Driving me crazy!

Discussion in 'adware, spyware & hijack cleaning' started by OliverX669, Apr 13, 2004.

Thread Status:
Not open for further replies.
  1. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello,

I wonder if someone can help me with this infuriating problem. My PC seems to be infected with a virus, or something I don't understand.

    I run Hijackthis and the log file is copied here.

    Scan saved at 13:26:46, on 13/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\GRISOF~1\avgserv.exe
    C:\TURNPIKE\INSIGHT\ARMon32a.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WinfaxPro\WFXMOD32.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\GRISOF~1\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\docume~1\owner\applic~1\winlogon.exe
    C:\AOL 9.0\aoltray.exe
    C:\Iomega\IomegaBackup\dtsc.exe
    C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    C:\PGP Privacy\PGPtray.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rtegnt.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rtegnt.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rtegnt.t.muxa.cc/h.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rtegnt.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rtegnt.t.muxa.cc/h.php?aid=586 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rtegnt.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rtegnt.t.muxa.cc/s.php?aid=586 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rtegnt.t.muxa.cc/s.php?aid=586 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Demon
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www-cache.demon.co.uk:8080;ftp=www-cache.demon.co.uk:8080;gopher=www-cache.demon.co.uk:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.demon.net;ftp.demon.co.uk;www.demon.co.uk;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://rtegnt.t.muxa.cc/h.php?aid=586 (obfuscated)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Yahoo Messenger\Messenger\ycomp.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Yahoo Messenger\Messenger\ycomp.dll (file missing)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [WFXSwtch] c:\WINFAX~1\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LanguageMonitor] %WIN%System32Oplmsb00.exe OKI B4200(PCL)
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\GRISOF~1\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [System Update2] c:\docume~1\owner\applic~1\winlogon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\AOL 9.0\aoltray.exe
    O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Iomega\IomegaBackup\dtsc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    O4 - Global Startup: PGPtray.lnk = ?
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.demon.net
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    You can see lots of entries for "rtegnt.t.muxa.cc" which are "obfuscated", I remove these using Hijackthis but they recur on every power up.

On an earlier scan I spotted a file "teekids.exe" and, suspecting this, I had HijackThis remove it, but it hasn't helped.

I also suspect this entry, as I don't understand it:

    “R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.demon.net;ftp.demon.co.uk;www.demon.co.uk;<local>”

    I really would appreciate any advice you can offer.

    Kind regards,

    Oliver
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  3. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello,

    Thank you Pieter, I'll get on with this right away.

    Oliver


     
  4. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
    Hello Pieter,

    Back again.


[QUOTE=Pieter_Arntz]Hi OliverX669,

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Ran this, it found 1 file and fixed it.


    Then download and run the Blaster Removal tool

Downloaded and ran this; it found nothing.


    Next is the Gaobot Removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.removal.tool.html


Downloaded and ran this; it found nothing.


    Then reboot, run HijackThis again and post a new log.


Did this; the new log is copied below:


    Logfile of HijackThis v1.97.7
    Scan saved at 18:27:20, on 13/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\GRISOF~1\avgserv.exe
    C:\TURNPIKE\INSIGHT\ARMon32a.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WinfaxPro\WFXMOD32.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\GRISOF~1\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\docume~1\owner\applic~1\winlogon.exe
    C:\AOL 9.0\aoltray.exe
    C:\Iomega\IomegaBackup\dtsc.exe
    C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    C:\PGP Privacy\PGPtray.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Demon
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Yahoo Messenger\Messenger\ycomp.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Yahoo Messenger\Messenger\ycomp.dll (file missing)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [WFXSwtch] c:\WINFAX~1\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LanguageMonitor] %WIN%System32Oplmsb00.exe OKI B4200(PCL)
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\GRISOF~1\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [System Update2] c:\docume~1\owner\applic~1\winlogon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\AOL 9.0\aoltray.exe
    O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Iomega\IomegaBackup\dtsc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    O4 - Global Startup: PGPtray.lnk = ?
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.demon.net
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Regards,

    Pieter[/QUOTE]


    Regards,

    Oliver
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    these 2 entries concern me somewhat

    O4 - HKLM\..\Run: [LanguageMonitor] %WIN%System32Oplmsb00.exe OKI B4200(PCL)
    O4 - HKCU\..\Run: [System Update2] c:\docume~1\owner\applic~1\winlogon.exe

    the first I am not sure about, it could just be a corrupt entry for what appears to be a printer driver but!!!
    the second is definitely bad

    so
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKCU\..\Run: [System Update2] c:\docume~1\owner\applic~1\winlogon.exe

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    c:\documents & Settings\owner\application data\winlogon.exe

    then
    Reboot normally &

    then Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
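The two checks the thread comes down to (in the first post, browser start and search pages rewritten to an "(obfuscated)" URL; in dvk01's reply, a Run-key entry launching a winlogon.exe from the user's Application Data folder instead of the Windows directory) can be run automatically over a saved HijackThis log. This is an added example, not code from the thread or from HijackThis; the list of system process names, the list of Windows directories and the function names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Assumptions for this example: core Windows process names that malware likes to
# borrow (winlogon.exe is the one in this thread) and the directories they belong in.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")

def target_of(cmd: str) -> str:
    """Executable a Run-key command launches: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def check_line(line: str) -> list[str]:
    """Reasons a single HijackThis line deserves a closer look (empty list = none)."""
    line, reasons = line.strip(), []
    m = R_RE.match(line)
    if m and m.group("value").endswith("(obfuscated)"):
        reasons.append("browser start/search setting points at an obfuscated URL")
    m = O4_RE.match(line)
    if m:
        path = PureWindowsPath(target_of(m.group("cmd")))
        base, parent = path.name.lower(), str(path.parent).lower()
        if base in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
            reasons.append(f"{base} is a system process name but runs from {parent}")
        if base in ("regedit", "regedit.exe"):
            reasons.append("a .reg file is re-imported at every logon, re-adding settings")
        elif parent == "." and base not in SYSTEM_NAMES:
            reasons.append(f"{base} is started by bare name; check where it resolves")
    return reasons

def scan_log(text: str) -> dict[str, list[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    return {ln.strip(): r for ln in text.splitlines() if (r := check_line(ln))}

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rtegnt.t.muxa.cc/h.php?aid=586 (obfuscated)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKCU\..\Run: [System Update2] c:\docume~1\owner\applic~1\winlogon.exe
"""
```

Calling scan_log(SAMPLE_LOG) reports four of the five sample lines; the NeroCheck entry, which runs a non-system name from System32, is left out.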
     
  6. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23
Thank you. Before I carry out your directions, may I make a couple of comments just in case they're relevant?


     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    the language monitor entry is very likely to be an oki entry that just hasn't appeared properly but if the printer works don't worry

    the system update 2 entry is known to be an entry that several of the cws baddies use and is never good

it will not have anything to do with you inputting passwords
     
  8. OliverX669

    OliverX669 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    23


    Thank you, I'll remove that entry as you advise.

    Many, many, thanks for all the help I've received, it is very much appreciated.

    Kind regards,

    Oliver
     