hit w/virus again?

Discussion in 'malware problems & news' started by cyberfilly, Jan 30, 2004.

Thread Status:
Not open for further replies.
  1. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    Greetings again! ok so I have another "problem"
    hopefully someone can help.. wait I have FAITH some one can help LOL
    Im getting a strange notepad popup (2 copies actually) when I reboot my com heres what it says

    " [.ShellClassInfo]
    LocalizedResourceName=@shell32.dll,-21785
    "

    my cable connection keeps dropping off and I keep getting errors like action canceled and no page to display when I know there is.
    Now.. I have done all the recomended scans both AV and anti-spy cleaned out anything they said to,
    Logfile of HijackThis v1.97.7
    Scan saved at 8:35:57 AM, on 1/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jaydillar.com/forums/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [M2WNotifierService] C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit26.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4320/mcfscan.cab

    PLEASE HELP! and thanks bunchs! Lisa

    EDITED TO ADD, I did a scan with ATS and it picked up a infection in C:\\windows\impborl.dll it was the I-worm.w95.mtx.dr
    I deleted it and will continue my hunt!
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi cyberfilly,
    just some question.. you have HP installed??
    do u use Zero knowledge Dialer Modem??

    anyway fix these two in Hijackthis (u know how to do that right?? no other window should be opened ;) )

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab

    and do wait for experts to help you out very soon
     
  3. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    ohoh confused here do I have HP installed?? its the brand of computer I have?
    and I dont think I use any dialer as I'm on a cable modem
    thanks and again Cheers Lisa
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    just see whether there is a "Freedom " folder in the program files..
     
  5. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    I do have a file/folder . Zero Knowledge inside is the Freedom folder?
     
  6. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
  7. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    :D HEHEH what matter? :D
    I think I have missed something
    SORRY for seeming so dense
    edited to add Ill be gone for about 15 mins its feeding time here at the "zoo"
    ok im back
    DUH i found the "clickable" in your post
     
  8. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    ok I just got the PM and I did take a look and Im really not sure if it relates because I can get data in and out from my modem? and I thought that freedom was a good thing? lol
     
  9. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    if you are on cable internet and dun have any modem dunno if that zero thing is good on your machine o_O maybe some expert could help you more.
    anyways just chk the fixes i posted in my previous post and post a fresh log plz

    thx
     
  10. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    ok done but now Im getting another error?
    in a popup box is
    iexplore.exe application error the instruction at " 0x73dd1c9d" referenced memory at "0x00000038" the memory could not be read, click ok to terminate the program


    Logfile of HijackThis v1.97.7
    Scan saved at 11:37:16 AM, on 1/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jaydillar.com/forums/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [M2WNotifierService] C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit26.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
     
  11. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi cyberfilly,
    just wait for some expert review your log and provide you the best possible solution
    thx
     
  12. cyberfilly

    cyberfilly Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    16
    o_O Help anyone!
    please and many thanks!
     
  13. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi Cyberfilly - I think if you post your Hijack This log on this forum "Adware, Spyware & Hijack Cleaning" you will get excellent help from Pieter Arntz who is an expert at interpreting hijack logs. Give it a go. Peaches
     
Loading...
Thread Status:
Not open for further replies.