I think I did it again

Here is my hijack log...

I keep getting a rads01.quadrogram something popping up on the Ad aware. I think I have everything gone and then... whamo.. they are back...





Logfile of HijackThis v1.97.7
Scan saved at 8:51:59 AM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\documents and settings\my name\local settings\temp\GzA.exe
C:\WINDOWS\System32\srsdx32.exe
C:\WINDOWS\System32\srsdx32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\my name\My Documents\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.micoks.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=10.6.1.1:80;gopher=10.6.1.1:80;http=10.6.1.1:80
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.micoks.net/"); (C:\Program Files\Netscape\Users\bpitt\prefs.js)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [GzA] C:\documents and settings\my name\local settings\temp\GzA.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Atv0h.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoLoadero02r1KPeLIPc] "C:\WINDOWS\System32\srsdx32.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [o7tX38S] srsdx32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\Program Files\Lavasoft Ad-aware\Ad-watch.exe /min
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://csiweb.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D6F586F-72D4-4273-B136-9262C2ED8CFC}: NameServer = 10.6.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D6F586F-72D4-4273-B136-9262C2ED8CFC}: NameServer = 10.6.1.1

 

Snap..

if you're out there. I emailed you a copy of this too.

I know .. I know.. where do I get these things?


its kind of like asking someone where they got that hickey... it just happens..

~L~

 

My..my...Blake, what have you been doing? (no, don't answer that)

Well you did pick up a few nasty things there. Ad-Aware should have been able to remove the rads01.quadrogram (adware) though. Are you sure you have Ad-Aware up-to-date? The most current Reference File is Build:01R306 19.05.2004, Date: 19.05.2004.

The first thing we have to remove is the PeperTrojan.
That's the O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Atv0h.exe line that is showing in your HijackThis log.

To do that, please download the uninstaller tool to remove the pepertrojan: http://www.memorywatcher.com/uninst.exe (direct download link)
Doubleclick the unist.exe file to run it, and say 'yes' to let it connect to the internet. You must remain online and allow the uninstaller to connect to the internet, otherwise it won't work.
It may take a few minutes before it finishes. (reboot your computer if you are prompted to do so, otherwise continue on with the following instructions)

Bring up the TaskManager (ctrl+alt+del keys) and find the follow files, right-click on them and choose End Process to stop them from running.
srsdx32.exe
GzA.exe

I am not finding any information on the above 2 files, so they may be something new. If you do not recognize them either, then can you navigate to C:\WINDOWS\System32 folder and zip up a copy of the srsdx32.exe and also the GzA.exe in your C:\documents and settings\my name\local settings\temp folder, and submit the zipped copies by email to Pieter_Arntz for analysis. You can find his email addy in his Profile, Here (scroll down and look under Additional Information). Please include a brief message and a link back to this thread so he will be able to find it easily. Thank you kindly.

Once you have emailed the requested files to Pieter, then go to Kaspersky and upload them for a scan. Follow the directions there for scanning individual files.

In case the above files are hidden, make sure you have enable all files and folders to be viewable: How to Show Hidden Files and Folders

Then open Hijackthis, rescan, and place a check in the box beside each of the following items.
Make sure you have closed ALL other browsers/windows, and click *Fix checked

(I don't remember these 3 from last time, but if you set them this way yourself, then do not fix them)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/


R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [GzA] C:\documents and settings\my name\local settings\temp\GzA.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Atv0h.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoLoadero02r1KPeLIPc] "C:\WINDOWS\System32\srsdx32.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [o7tX38S] srsdx32.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Then boot your computer into safe mode by tapping the F8 key just before windows begins to load.

Find and delete the following files and folders highlighed in bold:
C:\Program Files\SysAI <--entire folder
C:\Program Files\LiveUpdate <--entire folder
C:\WINDOWS\System32\dp-him.exe <--file
C:\WINDOWS\System32\wnsapisv.exe <--file
C:\WINDOWS\System32\toolbar.dll <--file
C:\documents and settings\my name\local settings\temp\GzA.exe <--file (it wouldn't hurt to empty the entire contents of your Temp folder which should be done periodically anyways)

Reboot your computer normally, then post a new log here in this thread to be checked. Please include the scan results from Kaspersky on those two files.

If you have any questions Blake, just ask.

Regards,

snap

PS - you may want to print out the above instructions, I know how busy you can get.

 

I printed it out, and was able to accomplish the majority of the instructions, with the exception of the uninstaller tool. When I double click on the file to run it... it acts like its loading and then shuts down almost immediately.

Other than that... if you wouldn't mind... could you take a peek at the file again and see where I'm at. (I know... I know.. someone's always having to fix a problem I created... but I've learned my lesson.. in the shortrun... and I'll try and be good.... for a little while)


Logfile of HijackThis v1.97.7
Scan saved at 1:29:42 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Brad Pitt\My Documents\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.micoks.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=10.6.1.1:80;gopher=10.6.1.1:80;http=10.6.1.1:80
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.micoks.net/"); (C:\Program Files\Netscape\Users\bpitt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\Program Files\Lavasoft Ad-aware\Ad-watch.exe /min
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://csiweb.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D6F586F-72D4-4273-B136-9262C2ED8CFC}: NameServer = 10.6.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D6F586F-72D4-4273-B136-9262C2ED8CFC}: NameServer = 10.6.1.1


Thanks again for any help. You all are great.



B

 

Uh-huh.....

Well Mr. Pitt Your log is clean and I do not see any signs of the pepertrojan files running, so hopefully the uninstaller was successful. It can look like it just opens for a few seconds and not do anything, then just close. Sometimes it will open and last longer but it depends on how many peper files are involved to be removed. If in a few days you want to do another scan with Hijackthis and just see if there is that O4 line there with that long 14-character .exe file. If there is, please come back. But hopefully it is gone for good.

Were you able to email Pieter those files I requested?
srsdx32.exe
GzA.exe

If they are something new then it helps everyone to have them analysed and submitted for detection.

So as it looks right now, you are good to go Brad.

Regards,

snap

 

~laughing~

I will.. try... to be good.

anyway. I am checking with my onsite tech guy to see if those are from existing programs that are proprietary in nature to my company.

if no.. then yes.. I will send on.. if yes.. then no.. I won't...

and.. its good to touch base with you again...

your ever faithful friend

Brad

 

You can upload them for a scan at Kaspersky (link above in my earlier post), but I understand that they may be special programs.

I would very much appreciate your submitting them if they do turn out to be something your tech doesn't recognize. Thank you muchly Brad.

Please do remember to turn off System Restore and purge any backups that will have the bad files in once your are sure your system is clean. Then turn System Restore back on and set a new restore point.

For XP: System Restore Instructions.

Always good to touch bases with you too Brad.

Regards,

snap

 

I should know by tomorrow...

and seriously.. thanks again...

sometimes I forget that I need to be a little more diligent in all this....

you always help bring me back to earth when I stray too far...