Log: Adaware and HJT

Discussion in 'adware, spyware & hijack cleaning' started by justmeis, May 9, 2004.

  1. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    You guys did so well with my computer I figured I'd ask for help on another.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:03:37 PM, on 08/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Documents and Settings\staff\My Documents\HJT\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\version.exe
    O4 - HKLM\..\Run: [saSyncMgr] rundll32.exe sasync.dll,SyncWait app=SearchAnt wait=10
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\envdhe.exe
    O4 - HKLM\..\Run: [Micosoft Startup] syscall.exe
    O4 - HKLM\..\Run: [Windows NNT] C:\WINNT\SYSTEM32\fqdvdvz.exe
    O4 - HKLM\..\Run: [Micosoft Loggen] qxaw.exe
    O4 - HKLM\..\Run: [svchosts32] C:\Documents and Settings\Sandy\winno.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinSrv] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe WinSrv.exe
    O4 - HKLM\..\Run: [Smss2] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe Smss2.exe rand.dll
    O4 - HKLM\..\Run: [chwin] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe chwin.exe
    O4 - HKLM\..\Run: [NTSrv] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe NTSrv.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [wsclt32] wsclt.exe
    O4 - HKLM\..\Run: [NTP Server] C:\WINNT\SYSTEM32\cccds.exe
    O4 - HKLM\..\Run: [Peer Manager] peere32.exe
    O4 - HKLM\..\Run: [SMT] C:\WINNT\SYSTEM32\FXP.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\RunServices: [Peer Manager] peere32.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Windows Anti-Virus Built 32] AntiVirus32.exe
    O4 - HKCU\..\Run: [Peer Manager] peere32.exe
    O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.6045023148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Canada Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: NameServer = 198.77.116.8
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is a very compromised computer that I'm not going to guarantee we can completely clean

    First Download LSPfix here: http://www.cexx.org/lspfix.htm and keep it on the desktop, you will need it a bit later


    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder or get scattered all over the desktop.

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.searchant.com/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.searchant.com/sp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch

    O4 - HKLM\..\Run: [version] C:\WINNT\system32\version.exe
    O4 - HKLM\..\Run: [saSyncMgr] rundll32.exe sasync.dll,SyncWait app=SearchAnt wait=10
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\envdhe.exe
    O4 - HKLM\..\Run: [Micosoft Startup] syscall.exe
    O4 - HKLM\..\Run: [Windows NNT] C:\WINNT\SYSTEM32\fqdvdvz.exe
    O4 - HKLM\..\Run: [Micosoft Loggen] qxaw.exe
    O4 - HKLM\..\Run: [svchosts32] C:\Documents and Settings\Sandy\winno.exe
    O4 - HKLM\..\Run: [WinSrv] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe WinSrv.exe
    O4 - HKLM\..\Run: [Smss2] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe Smss2.exe rand.dll
    O4 - HKLM\..\Run: [chwin] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe chwin.exe
    O4 - HKLM\..\Run: [NTSrv] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe NTSrv.exe
    O4 - HKLM\..\Run: [wsclt32] wsclt.exe
    O4 - HKLM\..\Run: [NTP Server] C:\WINNT\SYSTEM32\cccds.exe
    O4 - HKLM\..\Run: [Peer Manager] peere32.exe
    O4 - HKLM\..\Run: [SMT] C:\WINNT\SYSTEM32\FXP.exe
    O4 - HKLM\..\RunServices: [Peer Manager] peere32.exe
    O4 - HKCU\..\Run: [Windows Anti-Virus Built 32] AntiVirus32.exe
    O4 - HKCU\..\Run: [Peer Manager] peere32.exe
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll



    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    C:\WINNT\system32\version.exe
    C:\WINNT\SYSTEM32\syscall.exe
    C:\WINNT\SYSTEM32\envdhe.exe
    C:\WINNT\SYSTEM32\fqdvdvz.exe
    C:\WINNT\SYSTEM32\qxaw.exe
    C:\Documents and Settings\Sandy\winno.exe
    C:\WINNT\SYSTEM32\wsclt.exe
    C:\WINNT\SYSTEM32\cccds.exe
    C:\WINNT\SYSTEM32\peere32.exe
    C:\WINNT\SYSTEM32\FXP.exe
    C:\WINNT\SYSTEM32\AntiVirus32.exe
    c:\winnt\system32\aplsp.dll

    and Delete these folders
    C:\WINNT\System32\MsDtc\Driver

    then
    Reboot normally &

    run LSPfix, tick the "I know what I'm doing" box, select all instances of aplsp.dll in the left hand pane and move them to the right hand remove pane, and ONLY those files. Do not move any others, and press finish
    reboot again

    because you have a particularly nasty backdoor hacker please also do this
    I would strongly recommend downloading and running a specialised anti trojan

    the antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt

    then

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R303 08.05.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
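    The entries dvk01 ticks above fall into recognisable patterns: IE search and start pages pointing at the hijacker's domains, a proxy that sends all browser traffic through a process listening on 127.0.0.1, a hosts file that pins public names to one IP, Run keys whose labels typosquat vendor names or imitate core Windows processes, commands launched through a hidden-window wrapper, and a Winsock LSP that HijackThis cannot identify. The Python script below is an added example, not code from the thread or from HijackThis, that encodes those patterns as triage rules and runs them over a handful of lines copied from the first log. The domain list, the regular expressions and the reason strings are my own assumptions; a real triage list would be far longer.

```python
"""Triage heuristics for HijackThis 1.97-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the lines from the first HJT log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 search.netscape.com
O4 - HKLM\..\Run: [Micosoft Startup] syscall.exe
O4 - HKLM\..\Run: [Smss2] C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe Smss2.exe rand.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Windows Anti-Virus Built 32] AntiVirus32.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aplsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
"""

# Assumed hijack domains: just the two the thread's log shows.
HIJACK_DOMAINS = ("searchant.com", "zestyfind.com")
# Labels that typosquat a vendor name ("Micosoft", "Windows NNT"); assumed patterns.
LOOKALIKE_RE = re.compile(r"\b(Mic[a-z]*soft|Windows NNT)\b")
# Core Windows process names imitated with a suffix ("svchosts32", "Smss2").
SYSTEM_NAME_RE = re.compile(r"\b(svchost|smss|lsass|winlogon|services)[a-z]*\d+\b", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def _hosts_is_redirect(entry: str) -> bool:
    """A hosts entry is suspect unless it maps a name to the local machine."""
    ip, _, name = entry.partition(" ")
    return ip not in ("127.0.0.1", "::1") and name.strip() != ""


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HJT line deserves a tick."""
    reasons: List[str] = []
    section, _, body = line.partition(" - ")
    if section in ("R0", "R1"):
        if "ProxyServer" in body and "127.0.0.1" in body:
            reasons.append("IE proxy points at loopback: browser traffic is relayed through a local process")
        if any(d in body for d in HIJACK_DOMAINS):
            reasons.append("search/start page set to a known hijack domain")
    elif section == "R3" and "missing" in body:
        reasons.append("default URLSearchHook removed (typical of search hijackers)")
    elif section == "O1" and "Hosts:" in body:
        if _hosts_is_redirect(body.split("Hosts:", 1)[1].strip()):
            reasons.append("hosts file redirects a public name to a fixed IP")
    elif section == "O4":
        m = re.search(r"\[(.*?)\]\s*(.*)", body)
        if m is None:  # Global Startup .lnk entries carry no [label]; no rules for them here
            return reasons
        label, cmd = m.group(1), m.group(2)
        if LOOKALIKE_RE.search(label) and "Microsoft" not in label:
            reasons.append("run key label typosquats a vendor name")
        if "hiddenrun.exe" in cmd.lower():
            reasons.append("command launched through a hidden-window wrapper")
        if SYSTEM_NAME_RE.search(label + " " + cmd):
            reasons.append("name imitates a core Windows process with a suffix")
        if re.search(r"anti.?virus\d*\.exe", cmd, re.I) and "\\" not in cmd:
            reasons.append("bare 'antivirus' binary with no install path")
    elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
        reasons.append("unrecognised Winsock LSP: can intercept all socket traffic")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run every line through triage_line; identical repeated lines (the O10 LSP
    entry appears four times in the thread's log) are reported once."""
    seen = set()
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        for reason in triage_line(line):
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"TICK  {f.line}\n      -> {f.reason}")
```

    Run as-is it prints the nine findings for the sample; the AVG_CC, Global Startup and O16 Flash lines produce none, which is the point: a rule set like this separates the entries to tick from the vendor software that should stay, and the reason string tells the person doing the cleaning why each one was chosen.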
     
  3. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    Everything worked quite well. One of the issues was a stream that TDS found. I couldn't copy anything to text so I deleted the stream. Should I have deleted the host as well? Here is that TDS log:

    Thank you Derek

    Mike


    Scan Control Dumped @ 08:55:07 09-05-04
    File Trace: Default trojan filename: DDoS.RAT.mIRC-Based
    File: C:\WINNT\System32\dhcp\files\delblah.bat

    File Trace: Default trojan filename: DDoS.RAT.mIRC-Based
    File: C:\WINNT\System32\dhcp\files\delete.bat

    File Trace: Default trojan filename: DDoS.RAT.mIRC-Based
    File: C:\WINNT\System32\dhcp\files\dir.bat

    File Trace: Default trojan filename: DDoS.RAT.mIRC-Based
    File: C:\WINNT\System32\dhcp\files\hiddenrun.exe

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4592 bytes
    File: c:\documents and settings\staff\my documents\my pictures\sample.jpg:q30lsldxjoudresxaaaqpcawxc

    Suspicious Filename: Dual extensions
    File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

    Positive identification: Adware.Look2Me Downloader
    File: c:\winnt\system\n0.exe



    Here is a copy of the other screen:


    http://tds.diamondcs.com.au/radius.td3
    08:20:19 [Init] Licensed users can use the Update facility from the TDS menu
    08:20:20 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    08:20:28 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    08:20:28 [Init] • Systems Initialised [31397 references - 11211 primaries/8986 traces/11200 variants/other]
    08:20:28 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
    08:20:28 [Init] TDS-3 Ready. <Staff@10.100.15.9, 127.0.0.1 - Canada>
    08:20:28 [Tip Of The Day] Don't eat food at the keyboard!
    08:20:28 [TDS] Good morning Staff.
    08:20:35 [Mutex Memory Scan] Started...
    08:20:37 [Mutex Memory Scan] Finished (no trojan mutexes found).
    08:20:37 [Trace Scan] Started...
    08:20:50 [Trace Scan] Finished.
    08:20:50 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    08:23:26 [Quit] Unloading ...
    08:25:28 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    08:25:28 [Init] Started 09-05-04 08:25:28 Pacific Standard Time (UTC: :cool:, Internet Time @684.35
    08:25:28 [Init] Loading TDS-3 Systems ...
    08:25:28 [Init] Token successfully adjusted.
    08:25:28 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    08:25:28 [Init] • Plugins : OK. Loaded 13
    08:25:28 [Init] • Exec Protection : Not Installed
    08:25:28 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    08:25:28 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    08:25:28 [Init] Licensed users can use the Update facility from the TDS menu
    08:25:28 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    08:25:40 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    08:25:40 [Init] • Systems Initialised [31397 references - 11211 primaries/8986 traces/11200 variants/other]
    08:25:40 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
    08:25:40 [Init] TDS-3 Ready. <Staff@10.100.15.9, 127.0.0.1 - Canada>
    08:25:40 [Tip Of The Day] Do you think TDS-3 is missing something that you'd like to see built in? If so, email tech@diamondcs.com.au - TDS-3 was built on customer requests and feedback, and we'd love to hear from you.
    08:25:40 [TDS] Good morning Staff.
    08:25:44 [Mutex Memory Scan] Started...
    08:25:46 [Mutex Memory Scan] Finished (no trojan mutexes found).
    08:25:46 [Trace Scan] Started...
    08:25:58 [Trace Scan] Finished.
    08:25:58 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    08:27:45 [CRC32] Started - verifying 29 files ...
    08:27:46 [CRC32] File doesn't exist: C:\autoexec.bat
    08:27:47 [CRC32] File doesn't exist: C:\WINNT\System32\taskman.exe
    08:28:00 [CRC32] Test finished.
    08:29:59 [Memory Scan] Memory scan started, please wait a moment ...
    08:30:01 [Memory Scan] Memory scan complete.
    08:30:01 [Mutex Memory Scan] Started...
    08:30:03 [Mutex Memory Scan] Finished (no trojan mutexes found).
    08:30:03 [Trace Scan] Started...
    08:30:15 [Trace Scan] Finished.
    08:30:15 [Service\Driver Scan] Scanning for services and drivers ...
    08:30:20 [Service\Driver Scan] Scanned 246 services and drivers.
    08:30:20 [File Scan] Scanning in A:\ ...
    08:30:22 [File Scan] Scanned 0 files: 4 alarms in 1.082031 seconds (Avg 1. files/sec)
    08:30:22 [File Scan] Scanning in C:\ ...
    08:33:12 [NTFS ADS] Stream found - c:\documents and settings\staff\my documents\my pictures\sample.jpg:Q30lsldxJoudresxAaaqpcawXc
    08:49:59 [File Scan] Scanned 42774 files: 7 alarms in 1177.484 seconds (Avg 37.33 files/sec)
    08:49:59 [File Scan] Scanning in D:\ ...
    08:49:59 [File Scan] Scanned 0 files: 7 alarms in 0 seconds (Avg -1.#IND files/sec)
    08:49:59 [Scan] Finished.
    08:53:38 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt
    08:53:57 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt
    08:54:01 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt
    08:54:05 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt
    08:55:07 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt
    08:56:41 [NTFS ADS] Successfully deleted all stream(s) from c:\documents and settings\staff\my documents\my pictures\sample.jpg
    08:58:42 [Quit] Unloading ...
     
  4. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    I just wanted to add that Outlook Express stopped working last night. It won't even load and then it stops responding.

    Mike
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You need to update TDS to the latest radius update by following instructions here
    update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    you can quite safely ignore these 2 entries

    Alternate Data Streams attached to jpg's are quite normal for XP/W2K so can be ignored normally, unless they are over approx 8000 bytes


    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4592 bytes
    File: c:\documents and settings\staff\my documents\my pictures\sample.jpg:q30lsldxjoudresxaaaqpcawxc

    Suspicious Filename: Dual extensions
    File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe


    but all the others right click them in the bottom window and select delete

    If you update TDS I am sure it will find a lot more

    when updated the screen should read something like this:

    06:14:00 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    06:14:01 [Init] • Systems Initialised [34181 references - 12910 primaries/9660 traces/11611 variants/other]
    06:14:01 [Init] Radius Systems loaded. <Databases updated 08-05-2004>

    and please post a new HJt log after cleaning so we can check on that side of things

    you will still have a few baddies running that need special cleaning, but let's clear what we can the easy way first
     
  6. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    Here's the HJT log:
    (any thoughts of getting this thing back on outlook express?)

    Thanks Derek

    Mike

    Logfile of HijackThis v1.97.7
    Scan saved at 6:01:59 PM, on 09/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\WINNT\system32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Documents and Settings\staff\My Documents\HJT\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.6045023148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Canada Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: NameServer = 198.77.116.8
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83

    and then go to IE/tools/options/connections/ click on your connection and select settings and untick use a proxy server
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    then because you had zestyfind listed earlier I suspect that you have the complete L2M pest there

    so
    Click Here to download the OE2VX2BetterInternet.exe file.

    1: Shut off all open programs including printer and anything in the System Tray (virus scan, popup blocker, etc.).
    2: Doubleclick the OE2VX2BetterInternet.exe to launch the utility.
    3: Click on “Find VX2.BetterInternet” button. The utility will display the bugs if they’re there and will enable the "Fix" button.
    4: Click “Fix” and let it do its thing. It will shut your machine off then reappear. Repeat the Find VX2.BetterInternet and Fix a second time.
    5: If the utility doesn’t reappear by itself, repeat steps 2,3 and 4. This time you will see “We are at step 2” notice above the screen.
    6: It may take 2 or 3 cycles to fix everything.

    or try the alleged fix here
    http://www.look2me.com/cgi-bin/UnInstaller
     
  9. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    Boy, I'm having fun here!!! I ran OE2; it found some things and seemed to delete everything. I ran it again (twice) and it came up empty. So it looked good, till I tried Outlook again. Not responding. (Just so you know, this internet connection is remote so goes through a sat.) When I disable the sat connection and then re-enable it, it sometimes comes up with:

    The host 'pop3.uniserve.com' could not be found. Please verify that you have entered the server name correctly. Account: 'pop3.uniserve.com', Server: 'pop3.uniserve.com', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 11001, Error Number: 0x800CCC0D

    But when I ok that it doesn't even finish loading outlook. When I go to task manager it shows that it's not responding.
    I've run Adaware again (twice) and it finds nothing wrong. I've had to delete that last thing from HJT a few times because it keeps coming back.

    (R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83 )

    I even ran that http://www.look2me.com/cgi-bin/UnInstaller and that didn't help matters.

    Getting on outlook is kind of a priority for me right now Thanks for your advice.

    Mike

    Here's the last log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:28 AM, on 10/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\ups.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\WINNT\system32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Documents and Settings\staff\My Documents\HJT\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Canada Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37892.6045023148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Canada Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: NameServer = 198.77.116.8
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Make sure you have carried out this as well,

    and then go to IE/Tools/Options/Connections, click on your connection, select Settings and untick "use a proxy server".

    The error message is a standard one when IE/OE can't find the host.

    That happens either because a proxy is blocking it, a firewall has blocked outgoing connections, or possibly a hosts file redirect.
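    The three causes listed in the post above (a proxy entry, a blocked outbound connection, a hosts file redirect) can be checked mechanically from a HijackThis log and a copy of the hosts file. The following is an added example written for this thread, not code from HijackThis or from any poster here: it parses R0/R1 and O17 lines in the log format shown above, flags a ProxyServer value that points at the loopback address (a proxy at 127.0.0.1 that the user never configured means some local process is sitting between IE/OE and the network), reports the NameServer for confirmation against the ISP, and classifies hosts-file entries as blocks (mapped to loopback) or redirects (mapped elsewhere). The two R1/O17 sample lines are the ones from the log in this thread; the hosts-file lines and the example.com/example.net names are constructed for illustration. Firewall rules are not checkable from a log, so they are left to the reader.

```python
import ipaddress
import re

# R0/R1 lines look like: "R1 - <registry key>,<value name> = <data>"
_R_LINE = re.compile(r"^(?P<type>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
# O17 lines look like: "O17 - <registry key>: <value name> = <data>"
_O17_LINE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+)\s*=\s*(?P<data>.*)$")


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_proxy_server(data):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.
    Accepts 'host:port' as well as 'http=host:port;https=host:port'."""
    entries = []
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
            port = int(port) if port.isdigit() else None
        else:
            host, port = hostport, None
        entries.append((scheme or "*", host, port))
    return entries


def check_hjt_lines(lines):
    """Return (category, message) findings for proxy and DNS settings in HJT lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = _R_LINE.match(line)
        if m:
            if m.group("name").strip() == "ProxyServer":
                for scheme, host, port in parse_proxy_server(m.group("data")):
                    if is_loopback(host):
                        findings.append(("proxy", "loopback proxy %s -> %s:%s; a local process is intercepting traffic" % (scheme, host, port)))
                    else:
                        findings.append(("proxy", "proxy %s -> %s:%s; confirm it is your ISP/corporate proxy" % (scheme, host, port)))
            continue
        m = _O17_LINE.match(line)
        if m and m.group("name") == "NameServer":
            findings.append(("dns", "NameServer = %s; confirm it belongs to your ISP" % m.group("data").strip()))
    return findings


def check_hosts(hosts_text):
    """Classify every non-localhost hosts entry as a block (loopback) or a redirect."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                continue
            if is_loopback(ip):
                findings.append(("hosts", "%s blocked (mapped to %s)" % (name, ip)))
            else:
                findings.append(("hosts", "%s redirected to %s" % (name, ip)))
    return findings


def triage(hjt_lines, hosts_text):
    """Combine both checks; firewall rules must be inspected separately."""
    return check_hjt_lines(hjt_lines) + check_hosts(hosts_text)


# Constructed sample input. The R0/R1/O17 lines are from the log in this thread;
# the hosts file is made up (example.com / example.net are placeholders).
SAMPLE_HJT = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{64D68194-ECC3-4A5B-91FE-2E46D129C50D}: NameServer = 198.77.116.8",
]
SAMPLE_HOSTS = """# constructed hosts file for illustration
127.0.0.1       localhost
127.0.0.1       update.example.com   # an update site blocked by pointing it at loopback
10.0.0.5        mail.example.net     # a mail host redirected to another machine
"""

if __name__ == "__main__":
    for category, message in triage(SAMPLE_HJT, SAMPLE_HOSTS):
        print("[%s] %s" % (category, message))
```

Run it against the real log (one line per list entry) and the real hosts file (C:\WINNT\system32\drivers\etc\hosts on Windows 2000); a "loopback proxy" finding is the one to chase, since whatever listens on that port is what keeps re-adding the R1 entry.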
     
  11. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    It wasn't ticked. I'm not too sure how to proceed. I can see why it would show the error message, but the thing is 95% of the time Outlook won't even load and I have to Ctrl-Alt-Del.

    Thank you
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  13. justmeis

    justmeis Registered Member

    Joined:
    May 4, 2004
    Posts:
    11
    Thank you, Derek, it was the AVG keeping it from working.

    Thank you so much for your help.
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Glad to hear that.

    Have all the other problems gone now as well?
     