Always Learning NOT to Trust computers

Discussion in 'adware, spyware & hijack cleaning' started by huroncomputers, May 16, 2004.

Thread Status:
Not open for further replies.
  1. huroncomputers

    huroncomputers Registered Member

    Joined:
    May 16, 2004
    Posts:
    1
    Just had to look at my wife's system, having got her home page grabbed by Spy Wiper's site, Default-homepage-network.com.

    She has up to date Norton Antivirus 2004 and runs Spybot all the time, but still got popped.

    Installed Ad-Aware, updated, got another 44 traces that got deleted.

    Installed CWShredder and updated - had one that infected Media Player.

    Installed SpywareBlaster, but wasn't able to update because of having to download the new version. Protected against the existing ones on the old version.

    Tried to install Spysweeper, but got an error message on attempting to run the scan. It DID detect the wife's Gator that she insists on having.

    THEN, I installed AVG and updated it. It found 18 viruses that Norton had not found!!!

    Here is the AVG log:

    Results of Complete Test, date and time 5/16/2004 19:30:08 :

    Testing C:\ serial C0CF-E051
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\GOBACKIO.BIN Cannot open; not checked!
    C:\WINDOWS\INFAMOUS.EXE repaired
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\AL\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\AL\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\CONTENT.IE5\MH3810JI\OBJECT~1.HTA Could be infected Startpage
    C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\CONTENT.IE5\G9EB8HE3\BDL140~1.EXE Trojan horse Revop.C
    C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\CONTENT.IE5\GTQFCPIV\INFAMO~1.EXE repaired
    C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\CONTENT.IE5\U729MNOP\HP1_1_~1.EXE Trojan horse Downloader.Small.5.Y
    C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\CONTENT.IE5\49YV4PEV\EXPLOI~1.EXE repaired
    C:\Documents and Settings\AL\Local Settings\Temporary Internet Files\CONTENT.IE5\LAB3SHOA\OBJECT~1.HTA Could be infected Startpage
    C:\Documents and Settings\AL\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\AL\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\SYMLCSYS.DLL Cannot open; not checked!
    C:\Program Files\Windows Media Player\WMPLAY~1.TMP Trojan horse Downloader.Small.5.Y
    C:\Program Files\Serials 2000\S2K030~1.ZIP:\Liveshow.exe Trojan horse Dialer
    C:\Program Files\Serials 2000\S2K~1.030\LIVESHOW.EXE Trojan horse Dialer
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP234\A0060936.EXE Trojan horse Downloader.Small.5.Y
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP234\A0060941.EXE Trojan horse Downloader.Small.5.Y
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP234\A0060942.EXE Trojan horse Downloader.Small.5.Y
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP234\A0060943.EXE Trojan horse Downloader.Small.5.Y
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP234\A0060954.DLL repaired
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP196\A0052610.EXE repaired
    C:\System Volume Information\_restore{4402C6E8-E9F9-45B8-BCB5-022A230F8521}\RP196\A0052626.EXE repaired
    C:\RECYCLED\DC1.EXE Trojan horse Downloader.Small.5.Y

    Test finished, duration 00:27:43.7 s
    30951 objects tested, 18 found infected

    I took care of the one file NOT repaired. It had been on the system for over a year!

    Logfile of HijackThis v1.97.7
    Scan saved at 7:46:41 PM, on 5/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\PrecisionTime\PrecisionTime.exe
    C:\Program Files\Gator.com\Gator\Gator.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euchreclub.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://world.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Netpenny, Inc.
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.euchreclub.com"); (C:\Documents and Settings\Al\Application Data\Mozilla\Profiles\default\863adxh8.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Al\Application Data\Mozilla\Profiles\default\863adxh8.slt\prefs.js)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\olescn16.dll
    O2 - BHO: (no name) - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: iLOR Toolbar - {EDFB8B62-59EE-11d5-86C2-00E02975242F} - C:\WINDOWS\System32\Ilorbar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [VirtuaReminder] C:\Program Files\VirtuaReminder\VirtuaReminder.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
    O8 - Extra context menu item: Allow popups - file://C:\Program Files\Ultimate Popup Killer\Popupkiller.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://world.yahoo.com
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hweuchre_scecab_63.246.70.126.2966610474781941279_326155.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://play.igl.net/clo/install/CLOActiveXInstallerProj1.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37913.115787037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CD0FB3-6001-44F7-9451-A618CD04AD40}: NameServer = 216.138.134.10 216.138.134.11

    Let me know of any suggestions (Besides getting rid of Gator! LOL) that I can do to help her out!

    Thanks! Al
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi huroncomputers,

    OK, first off: http://www.roboform.com/gator.html :cool:

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

    O2 - BHO: (no name) - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\olescn16.dll

    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q

    O4 - HKCU\..\Run: [VirtuaReminder] C:\Program Files\VirtuaReminder\VirtuaReminder.exe

    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe

    Then disable System Restore. Reboot and re-enable System Restore:
    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    After you have replaced Gator with RoboForm, delete:
    C:\Program Files\Common Files\CMEII <= entire folder
    C:\Program Files\Date Manager <= entire folder
    C:\Program Files\PrecisionTime <= entire folder
    C:\Program Files\Common Files\GMT <= entire folder
    C:\Program Files\Gator.com <= entire folder

    Regards,

    Pieter
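The reply above works through the HijackThis log by hand: orphaned O2 BHO entries (a registered CLSID whose DLL is "(no file)") and O4 startup items that launch software from folders the helper says to remove entirely. The following is an added example, not code from the thread and not part of HijackThis or any other tool named here; it parses the O2/O4 line formats as they appear in the log above and applies just those two rules. The flagged-folder list is copied from the reply and is an input to the script, not a general blocklist, and the sample log is a constructed subset of the lines quoted in the thread. Judgements that depended on the helper's knowledge, such as the unnamed `olescn16.dll` BHO, are deliberately not encoded, so that entry stays unflagged and must still be reviewed by a person.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis lines quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\olescn16.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
"""

# Folders the reply above says to delete entirely (taken from the thread, not a general blocklist).
ADWARE_FOLDERS = (
    r"C:\Program Files\Common Files\CMEII",
    r"C:\Program Files\Date Manager",
    r"C:\Program Files\PrecisionTime",
    r"C:\Program Files\Common Files\GMT",
    r"C:\Program Files\Gator.com",
)

# Line shapes as they appear in HijackThis 1.97 output.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<path>.*)$")


@dataclass
class Entry:
    section: str  # "O2", "O4-Run" or "O4-Startup"
    name: str     # BHO display name, Run value name or .lnk name
    path: str     # file the entry points at; "(no file)" for an orphaned BHO
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def executable_from_command(cmd: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take up to the first ".exe" that ends a token, else the first token.
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_hijackthis(text: str) -> List[Entry]:
    """Extract O2 BHO and O4 autostart entries; other sections are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"].strip(), line))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4-Run", m["name"], executable_from_command(m["cmd"]), line))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4-Startup", m["name"], m["path"].strip(), line))
    return entries


def in_folder(path: str, folder: str) -> bool:
    """Case-insensitive test that a Windows path lies inside folder (not merely shares a prefix)."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def triage(text: str) -> List[Finding]:
    """Apply the two rules the reply uses: orphaned BHOs and autostarts from flagged folders."""
    findings: List[Finding] = []
    for e in parse_hijackthis(text):
        if e.section == "O2" and e.path == "(no file)":
            findings.append(Finding(e, "orphaned BHO: CLSID registered but no DLL on disk"))
            continue
        for folder in ADWARE_FOLDERS:
            if in_folder(e.path, folder):
                findings.append(Finding(e, f"autostart from flagged folder {folder}"))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry.section}] {f.entry.name!r}: {f.reason}")
```

Run against the sample, it reports the orphaned BHO and the CMESys, Gator eWallet and GStartup autostarts, which matches four of the items the reply tells the poster to fix; everything else stays for manual review.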
     