casino palazza, nasty sex etc

Discussion in 'adware, spyware & hijack cleaning' started by ndmonkey, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. ndmonkey

    ndmonkey Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    11
    Hi I'm so glad I found this forum. I purschased Spy Killer before realising it is scumware and I had no idea how to reach other people with knowledge of the virus/trojan etc. I think in my particular case I have a virus which affects my online searches and causes pop-ups (and unders). My home page changes between coolsearch and some res:// prefix. I've tried following tips to rename the start page in the IE/All section of the registry but each time the browser is closed/opened, it resets to the bad page. Also several adult links are dumped in my favourites. An shortcut icon that points to IE (usually teensex or something) is left on my desktop. When leaving IE open for a while, a few adult websites will open every few minutes. I don't know if this is related but I also used to get the "messenger" pop-ups until I turned off the messenger service.

    I have downloaded and used AdAware and now HiJackthis. Below are the contents of the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:18:32, on 26/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\VVSN\VVSN.exe
    C:\WINDOWS\System32\services\msxmidi.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\uvucivz.exe
    C:\Program Files\TrojanHunter 3.9\THGuard.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\program files\internet optimizer\sim\msbb.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Program Files\Save\Save.exe
    C:\Program Files\Kontiki\bin\kontiki.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\Documents and Settings\nickroman\Application Data\etrr.exe
    C:\WINDOWS\System32\wapicc.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=137837
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=137837
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=137837
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://bwtxo.dll/index.html#96676
    F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [4A29F13E] C:\WINDOWS\System32\mannaydqq.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [otdimadru] C:\WINDOWS\System32\uvucivz.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [s4L7fa] C:\documents and settings\nickroman\local settings\temp\s4L7fa.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AutoLoaderwsqt1bTgKQXO] "C:\WINDOWS\System32\lfcoader.exe" /PC="POP.WILD_EU" /HideUninstall
    O4 - HKLM\..\Run: [wF9R3nO] lfcoader.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] c:\program files\internet optimizer\sim\msbb.exe
    O4 - HKLM\..\Run: [gdqnijar] C:\WINDOWS\gdqnijar.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O4 - HKCU\..\Run: [Aceu] C:\Documents and Settings\nickroman\Application Data\etrr.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapicc.exe
    O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: bet365 Poker (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
    O16 - DPF: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - http://www.cameup.com/download2/ToolBand.cab
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD7FB29BFA7D} - http://www.netfreestuff.com/toolbar/test/nfsbar.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi ndmonkey

    Download cwshredder here Close all browser windows and click on the fix/next button.

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Run HJT again and pls. post a FRESH log. Thanks.
     
  3. ndmonkey

    ndmonkey Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    11
    Hi Marianna

    Thanks for helping so much, it has now stopped with the static browser and no popups just yet. I ran CW Shredder and Ad-Aware not SpyBot but it seems to have done some good.

    I would be grateful if you could have a look at the new log anyway just to make sure.

    Thanks - Nick


    Logfile of HijackThis v1.97.7
    Scan saved at 11:49:11, on 27/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\TrojanHunter 3.9\THGuard.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\System32\MstInst.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\windows\system32\idecntl.exe
    C:\windows\system32\sncntr.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\windows\system32\qsearch.exe
    C:\Program Files\Kontiki\bin\kontiki.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://bwtxo.dll/index.html#96676
    F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [4A29F13E] C:\WINDOWS\System32\mannaydqq.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [s4L7fa] C:\documents and settings\nickroman\local settings\temp\s4L7fa.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [AutoLoaderwsqt1bTgKQXO] "C:\WINDOWS\System32\lfcoader.exe" /PC="POP.WILD_EU" /HideUninstall
    O4 - HKLM\..\Run: [wF9R3nO] lfcoader.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [gdqnijar] C:\WINDOWS\gdqnijar.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [MsdInfo] C:\WINDOWS\System32\MstInst.exe
    O4 - HKLM\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [QSearch] c:\windows\system32\qsearch.exe /install
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [Aceu] C:\Documents and Settings\nickroman\Application Data\etrr.exe
    O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
    O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: bet365 Poker (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD7FB29BFA7D} - http://www.netfreestuff.com/toolbar/test/nfsbar.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi ndmonkey,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://bwtxo.dll/index.html#96676
    F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll

    O4 - HKLM\..\Run: [4A29F13E] C:\WINDOWS\System32\mannaydqq.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

    O4 - HKLM\..\Run: [s4L7fa] C:\documents and settings\nickroman\local settings\temp\s4L7fa.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [AutoLoaderwsqt1bTgKQXO] "C:\WINDOWS\System32\lfcoader.exe" /PC="POP.WILD_EU" /HideUninstall
    O4 - HKLM\..\Run: [wF9R3nO] lfcoader.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [gdqnijar] C:\WINDOWS\gdqnijar.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [MsdInfo] C:\WINDOWS\System32\MstInst.exe
    O4 - HKLM\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [QSearch] c:\windows\system32\qsearch.exe /install
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [Aceu] C:\Documents and Settings\nickroman\Application Data\etrr.exe
    O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe

    O9 - Extra button: bet365 Poker (HKLM)

    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD7FB29BFA7D} - http://www.netfreestuff.com/toolbar/test/nfsbar.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Then reboot into safe mode and delete:
    C:\Program Files\AutoUpdate <= entire folder
    C:\Program Files\VVSN <= entire folder
    c:\windows\system32\idecntl.exe
    C:\Program Files\WindowsSA <= entire folder
    C:\Windows\System32\wsaupdater.exe
    C:\Documents and Settings\nickroman\Application Data\etrr.exe

    And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

    Then I would like you to find the following files and mail them to me if you have them:
    C:\WINDOWS\system32\notepad.com
    C:\WINDOWS\System32\MstInst.exe
    lfcoader.exe
    Please send them (preferably zipped) to pieterATwilderssecurity.org (replace AT with @)

    Regards,

    Pieter
     
  5. ndmonkey

    ndmonkey Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    11
    I shall do tonight Pieter, thanks
     
  6. ndmonkey

    ndmonkey Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    11
    I tried to follow your instructions but some of the files were not available to delete. I removed/fixed the rest of it through safe mode, but on the new reboot, similar websites/popups are appearing.

    I have prepared a new HijackThis log: (I also couldnt get the other two files - the nearest available was notepad.EXE




    Logfile of HijackThis v1.97.7
    Scan saved at 00:10:21, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\addol32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\ntzr.exe
    C:\windows\system32\aulecvdc.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bqvrc.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O2 - BHO: (no name) - {BC202B40-4228-E5C4-D46E-F1D1D27E63DE} - C:\WINDOWS\system32\ipzn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [ntzr.exe] C:\WINDOWS\ntzr.exe
    O4 - HKLM\..\Run: [AULECVDC] c:\windows\system32\aulecvdc.exe /install
    O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: winlgn.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi ndmonkey,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\addol32.exe
    C:\WINDOWS\ntzr.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bqvrc.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
    O2 - BHO: (no name) - {BC202B40-4228-E5C4-D46E-F1D1D27E63DE} - C:\WINDOWS\system32\ipzn.dll

    O4 - HKLM\..\Run: [ntzr.exe] C:\WINDOWS\ntzr.exe

    O4 - Global Startup: winlgn.exe

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\WINDOWS\addol32.exe
    C:\WINDOWS\ntzr.exe
    C:\WINDOWS\system32\ipzn.dat
    C:\WINDOWS\system32\bqvrc.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.