Work Machine HJT log

65 replies to this topic

#1   krit86lr

    Power Member

  • Members
  • 1,958 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 05 April 2006 - 12:41 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:33:27 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: XXX.XXX.XX.XX auto.search.msn.com
O1 - Hosts: XXX.XXX.XX.XXX search.netscape.com
O1 - Hosts: XXX.XXX.XX.XXX ieautosearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize313.exe"
O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk145YYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...e8b1d7686ab8d56
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)


How does it look Rock Stars?!?! :D

#2   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 05 April 2006 - 01:14 AM

The computer has a couple of infections, krit. You're either going to have to tell your IT department (if there is one. I have no clue what your job is.) or clean it up yourself.

This computer doesn't even have an antivirus. Run the usual antispyware scans. :D

#3   krit86lr

Posted 05 April 2006 - 01:26 AM

rridgely, on Apr 4 2006, 08:14 PM, said:

The computer has a couple of infections, krit. You're either going to have to tell your IT department (if there is one. I have no clue what your job is.) or clean it up yourself.

This computer doesn't even have an antivirus. Run the usual antispyware scans. :D

There isn't an IT department. (Can't you tell? :P )

The computer is seriously soooo slow that I wanted to know if there were infections before running the scans, because it is going to take a very long time.

Will the scans alone clean it all up?

#4   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 April 2006 - 02:07 AM

Hi K :)

As RR said, you're best installing an antivirus, Ewido and Adaware and running them on full scans, as there is a fair amount of junk showing.


O1 - Hosts: XXX.XXX.XX.XX auto.search.msn.com
O1 - Hosts: XXX.XXX.XX.XXX search.netscape.com
O1 - Hosts: XXX.XXX.XX.XXX ieautosearch

I'm not sure if you have replaced the numbers with X's, but they are added by IGetNet adware. It's used to redirect requests through their servers and display ads if keywords are matched.

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL

Another IGetNet entry, more info Here

O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll


WinTools adware, usually quite difficult for some scanners to remove due to 3 exe files protecting each other and one part running as a Windows service, but it's only showing one line in the log. Go to the Add/Remove screen and check for WebSearch Toolbar, TS Toolbar or Search Toolbar and remove if found, then fix the entry. If you have any problems there is a fixtool from Symantec Here.

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)

This is a Bargain Buddy/Cashback entry, but the file is missing so it may have already been removed. Check the Add/Remove screen for Bargain Buddy, Cashback or The BullsEye Network and remove if found, then fix the entry.

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize313.exe"

Adware from Avenue Media - remove Internet Optimizer from the Add/Remove screen, then fix the entry and remove the Internet Optimizer folder from the Program Files area. Symantec has a fixtool Here if needed.

O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe

Might be a VX2 file. Run Adaware and then install the VX2 cleaner plugin from Here. With it being randomly named it's hard to know what it is, but you could upload it at Jotti's or VirusTotal. After fixing, remove the Qdztn folder.

O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b

IGetNet; after fixing, remove the WinStart001.EXE file.

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Again, might be a VX2 file. It would help if you can upload this and let us know the results before removing the AutoUpdate folder.

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk145YYUS

MyWebSearch related. FunWebProducts is in the O16 area, so it's probably come from that and can be fixed unless you want the MyWeb menu item.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Added by Microsoft initially, but they are Alexa related (creates a menu item that points to a web page stored on your PC that points to an MSN search page that uses the Alexa engine :D ). They can be fixed, or run Spybot as that will fix them.

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http:// public.windupdates.com/get_file.php...e8b1d7686ab8d56

WindUpdates Adware

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http:// ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab

FunWebProducts - optional, as it uninstalls without problems, but it bundles the MyWeb Toolbar and Search Assistant, and it's already been used so isn't required now.

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.X.X

Again, not sure if you added the X's to hide the IP addresses, but they should be your ISP's DNS servers.

O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe (file missing)

Bargain Buddy entry

Optional

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

This is often added by a tweaking tool and is not a problem. There is a folder in the IE Favorites menu called Links; if you remove it then it's recreated, but if the LinksFolderName reg value is changed or equals a blank string you can remove the Links folder without it coming back. It's fine to ignore it, but if it's fixed it will just return the value to the default = Links.

Run some scans and install some protection, K, then run Panda or another online scanner to make sure there is nothing left. Let us know if you have any problems.

Andy
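Andy's walk-through above reads each HJT line against a handful of patterns: hosts-file overrides of search domains, orphaned "(file missing)" references, a Run entry with a random-looking name and folder, and unnamed ActiveX (O16) downloads. The Python script below, an added example that is not code from this thread or from HijackThis, automates that first-pass triage over a copy of the lines from the first log in the thread (addresses redacted as in the post). The heuristics, category wording and the short search-domain list are assumptions made for this illustration; a hit means "look at this line", not "this is malware".

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread, not code from the posts or from HijackThis.
Flags the patterns the analysis in post #4 keys on (heuristics are assumed):
  * O1   hosts-file entry pointing a name at a non-loopback address
  * any  "(file missing)" entry: an orphaned registry reference
  * O4   Run entry whose value name AND parent folder have no vowels,
         like [Xjrwpsjz] C:\\Program Files\\Qdztn\\Bqxv.exe
  * O16  ActiveX download (DPF) with no registered friendly name
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # hosts entries to these are blocks, not redirects
SEARCH_DOMAINS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}  # from the log
VOWELS = set("aeiouy")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# Value name in [...], then an optionally quoted path ending in an executable
# extension; trailing command-line arguments are ignored.
RUN_RE = re.compile(
    r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?'
    r'(?P<path>[^"]*?\.(?:exe|dll|com|bat|scr))(?=["\s]|$)',
    re.IGNORECASE,
)
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?P<name> \([^)]*\))? - (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def looks_random(token: str) -> bool:
    """True for an alphabetic token of 4+ letters that contains no vowel at all."""
    letters = re.sub(r"[^A-Za-z]", "", token)
    return len(letters) >= 4 and not (set(letters.lower()) & VOWELS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")

        if "(file missing)" in body:
            findings.append(Finding(code, "referenced file is missing; orphaned entry left behind, fix it", line))

        if code == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOOPBACK:
                why = "hosts-file override to a non-loopback address"
                if h.group("host").lower() in SEARCH_DOMAINS:
                    why += " for a browser search domain (search hijack)"
                findings.append(Finding(code, why, line))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                parts = r.group("path").split("\\")
                parent = parts[-2] if len(parts) >= 2 else ""
                if looks_random(r.group("name")) and looks_random(parent):
                    findings.append(Finding(code, "Run entry with random-looking value name and folder; upload the file for identification", line))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d and not d.group("name"):
                findings.append(Finding(code, "ActiveX download (DPF) with no registered friendly name", line))
    return findings


# Lines copied from the first log in the thread (addresses redacted as in the post),
# plus a process-list line to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: XXX.XXX.XX.XX auto.search.msn.com
O1 - Hosts: XXX.XXX.XX.XXX search.netscape.com
O1 - Hosts: XXX.XXX.XX.XXX ieautosearch
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...e8b1d7686ab8d56
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)
"""


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}")
        print(f"     {f.line}")


if __name__ == "__main__":
    main()
```

On the sample it reports nine lines: the three hosts redirects, the three "(file missing)" entries, the Qdztn\Bqxv.exe Run entry and the two unnamed O16 downloads, while the legitimate [msnmsgr] and [ctfmon.exe] entries pass because their folders have ordinary names. The WMP54GSVC service shows why a "(file missing)" hit is only a prompt to look: that one is a mis-quoted but legitimate Linksys entry, which is exactly the kind of judgement the thread's reviewers apply by hand.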

#5   krit86lr

Posted 05 April 2006 - 03:55 AM

Okay, I'm still working on it. There is a lot to do.

I have a question: What should I use for protection? Isn't it illegal to use free AV products on a work machine? Maybe eTrust would be okay?

I can't use Windows Defender because my computer is missing something. So maybe TeaTimer, SpywareBlaster, and DSOStop2 are the only protection that I can use. :(

Oh, well. Current Status...
1. CWShredder Fixed 3 problems.
2. Ewido cleaned 114 infected objects.
3. Adaware is still scanning, but has found 70 total so far. Adaware finished with 97 objects.


Oh my.... :o

BTW - Thanks everyone! :D

#6   krit86lr

Posted 05 April 2006 - 04:07 AM

This is the new HJT log after removing over 200 infected objects.


Logfile of HijackThis v1.99.1
Scan saved at 11:04:40 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steph\Desktop\K DOCS\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccleaner.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.XX.XXX,XXX.XX.X.X
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XXX.XXx,XXX.XXX.X.X
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)

#7   AndyManchesta

Posted 05 April 2006 - 04:17 AM

Hi K ,

eTrust should be fine to use. I don't think Windows Defender is essential to install, with it being a beta test, and the alternative products you mention, especially Spybot's Immunize and SpywareBlaster, will help keep the PC clean.

These are still showing in the log.

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)

O4 - HKLM\..\Run: [Xjrwpsjz] C:\Program Files\Qdztn\Bqxv.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http:// ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab


Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Then remove these folders:

C:\Program Files\Qdztn\
C:\Program Files\Common Files\WinTools\


And finish off with a scan at Panda Activescan.

#8   krit86lr

Posted 05 April 2006 - 04:20 AM

I'm running the Symantec Websearch Removal tool now, because it won't go away. I hope that this works. (Wish me luck)

#9   AndyManchesta

Posted 05 April 2006 - 04:23 AM

If it's the O2 that will not go away, then make sure all browser windows are closed first before fixing the entry, and if it remains try removing it in Safe Mode.

Good Luck :)

#10   krit86lr

Posted 05 April 2006 - 04:33 AM

Is she pretty now? :D

Logfile of HijackThis v1.99.1
Scan saved at 11:26:41 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Steph\Desktop\K DOCS\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ccleaner.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E14B86-D800-4DAA-B9FE-1855A2AD6200}: NameServer = XXX.XXX.14.XXX,XXX.XXX.1.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED29B642-20B6-499C-B4CC-200B05CDD7FD}: NameServer = XXX.XXX.XX.XXX,XXX.XXX.1.8
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe" "WMP54G.exe (file missing)

AndyManchesta, on Apr 4 2006, 11:17 PM, said:

Then remove these folders:

C:\Program Files\Qdztn\
C:\Program Files\Common Files\WinTools\


And finish off with a scan at Panda Activescan.

I can't find these program files. Is that okay?

#11   AndyManchesta

Posted 05 April 2006 - 04:35 AM

Nice work, K,

That's a clean log :)

Just need some AV protection and then run an online scanner to make sure there are no leftover files.

About the files to remove: the scanners might have already removed them and just left the run commands in place. Set Windows to show hidden and system files and see if they can be found.

Reconfigure Windows to show hidden files:

Click the My Computer icon, then the C:\ drive. Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm. Click OK. (Press Restore Defaults after checking for the files to hide the folders again.)

#12   krit86lr

Posted 05 April 2006 - 04:36 AM

AndyManchesta, on Apr 4 2006, 11:35 PM, said:

Nice work, K,

That's a clean log :)

Just need some AV protection and then run an online scanner to make sure there are no leftover files.

Sweet! I'll finish it up in the morning. :D

Thanks for the help. ;)

#13   AndyManchesta

Posted 05 April 2006 - 04:42 AM

No problem. I edited my last post after seeing your question about the files.

Chat to you later

Andy

#14   krit86lr

Posted 05 April 2006 - 05:59 AM

I went ahead and installed AVG for the time being. I'll install eTrust tomorrow. I wanted something to keep it safe since it's clean now. :D

I'll double check the files again tomorrow, and start the online scanner when I leave.

There are some extra towers in the office that match mine, so I'm going to pull the memory cards and put them in my tower tomorrow. My boss isn't going to know what to do with me. ;)

Now I just need to get the stupid thing to defrag! :lol: (3rd party tools will be needed)


I used CCleaner to clean up because the Disk Cleanup kept stalling. CCleaner actually couldn't even handle all of the crap. I had to check 1 box at a time the first round, but now it's working properly.


Thanks again. Later!
K

#15   krit86lr

Posted 06 April 2006 - 07:31 PM

I just ran eTrust and it found 4 Win32/Propo. Are these false positives by any chance?

#16   AndyManchesta

Posted 06 April 2006 - 07:41 PM

Hi K

If it's finding Propo then it's worth running Blacklight or Rootkit Revealer just to make sure it's not the rootkit variant of Apropos; it's simple enough to remove if it is. Does it let you know where the files are?

#17   krit86lr

Posted 07 April 2006 - 01:30 AM

AndyManchesta, on Apr 6 2006, 02:41 PM, said:

Hi K

If it's finding Propo then it's worth running Blacklight or Rootkit Revealer just to make sure it's not the rootkit variant of Apropos; it's simple enough to remove if it is. Does it let you know where the files are?

The files were in C:\Documents and Settings\username\Temp....

The file names are/were:
Win32/Propo
1. ic3plug.exe
2. jetceng.exe
3. jobueng.exe
4. solime.exe

I'll try your suggestion now. BTW, is Trojan Hunter good?


Thanks :)

Why can't I unzip the file with Windows 2000? Is there a trick or something? <_< :P

Okay, Blacklight didn't find anything. Does that mean that I'm okay? :P


Bummer though is that the popups are still here, but not as bad. I just don't understand why popups are opening IE windows and I am using FF. <baffling> haha

#18   AndyManchesta

Posted 07 April 2006 - 01:31 AM

Hi K

I've never tried Trojan Hunter, K, but it sounds good and it is recommended on a lot of sites. If you get the warning again for the files, can you send them to me using the Suspicious File Packer and I will see what they are.

Please download Suspicious File Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Insert the full path to the file(s) into the SFP window, one per line, then click "Continue".

Email the created .cab file to AndyManchesta[AT]hotmail.com.

Hopefully CA was able to remove them and it's now clean :)

Andy

#19   krit86lr

Posted 07 April 2006 - 01:33 AM

AndyManchesta, on Apr 6 2006, 08:31 PM, said:

Hi K

I've never tried Trojan Hunter, K, but it sounds good and it is recommended on a lot of sites. If you get the warning again for the files, can you send them to me using the Suspicious File Packer and I will see what they are.

Please download Suspicious File Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Insert the full path to the file(s) into the SFP window, one per line, then click "Continue".

Email the created .cab file to AndyManchesta[AT]hotmail.com.

Okay, but how do I unzip in Windows 2000? It doesn't give me the options to unzip... :P (I'm out of practice ;) )

#20   AndyManchesta

Posted 07 April 2006 - 01:43 AM

Here is a link to the sfp.exe file; just right-click the link and choose Save Target As, but it probably will not be needed if they have already been removed.