
Registered
Discussion Starter #1
I've been having a problem with a certain pop-under lately. I don't use IE, but other people use it on this PC, and every time it's opened there's this annoying window which shows up automatically. It hasn't happened with Firefox, but yesterday I noticed it saved the page on my desktop with the Firefox icon (which is my default browser). The link directs to a casino page, www.888.com.

I posted about it here, and already went through the greyknight procedure. No biggies, just found some spyware that hadn't been detected before.

I couldn't save the result.txt file (it said the hijackthis.log file wasn't in the same folder, even though it was), so here goes my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 18:00:20, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\pctspk.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobyte.cjb.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Arquivos de programas\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Baixar por Net Transport - C:\Arquivos de programas\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Baixar todos por Net Transport - C:\Arquivos de programas\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104255282390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16547BA8-1998-4B88-8F6C-641A5B044362}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B738B5-BFDF-4063-A854-CC7F6D174F3E}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{16547BA8-1998-4B88-8F6C-641A5B044362}: NameServer = 201.10.1.2 201.10.120.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj3500 - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe (file missing)
 

TSF Security Manager, Emeritus
Do you know if the "sponsor program" was installed along with Messenger Plus! 3? Do the other people using this system have their own accounts on it? If so, we may need logs from those accounts as well.

Let's do this to begin:

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to log off.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here along with a fresh HijackThis log


Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ... this begins downloading Panda's ActiveX controls (8 MB)
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

Registered
Discussion Starter #3 (Edited)
No, the sponsor program from Plus! wasn't installed (I accidentally installed it once so now I'm always careful when I install it anywhere). And no, there are no other accounts. I'll be posting the logs needed soon.
 

Registered
Discussion Starter #4
Antispyware.log

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning



HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 23:50:39, on 4/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\pctspk.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Arquivos de programas\SpywareGuard\sgmain.exe
C:\Arquivos de programas\SpywareGuard\sgbhp.exe
C:\Arquivos de programas\HJT\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobyte.cjb.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Arquivos de programas\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Baixar por Net Transport - C:\Arquivos de programas\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Baixar todos por Net Transport - C:\Arquivos de programas\Xi\NetTransport 2\NTAddList.html
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104255282390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B738B5-BFDF-4063-A854-CC7F6D174F3E}: Domain = @
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj3500 - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe (file missing)


Panda scan didn't find anything.
 

TSF Security Manager, Emeritus
2 questions, and a task:

Do you have an HP printer attached to this system?

Are you still getting those pop-unders?

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
 

Registered
Discussion Starter #6
As I mentioned above, I don't really use IE so I hadn't checked yet. Last night I used it for 1 hour and it looks like it's gone. :)

Yes, I do have an HP printer. Would you mind telling me how it could interfere in something like this? Also, what is StartDreck for?
 

TSF Security Manager, Emeritus
Well, first, I'm not sure the HP printer question is interfering in this.... There are, however, a couple of unusual services running on your system, with .exe files running from Temp, which have possibly been attributed to HP printers, but are generally unknown.

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj3500 - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe (file missing)


Please tell me all you can find about these files on your system. Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe
C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe


StartDreck is an analysis tool which digs deep into the areas HJT and others do not venture into, or just don't see due to camouflage.

Hidden startups, hosts file hijackings, rewrites of wininit.ini files, redirects of startpage, things of that nature. It will aid us in getting to the bottom of the mystery. Something on your system is causing the redirect to the casino page. Even if you don't use IE, it appears that you've said others do.
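The two hpdj services above are exactly the pattern a responder wants pulled out of a log automatically: a service with no recorded owner, whose binary sits under a user's Temp directory, and which HijackThis marks "(file missing)". As an added example that is not part of this thread and not HijackThis's own logic, here is a small Python script that parses the O23 lines of a v1.99-style log and flags such entries. The four sample lines are the O23 lines from the log posted above; the three flagging rules (missing binary, Temp path, unknown owner) are my assumptions about what is worth a second look, not a verdict on the files.

```python
"""Flag suspicious O23 (service) entries in a HijackThis v1.99 log.

Added example; not code from the thread or from HijackThis. The flagging
rules below are assumptions a responder would use, not HJT's own checks.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the four O23 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj3500 - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe (file missing)
"""

# O23 - Service: <display> [(<service name>)] - <owner> - <path> [(file missing)]
# HJT leaves out the parenthesised service name when it equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"],
        name=m["name"] or m["display"],
        owner=m["owner"],
        path=m["path"],
        file_missing=m["missing"] is not None,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach a reason for each heuristic the entry trips (assumed rules)."""
    low = entry.path.lower()
    if entry.file_missing:
        entry.reasons.append("service binary is missing (orphaned service or deleted payload)")
    if "\\temp\\" in low or "\\tmp\\" in low:
        entry.reasons.append("binary path is inside a Temp directory")
    if entry.owner.lower() == "unknown owner":
        entry.reasons.append("no company/owner recorded for the service")
    return entry


def suspicious_services(log_text: str) -> list:
    """All O23 entries in the log that trip at least one rule, in log order."""
    found = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and assess(entry).reasons:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_LOG):
        print(f"{e.name}: {e.path}")
        for reason in e.reasons:
            print("   -", reason)
```

Run against the sample it reports only hpdj and hpdj3500, each with all three reasons; the two AVG services pass because they have a vendor string and a binary that exists. A "(file missing)" service is not harmless just because the file is gone: the registration itself is a persistence point that will run whatever is dropped at that path later, which is why the helper asks for the file properties before deciding whether to remove the service.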
 

Registered
Cool. I'm not very informed but I like to try to understand what I'm doing. =)

I've tried opening the files but they can't be located.

The StartDreck log follows below.

::::edit::::: OK, not working. That log is ****** enormous, I opened it in Word and it's 300 pages long :S I think I did something wrong so I'll save a new one and try to post it later.
 

TSF Security Manager, Emeritus
Hi BlackEyed -

I can see that you're getting frustrated, but please keep in mind this is a family forum, open to all. Please refrain from the use of off-color language.

I've tried opening the files but they can't be located.
You can't find them, or you can't open them? I only need to know their properties, there is no need to open them.

Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.
Go to My Computer->Tools>Folder Options->View tab and make sure that 'Show hidden files and folders' is enabled. Also make sure that 'Display the contents of system folders' is checked, and that there is no check in 'Hide file extensions for known file types' or 'Hide protected operating system files'.

Run a search using Start>Search for each of these files:

hpdj.exe
hpdj3500.exe


In Windows XP, the search engine feature is a little different. When you click on 'All files and folders' on the left pane of the Search Window, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

The StartDreck log should not be that big if you have it set up the way I've asked you to. Mine opens in Notepad, and I have a HUGE hosts file which adds a lot of lines to the log. Be sure to review the instructions again:

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
You could also post a SilentRunners log:

Right click on http://www.silentrunners.org/Silent Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Is the issue still occurring?
 

Registered
Discussion Starter #15 (Edited)
Really sorry for the language. I'm not frustrated or anything, I just didn't pay attention to what I wrote. Won't happen again. =)

I checked the folder and the search options, but I still can't find the 2 files.

My StartDreck log is still enormous. I must have checked if I was doing it right a million times, so I've uploaded it here in case you can take a look at it this way.



Silent Runner log

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS Windows KeyHook" = "C:\WINDOWS\System32\keyhook.exe" ["Silicon Integrated Systems Corporation"]
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"PCTVOICE" = "pctspk.exe" [empty string]
"AVG7_CC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"MessengerPlus3" = ""C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AVG7_EMC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIV~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Xi\NetTransport 2\NTIEHelper.dll" ["Xi"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\dBpowerAMP\dMCShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\My Received Files\Eu\claidinha.bmp"


Startup items in "Marilia" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Marilia\Menu Iniciar\Programas\Inicializar
"SpywareGuard" -> shortcut to: "C:\Arquivos de programas\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
"Microsoft Office" -> shortcut to: "C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Enabled Scheduled Tasks:
------------------------

"HP DArC Task #Hewlett-Packard#deskjet3500#TH453171TN76" -> launches: "C:\Arquivos de programas\HP\hpcoretech\comp\hpdarc.exe /#Hewlett-Packard#deskjet3500#TH453171TN76" ["Hewlett-Packard Company"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"
[Strings]: SAFESITE_VALUE="search.msn.com.br"

Missing lines (compared with English-language version):
[Strings]: 2 lines


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 50 seconds, including 18 seconds for message boxes)
 

TSF Security Manager, Emeritus
OK, Black Eyed.....that is one GIANT hosts file you have. Good job. I'm still not seeing anything in those logs related to www 888 com which is what I've been hunting for. I'm going to throw some tools at it. :grin: I see you said you ran the procedures at greyknight's site, but to be sure I'd like you to do this:

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobyte.cjb.net/

Reboot and post a new HJT log. Any issues still? If so, I'll have another Expert pop in and take a look, cuz I'm running out of ideas. :sayyes:

I have one last idea...add the url to your hosts file, coz it's not there. Your hosts file is located at C:\Windows\System32\Drivers\Etc. You would likely need to change the attributes of the hosts file from Read Only, right click and uncheck Read only, open the file with Notepad, add these lines in:

127.0.0.1 www.888.com
127.0.0.1 images.888.com

Save the file, and then change the attributes back to read only

This should at least prevent the page from opening
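The hosts-file step above is easy to get subtly wrong by hand (duplicate lines, the read-only attribute left cleared, an entry that was already present in different case). As an added example that is not part of this thread, here is a Python script that merges block entries into an existing hosts file idempotently and puts the read-only attribute back afterwards. The two hostnames and the 127.0.0.1 sink are the ones from the post, and the default path is the XP location the post gives; the sample existing hosts content is constructed, and the merge/restore logic is my own, not anything from the thread's tools.

```python
"""Add hosts-file block entries without duplicates, preserving read-only.

Added example; not from the thread. BLOCKLIST and SINK are the values from
the post; HOSTS_PATH is the XP default the post names; the rest is assumed.
"""
import os
import stat
import sys

HOSTS_PATH = r"C:\Windows\System32\Drivers\Etc\hosts"
BLOCKLIST = ["www.888.com", "images.888.com"]
SINK = "127.0.0.1"


def merge_hosts(existing: str, names, sink: str = SINK) -> str:
    """Return hosts text with one '<sink> <name>' line per name not yet mapped.

    Names already mapped anywhere in the file (any address, any case) are
    left alone, so running this twice changes nothing the second time.
    """
    mapped = set()
    for raw in existing.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2:                      # "<address> <host> [<host>...]"
            mapped.update(h.lower() for h in parts[1:])
    additions = [f"{sink} {n}" for n in names if n.lower() not in mapped]
    if not additions:
        return existing
    body = existing if (not existing or existing.endswith("\n")) else existing + "\n"
    return body + "\n".join(additions) + "\n"


def update_hosts_file(path: str, names, sink: str = SINK) -> bool:
    """Merge entries into the file on disk; returns True if it was changed.

    os.chmod with S_IWRITE is what clears the Windows read-only attribute;
    the original mode is restored afterwards, as the post asks.
    """
    original_mode = os.stat(path).st_mode
    os.chmod(path, original_mode | stat.S_IWRITE)
    try:
        # latin-1 round-trips every byte unchanged, so odd characters in
        # comments survive the rewrite.
        with open(path, "r", encoding="latin-1") as fh:
            before = fh.read()
        after = merge_hosts(before, names, sink)
        if after != before:
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(after)
        return after != before
    finally:
        os.chmod(path, original_mode)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    changed = update_hosts_file(target, BLOCKLIST)
    print("hosts updated" if changed else "entries already present")
```

Two caveats worth keeping in mind. Mapping a name to 127.0.0.1 sends the request to the local machine, so if anything is listening on port 80 locally the browser will get that instead of a failed connection; that is why some people use 0.0.0.0 instead. And, as the post itself says, this only stops those two hostnames from resolving; it does not remove whatever is launching IE at that URL, which is why the hosts entry is a stopgap and not a fix.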
 

Registered
Discussion Starter #17
Well, the window hasn't popped lately, maybe it was killed by one of these things?

I'll be posting the results as soon as possible.
 

Registered
Discussion Starter #18
No issues anymore.



Logfile of HijackThis v1.99.1
Scan saved at 19:31:32, on 20/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\keyhook.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\pctspk.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Arquivos de programas\SpywareGuard\sgmain.exe
C:\Arquivos de programas\SpywareGuard\sgbhp.exe
C:\Arquivos de programas\HJT\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Arquivos de programas\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Arquivos de programas\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Baixar por Net Transport - C:\Arquivos de programas\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Baixar todos por Net Transport - C:\Arquivos de programas\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Arquivos de programas\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Arquivos de programas\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Arquivos de programas\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Arquivos de programas\Yahoo!\Common\yiesrvc.dll (file missing)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104255282390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B738B5-BFDF-4063-A854-CC7F6D174F3E}: Domain = @
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj3500 - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe (file missing)
 

Premium Member
14,311 Posts
Check and fix these two entries in HijackThis:

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj.exe (file missing)
O23 - Service: hpdj3500 - Unknown owner - C:\DOCUME~1\Marilia\CONFIG~1\Temp\hpdj3500.exe (file missing)


They shouldn't be running in your temp folder. It's probably for your HP printer or scanner.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
 