Help - Search - Members - Calendar
Full Version: Help...680180 pop up plus more.
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
hubbahubba
Sep 1 2004, 01:43 AM
Hi, what's up?

Well, I ain't so good. My computer is mass infected, and when I was back, I noticed that I got this 680180 pop up, plus more viruses (posibly).

I got recently Hijack this, and I guess I have to post the log file.

Also, could you recommend me, some free antivurs programs? I really need one of those, please....

Well, here it goes:

Logfile of HijackThis v1.98.2
Scan saved at 07:03:01 p.m., on 31/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\Navnt\npssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\jsnxov.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Dudle3U6.exe
C:\WINDOWS\System32\UjliI59.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\msagent\intl\eulac.exe
C:\WINDOWS\System32\aSSVXDREM.exe
C:\Documents and Settings\Oscar Alejandro\Escritorio\Mata-virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pojo.biz/board
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\calue.dat
O2 - BHO: SDWin32 Class - {50700C34-AC40-4268-B377-8CBA7034F5FF} - C:\WINDOWS\System32\xmuev.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\calue.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\itnabil.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\calue.dat
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8bccef0a-275e-43ce-b8f3-f2cae2e77c2a} - (no file)
O3 - Toolbar: fork vc bend - {4E8C4EEB-8789-33F1-DBCE-A3C95ACC7A12} - C:\ARCHIV~1\MPEGDV~1\Setup Drv.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Archivos de programa\SEP\sep.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [2MH35QP496C##K] C:\WINDOWS\System32\Pwbm74i.exe
O4 - HKLM\..\Run: [xmuevc] C:\WINDOWS\System32\xmuevc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [vptbwvsw] C:\WINDOWS\System32\jsnxov.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [eulac] C:\WINDOWS\msagent\intl\eulac.exe
O4 - HKLM\..\Run: [libanti] C:\WINDOWS\Speech\libanti.exe
O4 - HKLM\..\RunOnce: [*libanti] C:\WINDOWS\Speech\libanti.exe
O4 - HKLM\..\RunOnce: [*eulac] C:\WINDOWS\msagent\intl\eulac.exe
O4 - HKCU\..\Run: [65808] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65808.cpl
O4 - HKCU\..\Run: [65870] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65870.cpl
O4 - HKCU\..\Run: [393500] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\393500.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Cpsp] C:\Documents and Settings\Oscar Alejandro\Datos de programa\sort.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpcc.exe
O4 - HKCU\..\Run: [rqpsd] C:\WINDOWS\rqpsd.exe
O4 - HKCU\..\Run: [hyd] C:\WINDOWS\hyd.exe
O4 - HKCU\..\Run: [HOLE JUNK] C:\ARCHIV~1\BLEHBL~1\waveamok32.exe
O4 - HKCU\..\Run: [ojohkz] C:\WINDOWS\ojohkz.exe
O4 - HKCU\..\Run: [aSSVXDREM] C:\WINDOWS\System32\aSSVXDREM.exe
O4 - HKCU\..\Run: [sp] C:\sp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\Tasks\dllpc.exe ren
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE



I'll appreciate any help.

E I
D T: made some changes, some fixes, so new Log. ;)

Logfile of HijackThis v1.98.2
Scan saved at 08:41:51 p.m., on 31/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\Navnt\npssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\jsnxov.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\aSSVXDREM.exe
C:\WINDOWS\msagent\intl\eulac.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Oscar Alejandro\Escritorio\Mata-virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pojo.biz/board
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\calue.dat
O2 - BHO: SDWin32 Class - {50700C34-AC40-4268-B377-8CBA7034F5FF} - C:\WINDOWS\System32\xmuev.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\calue.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\itnabil.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\OSCARA~1\CONFIG~1\Temp\calue.dat
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8bccef0a-275e-43ce-b8f3-f2cae2e77c2a} - (no file)
O3 - Toolbar: fork vc bend - {4E8C4EEB-8789-33F1-DBCE-A3C95ACC7A12} - C:\ARCHIV~1\MPEGDV~1\Setup Drv.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [2MH35QP496C##K] C:\WINDOWS\System32\Pwbm74i.exe
O4 - HKLM\..\Run: [xmuevc] C:\WINDOWS\System32\xmuevc.exe
O4 - HKLM\..\Run: [vptbwvsw] C:\WINDOWS\System32\jsnxov.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [eulac] C:\WINDOWS\msagent\intl\eulac.exe
O4 - HKLM\..\Run: [libanti] C:\WINDOWS\Speech\libanti.exe
O4 - HKLM\..\RunOnce: [*libanti] C:\WINDOWS\Speech\libanti.exe
O4 - HKLM\..\RunOnce: [*eulac] C:\WINDOWS\msagent\intl\eulac.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\ARCHIV~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE" "+b1"
O4 - HKCU\..\Run: [65808] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65808.cpl
O4 - HKCU\..\Run: [65870] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65870.cpl
O4 - HKCU\..\Run: [393500] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\393500.cpl
O4 - HKCU\..\Run: [65778] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65778.cpl
O4 - HKCU\..\Run: [65792] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65792.cpl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Cpsp] C:\Documents and Settings\Oscar Alejandro\Datos de programa\sort.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpcc.exe
O4 - HKCU\..\Run: [rqpsd] C:\WINDOWS\rqpsd.exe
O4 - HKCU\..\Run: [hyd] C:\WINDOWS\hyd.exe
O4 - HKCU\..\Run: [HOLE JUNK] C:\ARCHIV~1\BLEHBL~1\waveamok32.exe
O4 - HKCU\..\Run: [ojohkz] C:\WINDOWS\ojohkz.exe
O4 - HKCU\..\Run: [aSSVXDREM] C:\WINDOWS\System32\aSSVXDREM.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\system\bakwms.exe ren
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
Siggyx
Sep 1 2004, 04:01 AM
Welcome to the forum. ahah.gif

This will take a few steps so lets get started.

Please do the following,

Step #1

You have a peper infection that we need to remove

http://www.memorywatcher.com/uninst.exe

When you run the uninstaller, you MUST have an internet connection active for it to work

This Peper removal tool only works if run twice. To complete each stage of the Peper removal you need to REBOOT to clear the peper infection each time you run the tool, or the infection will remain.

Step # 2

Please download and run CWShredder. Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

http://www.majorgeeks.com/download4086.html

REBOOT

Step #3

Please download and run Spybot Search & Destroy and AdAware SE . Then follow the instructions in the links below to run.

Spybot Tutorial

AdAware Tutorial

Step # 4

Please do an online scan, 2 would be better,

Panda http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp

Make sure that you choose "fix" or "clean".

Reboot and post a new HiJackThis log
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.