Full Version: help please
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
robdebdan
I think I have a toolbar hijacker and a homepage hijacker; can you help please, in simple terms if possible.
thanks
robdebdan
HijackThis log follows:

Logfile of HijackThis v1.98.2
Scan saved at 21:49:42, on 23/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Hotbar\bin\451~1.0\SBInst.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\winenc32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O3 - Toolbar: hotwebsearch.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\winenc32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm312
O9 - Extra button: NiceMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\NiceMP3 (file missing)
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - http://toolbar2.globalwebsearch.com/toolbar/winenc32.cab
Siggyx
Hi and welcome to the forum.

The first thing we need to do is get you up to date, as both XP & Explorer are missing SP1. There is a Service Pack 2, but I would not install it at this time as there are a few problems with it. If we don't get you those service packs you will just keep getting infected.

Internet Explorer Service Pack 1

http://www.microsoft.com/windows/ie/downlo...p1/default.mspx

Windows XP Service Pack 1

http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Then please do a virus scan,

Panda http://www.pandasoftware.com/activescan/co...n_principal.htm

Then post a new log please.
robdebdan
Hi,
Thanks for your help; I have now done everything you told me to do. Please find below the new scan result as requested.


Incident Status Location

Virus:Trj/Downloader.GK No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI389A.tmp\localNrd.cab[polall1l.exe]
Virus:Trj/Downloader.GK Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI389A.tmp\polall1l.exe
Virus:Trj/Downloader.GK No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI3DCB.tmp\localNrd.cab[polall1l.exe]
Virus:Trj/Downloader.GK Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI3DCB.tmp\polall1l.exe
Virus:Trj/SubSearch.E Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH674PYN\install_pv[1].exe
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[1].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[3].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[4].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[6].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[7].cab[vxiewer.ocx]
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U9123QLC\start[1].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U9123QLC\start[3].htm

Siggyx
Please boot to safe mode (tap F8 while the BIOS loads).

Please empty all your temp folders. DO NOT DELETE THE FOLDERS, ONLY THE CONTENTS.
C:\WINDOWS\Temp\ CONTENTS
C:\Temp\ CONTENTS
C:\Documents and Settings\username\Local Settings\Temp\ CONTENTS
Also delete your Temporary Internet Files: Tools > Internet Options, delete all cookies and files as well as offline files.

Reboot

Step #1

Please download and run Spybot & AdAware SE. Then follow the instructions in the links below to run them.

Spybot Tutorial

AdAware Tutorial

Step # 2

Please do an online scan,

Trend Micro http://housecall.trendmicro.com/

Make sure that you choose "fix" or "clean".

Reboot and post a new HiJackThis log.
robdebdan
Thanks for all the help; I have now completed everything you wanted me to do.
Below is the new log.

Logfile of HijackThis v1.98.2
Scan saved at 22:24:13, on 03/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\ctfmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\dcbeyyfa.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\winenc32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O3 - Toolbar: hotwebsearch.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\winenc32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zgztyz] C:\WINDOWS\System32\dcbeyyfa.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: NiceMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\NiceMP3 (file missing)
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - http://toolbar2.globalwebsearch.com/toolbar/winenc32.cab
Siggyx
Please boot to safe mode (tap F8 while the BIOS loads), then scan again with HijackThis, put a check beside these lines and choose FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\winenc32.dll

O3 - Toolbar: hotwebsearch.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\winenc32.dll

O4 - HKLM\..\Run: [zgztyz] C:\WINDOWS\System32\dcbeyyfa.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - http://toolbar2.globalwebsearch.com/toolbar/winenc32.cab


Then, while still in safe mode, delete these files. You may need to show hidden files; tutorial here >>> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

C:\WINDOWS\System32\dcbeyyfa.exe<<<file
C:\WINDOWS\conscorr.exe<<<file
C:\PROGRA~1\COMMON~1\tsa<<<folder

Reboot and post a new log.

Please move HijackThis to its own folder, C:\HJT for example. It is not recommended that it sit in a temp folder, as the backups that are made could be lost.
robdebdan
Hi,
Thanks for all the help. I have now completed the tasks (I think). :wub:
The files and folder that you wanted me to delete I have left in my recycle bin, as I was not sure if I had done all the correct ones. :blink:

Below is the new log anyway.
Logfile of HijackThis v1.98.2
Scan saved at 01:54:23, on 05/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ctfmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\dcbeyyfa.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Owner\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\winenc32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zgztyz] C:\WINDOWS\System32\dcbeyyfa.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: NiceMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\NiceMP3 (file missing)
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - http://toolbar2.globalwebsearch.com/toolbar/winenc32.cab

Thanks again,
Deb
Siggyx
Download Adaware HERE. Ensure that you check for updates, then close Adaware.

- Close Ad-Aware SE and Ad-Watch (if running)
- Download the free VX2 Cleaner at » http://updates.ls-servers.com/plvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware SE
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

Boot to safe mode (tap F8 while the BIOS loads).

Then scan again with HijackThis, put a check beside these lines and choose FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\winenc32.dll

O4 - HKLM\..\Run: [zgztyz] C:\WINDOWS\System32\dcbeyyfa.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Also put a check beside all of the O16 lines, as they are ActiveX files and will be reloaded if and when you visit those sites again.

Then, while still in safe mode, delete these files. You may need to show hidden files; tutorial here >>> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

C:\WINDOWS\System32\dcbeyyfa.exe<<<file
C:\WINDOWS\conscorr.exe<<<file
C:\PROGRA~1\COMMON~1\tsa<<<folder

Then reboot and post a new log.
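The procedure above amounts to reading a HijackThis log, picking out the IE start/search values that point somewhere the owner never chose and the Run entries that should not be there, then checking the next log to see what actually went away. The script below is an added example written for this thread, not HijackThis code and not something posted by either participant. It parses HijackThis-style R0/R1/O4 lines, flags IE settings whose host is not on an allowlist (the allowlist is an assumption, not from the page), flags Run entries that start rundll32 with a full path to a DLL (a review heuristic, not proof of infection), and diffs a before and after log so that an entry that came back is obvious. The two sample logs are constructed for the example and only mirror lines from this thread.

```python
"""Triage HijackThis-style log lines: flag hijacked IE settings and diff two logs.

Added example for this thread; it is not HijackThis code. The trusted-host
list and the sample log lines below are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: the hosts the machine's owner actually wants as home/search page.
TRUSTED_HOSTS = {"www.ntlworld.com", "uk5.hpwis.com"}

# IE registry values that hijackers rewrite (HijackThis reports them as R0/R1).
HIJACK_VALUES = ("Start Page", "Search Page", "Search Bar", "SearchURL",
                 "SearchAssistant", "Default_Page_URL", "Default_Search_URL")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
R_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<value>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),", re.IGNORECASE)

# Constructed sample logs modelled on the ones posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwebsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [zgztyz] C:\WINDOWS\System32\dcbeyyfa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"""


def parse_entries(log_text):
    """Return (section, body) for every R*/O* line; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def host_of(url):
    """Lower-cased hostname of a URL; tolerates values written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def flag_entries(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (section, reason, body) for entries that should be fixed or reviewed."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1"):
            m = R_RE.match(body)
            if not m:
                continue
            key, value = m.group("key"), m.group("value")
            # The value name follows the comma: "...\Main,Search Page".
            if key.split(",")[-1] in HIJACK_VALUES:
                host = host_of(value)
                if host and host not in trusted_hosts:
                    findings.append((section, f"IE setting points at untrusted host {host}", body))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            # Heuristic: a Run key that hands rundll32 a full path to a DLL is worth a look;
            # a bare module name (e.g. a driver's control panel applet) is left alone.
            dll = RUNDLL_RE.match(m.group("cmd"))
            if dll and "\\" in dll.group("dll"):
                findings.append((section, f"rundll32 loads {dll.group('dll')} by full path (review)", body))
    return findings


def compare_logs(before_text, after_text):
    """(removed, added): entries only in the old log, and entries only in the new one."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for section, reason, body in flag_entries(LOG_AFTER):
        print(f"{section}: {reason}\n    {body}")
    removed, added = compare_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries gone since the last log, {len(added)} new")
```

Run against the constructed "after" log it still reports the hotwebsearch Search Page line, which is exactly the kind of leftover that is easy to miss when reading a full log by eye. The rundll32 rule is deliberately narrow; a real triage still needs the file itself looked at before anything is deleted.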
robdebdan
Hello and thanks once again for your help.

Below is the new log you requested.

Incident Status Location

Virus:Trj/Downloader.GK No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI389A.tmp\localNrd.cab[polall1l.exe]
Virus:Trj/Downloader.GK Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI389A.tmp\polall1l.exe
Virus:Trj/Downloader.GK No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI3DCB.tmp\localNrd.cab[polall1l.exe]
Virus:Trj/Downloader.GK Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI3DCB.tmp\polall1l.exe
Virus:Trj/SubSearch.E Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH674PYN\install_pv[1].exe
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[1].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[3].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[4].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[6].cab[vxiewer.ocx]
Virus:Trj/Downloader.QV No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXQZC9E7\vxiewer[7].cab[vxiewer.ocx]
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U9123QLC\start[1].htm
Virus:Exploit/ObjectData Disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U9123QLC\start[3].htm
Deb
Siggyx
Please boot to safe mode.

Empty all your temp folders. DO NOT DELETE THE FOLDERS, ONLY THE CONTENTS.
C:\WINDOWS\Temp\ CONTENTS
C:\Temp\ CONTENTS
C:\Documents and Settings\username\Local Settings\Temp\ CONTENTS
Also delete your Temporary Internet Files: Tools > Internet Options, delete all cookies and files as well as offline files. Also clean out your Recycle Bin.

Then a new HijackThis log please.
robdebdan
Hi,
All done, below is the new log.
Logfile of HijackThis v1.98.2
Scan saved at 16:15:10, on 11/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: NiceMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\NiceMP3 (file missing)
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thanks,
Deb
Siggyx
Boot to safe mode and scan with HijackThis, then put a check beside these lines and choose FIX.

O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll

O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll

O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe

O9 - Extra button: NiceMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\NiceMP3 (file missing)
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.1\eBayBand.dll

Then delete these files/folders


C:\Program Files\eBay<<<folder

Then Reboot. How is it running after the reboot? Any issues?

New log please.
robdebdan
Hi again,
Yes it is working much better. I have not had any pop ups and the address bar has all come back as it was now.
Thanks for all your help, and below is the new log again.

Logfile of HijackThis v1.98.2
Scan saved at 16:28:54, on 13/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
timone97
Am I imagining it or can I still see this
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/search.html
in the hijack this log?
Sorry if I am out of line but I love reading the way you people fix things, it is absolutely amazing and I salute you. :thumb:
Siggyx
Yep you are correct ;)

Please scan with HJT, put a check beside this line and choose FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotwebsearch.com/search.html

Then a new log please.