WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

hijackthis log help request

Started by bh35 , Jun 04 2006 09:11 PM

This topic is locked

20 replies to this topic

#1 bh35

New Member

Authentic Member
11 posts

Posted 04 June 2006 - 09:11 PM

My internet service provider shuts off my service because of a hijacked computer that sends out spam. Please provide help. I appreciate it. Below is the hijack log.

Logfile of HijackThis v1.99.0
Scan saved at 8:08:25 PM, on 6/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvctrl.exe
C:\iexplorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\system32\newexe.exe
C:\WINNT\system32\lup.exe
C:\WINNT\system32\jimbo.exe
C:\WINNT\system32\spread.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\cfg32.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\cfg32a.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.locators.com/sidebar/
O1 - Hosts: 216.255.180.50 www.halifax-online.co.uk
O1 - Hosts: 216.255.180.50 ibank.barclays.co.uk
O1 - Hosts: 216.255.180.50 online.lloydstsb.co.uk
O1 - Hosts: 216.255.180.50 online-business.lloydstsb.co.uk
O1 - Hosts: 216.255.180.50 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 216.255.180.50 banesnet.banesto.es
O1 - Hosts: 216.255.180.50 extranet.banesto.es
O1 - Hosts: 216.255.180.50 ebanking.bccbrescia.it
O1 - Hosts: 216.255.180.50 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 216.255.180.50 oi.cajamadrid.es
O1 - Hosts: 216.255.180.50 bancae.caixapenedes.com
O1 - Hosts: 216.255.180.50 banking.postbank.de
O1 - Hosts: 216.255.180.50 meine.deutsche-bank.de
O1 - Hosts: 216.255.180.50 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 216.255.180.50 ibank.cahoot.com
O1 - Hosts: 216.255.180.50 webbank.openplan.co.uk
O1 - Hosts: 216.255.180.50 bancopostaonline.poste.it
O1 - Hosts: 216.255.180.50 mybank.bybank.it
O1 - Hosts: 216.255.180.50 ibank.internationalbanking.barclays.com
O1 - Hosts: 216.255.180.50 welcome7.co-operativebank.co.uk
O1 - Hosts: 216.255.180.50 welcome11.co-operativebankonline.co.uk
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hpE0BC.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll (file missing)
O3 - Toolbar: Locators.com Search Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3E} - C:\WINNT\system32\Locators.dll
O3 - Toolbar: Locators.com Links Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3F} - shdocvw.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\system32\PPCRunOnce.exe
O4 - HKLM\..\Run: [msconfig38] newexe.exe
O4 - HKLM\..\Run: [secures23] lup.exe
O4 - HKLM\..\Run: [jssvc23] jimbo.exe
O4 - HKLM\..\Run: [winsystems25] spread.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe
O4 - HKLM\..\Run: [w0334de2.dll] RUNDLL32.EXE w0334de2.dll,I2 000dccf700334de2
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [newname] C:\\newname19.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe"
O4 - HKLM\..\RunServices: [msconfig38] newexe.exe
O4 - HKLM\..\RunServices: [secures23] lup.exe
O4 - HKLM\..\RunServices: [jssvc23] jimbo.exe
O4 - HKLM\..\RunServices: [winsystems25] spread.exe
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - Startup: Epson Other Registration.lnk = C:\EPSONREG\EPSONREG.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

Advertisements

Register to Remove

#2 Danny_

Emeritus-The Malware Remover

Authentic Member
1,323 posts

Posted 05 June 2006 - 03:21 PM

Hi,

Your hijackthis log is showing that you have a password stealer, which can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

Would advise for you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

Will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.

Danny

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#3 bh35

New Member

Authentic Member
11 posts

Posted 06 June 2006 - 12:04 PM

Yes, I would like to proceed. If we determine that ulitmately a reformat and reinstall of the operating system is necessary, do you think I would be able to salvage my existing data files to CD and reloading them after the reinstall? Thanks for your help.

#4 Danny_

Emeritus-The Malware Remover

Authentic Member
1,323 posts

Posted 06 June 2006 - 02:38 PM

Hi,

I recommend that you change your passwords at all of your banks, and online forums, so you don't be a victim of identity theft.

We can get this resolved, but we won't be 100% sure.

--------------------------------------------------------------------------

Download the Hoster Here: http://www.funkytoad...load/hoster.zip

Please do not use program yet

Unzip Hoster to your desktop

Open up the Hoster program.

* Make sure that the "make hosts writable?" button in the upper right corner is enabled.
* Click back up Host files
* then click Restore orginal host files
* close program

Next, download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Posted Image

______________________________

Please download the trial version of Ewido anti-malware 3.5 from here:
http://www.ewido.net/en/download/

Install Ewido anti-malware.
When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
The program will prompt you to update. Click the Ok button.
The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

On the left-hand side of the main screen click the Update Button.
Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

Posted Image

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt

Danny

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#5 bh35

New Member

Authentic Member
11 posts

Posted 06 June 2006 - 11:01 PM

Here is the rapport text report. SmitFraudFix v2.55 Scan done at 23:37:51.55, Tue 06/06/2006 Run from C:\Documents and Settings\Culp\Desktop\SmitfraudFix OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ C:\drsmartload1.exe FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32 C:\WINNT\system32\hp????.tmp FOUND ! C:\WINNT\system32\ld????.tmp FOUND ! C:\WINNT\system32\ncompat.tlb FOUND ! C:\WINNT\system32\nvctrl.exe FOUND ! C:\WINNT\system32\ot.ico FOUND ! C:\WINNT\system32\ts.ico FOUND ! C:\WINNT\system32\1024\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Culp\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Culp\FAVORI~1 C:\DOCUME~1\Culp\FAVORI~1\Antivirus Test Online.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\SpywareQuake\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware" [HKEY_CLASSES_ROOT\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32] @="C:\WINNT\system32\stickrep.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32] @="C:\WINNT\system32\stickrep.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

#6 Danny_

Emeritus-The Malware Remover

Authentic Member
1,323 posts

Posted 07 June 2006 - 03:17 PM

Hi,

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

Posted Image

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

Click on Scanner
Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Click Save Report button
Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.

______________________________

Please post:

c:\rapport.txt
Ewido log
A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

Danny

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#7 bh35

New Member

Authentic Member
11 posts

Posted 08 June 2006 - 09:51 AM

Danny

#8 bh35

New Member

Authentic Member
11 posts

Posted 08 June 2006 - 10:01 AM

Danny,

There was no Desktop tab with corresponding web tab, web pages, security info, etc. under the Display in Control Panel, so I was unable to complete that step. Also, when rebooting in normal mode, the following RunDLL error message pops up: "error loading w0334de2.dll specified module could not be found".
Following are the reports requested:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:55:21 PM, 6/7/2006
+ Report-Checksum: 5869BF23

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorBar -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorBar\CLSID -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorBar\CurVer -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorBar.1 -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorLinks -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorLinks\CLSID -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorLinks\CurVer -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Classes\LocatorS.LocatorLinks.1 -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Locators Toolbar -> Adware.Locators : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup
HKU\S-1-5-21-823518204-1563985344-839522115-1000\Software\Microsoft\Internet Explorer\Locators Toolbar -> Adware.Locators : Cleaned with backup
HKU\S-1-5-21-823518204-1563985344-839522115-1000\Software\Microsoft\Internet Explorer\Locators Toolbar\Update -> Adware.Locators : Cleaned with backup
C:\503_617.exe -> Trojan.Small : Cleaned with backup
C:\aimer.exe -> Downloader.Small : Cleaned with backup
C:\aimer.exe7680.exe -> Proxy.Agent.eu : Cleaned with backup
C:\biza.exe -> Downloader.Small : Cleaned with backup
C:\cusp.exe -> Proxy.Slaper.a : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\system@ehg-peoplepc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[1].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[2].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[3].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\lat[1].exe -> Backdoor.Rbot.ari : Cleaned with backup
C:\Documents and Settings\Culp\Local Settings\Temp\Cookies\culp@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Culp\Local Settings\Temp\Cookies\culp@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Culp\Local Settings\Temp\Cookies\culp@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@ehg-peoplepc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[1].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[2].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[3].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\lat[1].exe -> Backdoor.Rbot.ari : Cleaned with backup
C:\Documents and Settings\Nathan\Cookies\system@ehg-peoplepc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Nathan\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[1].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Nathan\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[2].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Nathan\Local Settings\Temporary Internet Files\Content.IE5\01234567\iexplorer-update[3].exe -> Proxy.Ranky.cq : Cleaned with backup
C:\Documents and Settings\Nathan\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\lat[1].exe -> Backdoor.Rbot.ari : Cleaned with backup
C:\iexplorer.exe -> Proxy.Ranky.cq : Cleaned with backup
C:\lat.exe -> Backdoor.Agobot.agw : Cleaned with backup
C:\loader.exe3072.exe -> Downloader.Tiny.cp : Cleaned with backup
C:\loader2.exe2560.exe -> Downloader.Small.coz : Cleaned with backup
C:\loader2.exe3072.exe -> Downloader.Tiny.cp : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\eMedia Codec -> Trojan.Small : Cleaned with backup
C:\Program Files\eMedia Codec\uninst.exe -> Trojan.Small : Cleaned with backup
C:\righty.exe -> Downloader.Adload.bo : Cleaned with backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\windows\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\WINNT\cfg32.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINNT\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINNT\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINNT\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINNT\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINNT\system32\btest4.scr -> Downloader.Agent.a : Cleaned with backup
C:\WINNT\system32\jimbo.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\WINNT\system32\Locators.dll -> Adware.Locator : Cleaned with backup
C:\WINNT\system32\lup.exe -> Backdoor.Rbot.ari : Cleaned with backup
C:\WINNT\system32\newexe.exe -> Backdoor.Rbot.aqv : Cleaned with backup
C:\WINNT\system32\spread.exe -> Backdoor.Agobot.agw : Cleaned with backup
C:\WINNT\system32\winocx.exe -> Trojan.Crypt.d : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.0
Scan saved at 12:08:11 AM, on 6/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Locators.com Search Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3E} - C:\WINNT\system32\Locators.dll (file missing)
O3 - Toolbar: Locators.com Links Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3F} - shdocvw.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\system32\PPCRunOnce.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [w0334de2.dll] RUNDLL32.EXE w0334de2.dll,I2 000dccf700334de2
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe"
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - Startup: Epson Other Registration.lnk = C:\EPSONREG\EPSONREG.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll (file missing)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

SmitFraudFix v2.55

Scan done at 21:45:49.61, Wed 06/07/2006
Run from C:\Documents and Settings\Culp\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_CLASSES_ROOT\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINNT\system32\stickrep.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINNT\system32\stickrep.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\drsmartload1.exe Deleted
C:\WINNT\system32\hp????.tmp Deleted
C:\WINNT\system32\ld????.tmp Deleted
C:\WINNT\system32\ncompat.tlb Deleted
C:\WINNT\system32\nvctrl.exe Deleted
C:\WINNT\system32\ot.ico Deleted
C:\WINNT\system32\ts.ico Deleted
C:\WINNT\system32\1024\ Deleted
C:\DOCUME~1\Culp\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\SpywareQuake\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINNT\system32\stickrep.dll -> Missing File

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

#9 Danny_

Emeritus-The Malware Remover

Authentic Member
1,323 posts

Posted 08 June 2006 - 02:51 PM

Hi, Can you post a HijackThis log from normal mode? Thanks, Danny

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#10 bh35

New Member

Authentic Member
11 posts

Posted 08 June 2006 - 05:38 PM

Danny,

Here is the updated hijacklog based on normal bootup. Thanks

Logfile of HijackThis v1.99.0
Scan saved at 6:21:01 PM, on 6/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Locators.com Search Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3E} - C:\WINNT\system32\Locators.dll (file missing)
O3 - Toolbar: Locators.com Links Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3F} - shdocvw.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\system32\PPCRunOnce.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [w0334de2.dll] RUNDLL32.EXE w0334de2.dll,I2 000dccf700334de2
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe"
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - Startup: Epson Other Registration.lnk = C:\EPSONREG\EPSONREG.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll (file missing)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

Advertisements

Register to Remove

#11 Danny_

Emeritus-The Malware Remover

Authentic Member
1,323 posts

Posted 08 June 2006 - 08:01 PM

Hi,

You are using an outdated version of HijackThis.

Please download HijackThis version 1.99.1 from here:
http://www.hijackthi.../click.php?id=2 make sure to place it in a permanent folder.

Next, open HijackThis, click the 'Scan' button, and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: Locators.com Search Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3E} - C:\WINNT\system32\Locators.dll (file missing)
O3 - Toolbar: Locators.com Links Bar - {E720B458-B65A-438C-9FF3-B1DF65D7DB3F} - shdocvw.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [w0334de2.dll] RUNDLL32.EXE w0334de2.dll,I2 000dccf700334de2
O4 - HKCU\..\Run: [Microsoft Configure1 32] msoftconf1.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll (file missing)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\system32\Locators.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Close all windows except HijackThis, and click the "Fix Checked" button.

Locate and delete the following files (If Present):

C:\windows\system32\blank.htm
C:\WINNT\system32\Locators.dll
C:\WINNT\cfg32s.dll

Click "Start --> Search". Search for and delete the following files:

msoftconf1.exe
w0334de2.dll

Next, please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post as well as a new HijackThis log.

Danny

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#12 bh35

New Member

Authentic Member
11 posts

Posted 09 June 2006 - 04:07 PM

Hi,

The 5 files that you had me locate/search for were not present. There was a "blank.htm" located in a different directory...program files/common files/microsoft shared/stationary..., but I did not delete it. Should I?
Attached are the two reports:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, June 09, 2006 4:41:07 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 9/06/2006
Kaspersky Anti-Virus database records: 199573
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 17911
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:26:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Culp\Desktop\Computer Maintenance - BH\XoftSpy422_183.exe/stream/data0012 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Culp\Desktop\Computer Maintenance - BH\XoftSpy422_183.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Culp\Desktop\Computer Maintenance - BH\XoftSpy422_183.exe NSIS: infected - 2 skipped
C:\Program Files\XoftSpy\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\XoftSpy\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\XoftSpy\uninstall.exe NSIS: infected - 2 skipped
C:\stp.exe/data0006 Infected: Trojan-Downloader.Win32.PurityScan.cf skipped
C:\stp.exe NSIS: infected - 1 skipped
C:\stub_venthh.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\WINNT\cfg32p.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\WINNT\system32\TFTP2512 Infected: Backdoor.Win32.Agent.ri skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 4:49:39 PM, on 6/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\Documents and Settings\Culp\Desktop\Computer Maintenance - BH\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\system32\PPCRunOnce.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe"
O4 - Startup: Epson Other Registration.lnk = C:\EPSONREG\EPSONREG.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VetMsgNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

#13 Danny_

Emeritus-The Malware Remover

Authentic Member
1,323 posts

Posted 13 June 2006 - 05:29 PM

Hi,

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\stp.exe
Click on the submit button
Tell me the results in your next reply.

Now, Open HijackThis, click the "Scan" button, and check the following items:

O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)

Close all windows except HijackThis, and click the "Fix Checked" button.

Next, delete the following files/folders (if they exist):

C:\stp.exe
C:\WINNT\system32\TFTP2512

Reboot, and post a new HijackThis log as well as the Jotti results.

Danny

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how!

Proud member of ASAP since 2005

#14 bh35

New Member

Authentic Member
11 posts

Posted 14 June 2006 - 09:48 AM

Danny,

Here are the two logs.
Thanks

File: stp.exe
Status: INFECTED/MALWARE
MD5 f237973c736ca22885b81a6c2e6dda81
Packers detected: -
Scanner results
AntiVir Found Dropper/Dldr.PurityScan.CF.1 dropper
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.MediaTicket
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.PurityScan.cf
NOD32 Found probably a variant of Win32/Adware.MediaTickets application (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.PurityScan.cf

Logfile of HijackThis v1.99.1
Scan saved at 9:58:20 AM, on 6/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\Documents and Settings\Culp\Desktop\Computer Maintenance - BH\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\system32\PPCRunOnce.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\CAVRID.exe"
O4 - Startup: Epson Other Registration.lnk = C:\EPSONREG\EPSONREG.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VetMsgNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe

#15 bh35

New Member

Authentic Member
11 posts

Posted 20 June 2006 - 09:27 PM

Danny, I haven't received a response in a while, and was wondering if my problems were resolved or required more work. Please let me know the status. Thanks, Bryan

Body Background

skin color theme