Browser Hijacked...

Discussion in 'adware, spyware & hijack cleaning' started by kiwijetpilot, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Hi all,

    I'm having a problem with something that, every ten minutes or so, takes over my browser (or starts it), and invites me to download and install some software from someone called MediaTickets, in order to view content on what looks like a porn site.

    SpywareBlaster doesn't seem to see it, neither does Ad-Aware. Anybody have any idea what it is?

    I have tried doing a system restore and deleted everything Ad-Aware found. Running out of ideas...

    More information: the site it is trying to get me access to is www.silvermagnet.com/babe. It attempts to get me to accept the software four times before it lets go. Maybe I should capitulate...

    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:17:53 p.m., on 3/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\wuam.exe
    C:\WINDOWS\essspk.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Paltalk\pnetaware.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\SIMON~1.SIM\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12
     
    Last edited: Jun 3, 2004
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Howdy, and welcome to Wilders! I've moved you to what I think is the best forum section for solving your problem. I do believe that if you follow the directions given in the "posting your HijackThis log" thread in this section, one of our experts will get you sorted as fast as possible!
     
  3. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi kiwijetpilot,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe

    Then reboot and let us know if that cures it.
    Could you please mail me a (preferably zipped) copy of:
    C:\WINDOWS\System32\wuam.exe
    Use the address in my profile please.

    Regards,

    Pieter
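Pieter's triage above picks the three wuam.exe entries out of the O4 lines by eye. As an added example (not code from the thread, from HijackThis or from its authors), the Python script below applies the same reading mechanically: it flags autostart commands given as a bare file name, the same image registered in more than one autostart location, and use of the legacy RunServices key, then resolves a bare name against the "Running processes" block. The sample log text is constructed from the first log posted above.

```python
"""Triage HijackThis O4 (autostart) entries the way a log reader does by hand.

Added example, not part of the thread or of HijackThis. Heuristics:
  * command given as a bare file name (no path), so Windows resolves it
    through its search order rather than from a fixed location;
  * the same image registered in more than one autostart location;
  * use of the legacy RunServices key, which normal software rarely uses.
The score counts how many of these apply; it is a triage aid, not a verdict
(RunDll32 scores 1 here only because it is a bare host name).
"""
import re
from collections import defaultdict

# Constructed sample: running-process and O4 lines taken from the first log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuam.exe
C:\WINDOWS\essspk.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
"""

# Matches e.g.  O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Unquoted command: take everything up to the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|cpl|scr|bat))(?:\s|$)", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def image_of(cmd):
    """Return (file name lower-cased, had_path) for an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # "C:\dir with spaces\x.exe" /args
        exe = cmd[1:].split('"', 1)[0]
    else:                                   # x.exe, C:\dir with spaces\x.exe, host args
        m = EXE_RE.match(cmd)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower(), "\\" in exe


def triage(log_text):
    """Score every registry-backed autostart image, highest score first.

    Returns a list of (image, score, reasons). Startup-folder .lnk lines are
    not registry entries and do not match O4_RE, so they are skipped.
    """
    seen = defaultdict(lambda: {"reasons": set(), "where": set()})
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image, had_path = image_of(m["cmd"])
        rec = seen[image]
        rec["where"].add(m["hive"] + "\\" + m["key"])
        if not had_path:
            rec["reasons"].add("bare file name, located via search order")
        if m["key"] == "RunServices":
            rec["reasons"].add("legacy RunServices key")
    result = []
    for image, rec in seen.items():
        if len(rec["where"]) > 1:
            rec["reasons"].add("registered in %d autostart locations" % len(rec["where"]))
        result.append((image, len(rec["reasons"]), sorted(rec["reasons"])))
    return sorted(result, key=lambda t: (-t[1], t[0]))


def running_paths(log_text, image):
    """Full paths in the 'Running processes' block whose file name is image."""
    suffix = "\\" + image.lower()
    return [ln.strip() for ln in log_text.splitlines()
            if PATH_RE.match(ln.strip()) and ln.strip().lower().endswith(suffix)]


if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_LOG):
        print(score, image, "; ".join(reasons), running_paths(SAMPLE_LOG, image))
```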
     
  5. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Well, tried that and couldn't find wuam.exe or even wuam.*, using the standard XP Pro search, looking in hidden files and folders.

    However, I let HijackThis fix the entries, and so far the problem hasn't recurred.

    Any idea how this got to my PC, and how to prevent it?

    Cheers,

    Simon
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  7. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Thanks for that. I got curious and did a search... I assume I had the W32/Rbot-M worm. At least that seems to be the case from information on the Sophos site.

    Again, thanks for all the help!

    Simon
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  9. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Further to this, I have discovered that although running HijackThis, and "fixing" the three files noted above, solves the problem, it only lasts until I reboot the PC, at which point we are back to the same problem.

    Anybody know how to fix it so that it doesn't load at startup?

    Only Sophos seems to know about this worm, I haven't found any other references to it on other virus sites.

    Any ideas?

    Thanks!
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you post a new HijackThis log?
    And let me know if there are any other actively used user accounts.

    Regards,

    Pieter
     
  11. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    OK, here you go.

    There are four user accounts in total, only three are likely to have accessed the internet.

    A couple of other things.

    The PC has been sitting idling for about six hours, with no new instances of the problem. However, I just had another example of its behaviour - a browser opening and inviting me to install some software from MediaTickets - roughly ten minutes or so since I first opened Internet Explorer (which is the usual frequency that the problem occurs at). My PC is connected to the internet via an "always on" cable connection. When I disable the connection, the problem seems to go away.

    I complained to MediaTickets, the company whose software appears to want me to install it. They have a website (www.mediatickets.net) which gives some clue as to how their software works. This was the reply (from stan@mediatickets.net):

    So I did that, but the problem persists - although after running the downloaded removal tool, it indicated the program had been removed.

    The reason I mention this, is that it appears that the problem may not be a virus exactly.

    I downloaded a trial version of Sophos, but it only found four examples of the Sasser worm, in backup files I made before a recent re-installation of XP. I have instructed Sophos to disinfect them.

    Anyway, here is the log - made just before the last occurrence:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:54:12 a.m., on 9/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\essspk.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuam.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Paltalk\pnetaware.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Zips and Exes\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12


    Cheers,

    Simon
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Simon,

    I would be very surprised if this is not something far more nasty, evil and viral than MediaTickets:
    C:\WINDOWS\System32\wuam.exe

    I want to get rid of that first. If it solves the MediaTickets mystery as well, I'll jump for joy.

    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this in the dialog box: wuam.exe

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    Regards,

    Pieter
     
  13. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Even more:

    Although I still can't find wuam.exe, I did find a file called WUAM.EXE-09C950C6.pf. This lives in C:\windows\prefetch. Is that of interest to you? I can't email it to you as your email is disabled, and I don't think I can attach to a private message.

    Cheers,

    Simon
     
  14. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    I can't get to the page you mention, to get RegSrch.vbs. I get the old "The page cannot be displayed" line. Anywhere else I can get it?

    Cheers,

    Simon
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Here you go.

    Regards,

    Pieter
     

    Attached Files:

  16. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Thanks for that. Here you go:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "wuam.exe" 9/06/2004 1:48:16 a.m.

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"="wuam.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Microsoft Update Time"="wuam.exe"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"="wuam.exe"

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Google\NavClient\1.1\History]
    "wuam.exe"=hex:1c,3c,bf,40

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
    "000"="wuam.exe"

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
    "f"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\pf]
    "a"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"="wuam.exe"

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"="wuam.exe"
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi kiwijetpilot,

    First "unhide" hidden files and folders like this:
    Launch My Computer from the Desktop Icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View tab. Make sure the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Then open up Task Manager and end task wuam.exe

    Then copy the part in bold below into notepad and save it as wuamrun.reg

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Microsoft Update Time"=-

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"=-

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"=-

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Time"=-


    Then double-click the file and confirm you want to merge it with the registry.
    Then reboot and you should be able to find and delete:
    C:\WINDOWS\System32\wuam.exe

    If not, post back.

    Regards,

    Pieter
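The .reg file above was written by hand from the RegSrch results. As an added example (not code from the thread or from RegSrch.vbs), this Python script parses RegSrch-style REGEDIT4 output and generates that deletion file automatically, keeping only the Run/RunServices keys and leaving the MRU and history hits, which merely record that the file was searched for, untouched. The sample input is constructed from the results posted earlier in the thread.

```python
"""Turn RegSrch-style REGEDIT4 output into a REGEDIT4 file that deletes the
autostart values pointing at a given file.

Added example, not code from the thread or from RegSrch.vbs. Only values
under ...\CurrentVersion\Run, RunOnce, RunServices and RunServicesOnce are
selected; OpenSaveMRU, Search Assistant and toolbar history hits only show
that the file was searched for and are left alone, as in the hand-written
file above. In REGEDIT4 syntax, "name"=- deletes the named value.
"""
import re

# Constructed sample, abridged from the RegSrch results posted in this thread.
SAMPLE_SEARCH = r"""REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "wuam.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Google\NavClient\1.1\History]
"wuam.exe"=hex:1c,3c,bf,40

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="wuam.exe"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data ; the name keeps REGEDIT4 escaping so it can be written back as-is
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(?:Once|Services|ServicesOnce)?$", re.I)


def parse_reg(text):
    """Yield (key, value_name, value_data) triples from a REGEDIT4 export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue                      # header and comment lines
        m = SECTION_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m["name"], m["data"]


def find_autostart_values(search_output, target):
    """(key, value_name) pairs under an autostart key whose data names target."""
    target = target.lower()
    return [(key, name) for key, name, data in parse_reg(search_output)
            if AUTOSTART_RE.search(key) and target in data.lower()]


def deletion_reg(search_output, target):
    """REGEDIT4 text that deletes the matching autostart values, or "" if none."""
    hits = find_autostart_values(search_output, target)
    if not hits:
        return ""
    out = ["REGEDIT4", ""]
    for key, name in hits:
        out += ["[%s]" % key, '"%s"=-' % name, ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(deletion_reg(SAMPLE_SEARCH, "wuam.exe"))
```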
     
  18. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    OK, did all that successfully, but still no wuam.exe. Is this file actually meant to be there...o_O Only other difference is that wuam.exe is no longer running in Task Manager. Here is the latest RegSrch output:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "wuam.exe" 9/06/2004 2:32:45 a.m.

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Google\NavClient\1.1\History]
    "wuam.exe"=hex:1c,3c,bf,40

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
    "000"="wuam.exe"

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
    "f"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

    [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\pf]
    "a"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"


    This is fun, in a perverse kind of way...!!!

    Cheers,

    Simon
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    We are making progress if it is no longer running and all the startups are gone.

    If you look at the running processes of your log from 12:54:12 a.m., on 9/06/2004
    you will see that the file exists. It runs, therefore it is, to twist Descartes' arm. :)

    Ok next stage, removing it.

    Surf to http://download.broadbandmedic.com/
    and download The Killbox.

    Run the program and copy&paste the full path in the dialog box.
    C:\WINDOWS\System32\wuam.exe

    Then see to it that there is a checkmark in the backup box and use the Kill File button.

    Regards,

    Pieter
     
  20. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    I'm sure Descartes won't mind!

    OK did all that. Killbox found and deleted the file. I did ask for a backup (default position anyway), but I have no idea where killbox put it, or what it is now called! I tried searching for wuam.* but had no success. I really want to send you this file!

    Cheers,

    Simon
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Look whether C:\!Submit\[date], with today's date, exists.
    If it does zip it up and mail it to me.

    Regards,

    Pieter
     
  22. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    No, that doesn't exist... well I can't find it, anyway. Maybe it does exist and I am selectively refusing to see it. Maybe I have an anti-wuam.exe psychosis. Maybe the world is no longer turning... :D
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    At the risk of wasting our time, could you post one more HijackThis log?

    Regards,

    Pieter
     
  24. kiwijetpilot

    kiwijetpilot Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    14
    Certainly!

    I emailed the Killbox people to ask about where it stores its backup files, but haven't heard back yet.

    Just wondering - the log below lists two system32 folders, one System32 (big S) one system32 (small s). Windows explorer only shows one folder (small s). There appear to be two iterations of some processes running. Should I be worried, or is that simply paranoia...o_O

    Enjoy...

    Simon
    ----------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 10:05:06 p.m., on 9/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\essspk.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Paltalk\pnetaware.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Zips and Exes\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi kiwijetpilot,

    No need for that. It makes a C:\!Submit\[date] folder to store the backups. ;)

    Paranoia. :D On both counts.
    Windows makes no difference between capital and lowercase.
    Several processes (like svchost.exe) are supposed to be present several times.

    Clean, I'm happy to say.

    Regards,

    Pieter
     