Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.

#1

Hello,
I have read previous posts regarding this error, and have tried to clean but I haven't had any success. Please check my HijackThis log and advise what to clean up. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 2:58:44 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [vJtNk9] C:\documents and settings\joseph masciulli\local settings\temp\vJtNk9.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Startup: netdb.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtn_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter...0/SYSsfitb.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Thank You.

#2

Any help would be appreciated. I believe my IE has been hijacked. Thanks

#3

Hi rugby1,
Since I am answering in this thread, I'll lock the other duplicate one.

First step, make sure you have Hidden Files and Folders viewable: Click Start > My Computer > select the Tools menu > click Folder Options > select the View tab. Under the "Hidden files and folders" heading, select Show hidden files and folders. UN-check the "Hide protected operating system files (recommended)" option. Then click Yes.

Next, create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis into its own folder. HijackThis must run from its own folder (not the Desktop or Temp folders) as it creates backups in the folder it is run from, so if you should delete something accidentally, then you'll have those backups to restore from.

I am not finding any information on this BHO:
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

Could you please navigate to C:\Program Files\Common Files\ and zip up a copy of the midaddle folder (password protect it and use the word infected as the password) and email the zipped copy of the file for analysis to pieterATwilderssecurity.org (replace the AT with an @). In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily. Then upload the midaddle.dll file to Kaspersky for a scan (let me know what the scan results say about the .dll file, please).

Edit to add: rugby, upload the explorer.exe file that's in the C:\Windows\System32 folder to Kaspersky as well, and submit a zipped copy of it to Pieter. (Let me know what Kaspersky's scan result says about it too.)

****

Rescan with HijackThis and place a check beside the following items. Close ALL browsers and any other open windows, except HijackThis, and click *Fix checked*:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing) (Include this if you did not knowingly install it)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [vJtNk9] C:\documents and settings\joseph masciulli\local settings\temp\vJtNk9.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JOSEPH~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Startup: netdb.exe
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shoote...00/SYSsfitb.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Go to Add/Remove Programs and uninstall WinTools (if found).

Reboot your computer into Safe Mode by tapping the F8 key just before Windows begins to load.

Find and delete the following:

These folders:
C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools

These files:
C:\documents and settings\joseph masciulli\local settings\temp\tb_setup.exe
C:\documents and settings\joseph masciulli\local settings\temp\vJtNk9.exe
C:\WINDOWS\System32\NDrv.exe
C:\WINDOWS\System32\netdb.exe
C:\WINDOWS\System32\netdc.exe
C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\WINDOWS\system32\explorer.exe <-- NOTE, only delete the one in the Windows System32 folder, do not delete the legitimate explorer.exe in the Windows folder.

Reboot your computer normally, and use the Disk Cleanup Utility to clean out your Temp folders: Disk Cleanup Utility

Then follow up with a FULL system scan at one of these on-line scan sites: Free Services

Also, can you look in your Program Files folder and tell me if there is a WindowsSA folder there?

After you've done the above, post back a new log here in this thread to be checked.

Regards,
snap

More information:
wsaupdater: TROJ_BLAZEFIND.A
netdb & netdc: TROJ_DUMARIN.G
__________________
@-`-,--
Last edited by snapdragin : July 3rd, 2004 at 11:47 AM. Reason: more instructions added - snap

#4

Hi snap,
Thanks for the response. I have created a midaddle copy, but I don't know how to password protect it (Windows XP). I did run Kaspersky against it and it was clean. I did check it off in HijackThis, because I don't have a clue what it is, nor does my son who uses this computer. It has an uninstall.exe in it. Should I run that, or did I get rid of it in the HijackThis checkoff? I deleted the system32 explorer.exe before I could Kaspersky it. (duh) Would it be in my recycle bin, and if so should I restore it and scan it? I also ran a TrojanScan from your free services, and it came up clean. I uninstalled MSN Messenger, and I keep getting this error about it to send to Microsoft. Is this legit? Can't trust anything these days. Here is my HijackThis log, and thank you so much for all of your help.

Logfile of HijackThis v1.97.7
Scan saved at 1:35:38 AM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtn_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Thanks

#5

Hi rugby1,
That's ok, you can just send the zipped copy of the midaddle folder, and I'll let Pieter know it's coming. It definitely is something new if you don't know what it is, and I can't find anything on it. So yes, we would very much like a copy for sure so it can be put in for detection. Thank you rugby1.

For now, if you want to wait until Pieter has a chance to look through the folder and find out what it does (this will take a few days), you could back the midaddle folder up to a floppy for now (if it isn't too big) or move it to another location on your hard drive where it won't run. I don't want to suggest the 'uninstall' for it since most bad programs' uninstallers do not usually work, or worse, can reinfect you with something else. You've most likely killed the .dll since fixing it in HijackThis usually does do that.

Don't worry about the 'explorer.exe' file, and definitely don't restore it. We don't want it that badly where we want you to restore an infected file and end up reinfecting your clean computer again. Noooo!

Don't forget to empty your Recycle Bin, along with the temp folders and Temporary Internet Files. You can use the Disk Cleanup Utility for that.

I don't use MSN Messenger, so I'm not familiar with why you are getting an error message to report to Microsoft, but there is no reason you need to send a report back to Microsoft. You might want to look into this thread for a discussion on XP-Antispy and there's a similar program called Safe XP: http://www.wilderssecurity.com/showthread.php?t=26424

If you are no longer using the MSN chat client, then you can fix this line. In HijackThis, place a check beside the following item. Close ALL browsers, then click *Fix checked*:
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

That is good that you got an on-line trojan scan, but you really should do an on-line virus scan too. There is a list (Panda, Trendmicro, etc) at the link above in my post under Free Services.

Your log looks clean now, but if anything should pop back up that you are unsure of in the next few days, then come back to this thread and post a new HijackThis log. And check periodically too if Pieter, or myself, have replied to the thread about the midaddle folder.

Once you have done an on-line virus scan and are sure your system is clean, then turn off your System Restore and reboot your computer to purge old restore points. This will remove any infected files that would have been backed up in there: System Restore Instructions for XP. Then turn System Restore back on after a reboot, and set a new Restore Point.

Here are some steps to follow to help tighten your security and prevent future infection: Why did I get infected in the first place?

Regards,
snap
__________________
@-`-,--
Last edited by snapdragin : July 4th, 2004 at 04:00 AM. Reason: spelling error

#6

Hi snap,
Thank you again. Today the machine had a hard time booting up; we kept getting a screen apologizing and giving us options to start in Safe Mode, Last Good Config., or Start Normally. After several attempts it did come up. I did the wiping out of the restore points, and removed that MSN Chat using HijackThis. I activated the restore points, and ran Ad-Aware, and got the following, which kept coming up before too: HKEY_LOCAL_MACHINE:SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\Winlogon "Shell"(). Also, CWShredder is still removing CWS.Svchost32. Well, I rebooted and it is taking forever for this thing to come up. I do have Norton Antivirus, and have been running that every day for the last few days. It's not coming up now at all. Thanks, Frank

#7

Hi rugby1,
You may have to reinstall Norton if it is not working. It may have been damaged by the infection. Could you please post another HijackThis log so we can check it.

Regards,
snap
__________________
@-`-,--

#8

Hi snap,
I'm not able to get this machine to the blue screen. Like yesterday, I keep choosing the Safe Mode, Safe Mode Networking, Safe Mode Command, Last Good Config, and Start Windows Normally options, to no avail. I just get a dark screen. I tried booting from the Norton Antivirus disk and running NAVDX, but it only scans itself. I really don't know what to do next. Any help or suggestions will be welcomed. Thanks

#9

Hi rugby1,
I'm not sure what could be causing you not to be able to boot normally into Windows. Your last log looked clean and we didn't do any more fixes after that. Hang in there (don't turn your computer off yet) and I'll try and find one of the Windows Experts to come and take a look. They can be anywhere so it might take me a bit before I can find one.

Regards,
snap
__________________
@-`-,--

#10

Hi rugby1,
I've just been given some instructions that you can follow, and hopefully this will work.

Boot to the Recovery Console:
Description of the Windows XP Recovery Console: http://support.microsoft.com/default...b;EN-US;314058
(I'll also include this link for extra information) How to install and use the Recovery Console in Windows XP: http://support.microsoft.com/default...scid=kb;EN-US;

At C:\windows (or winnt) type:
cd system32
The directory should now be C:\windows\system32. Type:
copy userinit.exe wsaupdater.exe
1 file should be copied. Now REBOOT!

Let us know if you're able to get into Windows.

Regards,
snap
__________________
@-`-,-- |
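As an added example (not HijackThis code and not a tool from this thread), the script below triages HijackThis-style log lines for the entry classes snap acted on in post #3: Winlogon Shell/UserInit overrides, autoruns started from Temp folders, a second explorer.exe under System32, Trusted Zone additions, and O16 ActiveX controls hosted on a domain the same log trusts. Its UserInit check carries the lesson of post #10: when UserInit names a file other than userinit.exe, the registry value must be restored before that file is deleted, or Winlogon has nothing to start the desktop with. The sample lines are constructed after the log posted in #1, with the profile directory replaced by the placeholder <user>.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the log in post #1; <user> is a placeholder.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [vJtNk9] C:\documents and settings\<user>\local settings\temp\vJtNk9.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "F2" or "O4"
    reason: str
    line: str


WINLOGON_RE = re.compile(r"^F[02] - (?:REG:)?system\.ini: (Shell|UserInit)=(.*)$", re.I)
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (\S+)$")
DPF_RE = re.compile(r"^O16 - DPF: .*?- (https?://([^/\s]+)\S*)$", re.I)
TEMP_MARKERS = ("\\local settings\\temp\\", "\\locals~1\\temp\\", "\\windows\\temp\\")


def exe_path(command: str) -> str:
    """Return the program path of an autorun command without quotes or arguments."""
    m = re.match(r'\s*"?(.*?\.(?:exe|com|scr|bat|pif))(?:"|\s|$)', command, re.I)
    return m.group(1) if m else command.strip()


def check_winlogon(key: str, value: str):
    """Flag Winlogon Shell/UserInit values that differ from the Windows XP defaults."""
    if key.lower() == "shell":
        # Default is exactly "explorer.exe"; anything appended is started by
        # Winlogon beside the desktop at every logon (netdc.exe in the thread).
        if value.strip().lower() != "explorer.exe":
            return f"Shell starts extra program(s): {value.strip()}"
        return None
    # UserInit normally names System32\userinit.exe (with a trailing comma).
    # If it names another file and that file is deleted, logon stops at a blank
    # desktop: restore the value to userinit.exe first, then remove the file.
    progs = [p.strip().lower() for p in value.split(",") if p.strip()]
    if not progs or (not progs[0].endswith("\\userinit.exe") and progs[0] != "userinit.exe"):
        return f"UserInit does not run userinit.exe: {value.strip()}"
    if len(progs) > 1:
        return f"UserInit chains an additional program: {value.strip()}"
    return None


def check_run(name: str, command: str):
    """Flag autoruns launched from Temp or running an explorer.exe out of System32."""
    path = exe_path(command).lower()
    if any(marker in path for marker in TEMP_MARKERS):
        return f"autorun [{name}] starts from a Temp folder: {path}"
    if path.endswith("\\system32\\explorer.exe"):
        # The real shell is C:\WINDOWS\explorer.exe; a copy under System32
        # registered in Run is a second, unexpected "explorer".
        return f"autorun [{name}] runs explorer.exe from System32: {path}"
    return None


def host_in_zone(host: str, pattern: str) -> bool:
    """Match a hostname against an IE Trusted Zone entry such as *.example.com."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) or host == pattern[2:]
    return host == pattern


def triage(log_text: str):
    """Run every check over the log and return findings in log order."""
    findings, trusted, dpf = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        reason = None
        if m := WINLOGON_RE.match(line):
            reason = check_winlogon(m.group(1), m.group(2))
        elif m := RUN_RE.match(line):
            reason = check_run(m.group(2), m.group(3))
        elif m := TRUSTED_RE.match(line):
            trusted.append(m.group(1))
            reason = f"site added to the IE Trusted Zone (relaxed ActiveX settings): {m.group(1)}"
        elif m := DPF_RE.match(line):
            dpf.append((tag, m.group(2), line))
        if reason:
            findings.append(Finding(tag, reason, line))
    # Second pass: ActiveX controls (O16) fetched from a host the same log trusts.
    for tag, host, line in dpf:
        if any(host_in_zone(host, pat) for pat in trusted):
            findings.append(Finding(tag, f"ActiveX control downloaded from Trusted Zone host {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}")
```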

#11

Hi snap,
It finally came up. I don't want to shut this down again until I know it will definitely come back. I ran Norton Anti-Virus and it was clean. I don't have an internet connection for some reason. For some reason the new Belkin Router I just hooked up Saturday (because my 2-year-old Linksys hub? got trashed, possibly from a storm on Friday) will not give me a connection. I wonder if that router detected something and just won't allow access for this machine. I'll use their CD to try and establish that. Boy, did I pick a bad week to give up hard liquor. Anyway, the Ad-Aware is clean and so is the CWShredder. Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 12:08:55 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Common Files\Symantec Shared\ccLgView.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtn_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

I hope you can find the culprit(s). I really don't want to shut this down until I know I can get it back up. I'm trying to recall everything that has been done to this point. I still have show hidden files enabled. I did clean out those restore points. Midaddle is still in Program Files/Common Files. I should also note that when I was deleting wsaupdater.exe and netdc, I also deleted a copy found in a Prefetch directory. Thanks for all your help and attention to this matter. Thanks
#12
Hi rugby1,
I've just looked through your log and it's clean. But something must still be hiding for your computer to be acting like it is/was. But no, do not turn it off yet. I've put in a request for an Expert to advise on what next we can use to look into what might have caused the earlier episode of your getting a black screen (I also sent you an IM). So to make sure where we're at, you didn't have to follow my last instructions and restore the wsaupdater.exe using the Recovery Console then? I'm not seeing that file in your log. Can you do a search of your hard drive and see if you have a "WindowsSA"? I just want to know if it is present for now. Also, what reference file did you have at the time you did the scan with AdAware? Was it updated to the most recent update? As of today, the Reference Number is 01R326 01.07.2004. Regards, snap
__________________
@-`-,--
#13
Hi snap,
I do have a C:\Program File\WindowsSA last modified 6/9/2004. I do remember when I was deleting *.exe from your first response that I had to search for most of those exes, and anything that had their name I deleted: tb_setup, vJtNk9, NDrv, netdb, netdc, wsaupdater, sfpsvr. As I mentioned before, I even deleted some that were found in a prefetch subdirectory. The only one I was careful with was explorer.exe. Could I have deleted something that may be causing this problem? Thanks
#14
Hi snap,
I did confirm that the reference file used on Ad-aware is 01R326 01.07.2004. Thanks
#15
Hi rugby1,
Some malware files don't like to 'go', and if removed in the wrong way they can cause quite a bit of damage. Although the most recent updates of AdAware should no longer remove the wsaupdater.exe, if you had used AdAware with a reference file of 01R314 02.06.2004 or 01R320 19.06.2004, then that would have caused the inability to log back into Windows. But we removed it manually with Hijackthis, as those were the advised steps to take with that particular nasty. But read through this carefully and check the registry keys manually as per the instructions: http://www.lavahelp.com/articles/v6/04/06/0901.html I'm not sure if you still need to restore the wsaupdater.exe or not at this point, since you've been able to get back into Windows. I'd rather an Expert advise when it comes to restoring a malware file as nasty as that one. For now, please check for the keys in the registry and let me know if they are there. Also, can you download the newer version of Hijackthis, 1.98? It shows a bit more information. You can download it from here: http://www.wilderssecurity.com/showthread.php?t=12516 and post a new log. It was also suggested that you could uninstall the BigFix through Add/Remove Programs, as it does sometimes cause problems. It doesn't sound like this is a related problem at this point, but it might be something to consider later if you've received any error messages with BigFix: http://support.microsoft.com/?kbid=318571 Regards, snap
__________________
@-`-,--
#16
Hi snap,
I verified that C:\Windows\System32\userint.exe is in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. So it doesn't look like that's the culprit, but I do remember seeing that being deleted by Ad-aware for a while. I'm still trying to get that machine networked again so I can download the latest Hijackthis and send you that log. Thanks
#17
Hi rugby1,
Hijackthis is small enough that you can download it to a floppy and take it over to the other computer, run it, save the log to the floppy, then bring it back to the computer you are using to access the net and post the log here. Regards, snap
__________________
@-`-,--
#18
Hi snap,
Here it is:

Logfile of HijackThis v1.98.0
Scan saved at 5:01:19 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe
A:\HijackThis1980.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtn_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

Thanks
#19
Hi snap,
When I was deleting BigFix from the Add/Remove Programs I noticed a few others that I don't really recognize: CasProg, CompuServe20000, IEHOST, Winamp, midAdle, SEP. Why are there two Internet Explorers, Internet Explorer Q831167 and Internet Explorer 6 SP1? Thanks
#20
Hi rugby1,
I was just typing up my next post for you. Well, your last log is looking pretty good, but we still have to delete the WindowsSA folder, since it contains the malware files and we don't want it starting all over again. Let's start here:

In Hijackthis place a check beside the following items. Close ALL browsers and any other open windows or programs, and click Fix checked:

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

Then find and delete this folder: C:\Program Files\WindowsSA

If it won't let you delete it, then you will have to try and delete it in safe mode. Also, can you look in your Windows\System32 folder for NDrv.dll? That dll usually accompanies the NDrv.exe which we deleted earlier, so if you find that, delete it.

The Internet Explorer entries are in your Add/Remove like that because some of Microsoft's Hotfixes/critical updates (that's the entry with the #) can be removed (not recommended, as updates are needed), and the one with the SP1 means you have installed Service Pack 1 for your IE, which is always recommended. The CasProg, CompuServe20000, and SEP I am not familiar with. The IEHOST is something we usually fix and remove. You can check for it in C:\WINDOWS\System32\IEHost.exe With that .exe it usually shows up in the O4 entries in Hijackthis, but it isn't in yours that I can see from your earlier logs, or I would have had you fix it and delete the IEHost.exe file in the System32 folder. If you find it, you can always check it by uploading it for a scan at Kaspersky's or right-clicking on the file and looking under its Properties to see when it was added, etc. The Winamp is a media player (I have it too) and there is nothing wrong with it (your son would be familiar with it). The midAdle we looked at earlier and I have not yet heard back from Pieter about it. We didn't delete the folder since we were unsure what it was for, but you can try the uninstall through the Add/Remove programs if you'd like. Can you send another zipped copy of the midAdle folder to This Email Address for analysis? dvk01 is a Spyware Moderator and hopefully he will be able to find out what the files in that folder do. Almost forgot, please reboot your computer and post a new log so we can check it. Regards, snap
__________________
@-`-,--
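The triage snap does by eye above (entries marked "(file missing)" or "(no file)", anything launched from the WindowsSA folder, and O16 ActiveX downloads from hosts nobody has vetted) can be written down as a small HijackThis log parser. This is an added example, not code from the thread or from HijackThis itself; the trusted-host list, the quarantined-folder list and the sample log are constructed for the demo (the wsaupdater O4 line is made up, modelled on the WindowsSA infection discussed here).

```python
import re
from dataclasses import dataclass

# Matches the "Oxx - ...", "Rx - ..." and "Fx - ..." entry lines; the header and
# "Running processes" list are skipped by the parser.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<rest>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
# A Windows path to an executable/library as it appears in O2/O3/O4/O9/F2 entries.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

# Assumption for this example: hosts a helper has already reviewed as legitimate O16 sources.
TRUSTED_CAB_HOSTS = ("macromedia.com", "microsoft.com", "yahoo.com", "yimg.com", "symantec.com")
# Folder the thread identified as holding the malware files (Troj Blazefind.A / WindowsSA).
QUARANTINED_DIRS = (r"C:\Program Files\WindowsSA",)

# Constructed sample log, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wsaupdater] C:\Program Files\WindowsSA\wsaupdater.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, line) for each HijackThis entry line, in log order."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), raw.strip()))
    return entries


def triage(log_text, trusted_hosts=TRUSTED_CAB_HOSTS, quarantined_dirs=QUARANTINED_DIRS):
    """Flag the entries a helper would look at first; everything else stays for manual review."""
    findings = []
    for section, line in parse_entries(log_text):
        low = line.lower()
        # Dangling references (target gone) are safe to fix in HijackThis and are
        # typically debris from a half-removed program, like MaxSpeed/MoneySide above.
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(section, "target file missing", line))
            continue
        for path in PATH_RE.findall(line):
            if any(path.lower().startswith(d.lower()) for d in quarantined_dirs):
                findings.append(Finding(section, f"runs from quarantined folder {path}", line))
        if section == "O16":  # ActiveX (DPF) downloads: check the serving host
            m = URL_RE.search(line)
            host = m.group(1).lower() if m else ""
            if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
                findings.append(Finding(section, f"ActiveX download from unreviewed host {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample log this yields four findings: the WindowsSA O4 entry, the two dangling O9 entries, and the flipside.com O16 download; the yahoo.com O16 entry and the Symantec O4 entry pass.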
#21
Hi snap,
Thanks for your response. I'm still a little leery about rebooting this thing. Remember the past two times I had to reboot this machine it went to a black screen, and I wasn't able to get Windows to come up for several hours. Did you check with the OS people for any clues, or is there a way for me to force a restore point so when I do reboot it, it will definitely come up? Thanks
#22
Since you had cleared your System Restore, then the only restore point you will have now is for the last time you successfully booted into windows. So yes, make sure you have set a System Restore Point before you do anything else.
I know you are nervous about deleting the WindowsSA folder, but to keep it is to become reinfected all over again. The files in that folder are malware, no doubts about it. I've given a link above in my first post (that would be Post #3) for Troj Blazefind.A if you want to go there first and read more details on manual fix of the registry and removal of the malware files/folders associated with it. That might help make your decision. But the malware files can't stay on your computer, because once you connect to the internet again, they will download more malware files. Have your bootup discs handy and your XP CD disc, but I am hoping you will be able to boot fine. Regards, snap
__________________
@-`-,--
#23
Hi snap,
It still has that problem, and won't boot up past the blue screen. I posted a message in the other Forum as you suggested, with a link to this thread. I will wait and see if anyone responds to it. I zipped and sent the midAdle folder to that email address requested in your previous post. I'm unable to give you a new Hijackthis log, because the machine won't come up. I tried to boot it from a floppy that I made yesterday with no luck; error message: biosinfo.inf could not be loaded, error code 4096. Thanks

As advised, Member receiving additional help in this thread: http://www.wilderssecurity.com/showthread.php?t=39990 - snap

Last edited by snapdragin : July 9th, 2004 at 03:56 AM.