf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\syswm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\uhnkj.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\system32\winne32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\updspapi.log:vkbsrb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wiadebug.log:nkmyld -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\winfz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\yecfc.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_delis32.ini:wwxfez -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:bsryrj -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:diclcb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:jshlxz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:sgcszo -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:srdtyz -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:vjvrel -> TrojanDownloader.Agent.td : Cleaned with backup
C:\WINDOWS\{CFAD2A27-EB9E-4E98-BCCF-187112645DD7}.dat:znsikr -> TrojanDownloader.Agent.td : Cleaned with backup


::Report End
thanks again!!!!!
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download About Buster 5 and unzip it to a folder on your the Desktop. Do not run it yet!

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uhnkj.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0286A0B7-10A5-ED81-DAA1-D347AC3BBBC8} - C:\WINDOWS\msgr32.dll
O2 - BHO: Class - {1BA6BE38-0B92-7349-0153-401D02C17347} - C:\WINDOWS\mfcqn32.dll (file missing)
O2 - BHO: Class - {347BABA5-14DC-22E5-AF4E-4A9AF3B61EB6} - C:\WINDOWS\sysah32.dll (file missing)
O2 - BHO: Class - {59651396-0625-EB6F-C7FA-344D74D7AF44} - C:\WINDOWS\winpb.dll (file missing)
O2 - BHO: Class - {5F25A197-5C64-2844-84AC-BE08CBD78A39} - C:\WINDOWS\system32\winuo32.dll
O2 - BHO: Class - {6D791183-0FD4-50B4-E2B5-5933BB059404} - C:\WINDOWS\apiqu32.dll (file missing)
O2 - BHO: Class - {8010E625-1DE0-49D3-B80B-55DBD56529E6} - C:\WINDOWS\system32\ipvt32.dll (file missing)
O2 - BHO: Class - {C517274B-EAF0-9359-4983-966F788D172B} - C:\WINDOWS\ipwh32.dll (file missing)
O2 - BHO: Class - {D3DFD4E6-1C5E-99E5-CD97-BC92535FF528} - C:\WINDOWS\javawn.dll (file missing)
O2 - BHO: Class - {D8F3C22A-6CEB-61D4-7123-9B293A2D57FF} - C:\WINDOWS\system32\javats32.dll (file missing)
O4 - HKLM\..\Run: [atlgu32.exe] C:\WINDOWS\atlgu32.exe
O4 - HKLM\..\Run: [javaky.exe] C:\WINDOWS\javaky.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3ui.exe (file missing)



Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

*note* Some of these files may have already been deleted but check.

C:\WINDOWS\system32\uhnkj.dll
C:\WINDOWS\msgr32.dll
C:\WINDOWS\mfcqn32.dll
C:\WINDOWS\sysah32.dll
C:\WINDOWS\winpb.dll
C:\WINDOWS\system32\winuo32.dll
C:\WINDOWS\apiqu32.dll
C:\WINDOWS\system32\ipvt32.dll
C:\WINDOWS\ipwh32.dll
C:\WINDOWS\javawn.dll
C:\WINDOWS\system32\javats32.dll
C:\WINDOWS\atlgu32.exe
C:\WINDOWS\javaky.exe
C:\WINDOWS\d3ui.exe


Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows open hijackthis again. Click Config>>>Misc tools>> Delete an NT Service button. Once that box opens put in the following path....

11Fßä#·ºÄÖ`I <--Notice there is an empty space in front of the 11 so make sure it's the same in the box. Then hit OK. Close Hijackthis.

Then post another set of the following logs...

Ewido log
AboutBuster log
Hijackthis log
 

·
Registered
Joined
·
7 Posts
Discussion Starter #5
I did as you told, when I did the services.msc function in safe mode I couldnot find remote procedure call helper, I did find remote call procedure and RMC locator, RMC would not allow me to stop or disable but the RMC locator would,,, so I did.when I tried to delete the nt service in hijack this I copied the name 11Fßä#·ºÄÖ`I and pasted it into the box I then got a message that it could not find the program also cool search housefinder appeares on spybot but not on cwshredder, here are the log files you requested
hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 2:15:11 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Insight\BBClient\Programs\QicSetup.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\QicSetup.exe" /AfterReboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129138788453
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

here is the ewido,,,,,,
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:10:34 PM, 10/19/2005
+ Report-Checksum: 4120C8D4

+ Scan result:

C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End
and here is the aboutbuster
AboutBuster 5.1, reference file 32
Scan started on [10/19/2005] at [1:24:55 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\hoyhe.dat
Removed File! : C:\WINDOWS\qtffv.dat
Removed File! : C:\WINDOWS\system32\gcyja.dat
Removed File! : C:\WINDOWS\system32\nrjhw.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:26:03 PM


AboutBuster 5.1, reference file 32
Scan started on [10/19/2005] at [1:27:58 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:28:47 PM
thank you again for your time and guidance
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Download my attachment to this thread. Unzip the file. Open the folder it created and double click on the cwserviceremover.reg file and allow it to merge into the registry.

Reboot the PC.

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post and let me know how things are running.
 

Attachments

·
Registered
Joined
·
7 Posts
Discussion Starter #7
here is the scan results,,,,
Incident Status Location

Adware:adware/oemji No disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Adware:Adware/EliteBar No disinfected C:\EliteToolBar version 61.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appro.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3sx32.exe
over all my computer is running much better, no more search pop ups or any popups for that matter, I am no longer getting virus warnings from norton
what should I do to prevent this from happening again? once again I would like to thank everyone who helped out you guys are great!!!!
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Hi baxtera,

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Download EliteToolbar Remover.

Reboot into Safe Mode. (tapping F8 or F5)

Run ETRemover.exe now. When it's done, follow the prompts, but don't restart yet. Do the below fixes first.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\appro.exe
C:\WINDOWS\system32\d3sx32.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.

Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Delete the following folder:

C:\PROGRAM FILES\COMMON FILES\Oem Common
EliteToolBar --Do a search and delete any files or folders if found

Reboot into Normal Mode. Run another scan with Panda and post the results here once again.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #9
here is the panda scan results....
Incident Status Location

Adware:adware/oemji Reported C:\PROGRAM FILES\COMMON FILES\Oem Common
Spyware:Cookie/Ask Reported C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
Adware:Adware/SearchAid Reported C:\!Submit\appro.exe
Adware:Adware/SearchAid Reported C:\!Submit\d3sx32.exe
Spyware:Cookie/Ask Reported C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Andrew\Cookies\[email protected][1].txt
 

·
Registered
Joined
·
6,574 Posts
Delete this folder:

C:\PROGRAM FILES\COMMON FILES\Oem Common

Then run Cleanup with the same settings as before, or manually clear the cookies when logged in as Andrew.

You should now be clean:

Do you have any more problems with your computer? If not, you should be set to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear Java Cache
  1. Click Start >Settings>Control Panel
  2. Click the Java Plugin Icon
  3. Click the Cache tab
  4. Click the Clear button and click OK to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.


ps - you can delete C:\!Submit - it's the backup folder for what Killbox deletes.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #11
I appologize for the delay, I have done everything you have told me and my computer is running fine now, however when I run spybot I still get this

--- Search result list ---
CoolWWWSearch.HomeSearch: Data (File, nothing done)
C:\WINDOWS\kswam.log

but when I run cwshredder nothing is found, do you think there is anything left to be done? if not then please mark this thread resolved
thank you again everyone for your time and effort!!!!
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Hi baxtera,

Please download and install the trial version of Webroot SpySweeper (8.3MB) http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02

When SpySweeper starts, please accept any prompts to update definitions.
Configure it as follows:
*From the left pane, click Options
*Select the Sweep Options tab & ensure the following are ticked:
-Sweep Memory
-Sweep Registry
-Sweep Cookies
-Sweep All Users accounts
*Do Not Sweep System Restore Folder
*Enable Direct Disk Sweeping
*Sweep For Rootkits
After that's done, select Sweep from the left pane & click on the Start button

Allow Spysweeper to reboot your machine to remove the infected files.
*After rebooting, launch SpySweeper & select Results from the left pane
*Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #13
here are the log files you requested, as you can see I had trouble with updating the signatures with webroot, I even tried disabling my firewall so it must be a problem with their server, i dont know,,,,, thank you again for all your help
********
6:06 PM: | Start of Session, Monday, October 31, 2005 |
6:06 PM: Spy Sweeper started
6:06 PM: Sweep initiated using definitions version 556
6:06 PM: Starting Memory Sweep
6:09 PM: Memory Sweep Complete, Elapsed Time: 00:03:08
6:09 PM: Starting Registry Sweep
6:10 PM: Found Trojan Horse: rbot
6:10 PM: HKU\WRSS_Profile_S-1-5-21-1192923827-3401290172-2224708248-1006\software\microsoft\windows\currentversion\run\ || microsoft update machine (ID = 139242)
6:10 PM: Registry Sweep Complete, Elapsed Time:00:00:36
6:10 PM: Starting Cookie Sweep
6:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:10 PM: Starting File Sweep
6:12 PM: Found Adware: subsearch
6:12 PM: 5861dd4d-ab91-4ce4-93cd-bbfec0 (ID = 77428)
6:24 PM: File Sweep Complete, Elapsed Time: 00:14:12
6:24 PM: Full Sweep has completed. Elapsed time 00:18:06
6:24 PM: Traces Found: 2
6:25 PM: Removal process initiated
6:25 PM: Quarantining All Traces: rbot
6:25 PM: Quarantining All Traces: subsearch
6:25 PM: Removal process completed. Elapsed time 00:00:18
********
5:57 PM: | Start of Session, Monday, October 31, 2005 |
5:57 PM: Spy Sweeper started
5:59 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:01 PM: Updating spyware definitions
6:02 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:02 PM: Updating spyware definitions
6:03 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:03 PM: Updating spyware definitions
6:03 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:04 PM: Updating spyware definitions
6:04 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
6:06 PM: | End of Session, Monday, October 31, 2005 |

here is the HJT log......
Logfile of HijackThis v1.99.1
Scan saved at 6:34:39 PM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129138788453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

·
TSF Security Manager, Emeritus
Joined
·
42,837 Posts
Try again to update the Webroot definitions and run the Sweep again. If Spybot is still detecting 'CoolWWWSearch.HomeSearch: Data (File, nothing done)', please do the following:

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe. Do not run it yet.

Download HSfix.zip


1. Unzip the contents of HSfix.zip (HSfix.reg) to your desktop.
2. Please do not do anything with it yet.

Reboot into Safe Mode.

Double-click on HSfix.reg you downloaded earlier.
When it asks you to merge the information to the registry click "Yes".

Run CWShredder. Click "Fix".

Run AboutBuster again and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it along with a new HijackThis log and the results of the Webroot SpySweeper if you were able to update and run it.
 
1 - 14 of 14 Posts
Status
Not open for further replies.
Top