My HJT log


12 replies to this topic

#1 OFFLINE   ChopperFucker

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 19 March 2006 - 05:15 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:14:17 AM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://scotts.eprize.net/speedintogreen/in...hupwju0cw27l2j5
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://nascarsetups.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Owner\My Documents\AIM\aim.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126145627593
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 19 March 2006 - 08:41 AM

Hi ChopperF****r, welcome to the forum.

Can you do a search on your system, Start Menu > Search > choose All files and folders then scroll down to 'Advanced Options', place a check next to 'Search System Folders' 'Search Hidden Files and Folders' & 'Search Subfolders' then enter this:

winlog.exe

Find out if it's in the Windows folder or System32, then go to one of these two sites and have it scanned for malware:

http://virusscan.jotti.org/

http://www.virustotal.com/

You can copy and paste the results from Jotti's and on VirusTotal you can left click and cover the results then press Control and C together to copy to clipboard then paste it back.

Next run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back with the winlog file results.

Cheers

Andy

#3 OFFLINE   ChopperFucker

Posted 19 March 2006 - 09:13 PM

When I searched for winlog.exe nothing came up.

Panda is running now, so far it's found 44 spyware detected files. I'll post back when it's done.

#4 OFFLINE   AndyManchesta

Posted 19 March 2006 - 09:17 PM

Hi Again

Yes, it looks like a Virus/Worm entry, but I just wanted the file to be scanned to see what infection it is before fixing it. If you are sure that the file isn't on the system and you have enabled the advanced options when searching, then its startup entry can be fixed.

Run Hijack This and choose Do A System Scan then place a check next to this entry

O4 - HKLM\..\RunServices: [winlog] winlog.exe

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Post back the Panda log when it's finished and we can see what else needs removing.

Thanks Andy

#5 OFFLINE   AndyManchesta

Posted 19 March 2006 - 09:17 PM

EDIT: Removed Double post, It kept going to a 'Page cannot be displayed' error screen when I sent it, I've just been able to get back into this area and noticed it made the same post twice :)

#6 OFFLINE   ChopperFucker

Posted 19 March 2006 - 09:46 PM

Incident Status Location

Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\baseprocthisidle\AntiSoap.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@burstnet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@ct.360i[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@data.coremetrics[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@doubleclick[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@gostats[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@mediaplex[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@microsofteup.112.2o7[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@searchportal.information[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@statse.webtrendslive[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@trafficmp[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@www.myaffiliateprogram[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Stephney\Cookies\stephney@yadro[1].txt
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Adware:Adware/WeatherCast Not disinfected C:\Program Files\MyEmoticons\VVSNI_S3_MYEM_Inst.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\system32\f3PSSavr.scr


I searched again and I found winlog.exe. It's in C:\WINDOWS\system32\ The first time I must have done something wrong. Anyway, I scanned it on those 2 sites you posted and no viruses were found.

#7 OFFLINE   AndyManchesta

Posted 19 March 2006 - 10:00 PM

It looks like you have picked up the LOP infection by installing Messenger Plus and accepting the sponsor program. The sponsor is LOP, so usually it's easier to remove Messenger Plus from the Add/Remove screen and choose to also remove the sponsor, which will take LOP with it. As you have no signs of LOP in the Hijack Log and the scanner has only found one folder, it may not be needed, as just removing that folder might be enough. Most of the Panda scan found cookies, so they are more of a privacy concern than a Spyware threat. They can easily be removed using Ccleaner by pressing the Run Cleaner button.

You will have to set Windows to show hidden files and folders to find all these files below:

To enable hidden files: Click Start. Go to My Computer then c:\drive

Select the Tools menu from the top bar and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have removed the files by opening the same page and pressing the restore defaults button.

Next remove these files from the system by following the path to the file (example for System32 you open C:\drive then the Windows folder then System32) but let me know if you have any problems

C:\Documents and Settings\All Users\Application Data\baseprocthisidle <--Remove this folder
C:\Program Files\MyEmoticons <--Remove this folder
C:\WINDOWS\system32\f3PSSavr.scr <--Remove this file

To be sure there aren't other problems on the system, can you install and run Ewido?

Download Ewido from Here

When installing, under Additional Options uncheck Install background guard and Install scan via context menu. Run Ewido. On the left hand side of the main screen click Update, then click on Start Update.
The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
Click on Scanner, then click Complete System Scan. If Ewido finds something, it will pop up a notification. Select Remove and check the boxes Perform action with all infections and Create encrypted backup, then click on OK. When the scan finishes, click on Save Report and save it to your desktop or c:/drive and post back the results.

I just saw the part about Winlog.exe. There is a genuine Microsoft file called Winlogon.exe, so make sure it's not that which was uploaded. If it's called Winlog.exe, can you send it to me? Open System32 and find the Winlog.exe file, right click the file and choose Send To then Compressed (zipped) Folder. This will make a copy of the file and add it to another area of System32 in a folder with a zip icon. Can you then send that file as an attachment via email to AndyManchesta@hotmail.com, as I'd like to check it before saying it's safe.

Thanks

Andy

#8 OFFLINE   ChopperFucker

Posted 19 March 2006 - 10:22 PM

lol yeah it was Winlogon.exe that was my mistake... I can't find anything when searching for Winlog.exe

Ewido is done searching and nothing was found.

Thanks for the fast replies and help. Other times when I've had problems sites like these take days to get people to help you on lol

Only thing left now is that I can't find Winlog.exe, what does that mean ?

#9 OFFLINE   AndyManchesta

Posted 19 March 2006 - 10:47 PM

No Problem

I agree that some Hijack This sites will keep you waiting for days to reply. It's mainly because they have a lot of visitors and only a small amount of helpers, so it can lead to the helpers only taking logs that are a few days old before looking at the new ones as they try to catch up.

It's not a problem if you cannot find Winlog.exe. It's added a startup entry in the registry, which is the O4 line, to make it start with Windows, but it wasn't in your running processes, so it's possible that it's already been removed from the system. With it not having a path to the file and only showing Winlog.exe, it indicates the file is either in the Windows folder or System32, so we can create a small batch file that will check for the file just to be sure it doesn't exist.

Can you open Notepad (Start Menu > run > type notepad and press OK)

Then copy and paste the contents of the code box into Notepad:

@echo off
REM Check the Windows folder and System32 for winlog.exe and record the result in files.txt
IF EXIST "%systemroot%\winlog.exe" echo **%systemroot%\Winlog.exe present**>>files.txt
IF NOT EXIST "%systemroot%\winlog.exe" echo %systemroot%\Winlog.exe not present!>>files.txt
IF EXIST "%systemroot%\System32\winlog.exe" echo **%systemroot%\System32\Winlog.exe present**>>files.txt
IF NOT EXIST "%systemroot%\System32\winlog.exe" echo %systemroot%\System32\Winlog.exe not present!>>files.txt
REM Show the result in Notepad, then delete the temporary file once Notepad is closed
notepad files.txt
del files.txt
EXIT

Go to File on the top bar of Notepad and choose Save As. On the Save As Type change it to All Files, name it check.bat and save it to your desktop.

Double click check.bat; you will just notice a cmd screen open then close and then open Notepad. If it shows the file was not found in both folders, it's already been removed by some protection software and it's just left the startup entry in place, which can be fixed using Hijack This.

Are you having any problems on the PC?

We can run more scanners if you feel it's needed, but with Panda and Ewido showing only minor problems it's looking good :)

Andy
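
Added example, not part of the original thread or any poster's code: the reasoning in the post above (an O4 startup entry with no path, whose file is not among the running processes, and whose name sits close to the genuine winlogon.exe) written as a small Python triage over a HijackThis log. The function names parse_hjt and triage_o4, the 0.8 similarity threshold and the trimmed sample log are assumptions made for this illustration.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed sample: a trimmed copy of lines from the HijackThis log in post #1.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [winlog] winlog.exe
"""

# Registry-style O4 lines only: "O4 - <key>: [<value name>] <command>".
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable part of the command, without arguments or surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|scr|pif))\b', re.IGNORECASE)


def parse_hjt(log_text):
    """Return (running process paths, O4 entries) from a HijackThis log."""
    running, entries, in_procs = [], [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                running.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return running, entries


def triage_o4(log_text, similarity=0.8):
    """Flag O4 entries that have no path, are not running, or mimic a running name."""
    running, entries = parse_hjt(log_text)
    running_names = {ntpath.basename(p).lower() for p in running}
    findings = []
    for e in entries:
        m = EXE_RE.match(e["cmd"])
        exe = m.group("exe") if m else e["cmd"]
        base = ntpath.basename(exe).lower()
        notes = []
        if not ntpath.dirname(exe):
            notes.append("no path")          # resolved via Windows/System32 search
        if base not in running_names:
            notes.append("not running")
            for other in sorted(running_names):
                if SequenceMatcher(None, base, other).ratio() >= similarity:
                    notes.append("resembles " + other)
        if notes:
            findings.append((e["key"], e["name"], base, notes))
    return findings


if __name__ == "__main__":
    for key, name, base, notes in triage_o4(SAMPLE_LOG):
        print(f"{key} [{name}] {base}: {', '.join(notes)}")
```

On the sample, only the [winlog] entry is reported; the two entries that carry a full path and match a running process pass without notes.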

#10 OFFLINE   ChopperFucker

Posted 19 March 2006 - 11:26 PM

C:\WINDOWS\Winlog.exe not present!
C:\WINDOWS\System32\Winlog.exe not present!

#11 OFFLINE   AndyManchesta

Posted 19 March 2006 - 11:28 PM

Good to see :)

You can just fix that O4 Winlog entry then, and if you're not having other problems it's looking fine.

Andy

#12 OFFLINE   ChopperFucker

Posted 20 March 2006 - 12:40 AM

Only other problem I have now is when I log into the admin account (mine), when the desktop comes up and stuff it takes a few mins before everything is stopped so I can go into a program; if not, when I click on something it takes a while for it to come up. But I can get on the other account and it is much faster. The only programs I have that start up when the computer does are my firewall and anti-virus. I scan for viruses every week and use ccleaner every day and ad-aware about every other day, so I'm confused on what it might be. After that everything comes up instantly.

#13 OFFLINE   AndyManchesta

Posted 20 March 2006 - 01:20 AM

It might be Zone Alarm that's causing the delay. I get that on my system, where it takes a while booting until Zone Alarm is up and running, then it's fine (but not a few minutes). You can right click the system tray or press Control + Alt + Delete together after a reboot and check Task Manager's processes tab to see what's taking up the CPU usage. If it's not Zone Alarm that's causing it, try running the system file checker if you have the Windows disk.

Place the disk into the CD-ROM drive, then go to Start menu > Run > and type

SFC /SCANNOW

Press OK and it will check the protected Windows files, and if any are damaged or missing they will be replaced using the disk.

Does your Anti-Virus program keep any logs of the files it removes? I will have to re-check your log but I think it was AVG. It would be useful to find out what that winlog.exe file was, as the name is used by different Trojans and Viruses such as the Agobot Worm; the only reference I can find to that specific run key value [winlog] = winlog.exe has it listed as unknown Adware, which isn't much help.

Try checking Task Manager's processes tab when the system reboots and running the System File Checking feature, and let me know if it continues.

Andy