Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

Go Back   Windows BBS > Security > Malware and Virus Removal
Reload this Page

Search bar hell! HJT log.

Register FAQDonate Mark Forums Read

Malware and Virus Removal Problems removing malware/viruses? Get help from our Malware removal experts.

Register your FREE account to unlock additional features at WindowsBBS.com
Register
Welcome to WindowsBBS.com
Microsoft Windows Support

Mission Statement

WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.

Our goal is to become the leading resource for computer users that require assistance with their day-to-day computer usage, including full support for networking PC's, virus & malware removal, system upgrades and general support questions.

Discussion Forums
Operating Systems
Windows 7 Windows 7
Windows Vista Windows Vista
Windows XP Windows XP
Windows Server System Windows Server System
Windows 2000 Windows 2000
Windows 95/98/Me/NT Windows 95/98/Me/NT
Internet & Networking
Networking
Internet Explorer
Microsoft Mail
Firefox, Thunderbird
      & SeaMonkey
General Internet
Security
General Security
Malware and Virus
     Removal
Other
Other Software
Hardware
Test Posts
Community
Introductions
General Discussions
Comments
      & Suggestions
News @ WindowsBBS

Forum Sponsor
Image

Closed Thread
 
LinkBack Thread Tools
Old 13th January 2005   #1
Senior Member
 
Profile:
Join Date: Nov 2002
Posts: 51
Computer Experience:
experienced
Vortigern Wolf Reputation Level
Question Search bar hell! HJT log.
Hi

Have a computer running Windows XP Home. It has been hit by ISTBar and some other search bars have attacked it. Causing it to run slow. I have been into the register and using Hijack this, Ad Aware and Antivirus software thought I had successfully removed it all over the past two days. Then when I attatched the computer back to the internet to my horror all the search bars re-appeared. I could have cried. Machine was re-infected. Must have missed something.

So I seek help please. Its driving me insane.

Here is the current Hijack log. The computer is off the internet, I have run ad aware before getting the log.

Any help is soooo greatfully recieved you just wouldnt believe it.

Thanks

Logfile of HijackThis v1.99.0
Scan saved at 10:47:59, on 13/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\BT Broadband Basic Help\bin\mad.exe
C:\Connect4\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSN Messenger /background] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [e80519c58c15] C:\WINDOWS\System32\audiosrv.exe
O4 - HKLM\..\Run: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [] iexpl0res.exe
O4 - HKLM\..\RunServices: [MSN Messenger /background] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\RunServices: [] iexpl0res.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKCU\..\Run: [Ijnwk] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [] iexpl0res.exe
O4 - HKCU\..\RunServices: [] iexpl0res.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Vortigern
Vortigern Wolf is offline  
Didn't find the information you thought to find?
Check out these Similar Threads
Old 13th January 2005   #2
Senior Member
 
Profile:
Join Date: Nov 2002
Posts: 51
Computer Experience:
experienced
Vortigern Wolf Reputation Level
Ok so I shouldnt have done the Hijack log straight after Adaware.

Here is the Hijack log after a reboot.

Thanks again.

Logfile of HijackThis v1.99.0
Scan saved at 13:13:39, on 13/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\BT Broadband Basic Help\bin\mad.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Connect4\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSN Messenger /background] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [e80519c58c15] C:\WINDOWS\System32\audiosrv.exe
O4 - HKLM\..\Run: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [] iexpl0res.exe
O4 - HKLM\..\RunServices: [MSN Messenger /background] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\RunServices: [] iexpl0res.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKCU\..\Run: [Ijnwk] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [] iexpl0res.exe
O4 - HKCU\..\RunServices: [] iexpl0res.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Vortigern
Vortigern Wolf is offline  
Old 13th January 2005   #3
SuperGeek
 
charlesvar's Avatar
 
Profile:
Join Date: Feb 2002
Location: New Jersey
Posts: 7,308
Computer Experience:
indeterminate
charlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Level
Hello Vortigern Wolf

O4 - HKCU\..\Run: [] iexpl0res.exe
http://castlecops.com/startuplist-6721.html

C:\WINDOWS\System32\w?nlogon.exe Doesn't look right.

Plus you have unecessary processes running:

http://www.answersthatwork.com/Taskl...s/tasklist.htm Look up your startups

Regards - Charles
charlesvar is offline  
Old 13th January 2005   #4
SuperGeek
 
Profile:
Join Date: Dec 2002
Location: Washington state USA
Posts: 2,310
Computer Experience:
Typeos-are-Us
Lonny Jones Reputation Level
Hello

Start Hijackthis and place a check next to these items,
Close all browser windows and shut down all other programs that show in the taskbar. (even Folders)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file
O4 - HKLM\..\Run: [e80519c58c15] C:\WINDOWS\System32\audiosrv.exe
O4 - HKLM\..\Run: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [] iexpl0res.exe
O4 - HKLM\..\RunServices: [Microsofts Legacy Support] java.exe
O4 - HKLM\..\RunServices: [] iexpl0res.exe
O4 - HKCU\..\Run: [Ijnwk] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [] iexpl0res.exe
O4 - HKCU\..\RunServices: [] iexpl0res.exe
==========================
Hit fix checked and close Hijackthis.
Restart the PC

Dont depend on any one antivirus program go get preferably two free onlines
(especialy it seams norton)
Trend Micro-Free online Scan: http://housecall.trendmicro.com/
check all box's except [ ]auto clean !!, scan and if it cannot clean tell it to delete found files !!

BitDefender AntiVirus Free Scan, check all box's except [ ]auto clean !!,
then have it delete the file if it cannot clean/repair/cure it,
turn off any PopupBlockers before accessing the site:
http://www.bitdefender.com/scan/licence.php

Save there reports and Copy back here please.
Lonny Jones is offline  
Old 13th January 2005   #5
SuperGeek
 
charlesvar's Avatar
 
Profile:
Join Date: Feb 2002
Location: New Jersey
Posts: 7,308
Computer Experience:
indeterminate
charlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Levelcharlesvar Reputation Level
C:\WINDOWS\System32\w?nlogon.exe

Lonny, what is that? Never saw that before.

Regards - Charles
charlesvar is offline  
Old 13th January 2005   #6
Senior Member
 
Profile:
Join Date: Nov 2002
Posts: 51
Computer Experience:
experienced
Vortigern Wolf Reputation Level
Ok

Removed the Hijack bits. Then ran housecall which found and deleted:

C:\Windows\gukrlqn.exe
C:\Windows\qaadoc.exe

Then ran bit defender without the autoclean, it found a lot, but I couldnt find a delete the file option . Checked the hard drive and the virused files are still there. Do I have to manually delete them? Anyway, heres the bit defender Log:

C:\dload.exe=>(Upx): infected with Trojan.Downloader.Small.DG
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\AVEB6HAD\sfbho13[1].dll: infected with Adware.SideFind.A
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C1U9IHAJ\istbar_mainstream[1].dll: infected with Trojan.Downloader.IstBar.GJ
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C1U9IHAJ\sidefind[1].exe: infected with Trojan.Downloader.IstBar.DA
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected

** Deleted the C:\Program Files\Norton SystemWorks\Norton CleanSweep\*.*: password protected as this made the post too many characters **

C:\Program Files\Windows TaskAd\WinSched.exe=>(Upx): infected with Adware.WinAD
C:\SEPinst.exe: infected with Trojan.Septic.A.dr
C:\uninstallwizard.exe: infected with Trojan.Downloader.IstBar.Z1
C:\WINDOWS\livesex.cal=>(Upx): infected with Trojan.Dialer.AF
C:\WINDOWS\system32\.pif: infected with Backdoor.BotGet.FtpB.Gen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\A74d.dll: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5UBQULGG\addit[1].exe=>(NSIS o)=>zlib_nsis0001: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5UBQULGG\addit[1].exe=>(NSIS o)=>zlib_nsis0002: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5UBQULGG\clicks[1].dll: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RMORZH1B\ticket[1].htm: infected with HTML.MediaTickets.A
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XGXZL3MP\all_files10[1].exe=>(NSIS o)=>zlib_nsis0001=>(NSIS o)=>zlib_nsis0003: infected with Trojan.Sandbox.A
C:\WINDOWS\system32\Dfm38Uh.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\Dhf4e8R.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\Dnkzz.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\dust: infected with Backdoor.BotGet.FtpB.Gen
C:\WINDOWS\system32\exul1.exe: infected with Adware.BBuddy.A
C:\WINDOWS\system32\exul2.exe: infected with Adware.BBuddy.A
C:\WINDOWS\system32\Fah1q6.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\o: infected with Backdoor.BotGet.FtpB.Gen
C:\WINDOWS\system32\Szqu0w1A.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\TcvX0HeM.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\Vwb73.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\Wzx4.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\Yqn4Uxf.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\system32\Zxj35W2.exe: infected with Trojan.Downloader.VB.EM
C:\WINDOWS\Temp\addit.exe=>(NSIS o)=>zlib_nsis0001: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\Temp\addit.exe=>(NSIS o)=>zlib_nsis0002: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\Temp\all_files10.exe=>(NSIS o)=>zlib_nsis0001=>(NSIS o)=>zlib_nsis0003: infected with Trojan.Sandbox.A
C:\WINDOWS\Temp\clicks.dll: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\Temp\fixit.exe=>(NSIS o)=>zlib_nsis0002: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\Temp\over.exe=>(NSIS o)=>zlib_nsis0001: infected with Adware.Statmedia.A
C:\WINDOWS\Temp\sidefind.exe: infected with Trojan.Downloader.IstBar.DA
C:\WINDOWS\Temp\Updater.exe: infected with Trojan.Spy.Middadle.A
C:\WINDOWS\tool1.exe: infected with Trojan.Downloader.IstBar.Z8
C:\WINDOWS\tools.exe: infected with Trojan.Downloader.IstBar.Z9
C:\WINDOWS\toolx.exe: infected with Trojan.Downloader.IstBar.Z7

Thanks

Vortigern
Vortigern Wolf is offline  
Old 14th January 2005   #7
SuperGeek
 
Profile:
Join Date: Dec 2002
Location: Washington state USA
Posts: 2,310
Computer Experience:
Typeos-are-Us
Lonny Jones Reputation Level
Hi

Those are pretty common lately, I think lots of different nasties are now using odd characters like that thinking we will suggest deleting it, or just to make it harder for us to cleanup.
All you need to do is either ignore it, once the run is fixed it is effectively out of the picture. or say look for C:\WINDOWS\System32\w?nlogon.exe
where the ? is an odd character, do not attempt to delete the real windows file, check the properties first. as in right click >properties, if your unsure leave it alone.

The bad guy probably has an FMC icon,and uses an underscore
(w_nlogon.exe) see attachment. that doesn't by any means mean all those that look like this are bad.

later tell us if you found it ?
===================================
If it isn't already Set windows to show hidden file's, folder's and extensions
>click here for instructions<.
find and delete (ONLY THESE EXACT) files and folder's (If present)
C:\Program Files\Windows TaskAd
C:\SEPinst.exe
C:\uninstallwizard.exe
C:\WINDOWS\livesex.cal
C:\WINDOWS\system32\.pif
C:\dload.exe
C:\WINDOWS\system32\Dfm38Uh.exe
C:\WINDOWS\system32\Dhf4e8R.exe
C:\WINDOWS\system32\Dnkzz.exe
C:\WINDOWS\system32\dust
C:\WINDOWS\system32\exul1.exe
C:\WINDOWS\system32\exul2.exe
C:\WINDOWS\system32\Fah1q6.exe
C:\WINDOWS\system32\o
C:\WINDOWS\system32\Szqu0w1A.exe
C:\WINDOWS\system32\TcvX0HeM.exe
C:\WINDOWS\system32\Vwb73.exe:
C:\WINDOWS\system32\Wzx4.exe
C:\WINDOWS\system32\Yqn4Uxf.exe
C:\WINDOWS\system32\Zxj35W2.exe
:\WINDOWS\tool1.exe
C:\WINDOWS\tools.exe
C:\WINDOWS\toolx.exe
====================
C:\WINDOWS\System32\audiosrv.exe
C:\WINDOWS\System32\iexpl0res.exe
C:\WINDOWS\System32\w?nlogon.exe

Do a file search for java.exe and tell us if its found anywhere except windows and system32 folders

Empty the recycle bin
Important
Delete the contents of all your temp folders, as in. Open C:\ then >
C:\documents and settings\(all your pc users)\local settings\temp
Note: Some systems have temporary internet files, Application Data and History in that temp, if so leave them and delete all other folders and files inside that temp and these below..
Delete the contents of the C:\windows\temp folder
C:\WINDOWS\Prefetch < delete the contents
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temp <delete the contents
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\ <<<<<delete contents
Clear Internet Explorers's cache
1. In Control Panel, open Internet Options.
2. Click the General tab, and then under Temporary Internet files, click Delete Files.
3. In the Delete Files dialog box, click to select the Delete all offline content check box.
4. wait for the hourglass to disapear
5. Click OK.
=========
We need to see a new hijackthis log
Lonny Jones is offline  
Old 14th January 2005   #8
Senior Member
 
Profile:
Join Date: Nov 2002
Posts: 51
Computer Experience:
experienced
Vortigern Wolf Reputation Level
Hi

This is starting to look good . Here is the latest Hijack this log after removing files and reboot.

Logfile of HijackThis v1.99.0
Scan saved at 09:53:24, on 14/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Connect4\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSN Messenger /background] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\RunServices: [MSN Messenger /background] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Thanks

Vortigern
Vortigern Wolf is offline  
Old 14th January 2005   #9
SuperGeek
 
Profile:
Join Date: Dec 2002
Location: Washington state USA
Posts: 2,310
Computer Experience:
Typeos-are-Us
Lonny Jones Reputation Level
Hi

That looks fine, so where did you find java.exe ?
did you find w_nlogon.exe and did it have an fmc icon ?
Lonny Jones is offline  
Old 14th January 2005   #10
Senior Member
 
Profile:
Join Date: Nov 2002
Posts: 51
Computer Experience:
experienced
Vortigern Wolf Reputation Level
Thanks again for your time.

Didn't find any W_login.exe or W?login.exe only ones are winlogin.exe. Didnt find any Java.exe neither. Searched whole drive and hidden files and folders.

Vortigern
Vortigern Wolf is offline  
Closed Thread

« New "Users"? ("cannot find dltime.dll") | [help with] hijack report »
Thread Tools


Similar Threads
Thread Thread Starter Forum Replies Last Post
Need help with a HJT log for my PC BillB Malware and Virus Removal 5 3rd January 2005 06:15
Need help with yet another HJT log BillB Malware and Virus Removal 12 27th September 2004 02:11
Presario random errors...HJT Log Triger General Security 2 9th June 2004 12:12
headache of extra search bar z4u Internet Explorer 2 23rd October 2003 15:52
Removing A Toolbar Or Search Bar In Ie caraloca Internet Explorer 2 22nd June 2003 18:02


All times are GMT +1. The time now is 05:17.




Advertise - Contact Us - Windows BBS - Archive - Privacy Statement - Top

Advertisements do not imply our endorsement of the product or service advertised.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.3.2
Copyright © 2002 - 2009 WindowsBBS.com. All rights reserved.
Terms of Use, Legal Information & Privacy Policy
[]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32