I know this is bad so what can I do?

Discussion in 'adware, spyware & hijack cleaning' started by Trevor, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. Trevor

    Trevor Guest

    The machine will no longer connect to the internet. There are shortcuts to online casinos on the desktop, there is an annoying and unwanted searchbar.

    Logfile of HijackThis v1.97.7
    Scan saved at 16:00:07, on 16/02/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SCVHOST.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MDMSETPE.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
    C:\PROGRAM FILES\SEEKPINGCAST\FUNK UP COMP.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchexe.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {04202D0E-E513-57DE-B27F-EFC6BF887C66} - C:\PROGRAM FILES\SHIMBAT01\BORE LOG.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: BITS KEEP - {B28CEE48-1230-39CA-1A1E-899388990599} - C:\PROGRAM FILES\SHIMBAT01\BORE LOG.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ModemUtility] mdmsetpe.exe
    O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
    O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
    O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
    O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg
    O4 - HKLM\..\Run: [Meow safe] C:\PROGRA~1\seekpingcast\Funk up comp.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
    O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
    O4 - HKCU\..\Run: [YourMP3] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:YourMP3:t
    O4 - HKCU\..\Run: [ThemeMP3] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:ThemeMP3:t
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: YourMP3 (HKLM)
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37979.1310532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.negativebeats.com/mp3.plugin.exe
    O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://63.215.149.59/go.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - file://c:\windows\temp\demo.exe

    Thanks

    Trev
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Trevor,

    Download, unzip and run: http://www.zerosrealm.com/downloads/CWShredder.zip
    Use the Fix button and follow the instructions you will receive.
    If that gives you back your internet access follow the instructions in this post:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Also do an online virus scan; you will find several listed here: http://www.wilders.org/free_services.htm

    Then reboot and post a new log.

    Regards,

    Pieter
  3. Trevor

    Trevor Guest

    Hi Pieter, thanks for the reply.

    I should have said this log was done AFTER CWS; the bad stuff seems to be there after rebooting.

    I tried to d/l Spybot on another PC but failed :(

    The AV situation is good; AVG 6 with the latest definitions has given it the all clear.

    Trev
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Trevor,

    OK, then we will do it manually.

    Before you start would you mind mailing me:
    C:\PROGRAM FILES\SHIMBAT01\BORE LOG.DLL
    Use the address in my profile.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchexe.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topsearcher.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html

    O2 - BHO: (no name) - {04202D0E-E513-57DE-B27F-EFC6BF887C66} - C:\PROGRAM FILES\SHIMBAT01\BORE LOG.DLL

    O3 - Toolbar: BITS KEEP - {B28CEE48-1230-39CA-1A1E-899388990599} - C:\PROGRAM FILES\SHIMBAT01\BORE LOG.DLL

    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
    O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
    O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
    O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg

    O4 - HKCU\..\Run: [YourMP3] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:YourMP3:t
    O4 - HKCU\..\Run: [ThemeMP3] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:ThemeMP3:t

    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.negativebeats.com/mp3.plugin.exe
    O16 - DPF: {11111111-1111-1111-1111-111300000000} - mhtml:C:\\NO_SUCH_MHT.MHT!http://63.215.149.59/go.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - file://c:\windows\temp\demo.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\SYSTEM\SCVHOST.EXE <= WATCH the spelling
    C:\WINDOWS\SYSTEM\REGCPM32.EXE
    C:\PROGRAM FILES\WINDOW ACTIVE <= entire folder
    C:\WINDOWS\system.reg

    I think one of the scans would have found this one:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.dasmin.b.html

    Regards,

    Pieter
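The checks Pieter applied by hand to that log (search pages pointing at an unknown host, an autostart whose file name imitates a Windows name such as SCVHOST vs SVCHOST, a silent REGEDIT import at boot, and O16 entries that fetch something other than a .cab over http) can be run mechanically over HijackThis lines. This is an added example, not code from the thread or from HijackThis; the allowlists and the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlists: search hosts to leave alone, and Windows names that hijackers imitate.
TRUSTED_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "systray.exe", "taskmon.exe"}
# Constructed sample modelled on the log in this thread (one benign line per section).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchexe.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
O4 - HKLM\..\Run: [SystemSearch] C:/WINDOWS/REGEDIT.EXE -s C:/WINDOWS/system.reg
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - file://c:\windows\temp\demo.exe
"""

def looks_like(name, legit):
    """True if name is one substitution or one adjacent swap away from legit
    (scvhost.exe vs svchost.exe); an exact match is not a lookalike."""
    if len(name) != len(legit):
        return False
    d = [i for i in range(len(name)) if name[i] != legit[i]]
    if len(d) == 1:
        return True
    return (len(d) == 2 and d[1] == d[0] + 1
            and name[d[0]] == legit[d[1]] and name[d[1]] == legit[d[0]])

def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries that deserve a look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        kind = line.split(" ", 1)[0]
        if kind in ("R0", "R1"):            # IE start/search pages
            url = line.partition("=")[2].strip()
            host = urlparse(url if "://" in url else "http://" + url).hostname
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append((line, f"search/start page points at {host}"))
        elif kind == "O4":                  # autostart entries
            cmd = line.partition("]")[2].strip().lower()
            first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
            exe = re.split(r"[\\/]", first)[-1]
            if any(looks_like(exe, s) for s in SYSTEM_NAMES):
                findings.append((line, f"{exe} imitates a Windows system file name"))
            if "regedit" in cmd and re.search(r"\s[-/]s\b", cmd):
                findings.append((line, "silent registry import at every boot"))
        elif kind == "O16":                 # ActiveX (DPF) downloads
            p = urlparse(line.rsplit(" - ", 1)[1].strip())
            if p.scheme not in ("http", "https") or not p.path.lower().endswith(".cab"):
                findings.append((line, "DPF entry does not fetch a .cab over http"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags four of the six sample lines and leaves the SysTray and Flash entries alone; the same pass on the full log above would also mark the topsearcher.com R1 lines and the mhtml: and .exe DPF entries.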