Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

HiJacked Browser/Desktop


  • This topic is locked This topic is locked
8 replies to this topic

#1 blaskow

blaskow

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 10 February 2006 - 04:52 AM

I've been HiJacked. Help would be appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 4:49:01 AM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\AOL\1135192648\ee\AOLSoftware.exe
D:\Program Files\Ahead(Nero)\InCD\InCD.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\system32\HPHipm11.exe
D:\Program Files\BitTorrent\bittorrent.exe
D:\WINDOWS\system32\svchost.exe
d:\program files\common files\aol\1135192648\ee\aim6.exe
D:\Program Files\LimeWire\LimeWire.exe
D:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iastate.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1135192648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead(Nero)\InCD\InCD.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [desktop] D:\WINDOWS\system32\idemlog.exe
O4 - HKCU\..\Run: [UnSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137885040491
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F14371-3346-4121-9C30-30296C3FB4FF}: NameServer = 85.255.116.27,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE88041-737F-4B76-B695-96773061FE6D}: NameServer = 85.255.116.27,85.255.112.226
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe

    Advertisements

Register to Remove


#2 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 13 February 2006 - 03:41 PM

Thanks for sending your information. We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like.

If you still need help with your problem, please run Hijack This again. Scan and copy the log, then post it here, in this topic . We do need to see a current logfile.

To post, please use the Add Reply feature, so I will be notified.

Please provide a description of the problem.

Please do not edit your Hijack This log. We need to see the entire logfile, with no revisions.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#3 blaskow

blaskow

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 15 February 2006 - 07:45 PM

quick rundown of my problem....
-google searches go to random websites to buy fake stuff
-clicking some certain links goes to google searches of adult words
-I have a thing on my desktop to click for "adult, insurance, loans, etc."
-theres a file running that when i close it in my ctrl+alt+del list of programs it reopens itself (D:\WINDOWS\system32\wscntfy.exe)
-my entire computer is running drastically slower
Thanks.....

in my Logfile of HijackThis v1.99.1
Scan saved at 7:40:26 PM, on 2/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Common Files\AOL\1135192648\ee\AOLSoftware.exe
D:\Program Files\Ahead(Nero)\InCD\InCD.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
D:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINDOWS\system32\HPHipm11.exe
d:\program files\common files\aol\1135192648\ee\aim6.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iastate.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1135192648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead(Nero)\InCD\InCD.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "D:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [desktop] D:\WINDOWS\system32\idemlog.exe
O4 - HKCU\..\Run: [UnSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137885040491
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F14371-3346-4121-9C30-30296C3FB4FF}: NameServer = 85.255.116.27,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE88041-737F-4B76-B695-96773061FE6D}: NameServer = 85.255.116.27,85.255.112.226
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe

#4 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 16 February 2006 - 12:25 PM

Hi blaskow;

If you are not running any antivirus software, it is essential that you do so, as quickly as possible.Here is a link for a free AVG ANTI-VIRUS:http://free.grisoft....1/lng/us/tpl/v5

If you are not using a software firewall, it is essential that you do so.

Below you will find a link to Zone Alarm, which has a good free firewall for personal use, another for kerio and a link to sygate. Note that it is not recommended to run two firewalls simultaneously, not even along with the new Microsoft firewall, as conflicts between them would likely result.
http://www.zonelabs....sku_list_za.jsp
http://www.kerio.com/us/kpf_home.html
http://smb.sygate.co...cts/spf_pro.htm

Next:
Please download, install, update and scan your system with the free version of Ewido trojan scanner:[list=1]
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

The trial version of Ewido works like a full featured version for 14 days, after that the only features that will not work are, autoupdate and realtime protection. It will still be able to be updated with the link above and be used to scan and remove undesirables.

Next:
Please set your system to show all files; please see here if you're unsure how to do this.

Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.:


O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKCU\..\Run: [desktop] D:\WINDOWS\system32\idemlog.exe
O4 - HKCU\..\Run: [UnSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F14371-3346-4121-9C30-30296C3FB4FF}: NameServer = 85.255.116.27,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE88041-737F-4B76-B695-96773061FE6D}: NameServer = 85.255.116.27,85.255.112.226

Click on Fix Checked when finished.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

D:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile
D:\WINDOWS\system32\idemlog.exe
D:\Program Files\UnSpyPC\UnSpyPC.exe

Please note: The following is a Program, so must also be Uninstalled/Removed in Control Panel-->Add/Remove Programs.

D:\Program Files\BitTorrent\bittorrent.exe
If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.


Reboot , enable hidden files and post a fresh Hijack This log in this topic, along with the Ewido report.

Please use the Add Reply feature to reply, so I will be notified.

Note: Please do not edit the new HJT log. We need to see the entire log, without revisions.

Edited by Piatan, 16 February 2006 - 12:27 PM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#5 blaskow

blaskow

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 16 February 2006 - 03:23 PM

Most Recent HJT log.....
Logfile of HijackThis v1.99.1
Scan saved at 3:18:11 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Ahead(Nero)\InCD\InCD.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\AOL\1140095039\ee\AOLSoftware.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\HPHipm11.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iastate.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead(Nero)\InCD\InCD.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1140095039\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137885040491
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


Ewido Log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:53:25 PM, 2/16/2006
+ Report-Checksum: D80A7D72

+ Scan result:

[712] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[736] VM_00B20000 -> Downloader.Agent.uj : Error during cleaning
[1748] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
[1744] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[672] VM_008C0000 -> Downloader.Agent.uj : Error during cleaning
[708] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning
[756] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[904] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning
[1012] VM_008A0000 -> Downloader.Agent.uj : Error during cleaning
[1072] VM_00390000 -> Downloader.Agent.uj : Error during cleaning
[1108] VM_00990000 -> Downloader.Agent.uj : Error during cleaning
[1124] VM_008B0000 -> Downloader.Agent.uj : Error during cleaning
[1156] VM_008A0000 -> Downloader.Agent.uj : Error during cleaning
[1396] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[1432] D:\WINDOWS\system32\idemlog.exe -> Hijacker.Small : Error during cleaning
[1680] VM_00950000 -> Downloader.Agent.uj : Error during cleaning
[1984] VM_003B0000 -> Downloader.Agent.uj : Error during cleaning
[2008] VM_00840000 -> Downloader.Agent.uj : Error during cleaning
[2120] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[2364] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning
[2200] VM_00960000 -> Downloader.Agent.uj : Error during cleaning
[2740] VM_01250000 -> Downloader.Agent.uj : Error during cleaning
D:\Documents and Settings\Me\Cookies\me@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@adtech[1].txt -> TrackingCookie.Adtech : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@c4.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@com[2].txt -> TrackingCookie.Com : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz11.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@cz9.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@e-2dj6wjlyegd5wgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@free.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@sel.as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
D:\Documents and Settings\Me\Cookies\me@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
D:\Documents and Settings\Me\Local Settings\Temp\dk.dial -> Trojan.Dialer.ay : Cleaned with backup
D:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\9WIYA2LZ\xxx[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP23\A0006647.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP24\A0007647.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP26\A0008647.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP27\A0008672.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP36\A0009003.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP42\A0009979.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP42\A0010023.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP45\A0011023.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP45\A0012023.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP49\A0012125.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP51\A0013122.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP53\A0013238.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP54\A0013261.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP55\A0014261.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP58\A0014342.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP59\A0015338.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP62\A0015433.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP63\A0016432.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP64\A0017433.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP65\A0018432.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP68\A0018521.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP68\A0020518.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP68\A0020552.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP68\A0020756.exe -> Trojan.Pakes : Cleaned with backup
D:\System Volume Information\_restore{7F6803A5-412A-4D88-9789-BB0C42A392F0}\RP68\A0020811.exe -> Trojan.Pakes : Cleaned with backup
D:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
D:\WINDOWS\system32\whtgv.dll -> Adware.SBSoft : Cleaned with backup


::Report End

--Side Note: The Desktop links are gone and things APPEAR to be running more smoothly. I could not find files "D:\windows\system32\popcorn72" or "D:\Program Files\UnSpyPC", but used Killbox on them. Thanks for the help so far.

#6 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 16 February 2006 - 06:19 PM

Hi blaskow;

Good job with that cleanup and with Killbox. Lets see what is left.

Looks like Ewido found something that needs fixing.

You may want to print out these instructions, or copy and paste this text into a Notepad file and place it on your desktop, to review as you work.
You will not be able to access the Internet, during most of this fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items (if they appear):

The following are OPTIONAL fixes:

Optional - VIEWPOINT MANAGER Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.co...61546Additional info: http://vil.nai.com/v...t/v_137262.htmI suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Fix the items identified in the HijackThis log below. Your call.

Close all Windows leaving only HijackThis running. Place a check against each of the following.:
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


If you see a new item that wasn't in your last log in the O4 section of HijackThis, five-letters long, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If you're not sure, leave it and only check the ones I asked you to check.


Then click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Next:

Using Windows Explorer, locate the following files/folders shown DARK and delete them:
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Next:

(Since you already have Killbox, there is no need to download it.)

Then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Please enter the entire line, just below.

D:\WINDOWS\system32\idemlog.exe

Then, please run Ewido again and save the report.


Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log and the Ewido report.

Please use theAdd Reply feature to post, so I will be notified.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#7 blaskow

blaskow

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 17 February 2006 - 04:18 AM

Cleared these hurdles.... Since I've begun following these steps my AOL Instant Messanger has stopped functioning. Curious if there's a way of seeing if there's a connection. Here are the new logs....

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 4:14:39 AM, on 2/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Ahead(Nero)\InCD\InCD.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\AOL\1140095039\ee\AOLSoftware.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
D:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\HPHipm11.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iastate.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead(Nero)\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] D:\Program Files\Common Files\AOL\1140095039\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\AHEAD(~1\Ahead\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137885040491
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead(Nero)\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:14:00 AM, 2/17/2006
+ Report-Checksum: 7E6E1AFD

+ Scan result:

D:\Documents and Settings\Me\Cookies\me@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\RECYCLER\S-1-5-21-1993962763-2111687655-1060284298-1003\Dd158.exe -> Hijacker.Small : Cleaned with backup
D:\RECYCLER\S-1-5-21-1993962763-2111687655-1060284298-1003\Dd160.exe -> Adware.Msnagent : Cleaned with backup
D:\WINDOWS\system32\dmaxe.exe -> Trojan.Pakes : Cleaned with backup


::Report End

Fixware:

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\examd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmaxe.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
D:\WINDOWS\SYSTEM32\DMAXE.EXE
D:\WINDOWS\SYSTEM32\IPSEC6.EXE
D:\WINDOWS\SYSTEM32\CSZSD.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

again, thanks for the help

#8 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 17 February 2006 - 05:08 PM

Hi blaskow, you're welcome.

I looked back through all the logs and couldn't find anything had been done that should have any effect on AOL Instant Messenger, but you never know for sure. However, I see only one entry for AOL and no mention of AOL IM in your Hijack This logfile, so it may need to be downloaded.

Your Hijack This log looks to be clean.

However, there is the matter of some questionable files found by Ewido.

D:\WINDOWS\SYSTEM32\DMAXE.EXE
D:\WINDOWS\SYSTEM32\CSZSD.EXE

This file looks to be legitimate.
D:\WINDOWS\SYSTEM32\IPSEC6.EXE

Please go into SAFE MODE and show hidden files. If you aren't sure how:

Be sure to first close all open Windows and browsers.
Next, make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode.

Then, do an ALL FILES search for the following.
We want to check the files properties, to verify they are good, or not.

To check a files properties, Right click on the file and select "Properties". This will sometimes give you information such as the size, attributes,version number and often the maker.
From this you can often determine if it is good. If it doesn't tell you who made it and you can't find it in Google, it is probably bad.

If a file is Microsoft, then leave it alone and go on to the next file.

Delete any of the following files shown DARK you find that are unresolved.

D:\WINDOWS\SYSTEM32\DMAXE.EXE
D:\WINDOWS\SYSTEM32\CSZSD.EXE

This file looks to be legitimate (Microsoft), but check to be positive.
D:\WINDOWS\SYSTEM32\IPSEC6.EXE

Then, please reboot into NORMAL MODE.

If there are no further issues, I recommend the following.

One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.

    Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
    -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing. :wavey:
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#9 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 08 March 2006 - 09:20 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users