

IE Google Redirect


16 replies to this topic

#1 OFFLINE   DBR

    Newbie

  • Members
  • Pip
  • 9 posts

Posted 07 March 2006 - 09:31 PM

When I do a search on google (Mozilla works fine) then I click on a link it takes me to several different types of sites, but not the one listed.

Here is my file. I have tried every (I think every) scanner etc. with no success.

I have trendmicro enterprise edition antivirus and have scanned with that and their spyware program (comes up with nothing)
I have ad-aware and spybot (these both freeze up at c:\documents and settings\user\local...\temp\temporary internet files); it tends to stop on a file 0000cb0b.js, not sure what that is.

I ran the ewido anti 3.5 which locks up at the same folder.

I have run CWshredder; it doesn't come up with anything, but does not freeze up either.

After the above programs freeze I usually get 2 error windows
1 read something like this "SecuritySuite.exe has encountered a problem and needs to close. We are sorry for the inconvenience." with
2 then a "Windows explorer has encountered a problem and needs to close" with Debug, send error, or don't send as options

After I choose any of them all windows close.

ANY Help is GREATLY appreciated!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 4:17:46 PM, on 3/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$CRM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\KH5AA9.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...shp?hl=en&gl=us
R3 - URLSearchHook: (no name) - {4F2528BF-82D6-80A3-395C-4E8EB5427E23} - stuffmon.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [xxtoolbar] new32.exe
O4 - HKLM\..\Run: [WinInitDll] scanSYS.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [uio] br0ken.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [Shaitan1678] msag.exe
O4 - HKCU\..\Run: [control64] sound64.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://melissa.dbr.local:4343/officescan/c...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://melissa.dbr.local:4343/officescan/c...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://melissa.dbr.local:4343/officescan/c...stall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://melissa/Viewe...tiveXViewer.Cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://melissa.dbr.local:4343/SMB/console/...root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://melissa.dbr.local:4343/officescan/c.../RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141271764515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {93472245-8025-40BF-884F-FAC053BB64DD} (Microsoft CRM Import for Outlook Client) - http://localhost:252.../BulkImport.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://melissa.dbr.local:4343/SMB/console/.../AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DBR.local
O17 - HKLM\Software\..\Telephony: DomainName = DBR.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D63770-D34B-4741-9818-06A03BAA2365}: NameServer = 85.255.116.123,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\..\{B233EEAC-03F7-493A-966B-A5DCB8572B3A}: Domain = dbr.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B233EEAC-03F7-493A-966B-A5DCB8572B3A}: NameServer = 10.0.1.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE65EDA-4267-4F5E-9B9E-0EDC96C8F4FA}: NameServer = 85.255.116.123,85.255.112.89
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DBR.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dbr.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{A0D63770-D34B-4741-9818-06A03BAA2365}: NameServer = 85.255.116.123,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dbr.local
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Thanks in advance for any help!!!!

DBR

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 08 March 2006 - 12:10 AM

Hi DBR & Welcome To The Forum,

Your I.E. searches are being hijacked by some nice people in the Ukraine :)

Here's some details provided by dnsstuff.com about where your search requests are re-directing to.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout by LonnyRJones from one of these sites:

FixWareout-Link1

FixWareout-Link2

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, a text file (report.txt) will open. Please post the full contents of that report back.

Next go to Add/Remove Programs (Start Menu > Control Panel > Add or Remove Programs) and remove this if it still exists:

UnSpyPC

Once that's done Run Hijack This and choose 'Do A System Scan Only' then place checks next to these entries if they are still in the list :

R3 - URLSearchHook: (no name) - {4F2528BF-82D6-80A3-395C-4E8EB5427E23} - stuffmon.dll (file missing)

O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [xxtoolbar] new32.exe

O4 - HKLM\..\Run: [WinInitDll] scanSYS.exe

O4 - HKCU\..\Run: [uio] br0ken.exe

O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

O4 - HKCU\..\Run: [Shaitan1678] msag.exe

O4 - HKCU\..\Run: [control64] sound64.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D63770-D34B-4741-9818-06A03BAA2365}: NameServer = 85.255.116.123,85.255.112.89

O17 - HKLM\System\CCS\Services\Tcpip\..\{ECE65EDA-4267-4F5E-9B9E-0EDC96C8F4FA}: NameServer = 85.255.116.123,85.255.112.89

O17 - HKLM\System\CS1\Services\Tcpip\..\{A0D63770-D34B-4741-9818-06A03BAA2365}: NameServer = 85.255.116.123,85.255.112.89


Close all open Browser and other windows except for Hijack This then press the Fix Checked button.

FixWareout should remove the files, so we will leave them for now until I see the Report.txt file.

Run Hijack This again and this time choose 'Do a system scan and save the logfile'. Post that back with the Wareout Report and we can continue with the clean up.

All The Best

Andy
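
The entries picked out in the reply above share traits that are visible in the log itself: an O1 hosts line in the wrong order, O4 Run values with no directory, and O17 NameServer values outside the machine's own network. As an added example (not part of the original thread, and not how HijackThis or FixWareout work internally), the Python sketch below applies those three checks to lines copied from DBR's log; the function names and the heuristics are assumptions, and a hit means "review this entry", not "malicious".

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [xxtoolbar] new32.exe
O4 - HKCU\..\Run: [uio] br0ken.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DBR.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D63770-D34B-4741-9818-06A03BAA2365}: NameServer = 85.255.116.123,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\..\{B233EEAC-03F7-493A-966B-A5DCB8572B3A}: NameServer = 10.0.1.10
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                        # "O4 - <body>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$")  # "HKLM\..\Run: [name] cmd"
NAMESERVER_RE = re.compile(r": NameServer = (.+)$")
ABSOLUTE_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')            # C:\..., \\server\..., %VAR%


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def check_hosts(body):
    """O1: a hosts line reads '<ip> <name>'; report one that does not start with an IP."""
    if not body.startswith("Hosts: "):
        return []
    tokens = body[len("Hosts: "):].split()
    if tokens and not _is_ip(tokens[0]):
        return [("O1", "hosts line does not start with an IP address", " ".join(tokens))]
    return []


def check_run(body):
    """O4: report Run values whose command has no directory, so the log hides where the file is."""
    m = RUN_RE.match(body)
    if m and not ABSOLUTE_RE.match(m.group(2)):
        return [("O4", "Run value has no directory", f"[{m.group(1)}] {m.group(2)}")]
    return []


def check_nameserver(body):
    """O17: report each DNS server that is not in private address space (heuristic only)."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    findings = []
    for token in re.split(r"[,\s]+", m.group(1).strip()):
        if _is_ip(token) and not ipaddress.ip_address(token).is_private:
            findings.append(("O17", "nameserver outside private address space", token))
    return findings


CHECKS = {"O1": check_hosts, "O4": check_run, "O17": check_nameserver}


def triage(log_text):
    """Return (code, reason, value) tuples for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        check = CHECKS.get(m.group(1))
        if check:
            findings.extend(check(m.group(2)))
    return findings


if __name__ == "__main__":
    for code, reason, value in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {value}")
```

A public resolver configured on purpose would also trip the O17 check, so compare any hit against the DNS servers the network is supposed to use (here, 10.0.1.10 on the dbr.local adapter).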

#3 OFFLINE   DBR

Posted 09 March 2006 - 02:56 AM

Andy THANK YOU so very much (in advance) for your help. I REALLY appreciate it.

Here is the first item you wanted posted

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6F2E1D78EF2C-7AF8-2FD4-6B5B-75CC4ABA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tvfbj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\diimd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmiid.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMIID.EXE
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
C:\WINDOWS\SYSTEM32\CSVOA.EXE
* csr.exe C:\WINDOWS\System32\CSVOA.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

#4 OFFLINE   DBR

Posted 09 March 2006 - 03:22 AM

Here you go! THANKS!!!!!!!!!


Logfile of HijackThis v1.99.1
Scan saved at 10:06:53 PM, on 3/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$CRM\Binn\sqlservr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\CB719C.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...shp?hl=en&gl=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jbbzg.exe] C:\WINDOWS\system32\jbbzg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://melissa.dbr.local:4343/officescan/c...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://melissa.dbr.local:4343/officescan/c...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://melissa.dbr.local:4343/officescan/c...stall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://melissa/Viewe...tiveXViewer.Cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://melissa.dbr.local:4343/SMB/console/...root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://melissa.dbr.local:4343/officescan/c.../RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141271764515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {93472245-8025-40BF-884F-FAC053BB64DD} (Microsoft CRM Import for Outlook Client) - http://localhost:252.../BulkImport.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E78DE03F-DC83-40DB-B590-8FD80BE5F7C8} (Security Server Management Console) - https://melissa.dbr.local:4343/SMB/console/.../AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DBR.local
O17 - HKLM\Software\..\Telephony: DomainName = DBR.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DBR.local
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



Thanks again Andy, I really appreciate your help! If you ever make it stateside to Georgia, give me a ring and I will take you to lunch or dinner.

FYI, and don't hold this against me, my family is from a small town just west of Glasgow.

Cheers!

#5 OFFLINE   AndyManchesta

Posted 09 March 2006 - 04:53 AM

Hi DBR,

I'm more than happy to help remove this sort of junk from people's systems so it's not a problem. Funny enough, my mother's family are from Govan, which isn't that far from Glasgow (it's a small world :) ).

Regarding Wareout, it uses some rootkit features which usually make it difficult to detect; sometimes the only signs are the 'O1 - Hosts: localhost 127.0.0.1' appearing in HJT and the redirections that you mention, but it didn't try to hide itself on your system so it made it easier to help. There are still some traces of it showing in your log but I'm sure we can easily get rid of them.

You also have a random named .exe file running from the Windows\Temp folder but I've got a feeling that it's connected to Trend Micro so best to leave it for now until we run some other scanners.

Can you download the attached zip file (DBRFix.zip) and save it to your desktop, Extract the file but no need to run it yet. The batch script inside (DBRFix.bat) will search for the malware files from the first log and also the Wareout files that appear in the report.txt and your latest Hijack Log, If it finds them they will be removed with the exception of IPSEC6.EXE as that's genuine.

The file that's causing your Anti-Spy tools to crash may be unrelated and could be a different infection so we need to run some scanners to be sure the system is clean.

Download Ccleaner if you do not already have it installed, next update the definitions in Ewido but do not run it yet as it will be more effective in Safe Mode assuming there are still malware problems.

Once that's done, reboot into Safe Mode. You can do this by restarting your computer, then keep tapping the F8 key until the Windows Advanced Menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

In Safe Mode run Ccleaner and press the 'Run Cleaner' button to remove the Temp files.

Next Run Hijack This and choose 'Do A System Scan' then place a check next to this entry and press the 'Fix Checked' Button:

O4 - HKLM\..\Run: [jbbzg.exe] C:\WINDOWS\system32\jbbzg.exe

Then open the DBRFix folder and double click DBRFix.bat to start the script, It will only take a few seconds to run and then open the results in notepad and also save the results to c:\drive named 'files.txt' . This will show if any of the files are found in the original scan then will show if any remain after cleanup.

Next run Ewido and choose 'scanner' then click 'Complete System Scan'. If ewido finds something, it will pop up a notification. Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" then click on OK. When the scan finishes, click on "Save Report" and save it to your desktop or c:\drive then post back the results in your next reply.

If it still crashes when it reaches the Temp file then run it again but choose 'Ignore' and 'Perform action with all infections' on the first pop up so it doesn't remove anything (this way it should finish the scan and then you can save the report to show where it's having problems). If it's still crashing then with the report we can use a different program to take out all the files detected.

Reboot the system so it returns back to Normal mode.

Finally run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Cheers

Andy

#6 OFFLINE   DBR

Posted 10 March 2006 - 02:05 AM

Hey Andy


I attached the txt from panda.

Thanks!!!

Attached File  Activescan.txt   1.8K   44 downloads

#7 OFFLINE   AndyManchesta

Posted 10 March 2006 - 02:25 AM

Hi Again

Delete these files:

C:\WINDOWS\system32\jbfrd.exe

C:\WINDOWS\system32\MYDLL.dll


This one's an optional fix as FunBuddyIcons isn't a threat and uninstalls without any issues. If you do not use it, then remove it from the PC:

C:\Documents and Settings\davidr\My Documents\MDR\Melissas documents from desktop computer\FunBuddyIconsSetup2.0.3.7.exe


I'm surprised it didn't remove Trj/PWSteal.AE (jbfrd.exe) as that's a serious problem. It allows an attacker access to your PC and lets them steal personal information and capture screenshots etc.

You really need to consider changing all passwords for any confidential sites you use (banking, eBay, PayPal), email, messenger programs etc. If you have done any banking online recently or paid for services using credit card info, you should also consider contacting the bank and explaining that you have just noticed a Trojan password stealer on the PC; this way they can monitor your account for any changes without your consent.

Apart from that, how are things running? Did Ewido finish the scan and was any malware detected, and did the batch file results show any remaining files (files.txt)?

Andy

#8 OFFLINE   DBR

Posted 10 March 2006 - 02:52 AM

THANKS!!!!!!!!!

I deleted those files. I have installed the MS Defender program and it has been giving me a message about a file "MpCmdRun.exe". What kind of file is this?

You are up late (I am VERY glad!!!!)

Thanks!

I forgot, the scanners are getting past the temp folder now. I

I just got another auto start change message from Defender about an "advpack.dll"

I am going to run ewido again.

#9 OFFLINE   AndyManchesta

Posted 10 March 2006 - 03:10 AM

Yeah, I was just reading my emails and about to go off, then got the notification of your reply so thought I'd see how it was going. After seeing a password stealer in the log it woke me up a bit :)

Windows Defender is good but does let quite a lot past its real-time protection on the default setting unless you use the General tab and set it to notify you of any changes, or use the Spynet tab and set it to Advanced so it gives alerts when something is detected. I recently uninstalled it on mine so cannot give you exact locations for enabling the extra options, but you should find it easy enough. The fact you had Adware, Trojan Wareout and a password stealer running alongside Defender shows it's clearly still in the testing stage. You have Ewido, Spybot and Ad-Aware, so you have plenty of Anti-Spy protection. Spyware Blaster from Here would be a good addition to your tools as it works in a different way and adds malicious sites to the restricted zone so they cannot infect you if you visit them, and also blocks malicious ActiveX-based malware.

MpCmdRun.exe is a part of the real-time protection monitoring for Windows Defender and it's required for signature updating, so it's fine to let it do its own thing :)

EDIT: Just noticed the advpack.dll part - again, that's genuine and used during installations to check for other needed files and read/verify .inf files, so it's fine to let it run

#10 OFFLINE   DBR

Posted 10 March 2006 - 03:42 AM

Before I found this site (and you) I had tried some other things. One thing I did was turn off system restore. I just (about 10 minutes ago) turned system restore back on. That may not mean anything, I just thought I should let you know. Have a great night!

#11 OFFLINE   AndyManchesta

Posted 10 March 2006 - 03:57 AM

Hi, I'll make this one my last for the night as I'm in work in about 5 hours :) You're right about System Restore, it's a good idea to reset the restore points if you have been infected. It's always best to do that once the system is clean so you always have a restore to return to in case something goes wrong; even if it's infected, it's a backup if it's needed. Most anti-virus vendors will state you need to turn off System Restore before scanning but it's really not required. They only say that because they cannot clean any infected files in the restore area. Any infected files in there cannot cause you any problems unless you use System Restore, so it can be left until the system is clean.

Here's a good way of clearing the restore points which doesn't require you to turn it off.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create', then when the confirmation screen shows the restore point has been created click 'Close'.

Next go to Start Menu > Run > type

cleanmgr

Click OK. When Disk Cleanup opens, go to the 'More Options' tab and press 'Cleanup' on the system restore area, which will remove all the restore points except the one we just created.

Hope you have a great night as well. If you have any problems or questions anytime just let us know and I'm always happy to help if I can

#12 OFFLINE   DBR

Posted 10 March 2006 - 12:37 PM

I hope you are having a good day at work on such a short night of sleep. I ran ewido again and attached the report. I believe everything is working okay now. I really cannot thank you enough!!

Have a great weekend!

Attached File  Scan_report_20060310.txt.txt   1.19K   32 downloads

#13 OFFLINE   DBR

Posted 10 March 2006 - 12:53 PM

Hello Andy,

One more question: I am running Microsoft CRM, and now I am getting an IE script error. Any suggestions and/or thoughts? Thanks again in advance!

David

#14 OFFLINE   AndyManchesta

Posted 10 March 2006 - 07:25 PM

Hey David

I'm great thanks, I always enjoy Fridays even after a short night of sleep because it means I have the weekend to myself :)

Ewido's scan looks fine, just a few cookies which are not a problem. Regarding Microsoft's CRM, it's not something I've ever used or know much about. Do you get to see what the IE script errors contain?

There are some references to script errors in Microsoft's Customer Relationship Management on the Microsoft support site, but they may not relate to the issue you are seeing and may be for a different version than what you have installed. If these do not apply, let me know what version you have if possible and what the errors contain, and I will try to find some info on them.

1. An Internet Explorer script error occurs when you try to refresh the Filter Criteria page in Microsoft Business Solutions CRM 1.2

2. Update Rollup 2 is available for Microsoft CRM 1.2 <-- This page contains a lot of references to different support pages for various issues.

3. An update is available to enable Microsoft CRM to work on Microsoft Windows XP Service Pack 2 and on Microsoft Windows Server 2003 Service Pack 1

Andy

#15 OFFLINE   AndyManchesta

Posted 10 March 2006 - 07:50 PM

I just thought of something else that may be worth checking in case Wareout has changed some settings.

Go to Start Menu > Control Panel, and choose Network Connections. Then right-click on your default connection, usually Local Area Connection, and left-click on Properties. Double-click on Internet Protocol (TCP/IP) and make sure there is a check next to Obtain DNS server address automatically. Click OK twice, and restart your computer if you make any changes.
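The HijackThis O4 entry fixed earlier in this thread and the DNS setting checked in the post above can both be read out of a saved HijackThis log; the Python below is an added example, not part of the original thread. It assumes O17 lines in the usual `O17 - <key>: NameServer = <addresses>` layout; the function names, the sample log and the system32 triage heuristic are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname

# Constructed sample in HijackThis log layout. Only the first O4 line is from
# this thread; the other lines, GUID and addresses are made up (RFC 5737 ranges).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [jbbzg.exe] C:\WINDOWS\system32\jbbzg.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.0.2.53 192.0.2.54
O17 - HKLM\System\CS1\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 198.51.100.10,192.0.2.53
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O17_RE = re.compile(r"^O17 - (.+?): NameServer = (.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+\.exe)', re.IGNORECASE)


def parse_autoruns(log):
    """Return a dict per O4 registry autorun: hive, key, value name, target path."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            exe = EXE_RE.match(command)  # strip quotes and arguments if possible
            target = (exe.group(1) or exe.group(2)) if exe else command
            entries.append({"hive": hive, "key": key, "name": name, "target": target})
    return entries


def system32_autoruns(log):
    """Triage heuristic (an assumption, not a verdict): Run targets directly in system32."""
    return [e for e in parse_autoruns(log)
            if basename(dirname(e["target"])).lower() == "system32"]


def static_dns(log):
    """Map each O17 registry key to the hard-coded DNS servers it lists."""
    matches = (O17_RE.match(line.strip()) for line in log.splitlines())
    return {m.group(1): re.findall(r"[^,\s]+", m.group(2)) for m in matches if m}


def unexpected_dns(log, expected):
    """Return {key: servers} for hard-coded DNS servers absent from `expected`."""
    hits = {k: [s for s in v if s not in expected] for k, v in static_dns(log).items()}
    return {k: v for k, v in hits.items() if v}
```

Pass `unexpected_dns` the resolvers your ISP or network administrator actually hands out; anything it returns is a hard-coded server to investigate before trusting the connection again.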

#16 OFFLINE   DBR

Posted 10 March 2006 - 10:17 PM

Thanks again! I checked the LAN and it seems to be fine.

Weird question, I used to be able to type in the name of a web address and hit ctrl-enter which would then put the www. and the .com on the name. IE doesn't do that anymore. Did I change a setting?

Hopefully a pretty easy question compared to the earlier problem.

Have a great weekend!

#17 OFFLINE   AndyManchesta

Posted 10 March 2006 - 10:43 PM

Try this David,

Open an IE browser window and go to Tools on the top bar, then choose Internet Options, click the Content tab, then click the AutoComplete button. Under the heading 'Use Auto Complete for' place a check next to Web Addresses, then press OK to close out the Auto Complete screen and OK again to close the Content options screen.

Let me know if it doesn't work, and also details on the script errors if that's still causing you problems

Regards

Andy