Please review log

Discussion in 'adware, spyware & hijack cleaning' started by ronywood, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. ronywood

    ronywood Guest

    I am pasting the log from HijackThis below. I have experienced many popups.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:17:03 PM, on 1/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\WINNT\mwsvm.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINNT\System32\shaadow.exe
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\WINNT\System32\lexpps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\WEATHE~1\Weather.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\System32\PalrgYwG.exe
    C:\WINNT\System32\Fmr0.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\highjack this\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=0053141921681101
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startium.com/index.php?dst=DIST1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=29F15176-1408-4A0A-A88C-059184AD1EAB&version_id=18
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {03400f7f-34bd-4fbd-9f78-1caf5cf1e049} - C:\DOCUME~1\Darrin\APPLIC~1\sscruvhnw.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: Veevo Library - {6E34D984-4054-45E3-8452-0159A2F0D232} - C:\WINNT\System32\Veevo.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: rmoueavzthb - {e7017a00-f31f-42d2-8a10-cba936dd2980} - C:\DOCUME~1\Darrin\APPLIC~1\sscruvhnw.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GameBar\gamebar.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [shaadow.exe] C:\WINNT\System32\shaadow.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [3WHG8#K4MGX3T8] C:\WINNT\System32\IpuFld.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
    O4 - HKLM\..\Run: [ADGKN] C:\WINNT\ADGKN.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Exploder - http://download.games.yahoo.com/games/clients/y/vtk_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/payload2.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_27/QDow.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON39120/flash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37612.4306944444
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterSP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://roxypalace.microgaming.com/roxypalace/FlashAX.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/BundleOuter1132031209.EXE
    O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k11869.ecpm.com
    O17 - HKLM\Software\..\Telephony: DomainName = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C49376-2260-4348-A683-40C4F5786CC7}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D10054-7D80-4325-9A23-B57C87AF0768}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6C9AC08-A7AF-4DC6-AF42-744B9F79D7FE}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k11869.ecpm.com
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi ronywood :)

    Welcome to wilders.

    Please download and run CWShredder at this link,

    http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe

    then post a fresh HijackThis log.

    snowbound
     
  3. ronywood

    ronywood Guest

    Please review log 2

    Thanks Snowbound. I have run CWShredder and here is the resulting log from rerunning HijackThis.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:42:43 PM, on 1/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\WINNT\mwsvm.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINNT\System32\shaadow.exe
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\uptodate.exe
    C:\Program Files\Save\Save.exe
    C:\WINNT\System32\lexpps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\WEATHE~1\Weather.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\System32\PalrgYwG.exe
    C:\WINNT\System32\Fmr0.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM95\aim.exe
    C:\highjack this\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=0053141921681101
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startium.com/index.php?dst=DIST1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=29F15176-1408-4A0A-A88C-059184AD1EAB&version_id=18
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {03400f7f-34bd-4fbd-9f78-1caf5cf1e049} - C:\DOCUME~1\Darrin\APPLIC~1\sscruvhnw.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: Veevo Library - {6E34D984-4054-45E3-8452-0159A2F0D232} - C:\WINNT\System32\Veevo.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: rmoueavzthb - {e7017a00-f31f-42d2-8a10-cba936dd2980} - C:\DOCUME~1\Darrin\APPLIC~1\sscruvhnw.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GameBar\gamebar.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [shaadow.exe] C:\WINNT\System32\shaadow.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [3WHG8#K4MGX3T8] C:\WINNT\System32\IpuFld.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
    O4 - HKLM\..\Run: [ADGKN] C:\WINNT\ADGKN.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Exploder - http://download.games.yahoo.com/games/clients/y/vtk_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/payload2.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_27/QDow.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON39120/flash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37612.4306944444
    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterSP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://roxypalace.microgaming.com/roxypalace/FlashAX.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/BundleOuter1132031209.EXE
    O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k11869.ecpm.com
    O17 - HKLM\Software\..\Telephony: DomainName = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C49376-2260-4348-A683-40C4F5786CC7}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D10054-7D80-4325-9A23-B57C87AF0768}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6C9AC08-A7AF-4DC6-AF42-744B9F79D7FE}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k11869.ecpm.com
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: please review log 2

    You lost me there, I didn't know you were going to start a new thread ;)

    OK, there are some very suspicious things in your log, but I'm sorry, I don't have enough experience to advise you any further.

    The expert log readers will help you with the rest of your log.

    Please be patient as most of the experts live in different time zones.

    snowbound
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi ronywood,

    This is going to be quite some work, but it will be well worth it. :)

    First see if you can uninstall Save! aka WhenUsave aka SaveNow in Add/Remove software.

    Then download and run this file to fix the Peper Trojan:
    http://experts.spywareinfoforum.com/pieter/uninst.exe
    Double-click on 'uninst.exe', let it run and terminate.
    To delete all the associated files, download the following tool:
    http://www.mjc1.com/files/mo/drpeper.html
    It will self-extract to C:.
    Find the file:
    C:\drpeper\Find backup and Delete Peper files.vbs and double-click it.
    On the first prompt copy and paste:
    PalrgYwG.exe
    and hit OK.
    You will get a confirmation and proceed:
    On the second, paste:
    IpuFld.exe
    and hit OK.

    It will find all the files, delete them and will make backups in the same folder.
    It'll open a text file (Peper.txt) with the list of all files deleted.
    Please post the content of that text file so we can check that no legitimate files were removed.

    Next, check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=0053141921681101
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startium.com/index.php?dst=DIST1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=29F15176-1408-4A0A-A88C-059184AD1EAB&version_id=18

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {03400f7f-34bd-4fbd-9f78-1caf5cf1e049} - C:\DOCUME~1\Darrin\APPLIC~1\sscruvhnw.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: Veevo Library - {6E34D984-4054-45E3-8452-0159A2F0D232} - C:\WINNT\System32\Veevo.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

    O3 - Toolbar: rmoueavzthb - {e7017a00-f31f-42d2-8a10-cba936dd2980} - C:\DOCUME~1\Darrin\APPLIC~1\sscruvhnw.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL

    O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GameBar\gamebar.dll

    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [shaadow.exe] C:\WINNT\System32\shaadow.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [3WHG8#K4MGX3T8] C:\WINNT\System32\IpuFld.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
    O4 - HKLM\..\Run: [ADGKN] C:\WINNT\ADGKN.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/payload2.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_27/QDow.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/FON39120/flash.cab

    O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab

    O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterSP.cab

    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://roxypalace.microgaming.com/roxypalace/FlashAX.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.com/bannerfarm/47309/BundleOuter1132031209.EXE
    O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k11869.ecpm.com
    O17 - HKLM\Software\..\Telephony: DomainName = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92C49376-2260-4348-A683-40C4F5786CC7}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2D10054-7D80-4325-9A23-B57C87AF0768}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6C9AC08-A7AF-4DC6-AF42-744B9F79D7FE}: Domain = k11869.ecpm.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k11869.ecpm.com

    Then reboot, preferably into safe mode and delete:
    C:\Program Files\INCREDIFIND <= entire folder
    C:\Program Files\ClearSearch <= entire folder
    C:\WINNT\System32\stcloader.exe
    C:\Program Files\Common Files\slmss <= entire folder
    C:\WINNT\Belt.exe
    C:\WINNT\mwsvm.exe
    C:\Program Files\Media\Media <= entire folder
    C:\WINNT\uptodate.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\nCase <= entire folder
    C:\Program Files\Save <= entire folder

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    And read this on how to prevent future infections: http://boards.cexx.org/viewtopic.php?t=957

    Then you have two files that I would love to have a closer look at. Could you please mail those to the address in my profile:
    C:\WINNT\System32\Veevo.dll
    C:\WINNT\System32\shaadow.exe

    Thanks in advance,

    Pieter
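The triage Pieter does by eye above (start/search pages pointing at unknown hosts, orphaned O2 BHOs, O16 ActiveX downloads from untrusted hosts or bare IP addresses, O17 domain entries, several O4 Run values launching the same executable) written as a small parser over HijackThis v1.97 log lines, plus a before/after diff of the kind the two logs in this thread invite. This is an added example, not code from the thread or from HijackThis; the allowlist and the sample lines are constructed from entries quoted above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.97 log format, a subset of the entries quoted
# in the thread above, so the output stays short.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\mwsvm.exe
C:\Program Files\ClearSearch\Loader.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startium.com/index.php?dst=DIST1
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k11869.ecpm.com
"""

# Hosts a download or start page may legitimately come from: a constructed
# allowlist for this example, not a HijackThis feature.
TRUSTED_HOSTS = {"download.macromedia.com", "download.yahoo.com",
                 "v4.windowsupdate.microsoft.com"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_log(text):
    """Return the section-tagged entries (R0/R1/O2/...) of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def url_host(s):
    m = URL_RE.search(s)
    return urlsplit(m.group(0)).hostname if m else None


def flag_entries(entries, trusted=TRUSTED_HOSTS):
    """Apply the checks a log reader applies by eye; returns (reason, entry) pairs."""
    findings = []
    run_targets = defaultdict(list)  # executable -> Run value names launching it
    for section, body in entries:
        host = url_host(body)
        if section in ("R0", "R1") and host and host not in trusted:
            findings.append(("browser start/search page points off-allowlist", body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO registration", body))
        elif section == "O16" and host and host not in trusted:
            if re.fullmatch(r"[\d.]+", host):
                findings.append(("ActiveX download from bare IP address", body))
            else:
                findings.append(("ActiveX download from off-allowlist host", body))
        elif section == "O17" and re.search(r"Domain(?:Name)? = \S+", body):
            findings.append(("DNS domain suffix set to foreign domain", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                run_targets[m.group(2).strip().lower()].append(m.group(1))
    for exe, names in run_targets.items():
        if len(names) > 1:  # one binary registered under several Run value names
            findings.append(("duplicate Run entries for one executable", f"{names} -> {exe}"))
    return findings


def diff_logs(old_text, new_text):
    """Entries present in one scan but not the other, e.g. before/after CWShredder."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for reason, entry in flag_entries(parse_log(SAMPLE_LOG)):
        print(f"[{reason}] {entry}")
```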
     