Little blue search toolbar...

Hello,
In the middle of writing a final essay, Norton popped up to tell me it had found and killed a virus (a trojan dropper). Subsequently, a million spyware and adware claiming to clean my pc came and installed themselves before my vey eyes! I managed to clean most of it up with adaware, hijackthis, spyware blaster, jason's toolbox, etc... BUT I had popups for the first time in my life! and then there's this very annoying little blue search toolbar that appeared each time i rebooted... how do I get it out?

Catalina

Logfile of HijackThis v1.97.7
Scan saved at 23:57:53, on 06.06.04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Symbol Commander\Sensiva.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\WINDOWS\System32\Trirot.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\System32\THKem.exe
C:\WINDOWS\System32\TFNF5.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\WINDOWS\System32\pmktto.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\Program Files\Active Desktop Calendar\ADC.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\regsvrac32.exe
C:\WINDOWS\System32\regsvrac32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\El kompyootaa.HUEONA\My Documents\HijackThis.exe

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [dbpmprgcva] C:\WINDOWS\System32\pmktto.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKLM\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe
O4 - HKCU\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Sticky Notes.lnk = C:\WINDOWS\system32\stikynot.exe
O4 - Startup: TSkin.lnk = C:\Documents and Settings\Default User\Local Settings\Temp\TSkin.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

Hi kintrala,

You have some very interesting files there.
Could you please zip up copies of:
C:\WINDOWS\System32\cdsm32.dll
C:\WINDOWS\system32\regsvrac32.dll
C:\WINDOWS\System32\pmktto.exe
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\System32\k10w6yl.exe
C:\Documents and Settings\Default User\Local Settings\Temp\TSkin.bat
Send that lovely bunch to pieterATwilderssecurity.org (replace AT with @)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll

O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [dbpmprgcva] C:\WINDOWS\System32\pmktto.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe

O4 - HKLM\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe
O4 - HKCU\..\RunOnce: [k10w6yl.exe] C:\WINDOWS\System32\k10w6yl.exe

O4 - Startup: TSkin.lnk = C:\Documents and Settings\Default User\Local Settings\Temp\TSkin.bat

I will let you know what to do with the originals asap.
Post a new log when you are done, so we can see if everything worked out as planned.

Regards,

Pieter

 

Thank you!!
I did all you told me to do, but the things I couldnt do I told you in the email.
What's next?

Catalina


Logfile of HijackThis v1.97.7
Scan saved at 22:56:44, on 07.06.04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Symbol Commander\Sensiva.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\WINDOWS\System32\Trirot.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\System32\THKem.exe
C:\WINDOWS\System32\TFNF5.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\WINDOWS\System32\pmktto.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\Program Files\Active Desktop Calendar\ADC.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\regsvrac32.exe
C:\WINDOWS\System32\regsvrac32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\El kompyootaa.HUEONA\My Documents\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [THKem] C:\WINDOWS\System32\THKem.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Sticky Notes.lnk = C:\WINDOWS\system32\stikynot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

Hi Kintrala,

Surf to http://download.broadbandmedic.com/ and download the Killbox
Unzip and run Killbox.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\pmktto.exe

Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu
and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and
select "Process and Reboot". You'll be prompted to reboot, do so.

Regards,

Pieter

 

Hello!
I went to broadband medic as you suggested, but it says the file could not be found... is there anything similar I could use?

I got your email, but for some reason my messages have been disappearing from outlook, so i cannot find it. what did it say?

thank you!

catalina

 

My email gave you the identity of two of the files you sent me:
C:\WINDOWS\System32\cdsm32.dll <= SeekSeek Hijacker
C:\WINDOWS\system32\regsvrac32.dll <= Adware.Margoc

I will upload The Kilbox here for you as an attachment.

Regards,

Pieter

 

thank you so much!!