Homepage keeps resetting.

Discussion in 'adware, spyware & hijack cleaning' started by solorbob, May 27, 2004.

Thread Status:
Not open for further replies.
  1. solorbob

    solorbob Registered Member

    Joined:
    May 27, 2004
    Posts:
    5
    My homepage is getting set to any-find.com

    I've ran Ad-Aware 6, rebooted, and ran the Hijackthis.exe.

    Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:56:27 PM, on 5/27/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\windows\cvchost.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://qwertysearch123.biz/?id=1017
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qwertysearch123.biz/?id=1017
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
    O4 - HKLM\..\Run: [47RDYTT4T42MQH] C:\WINDOWS\System32\Cjo9g.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [fu5r7udmpj] C:\WINDOWS\jubvmdvw6k.exe
    O4 - HKCU\..\Run: [pbdpbv08oe] C:\WINDOWS\o588eua016.exe
    O4 - HKCU\..\Run: [wfvtpjtac9] C:\WINDOWS\wgkiktyac1.exe
    O4 - HKCU\..\Run: [s6xfxi3vy3] C:\WINDOWS\a4lzm6z6ex.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &AroundWeb Search - res://C:\Program Files\AroundWeb\awtoolb.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O13 - WWW. Prefix: http://
    O16 - DPF: Win32 Classes -
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi solorbob,

    You have quite a few nasty things running there.

    First download and run this uninstaller to get rid of the pepertrojan:
    http://www.memorywatcher.com/uninst.exe
    Doubleclick the uninst.exe and let it run. You must be connected to the internet for the tool to work, and allow the uninstaller to access the internet.
    It may take a few minutes before it finishes, then it will just close when it is done. Then run the uninst.exe a second time to be sure we remove peper.

    Next, to remove the CoolWebSearch infection, download http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Make sure ALL browsers and any open windows are closed before running CWShredder.
    Click the *Fix button (not the scan only) and follow the instructions you will receive when the program runs.

    Reboot your computer, then go as quickly as you can to http://v4.windowsupdate.microsoft.com/en/default.asp
    Download and install SP1 for XP, along with ALL Critical Updates listed for XP and IE6, or you will be reinfected again.

    Finally, go to one of these on-line antivirus sites and do a FULL system scan: http://www.wilders.org/free_services.htm

    Make sure Ad-Aware is up-to-date and follow up with another scan. Reboot after scanning with Ad-Aware, then run Hijackthis again and post a new log here to be checked. There will be more steps to follow once we've cleaned it up a bit.

    Regards,

    snap
     
  3. solorbob

    solorbob Registered Member

    Joined:
    May 27, 2004
    Posts:
    5
    I'll do it, and let you know in a few minutes. Thanks for the help.
     
  4. solorbob

    solorbob Registered Member

    Joined:
    May 27, 2004
    Posts:
    5
    I've done the suggested. The online realtime scan didn't find anything. I had to run CWShredder a few times, but I think it is clean now.

    Here is the new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:09:17 AM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\windows\cvchost.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKCU\..\Run: [fu5r7udmpj] C:\WINDOWS\jubvmdvw6k.exe
    O4 - HKCU\..\Run: [pbdpbv08oe] C:\WINDOWS\o588eua016.exe
    O4 - HKCU\..\Run: [wfvtpjtac9] C:\WINDOWS\wgkiktyac1.exe
    O4 - HKCU\..\Run: [s6xfxi3vy3] C:\WINDOWS\a4lzm6z6ex.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: winlogin.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &AroundWeb Search - res://C:\Program Files\AroundWeb\awtoolb.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O13 - WWW. Prefix: http://
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.77625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    Thanks again for your help.
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi solorbob,

    Well looks like we got rid of peper, but there's still quite a few items there needing fixed.

    You may want to print this out, or save it as a .txt file.

    First, bring up TaskManager (ctrl+alt+del keys) and look for the following files, If they are there, then stop them from running by right-clicking and choosing End Process:
    cvchost.exe
    winlogin
    (the one with the two i's)
    winh.exe
    msrexe.exe


    Then uninstall WhenUSearch from "Add/Remove Programs" and continue on.

    Next, with only HijackThis open, put a check beside the following items.
    Make sure ALL windows/browsers are closed (except HijackThis) and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm

    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKCU\..\Run: [fu5r7udmpj] C:\WINDOWS\jubvmdvw6k.exe
    O4 - HKCU\..\Run: [pbdpbv08oe] C:\WINDOWS\o588eua016.exe
    O4 - HKCU\..\Run: [wfvtpjtac9] C:\WINDOWS\wgkiktyac1.exe
    O4 - HKCU\..\Run: [s6xfxi3vy3] C:\WINDOWS\a4lzm6z6ex.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe

    O4 - Global Startup: winlogin.exe

    (If you did not set this yourself in Spybot Search&Destroy Immunization, then fix it too)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O8 - Extra context menu item: &AroundWeb Search - res://C:\Program Files\AroundWeb\awtoolb.dll/MENUSEARCH.HTM

    O13 - WWW. Prefix: http://

    O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab


    Reboot your computer into safe mode by tapping the F8 key just before Windows begins to load. Then find and delete the following files and folders listed in bold:

    C:\PROGRA~1\WHENUS~1 <--folder "WhenUsearch"
    C:\Program Files\AutoUpdate <--folder
    C:\WINDOWS\system32\pcs <--folder
    C:\Program Files\Common Files\Dpi <--folder
    C:\PROGRA~1\INCRED~1 <--folder

    C:\WINDOWS\winh.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\WINDOWS\jubvmdvw6k.exe
    C:\WINDOWS\o588eua016.exe
    C:\WINDOWS\wgkiktyac1.exe
    C:\WINDOWS\a4lzm6z6ex.exe
    c:\windows\cvchost.exe <--watch the spelling, this one starts with a 'c'
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe <--Note the spelling with two i's. Do not delete the legitimate winlogon.exe file.

    Some of the above files may be hidden. To unhide all files and folders follow these instructions:
    In Windows Explorer or My Computer:
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select "Show hidden files and folders".
    UNcheck the "Hide protected operating system files (recommended)" option.
    UNcheck "Hide file extensions for known file types"
    Click Yes to confirm.
    Click OK

    Run CWShredder again while in safe mode.

    Reboot your computer normally, and post a new log.

    Regards,

    snap

    For further details:
    msrexe.exe - http://securityresponse.symantec.com/avcenter/venc/data/backdoor.jeem.html
    winh.exe - http://www.kephyr.com/spywarescanner/library/lolaweb.winhost/index.phtml
     
  6. solorbob

    solorbob Registered Member

    Joined:
    May 27, 2004
    Posts:
    5
    Snap,

    Thanks for the help so far. Here is where I'm at now.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:07:42 AM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.77625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi solorbob,

    That is one goodlooking log you got there. :cool:
    Nice job by you two.

    I take it your problems are solved as well?

    Regards,

    Pieter
     
  8. solorbob

    solorbob Registered Member

    Joined:
    May 27, 2004
    Posts:
    5
    Thanks for all of everyone's help... What can I do to keep from getting back like I was before? I have a few ad/spy ware things running. I have trend-micro running..

    Any suggestions would be appreciated.

    Thanks again.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Here is a good start: https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.