maybe something can be done about this

Discussion in 'SpywareBlaster & Other Forum' started by b1kra, Jul 22, 2003.

Thread Status:
Not open for further replies.
  1. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    This seems to get through SpywareBlaster and is constantly being removed by spybot SD.

    I have attached the text file created by spybot for reference :)
     


  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi b1kra,

    There are five instances of Whazit in SpywareBlaster's database, but there could of course be more.
    Could you post your HijackThis log
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.
    The items under O16 would be of interest in this case, so if you don't want to post the entire log, those would do.

    Regards,

    Pieter
     
  3. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    Will do, I will post the HJ log in this thread.

    Thanks for the reply Pieter_Arntz :)
     
  4. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    Well, here it is. Sure hope it helps.


    Logfile of HijackThis v1.95.1
    Scan saved at 5:10:01 PM, on 7/22/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\kmw_run.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\KMW_SHOW.EXE
    C:\Program Files\Washer\washer.exe
    C:\Program Files\IE New Window Maximizer\iemaximizer.exe
    C:\Program Files\Bugtoaster\bugwatcher.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\AnalogX\POW\pow.exe
    C:\Program Files\SpeedFan\speedfan.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Toshiba\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
    O4 - HKCU\..\Run: [BugWatcherService] "C:\Program Files\Bugtoaster\bugwatcher.exe"
    O4 - Startup: Shortcut to pow.lnk = C:\Program Files\AnalogX\POW\pow.exe
    O4 - Startup: Shortcut to speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: YahooPOPs.lnk = ?
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/195de437c9fd772c5a23/netzip/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_2.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    :) :) :) :) :)
     
  5. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    I doubt that I was able to capture the references with my running Hijack This. I re-ran Spybot sd and turned up nothing.

    If I do find something with Spybot sd I will run Hijack This first before removing.

    I do have SB sd text files still if they would be of any use. If so, can I get them to you via PM attachment? I have them zipped, but I also have the individual files in text format (about 2 KB ea.)
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi b1kra,

    Good you posted the entire log.
    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/195de437c9fd772c5a23/netzip/RdxIE601.cab
    O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_2.cab

    Reboot after doing so.

    Regards,

    Pieter
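As an added illustration of the triage Pieter does by eye in the post above (this is not code from the thread or from HijackThis), the following Python script flags the same kinds of entries: R0/R1 search settings that are empty or point off an allowlist, O3 toolbars whose DLL is missing, and O16 ActiveX downloads from bare IP addresses or unlisted hosts. The allowlist of trusted hosts is an assumption made for the example, and the sample lines are constructed in the shape of the log posted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/195de437c9fd772c5a23/netzip/RdxIE601.cab
O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_2.cab
"""
# Assumed analyst allowlist of hosts trusted to serve ActiveX controls (O16)
# or to appear in search settings (R0/R1); HijackThis ships no such list.
TRUSTED_HOSTS = {"security.symantec.com", "office.microsoft.com",
                 "download.macromedia.com", "housecall.antivirus.com"}
LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def host_of(url):
    # Lower-cased host of a URL, '' if it has none.
    return (urlparse(url).hostname or "").lower()


def triage_line(line):
    """Reason to review this HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "Search" in body:
        value = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if not value:
            return "search key present but empty"
        if host_of(value) not in TRUSTED_HOSTS:
            return "search setting points to untrusted host " + host_of(value)
    elif section == "O3" and "(file missing)" in body:
        return "toolbar registered but its DLL is missing"
    elif section == "O16":
        url = URL_RE.search(body)
        host = host_of(url.group(0)) if url else ""
        if IP_RE.match(host):
            return "ActiveX control served from bare IP " + host
        if host not in TRUSTED_HOSTS:
            return "ActiveX control served from untrusted host " + host
    return None


def triage_log(text):
    """(line, reason) pairs for every flagged line, in log order."""
    return [(l.strip(), r) for l in text.splitlines() if (r := triage_line(l))]
```

Run against the sample it flags exactly the five lines Pieter lists and leaves the Symantec control alone because its host is on the allowlist.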
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hang on to those for a while, please.
    Maybe these would be of use to javacool. If so, I'm sure he will respond.

    Regards,

    Pieter
     
  8. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    Thank you very much Pieter_Arntz

    Ran it again and checked the items you outlined and had hijack this fix 'em. We will see what this does after I reboot :D

    P.S. will hang on to the spybot sd log files till notified
     
  9. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Sorry for the late reply.

    Would you be able to send those files to press@wilderssecurity.net ?

    TIA. :)

    Best regards,

    -Javacool
     
  10. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    No problem, would you like 'em as a zip file or individual files? Let me know, glad that they may be of some use :) - hope so.
     
  11. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    A zip file if possible - thanks! :)

    Best regards,

    -Javacool
     
  12. b1kra

    b1kra Registered Member

    Joined:
    Jul 22, 2003
    Posts:
    11
    Done.

    Hope that it is helpful. :)
     