Wilders Security Forums  


Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
 
 
#1
July 20th, 2004, 10:41 AM
elgaucho
Infrequent Poster
Join Date: Jul 2004
Posts: 2
Hijack This Log sandoxer jmnad1

Lo all!

First of all, fantastic forum! Lots of information here it seems, so congrats!

Secondly... I'm hoping someone can lend me a hand sorting out an adware problem with the two addies in the thread title. I've tried everything to get rid of them, and don't even know how they got onto my system in the first place. I only surf a very limited number of websites on the whole... so it's extremely frustrating to have gotten this...

Anyway, another thread (http://www.wilderssecurity.com/showt...oto=nextoldest) highlighted my problem, but as it seems log dependent, I feel more comfortable asking here just to verify I'm not going to do anything I'll regret. Furthermore, I ONLY use Firefox, and this is an IE popup, and even uninstalling IE in Control Panel hasn't gotten rid of them....

Downloaded memory watcher as recommended by pieter, but I can't tell what that does... any advice from here would be VERY much appreciated. Thank you.

Quote:
Logfile of HijackThis v1.97.7
Scan saved at 15:33:45, on 20/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\CTHELPER.EXE
G:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
G:\WINDOWS\System32\glpknb.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
G:\Program Files\PopupBlock\PopupBlock.exe
H:\Creative\PC-CAM Center\CAMTRAY.EXE
H:\POP-UP~1\dpps2.exe
G:\WINDOWS\System32\paccon.exe
G:\Documents and Settings\El Gaucho\Application Data\atta.exe
G:\WINDOWS\System32\NDrv.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
G:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
G:\WINDOWS\System32\CTsvcCDA.exe
G:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
G:\WINDOWS\System32\nvsvc32.exe
G:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SysAI\SysAI.exe
H:\Firefox\firefox.exe
G:\WINDOWS\system32\notepad.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Documents and Settings\El Gaucho\Desktop\HijackThis.exe
G:\WINDOWS\system32\notepad.exe
G:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=134272
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=134272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.preys-world.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=134272
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - G:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - G:\Program Files\PopupBlock\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - H:\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - H:\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "G:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] G:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [jwD.exe] G:\windows\temp\jwD.exe
O4 - HKLM\..\Run: [qqpihx] G:\WINDOWS\System32\glpknb.exe
O4 - HKLM\..\Run: [AutoLoaderr0py1JWlXLPN] "G:\WINDOWS\System32\slbllreg.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PopupBlock] G:\Program Files\PopupBlock\PopupBlock.exe
O4 - HKLM\..\Run: [Power Scan] G:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] H:\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "H:\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [r76O37j] slbllreg.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [awpERXHng] paccon.exe
O4 - HKCU\..\Run: [Tuew] G:\Documents and Settings\El Gaucho\Application Data\atta.exe
O4 - HKCU\..\Run: [NDrv] G:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = H:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = G:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - H:\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - H:\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...068.3249189815
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

#2
July 23rd, 2004, 01:20 PM
Gavin - DiamondCS
Former DCS Moderator
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080
Re: Hijack This Log sandoxer jmnad1

Hi!

I'm sure you mean you downloaded MemoryWatcher UNINSTALLER, which would remove many adware programs.
Tick the following items in HijackThis, then close all programs and fix them.
Reboot, let us know.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=134272
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=134272

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=134272
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - G:\WINDOWS\System32\NDrv.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

O4 - HKLM\..\Run: [jwD.exe] G:\windows\temp\jwD.exe
O4 - HKLM\..\Run: [qqpihx] G:\WINDOWS\System32\glpknb.exe
O4 - HKLM\..\Run: [AutoLoaderr0py1JWlXLPN] "G:\WINDOWS\System32\slbllreg.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [Power Scan] G:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [r76O37j] slbllreg.exe

O4 - HKCU\..\Run: [awpERXHng] paccon.exe
O4 - HKCU\..\Run: [Tuew] G:\Documents and Settings\El Gaucho\Application Data\atta.exe
O4 - HKCU\..\Run: [NDrv] G:\WINDOWS\System32\NDrv.exe

I'd appreciate if you find all the EXE and DLL files referenced there and send them to submit @ diamondcs.com.au

The one that is a bit iffy is
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Sure it could be legit... fix it but send me that if you want to be sure, it could be for one of your programs. Can you tell by looking at it?

#3
July 27th, 2004, 12:26 PM
elgaucho
Infrequent Poster
Join Date: Jul 2004
Posts: 2
Re: Hijack This Log sandoxer jmnad1

Thanks for the reply Gavin!

I've followed your instructions, and in addition have sent all the exe's and dll files to the email shown in your reply in a zip file, except where otherwise stated, and detailing the reason behind it.

This is my new logfile, though I can't tell for sure it's all gone yet.

Quote:
Logfile of HijackThis v1.97.7
Scan saved at 17:11:30, on 27/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\CTHELPER.EXE
G:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
G:\Program Files\PopupBlock\PopupBlock.exe
H:\Creative\PC-CAM Center\CAMTRAY.EXE
G:\Program Files\Messenger\msmsgs.exe
H:\POP-UP~1\dpps2.exe
G:\WINDOWS\System32\lindpa.exe
G:\WINDOWS\System32\lnko35.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
H:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
G:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\WINDOWS\System32\CTsvcCDA.exe
G:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
G:\WINDOWS\System32\nvsvc32.exe
G:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\MsPMSPSv.exe
G:\WINDOWS\system32\NOTEPAD.EXE
H:\Applications\browsers\Spyware+Popups\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.preys-world.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - G:\Program Files\PopupBlock\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - H:\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - H:\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "G:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "G:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] G:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PopupBlock] G:\Program Files\PopupBlock\PopupBlock.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] H:\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "H:\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [r76O37j] lindpa.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [awpERXHng] lnko35.exe
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] G:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Acrobat Assistant.lnk = H:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = G:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - H:\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - H:\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...068.3249189815
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Many thanks again! I'll update if I find anything new!

PS: I HAVE left the autoupdate.exe intact, although I could not identify what it pertained to. It strikes me as odd that an autoupdate should be running from C: where my system and all installed apps are on other drives in this partition. It, and a dll (libexpat.dll) in the same folder, are attached in the email also.

#4
July 30th, 2004, 10:17 PM
Taz71498
Spyware Expert
Join Date: May 2004
Location: USA
Posts: 674
Re: Hijack This Log sandoxer jmnad1

Hello,

Run HijackThis again, check these items, and then click on Fix:

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r76O37j] lindpa.exe
O4 - HKCU\..\Run: [awpERXHng] lnko35.exe

Reboot the computer into safe mode

Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Find and delete these files/folders:

C:\Program Files\AutoUpdate
lindpa.exe
lnko35.exe

Reboot and run HJT again and post a new log here.
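
The two logs in this thread can be compared mechanically. The sketch below is an added example (not part of any post, and not a HijackThis feature) that parses the O4 Run lines of a before and an after log and reports value names that survived the fix but now point at a different executable, as `r76O37j` and `awpERXHng` do between the 20 July and 27 July logs. The function names are made up for the example; the sample strings are excerpts of the O4 lines posted above.

```python
import ntpath
import re

# One O4 registry autorun line: O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$')

# Excerpts of the O4 lines from the two logs posted in this thread.
LOG_20_JULY = r"""
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r76O37j] slbllreg.exe
O4 - HKCU\..\Run: [awpERXHng] paccon.exe
O4 - HKCU\..\Run: [NDrv] G:\WINDOWS\System32\NDrv.exe
"""
LOG_27_JULY = r"""
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r76O37j] lindpa.exe
O4 - HKCU\..\Run: [awpERXHng] lnko35.exe
"""

def image_name(command):
    """Lower-cased executable file name taken from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted paths may contain spaces, so cut after the first .exe
        m = re.match(r'(.+?\.exe)\b', command, re.IGNORECASE)
        path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).lower()

def run_entries(log_text):
    """Map (hive, key, value name) -> executable name for every O4 Run line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = image_name(command)
    return entries

def compare(before, after):
    """Report Run values that changed target, disappeared, or are new."""
    old, new = run_entries(before), run_entries(after)
    report = {"retargeted": [], "removed": [], "added": []}
    for key in sorted(old.keys() | new.keys()):
        label = f"{key[0]} [{key[2]}]"
        if key in old and key in new:
            if old[key] != new[key]:  # same value name, different executable
                report["retargeted"].append((label, old[key], new[key]))
        elif key in old:
            report["removed"].append((label, old[key]))
        else:
            report["added"].append((label, new[key]))
    return report

if __name__ == "__main__":
    for kind, rows in compare(LOG_20_JULY, LOG_27_JULY).items():
        for row in rows:
            print(kind, *row)
```

A value name that reappears with a new target after a fix suggests something is still rewriting the Run entry, so the new executable needs attention as well as the registry value.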
 


All times are GMT -4. The time now is 07:12 AM.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums