Full Version: I am infected
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
AshyLarry
Hello,

I have a problem with a pop-up that will not go away. It opens a DOS window and brings up an error pointing to either bla.exe or alk.exe. I have run Spybot and Ad-Aware, as well as a virus scan, with no luck removing it. Here is the log from HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 9:56:21 PM, on 3/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware GSX Server\vmware-authd.exe
C:\Program Files\VMware\VMware GSX Server\vmserverdWin32.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\cthelper.exe
C:\WINDOWS\system32\PCsync.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\WINFRW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\rk.exe
C:\rk.exe
C:\rk.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8F916F94-C19B-C8D4-2EF3-E8824FCBD83F} - C:\WINDOWS\atlts32.dll (file missing)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware GSX Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware GSX Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)

Any help is greatly appreciated.
Bobbi Flekman
Hi AshyLarry,

Download http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.
  1. Download AboutBuster

    Unzip it to your desktop but don't run it yet we'll do that later on down in this list in SAFE MODE.
  2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.
  3. Make sure your PC is configured to show hidden files. How do I show hidden files?
  4. Scan with HijackThis and put a check next to the following:
    O23 - Service: Workstation NetLogon Service (�%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)
    Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".
  5. Restart your computer in Safe Mode. How do I Safe Boot my computer?
  6. Scan with HijackThis and put a check next to the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {8F916F94-C19B-C8D4-2EF3-E8824FCBD83F} - C:\WINDOWS\atlts32.dll (file missing)

    O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

    Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

    Delete the following files in red (it could be that they are deleted already):

    C:\WINDOWS\system32\plcnk.dll
    C:\WINDOWS\atlts32.dll
    C:\WINDOWS\WINFRW.EXE
    C:\WINDOWS\system32\iexl.exe
  7. Double click on the AboutBuster tool you downloaded earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
  8. Scan with Adaware and let it remove any bad files found.
  9. Clean out temporary and tif files. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
  10. Restart in normal mode.
  11. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

    Control.exe
    Shell.dll
    SDHelper.dll (if you are using Spybot Search & Destroy)
    Hosts file (no extension)

    If control.exe, shell.dll or SDHelper is missing
    Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

    For a missing Hosts file:
    Download Hoster
    Press "Restore Original Hosts" and press "OK"
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  12. Additional: Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in Internet Explorer as recommended.

    ActiveX controls and plug-ins:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    • Script ActiveX controls marked safe for scripting (Prompt)

    Do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-Cillin) - Free On-line Scan
When you are all done, post the new HijackThis log and the AboutBuster log here for review.

Go to Online malware scan and submit C:\rk.exe.

Tell me the result.
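The entries singled out in the reply above (IE start and search pages redirected to a res:// resource, a missing default URLSearchHook, O2/O23 entries whose file is "(file missing)", an autorun launched from a Temp folder or sitting directly in the Windows root, and O15 Trusted Zone / ProtocolDefaults changes) can be triaged mechanically. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of About:Buster. It parses HijackThis-format lines (the sample is made up of entries copied from the logs posted in this thread, with the garbled service name replaced by a placeholder) and flags each one with the reason a helper would give. The classification rules and the path heuristics are the editor's assumptions, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass

# Sample input: HijackThis entries copied from the logs in this thread,
# one or two lines per entry type. The service name on the O23 line is a
# placeholder for the garbled bytes in the original log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\plcnk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8F916F94-C19B-C8D4-2EF3-E8824FCBD83F} - C:\WINDOWS\atlts32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Raheem\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service (NAME-GARBLED) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)
"""

# "R1 - <rest>", "O4 - <rest>", ...; header and process-list lines do not match.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
# Run/RunOnce/RunServices entries: HKLM\..\Run: [name] command line
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of an unquoted command line, up to and including its extension.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")             # e.g. c:\rk.exe
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$")  # e.g. c:\windows\winfrw.exe


@dataclass
class Finding:
    kind: str
    line: str
    reason: str


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_PREFIX.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def classify(kind: str, rest: str):
    """Editor's heuristics, modelled on the entries the thread's helper fixed."""
    low = rest.lower()
    if kind in ("R0", "R1") and "res://" in low:
        return "IE start/search page points into a local DLL resource (res://)"
    if kind == "R3" and "is missing" in low:
        return "default URLSearchHook has been removed"
    if kind in ("O2", "O23") and "(file missing)" in low:
        return f"{kind} entry references a file that no longer exists"
    if kind == "O4":
        m = O4_RUN.match(rest)
        if m:
            path = image_path(m.group("cmd")).lower()
            if "\\temp\\" in path:
                return "autorun launched from a Temp folder"
            if WINDOWS_ROOT.match(path) or DRIVE_ROOT.match(path):
                return "autorun image placed directly in the Windows or drive root"
    if kind == "O15":
        if "trusted zone" in low or "trusted ip range" in low:
            return "site or IP added to the IE Trusted zone"
        if "protocoldefaults" in low:
            return "http protocol mapped to My Computer zone instead of Internet zone"
    return None


def triage(log_text: str) -> list:
    """Return one Finding per HijackThis line that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        reason = classify(m.group("kind"), m.group("rest"))
        if reason:
            findings.append(Finding(m.group("kind"), line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the sample the script flags nine of the fourteen lines and leaves the Acrobat BHO, the NVIDIA entries and Messenger alone, which matches what the helper asked to have fixed. The rules are deliberately narrow: a bare filename such as cthelper.exe is not flagged, because the thread shows that legitimate vendor entries look the same, and an entry the script does not flag still needs a human look.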
AshyLarry
Thanks for the quick response.

Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:59 AM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware GSX Server\vmware-authd.exe
C:\Program Files\VMware\VMware GSX Server\vmserverdWin32.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cthelper.exe
C:\WINDOWS\system32\PCsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\bla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
c:\program files\180solutions\sais.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [alulih] C:\WINDOWS\alulih.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Raheem\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware GSX Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware GSX Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)

And the AboutBuster log:

Scanned at: 9:17:24 AM on: 3/7/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\ntdtcsetup.log:splcn
C:\WINDOWS\unvise32qt.exe:fpjgp


Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


Removed Data Streams:
C:\WINDOWS\ntdtcsetup.log:splcn
C:\WINDOWS\unvise32qt.exe:fpjgp


Attempted Clean Of Temp folder.
Pages Reset... Done!
Malware scan results:


Service load:
0% 100%
File: rk.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
UPX

AntiVir
Heuristic/Trojan.Downloader (probable variant) (0.37 seconds taken)
Avast
No viruses found (1.53 seconds taken)
AVG Antivirus
No viruses found (0.47 seconds taken)
BitDefender
No viruses found (0.50 seconds taken)
ClamAV
No viruses found (0.59 seconds taken)
Dr.Web
Trojan.DownLoader.1894 (0.89 seconds taken)
F-Prot Antivirus
No viruses found (0.09 seconds taken)
Fortinet
No viruses found (0.47 seconds taken)
Kaspersky Anti-Virus
No viruses found (1.23 seconds taken)
mks_vir
No viruses found (0.22 seconds taken)
NOD32
No viruses found (0.48 seconds taken)
Norman Virus Control
No viruses found (0.54 seconds taken)

Statistics
Last piece of malware found was Trojan.Downloader.Agent.Fz in Mike__sHardAimbot.exe, detected by:

Scanner Malware name Time taken
AntiVir X 0.41 seconds
Avast X 1.52 seconds
AVG Antivirus X 0.50 seconds
BitDefender Trojan.Spy.Agent.Y 0.50 seconds
ClamAV X 0.69 seconds
Dr.Web Trojan.MulDrop.1676 0.89 seconds
F-Prot Antivirus X 0.25 seconds
Fortinet X 0.45 seconds
Kaspersky Anti-Virus not-a-virus:RiskWare.Monitor.Perflogger.al 1.14 seconds
mks_vir Trojan.Downloader.Agent.Fz 0.36 seconds
NOD32 X 0.53 seconds
Norman Virus Control X 2.73 seconds


Service statistics:

1462 files (1158 of those unique) have been uploaded & scanned since 06/03/2005, the day of the last database purge.
374 of those 1158 files contained a virus or any other form of malware.
This page has been visited 1949 times in this time period.
This service managed to spot 25 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 166 suspicious files without any help from scanner results.
However, 1 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 99.91% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.

No I am not sitting still! A new, better version of this service is being developed.
If you have suggestions and/or comments, please send me them!
Most popular malware:

Rank Malware name Uploaded Last known filename
1 w32/mewpacked.gen 35 times WebClaw5.exe
2 im-worm.win32.kelvir.a 24 times cute.txt
3 trojan.spy.agent.y 13 times Mike__sHardAimbot.exe
4 worm/bagle.be 11 times virus.rar
5 win32:spybot-a334 11 times cthelper.exe
6 bds/improg.2 8 times bifrost_unpack.exe.40000
7 win32:trojan-gen. {other} 8 times wer1316.dll
8 trojan.agent.ap 8 times Mike__s_Aimbot.rar
9 worm/rbot.104648 7 times winmes.exe
10 tr/dldr.agent.bq 7 times fmero.dll
11 trojan-psw.win32.gamania.d 7 times 0.zip
12 backdoor.trojan 7 times mail_text-data.txt____________
13 tr/dldr.istbar.ok.2 6 times start.exe
14 trojan.dragonbot 6 times Dragonbot.exe
15 bds/nuclear.14 6 times example.dll
Thanks for all your help.
AshyLarry
Just a little more to add:

My internet connection is running very slow, and in Processes I have a lot of IEXPLORER.exe running as well as 6 svchost.exe.
Bobbi Flekman
Hi AshyLarry,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [alulih] C:\WINDOWS\alulih.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Raheem\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O23 - Service: Workstation NetLogon Service (�%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\WINFRW.EXE
C:\WINDOWS\alulih.exe
c:\Windows\System32\hotkeysvc.exe
All Files in C:\Documents And Settings\Raheem\Local Settings\Temp
C:\WINDOWS\system32\iexl.exe
c:\rk.exe

Delete the following folders in red (it could be that they are deleted already):

c:\program files\180solutions
C:\Program Files\Power Scan
C:\Program Files\Web_Rebates

Restart your computer and post a new log in this thread.

Run HijackThis. Click on "Config...", "Misc Tools", "Open ADS Spy...". Click on "Scan", and on "Save log..." to save what it finds. Please post the resulting log here.

P.S. The amount of svchosts running is normal.
AshyLarry
Here are the two logs:

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:11:55 AM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware GSX Server\vmware-authd.exe
C:\Program Files\VMware\VMware GSX Server\vmserverdWin32.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\cthelper.exe
C:\WINDOWS\system32\PCsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Update Machine] MSOICONS.EXE
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] MSOICONS.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] MSOICONS.EXE
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware GSX Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware GSX Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)

And the ADS Spy log:

C:\WINDOWS\comsetup.log : glvchc (9728 bytes)
C:\WINDOWS\daemon.dll : ydoibm (29184 bytes)
C:\WINDOWS\FeatherTexture.bmp : bfrayz (11592 bytes)
C:\WINDOWS\Headphone.bin : ugkgaj (7305 bytes)
C:\WINDOWS\iis6.log : mguluu (3567 bytes)
C:\WINDOWS\imsins.BAK : fhnyww (68096 bytes)
C:\WINDOWS\NeroDigital.ini : zwbxl (95744 bytes)
C:\WINDOWS\Santa Fe Stucco.bmp : zwbxl (95744 bytes)
Bobbi Flekman
Hi AshyLarry,

Run HijackThis. Click on "Config...", "Misc Tools", "Open ADS Spy...". Click on "Scan", and select the following items
C:\WINDOWS\comsetup.log : glvchc (9728 bytes)
C:\WINDOWS\daemon.dll : ydoibm (29184 bytes)
C:\WINDOWS\FeatherTexture.bmp : bfrayz (11592 bytes)
C:\WINDOWS\Headphone.bin : ugkgaj (7305 bytes)
C:\WINDOWS\iis6.log : mguluu (3567 bytes)
C:\WINDOWS\imsins.BAK : fhnyww (68096 bytes)
C:\WINDOWS\NeroDigital.ini : zwbxl (95744 bytes)
C:\WINDOWS\Santa Fe Stucco.bmp : zwbxl (95744 bytes)
and click on "Remove selected".

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [Microsoft Update Machine] MSOICONS.EXE
O4 - HKLM\..\RunServices: [Microsoft Update Machine] MSOICONS.EXE
O4 - HKCU\..\Run: [Microsoft Update Machine] MSOICONS.EXE

O23 - Service: Workstation NetLogon Service (�%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\iexl.exe (file missing)


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\system32\MSOICONS.EXE
C:\WINDOWS\system32\iexl.exe

Restart your computer and post a new log in this thread.
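The ADS Spy listing above and the two "path:stream" lines About:Buster reported removing earlier in the thread show the same hiding technique: payload stored in NTFS alternate data streams attached to innocuous host files under C:\WINDOWS (logs, bitmaps, an .ini, a .BAK), with random-looking stream names. The script below is an added example, not part of the thread, of HijackThis or of About:Buster; it parses both listing formats (the sample input is the listings from this thread) and groups the streams the way a reviewer would before choosing what to remove. The host-extension list and the "random name" pattern are the editor's assumptions; Zone.Identifier is a legitimate, commonly seen stream and is used here only as a negative case.

```python
import re
from collections import defaultdict

# Sample input: the ADS Spy listing posted in this thread.
ADS_SPY_LOG = r"""
C:\WINDOWS\comsetup.log : glvchc (9728 bytes)
C:\WINDOWS\daemon.dll : ydoibm (29184 bytes)
C:\WINDOWS\FeatherTexture.bmp : bfrayz (11592 bytes)
C:\WINDOWS\Headphone.bin : ugkgaj (7305 bytes)
C:\WINDOWS\iis6.log : mguluu (3567 bytes)
C:\WINDOWS\imsins.BAK : fhnyww (68096 bytes)
C:\WINDOWS\NeroDigital.ini : zwbxl (95744 bytes)
C:\WINDOWS\Santa Fe Stucco.bmp : zwbxl (95744 bytes)
"""

# Sample input: the "Removed Data Streams" lines from the About:Buster log in this thread.
ABOUTBUSTER_STREAMS = r"""
C:\WINDOWS\ntdtcsetup.log:splcn
C:\WINDOWS\unvise32qt.exe:fpjgp
"""

# "<host> : <stream> (<n> bytes)" as ADS Spy prints it
ADS_SPY_LINE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")
# "<drive>:\<host>:<stream>" as About:Buster prints it
COLON_STREAM = re.compile(r"^(?P<host>[A-Za-z]:\\.+?):(?P<stream>[^:\\]+)$")
HOST_EXT = re.compile(r"\.([^.\\]+)$")
# Editor's assumption: data files that have no business carrying a second stream of this size.
DATA_HOST_EXTS = {"log", "bmp", "bin", "ini", "bak", "txt"}
# Editor's assumption: the 5-8 lowercase-letter names seen in the thread.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")


def parse_streams(text: str) -> list:
    """Return (host, stream, size-or-None) tuples from either listing format."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ADS_SPY_LINE.match(line)
        if m:
            out.append((m.group("host"), m.group("stream"), int(m.group("size"))))
            continue
        m = COLON_STREAM.match(line)
        if m:
            out.append((m.group("host"), m.group("stream"), None))
    return out


def host_extension(host: str) -> str:
    m = HOST_EXT.search(host)
    return m.group(1).lower() if m else ""


def streams_on_data_files(entries: list) -> list:
    """Streams attached to logs, images, ini files and the like."""
    return [e for e in entries if host_extension(e[0]) in DATA_HOST_EXTS]


def random_named_streams(entries: list) -> list:
    """Streams whose name looks generated rather than meaningful (e.g. not Zone.Identifier)."""
    return [e for e in entries if RANDOM_NAME.match(e[1])]


def duplicate_payloads(entries: list) -> dict:
    """Same stream name and size on more than one host: one payload copied around."""
    groups = defaultdict(list)
    for host, stream, size in entries:
        if size is not None:
            groups[(stream, size)].append(host)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_streams(ADS_SPY_LOG) + parse_streams(ABOUTBUSTER_STREAMS)
    print(f"{len(entries)} streams, {len(streams_on_data_files(entries))} on data files")
    for (stream, size), hosts in duplicate_payloads(entries).items():
        print(f"{stream} ({size} bytes) appears on: {', '.join(hosts)}")
```

On the thread's listing every stream name matches the random-name pattern, eight of the ten hosts are plain data files, and the zwbxl stream of 95744 bytes sits on both NeroDigital.ini and Santa Fe Stucco.bmp, which is why a reviewer removes the streams rather than the host files themselves.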
AshyLarry
Bobbi Flekman,

Thank you for all your help. I really appreciate the time and effort you put into my problem. The last few days have been really frustrating for me and I got fed up and decided to format my hard drive and reinstall Windows. So, problem solved. I have read the forum tips on prevention and taken the appropriate steps. I'd like to thank you again for your help.


Spyware 1, AshyLarry 0
You won this round Spyware :(
Bobbi Flekman
:(

Okay. Happy (and safe) surfing for the future.