Suspect Hijack

Discussion in 'adware, spyware & hijack cleaning' started by edbees, May 28, 2004.

Thread Status:
Not open for further replies.
  1. edbees

    edbees Registered Member

    Joined:
    May 28, 2004
    Posts:
    3
    Hello,
    I'm running Spybot, but everytime I re-boot, I keep getting persistent pop-ups. I disabled Messenger, to no avail. Here is my hijackthis log.


    Logfile of HijackThis v1.97.7
    Scan saved at 7:29:02 PM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\avgamsvr.exe
    D:\PROGRA~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common files\WinTools\WSup.exe
    D:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    D:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9280BDA7-1568-4614-86CB-F15DFDB9F300} (QDiagKNUpdateObj Class) - http://www.xraypc.com/knsite/html/qdiagkn.cab?259
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37814.4709027778
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    Thanks
     
  2. edbees

    edbees Registered Member

    Joined:
    May 28, 2004
    Posts:
    3
    I forgot to mention that Spybot keeps showing CleverIEhooker.jeired at every scan.

    Ed
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Ed,

    Welcome to Wilders.

    Before you begin, please create a new, permanent folder and move HijackThis.exe into the new folder.
    Hijackthis creates backups in the folder it is ran from, and we want to contain the backups in one folder incase we need to restore any of them.

    Then with only HijackThis open, put a check beside the following items.
    Close ALL windows/browsers (except HijackThis) and click *Fix checked*:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...23/cpbrkpie.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    ***

    Download LSPfix from here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    ***

    Reboot to Safe Mode:
    How to start the computer in Safe mode

    Show hidden files and folders:
    Show hidden files & folders

    Find and delete these files & folders listed in bold:
    C:\Program Files\Common files\WinTools <--folder
    C:\Program Files\TV Media <--folder

    Repost a new log to be checked.

    Regards,

    snap
     
  4. edbees

    edbees Registered Member

    Joined:
    May 28, 2004
    Posts:
    3
    Thank you snap.
    I followed your instructions and here are the results,

    Logfile of HijackThis v1.97.7
    Scan saved at 2:13:29 PM, on 5/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\avgamsvr.exe
    D:\PROGRA~1\avgupsvc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Program Files\Palm\HOTSYNC.EXE
    C:\WINDOWS\Explorer.EXE
    D:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
    O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - d:\program files\WebBug.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9280BDA7-1568-4614-86CB-F15DFDB9F300} (QDiagKNUpdateObj Class) - http://www.xraypc.com/knsite/html/qdiagkn.cab?259
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37814.4709027778
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


    Thanks again,
    Ed
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Ed,

    Just one left-over that needs fixed.

    In HijackThis, place a check beside the follow.
    Make sure ALL windows/browsers are closed (except HijackThis) and click *Fix checked*:

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    (if you don't recognize the addresses for these, then you can include them too)
    O16 - DPF: {9280BDA7-1568-4614-86CB-F15DFDB9F300} (QDiagKNUpdateObj Class) - http://www.xraypc.com/knsite/html/qdiagkn.cab?259
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/act.../karaokeCom.ocx

    Reboot your computer.

    Then once you are sure your system is clean, turn off System Restore to purge old restore points to remove any infection that would have been backed up in there:
    System Restore Instructions.
    Remember to reboot your computer then re-enable System Restore and set a new Restore Point.

    Here are some steps to follow to help tighten your security and prevent future infection: https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    snap
     
Thread Status:
Not open for further replies.