Little blue search toolbar...

Discussion in 'adware, spyware & hijack cleaning' started by kintrala, Jun 7, 2004.

Thread Status:
Not open for further replies.
  1. kintrala

    kintrala Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    6
    Hello,
    In the middle of writing a final essay, Norton popped up to tell me it had found and killed a virus (a trojan dropper). Subsequently, a million spyware and adware claiming to clean my pc came and installed themselves before my vey eyes! I managed to clean most of it up with adaware, hijackthis, spyware blaster, jason's toolbox, etc... BUT I had popups for the first time in my life! and then there's this very annoying little blue search toolbar that appeared each time i rebooted... how do I get it out?

    Catalina

    Logfile of HijackThis v1.97.7
    Scan saved at 23:57:53, on 06.06.04
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Symbol Commander\Sensiva.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\WINDOWS\System32\Trirot.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
    C:\WINDOWS\System32\THKem.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\WINDOWS\System32\pmktto.exe
    C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
    C:\Program Files\Active Desktop Calendar\ADC.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\regsvrac32.exe
    C:\WINDOWS\System32\regsvrac32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\El kompyootaa.HUEONA\My Documents\HijackThis.exe

    R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [Trirot] Trirot.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
    O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [dbpmprgcva] C:\WINDOWS\System32\pmktto.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
    O4 - HKLM\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe
    O4 - HKCU\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Sticky Notes.lnk = C:\WINDOWS\system32\stikynot.exe
    O4 - Startup: TSkin.lnk = C:\Documents and Settings\Default User\Local Settings\Temp\TSkin.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi kintrala,

    You have some very interesting files there.
    Could you please zip up copies of:
    C:\WINDOWS\System32\cdsm32.dll
    C:\WINDOWS\system32\regsvrac32.dll
    C:\WINDOWS\System32\pmktto.exe
    C:\WINDOWS\wdskctl.exe
    C:\WINDOWS\System32\k10w6yl.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\TSkin.bat
    Send that lovely bunch to pieterATwilderssecurity.org (replace AT with @)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll

    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll

    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [dbpmprgcva] C:\WINDOWS\System32\pmktto.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe

    O4 - HKLM\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe
    O4 - HKCU\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe

    O4 - Startup: TSkin.lnk = C:\Documents and Settings\Default User\Local Settings\Temp\TSkin.bat

    I will let you know what to do with the originals asap.
    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. kintrala

    kintrala Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    6
    Thank you!!
    I did all you told me to do, but the things I couldnt do I told you in the email.
    What's next?

    Catalina


    Logfile of HijackThis v1.97.7
    Scan saved at 22:56:44, on 07.06.04
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\SYSTEM32\WISPTIS.EXE
    C:\WINDOWS\System32\tabbtnu.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Symbol Commander\Sensiva.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\WINDOWS\System32\Trirot.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
    C:\WINDOWS\System32\THKem.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\WINDOWS\System32\pmktto.exe
    C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
    C:\Program Files\Active Desktop Calendar\ADC.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\regsvrac32.exe
    C:\WINDOWS\System32\regsvrac32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\El kompyootaa.HUEONA\My Documents\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [Trirot] Trirot.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
    O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Sticky Notes.lnk = C:\WINDOWS\system32\stikynot.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Kintrala,

    Surf to http://download.broadbandmedic.com/ and download the Killbox
    Unzip and run Killbox.

    In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\pmktto.exe

    Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu
    and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and
    select "Process and Reboot". You'll be prompted to reboot, do so.

    Regards,

    Pieter
     
  5. kintrala

    kintrala Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    6
    Hello!
    I went to broadband medic as you suggested, but it says the file could not be found... is there anything similar I could use?

    I got your email, but for some reason my messages have been disappearing from outlook, so i cannot find it. what did it say?

    thank you!

    catalina
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    My email gave you the identity of two of the files you sent me:
    C:\WINDOWS\System32\cdsm32.dll <= SeekSeek Hijacker
    C:\WINDOWS\system32\regsvrac32.dll <= Adware.Margoc

    I will upload The Kilbox here for you as an attachment.

    Regards,

    Pieter
     

    Attached Files:

  7. kintrala

    kintrala Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    6
    thank you so much!!
     
Thread Status:
Not open for further replies.