Unsolved
April 29th, 2004 00:00

Backdoor.Trojan

I have a Backdoor.Trojan virus infecting my R_bot.dll file which is in my System32 file. No actions can be taken against it (Quarantine or Clean) and the file cannot be deleted because it is a System32 program. Is there a way to gain access to this file so I can delete it? Or is there something else I can do? I have a Dell Dimension 4600 computer. Thanks

3.4K Posts

April 29th, 2004 02:00

We need you to download and install an analysis and repair tool called Hijackthis.

Go here and download the file: http://tomcoyote.com/hjt

Please unzip Hijackthis.zip into a new folder you create in the root level of the C: drive. Name this folder C:\HJT for best and safest results. (don't put in a temp folder, or the desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm


Run Hijackthis, click on the 'scan' button and then 'save log' button. Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt


Stay in this thread for continuity. Reply to this message.


HTH (Hope that Helps)

Texruss

15 Posts

April 29th, 2004 19:00

Logfile of HijackThis v1.97.7
Scan saved at 4:21:30 PM, on 4/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\winnt\system32\Macromed\Flash\EXP\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\winnt\system32\Macromed\Flash\EXP\MSExplorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JJ Palomarez\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.personal.psu.edu/jjp259
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 207.44.194.56 www.google.com
O1 - Hosts: 207.44.194.56 google.com
O1 - Hosts: 207.44.194.56 www.altavista.com
O1 - Hosts: 207.44.194.56 altavista.com
O1 - Hosts: 207.44.194.56 search.yahoo.com
O1 - Hosts: 207.44.194.56 uk.search.yahoo.com
O1 - Hosts: 207.44.194.56 ca.search.yahoo.com
O1 - Hosts: 207.44.194.56 jp.search.yahoo.com
O1 - Hosts: 207.44.194.56 au.search.yahoo.com
O1 - Hosts: 207.44.194.56 de.search.yahoo.com
O1 - Hosts: 207.44.194.56 search.yahoo.co.jp
O1 - Hosts: 207.44.194.56 www.lycos.de
O1 - Hosts: 207.44.194.56 www.lycos.ca
O1 - Hosts: 207.44.194.56 www.lycos.jp
O1 - Hosts: 207.44.194.56 www.lycos.co.jp
O1 - Hosts: 207.44.194.56 alltheweb.com
O1 - Hosts: 207.44.194.56 web.ask.com
O1 - Hosts: 207.44.194.56 ask.com
O1 - Hosts: 207.44.194.56 www.ask.com
O1 - Hosts: 207.44.194.56 www.teoma.com
O1 - Hosts: 207.44.194.56 search.aol.com
O1 - Hosts: 207.44.194.56 www.looksmart.com
O1 - Hosts: 207.44.194.56 search.msn.com
O1 - Hosts: 207.44.194.56 auto.search.msn.com
O1 - Hosts: 207.44.194.56 ca.search.msn.com
O1 - Hosts: 207.44.194.56 fr.ca.search.msn.com
O1 - Hosts: 207.44.194.56 search.fr.msn.be
O1 - Hosts: 207.44.194.56 search.fr.msn.ch
O1 - Hosts: 207.44.194.56 search.latam.yupimsn.com
O1 - Hosts: 207.44.194.56 search.msn.at
O1 - Hosts: 207.44.194.56 search.msn.be
O1 - Hosts: 207.44.194.56 search.msn.ch
O1 - Hosts: 207.44.194.56 search.msn.co.in
O1 - Hosts: 207.44.194.56 search.msn.co.jp
O1 - Hosts: 207.44.194.56 search.msn.co.kr
O1 - Hosts: 207.44.194.56 search.msn.com.br
O1 - Hosts: 207.44.194.56 search.msn.com.hk
O1 - Hosts: 207.44.194.56 search.msn.com.my
O1 - Hosts: 207.44.194.56 search.msn.com.sg
O1 - Hosts: 207.44.194.56 search.msn.com.tw
O1 - Hosts: 207.44.194.56 search.msn.co.za
O1 - Hosts: 207.44.194.56 search.msn.de
O1 - Hosts: 207.44.194.56 search.msn.dk
O1 - Hosts: 207.44.194.56 search.msn.es
O1 - Hosts: 207.44.194.56 search.msn.fi
O1 - Hosts: 207.44.194.56 search.msn.fr
O1 - Hosts: 207.44.194.56 search.msn.it
O1 - Hosts: 207.44.194.56 search.msn.nl
O1 - Hosts: 207.44.194.56 search.msn.no
O1 - Hosts: 207.44.194.56 search.msn.se
O1 - Hosts: 207.44.194.56 search.ninemsn.com.au
O1 - Hosts: 207.44.194.56 search.t1msn.com.mx
O1 - Hosts: 207.44.194.56 search.xtramsn.co.nz
O1 - Hosts: 207.44.194.56 search.yupimsn.com
O1 - Hosts: 207.44.194.56 uk.search.msn.com
O1 - Hosts: 207.44.194.56 search.lycos.com
O1 - Hosts: 207.44.194.56 www.lycos.com
O1 - Hosts: 207.44.194.56 www.google.ca
O1 - Hosts: 207.44.194.56 google.ca
O1 - Hosts: 207.44.194.56 www.google.uk
O1 - Hosts: 207.44.194.56 www.google.co.uk
O1 - Hosts: 207.44.194.56 www.google.com.au
O1 - Hosts: 207.44.194.56 www.google.co.jp
O1 - Hosts: 207.44.194.56 www.google.jp
O1 - Hosts: 207.44.194.56 www.google.at
O1 - Hosts: 207.44.194.56 www.google.be
O1 - Hosts: 207.44.194.56 www.google.ch
O1 - Hosts: 207.44.194.56 www.google.de
O1 - Hosts: 207.44.194.56 www.google.dk
O1 - Hosts: 207.44.194.56 www.google.fi
O1 - Hosts: 207.44.194.56 www.google.fr
O1 - Hosts: 207.44.194.56 www.google.com.gr
O1 - Hosts: 207.44.194.56 www.google.com.hk
O1 - Hosts: 207.44.194.56 www.google.ie
O1 - Hosts: 207.44.194.56 www.google.co.il
O1 - Hosts: 207.44.194.56 www.google.it
O1 - Hosts: 207.44.194.56 www.google.co.kr
O1 - Hosts: 207.44.194.56 www.google.com.mx
O1 - Hosts: 207.44.194.56 www.google.nl
O1 - Hosts: 207.44.194.56 www.google.co.nz
O1 - Hosts: 207.44.194.56 www.google.pl
O1 - Hosts: 207.44.194.56 www.google.pt
O1 - Hosts: 207.44.194.56 www.google.com.ru
O1 - Hosts: 207.44.194.56 www.google.com.sg
O1 - Hosts: 207.44.194.56 www.google.co.th
O1 - Hosts: 207.44.194.56 www.google.com.tr
O1 - Hosts: 207.44.194.56 www.google.com.tw
O1 - Hosts: 207.44.194.56 google.at
O1 - Hosts: 207.44.194.56 google.be
O1 - Hosts: 207.44.194.56 google.de
O1 - Hosts: 207.44.194.56 google.dk
O1 - Hosts: 207.44.194.56 google.fi
O1 - Hosts: 207.44.194.56 google.fr
O1 - Hosts: 207.44.194.56 google.com.hk
O1 - Hosts: 207.44.194.56 google.ie
O1 - Hosts: 207.44.194.56 google.co.il
O1 - Hosts: 207.44.194.56 google.it
O1 - Hosts: 207.44.194.56 google.co.kr
O1 - Hosts: 207.44.194.56 google.com.mx
O1 - Hosts: 207.44.194.56 google.nl
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Windows Backup Configuration] IEXPLORER.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Task Scheduler] WincfgM32.exe
O4 - HKLM\..\Run: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\RunServices: [Task Scheduler] WincfgM32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.74125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A3B043-E278-4026-9084-F39DCF01B864}: NameServer = 128.118.25.3,130.203.1.4


3.4K Posts

April 29th, 2004 21:00

Your HOSTS file is hijacked and you have other parasites.

Rename your HOSTS file and reboot:

http://www.russelltexas.com/spywareinfo/renamehosts.htm

C:\Documents and Settings\Username\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

Comments: This is a bad location for HJT folder...create a new one at C:\HJT and move the hijackthis.exe file into it:
 http://russelltexas.com/spywareinfo/createhjtfolder.htm

Comments: Optional, but recommended....after doing this I would uninstall Wild Tangent in Control Panel (look for icon). It's bundled with some AIM games, but has a bad reputation for spying in my opinion.  The key values for it are below if you can't uninstall and need to delete it in HJT:

C:\WINDOWS\wt\updater\wcmdmgr.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

Delete these entries in HJT, then reboot in Safe Mode and delete the wt subfolder in C:\Windows

Other problems:

Run HJT, scan and check for removal:

C:\Program Files\Common files\updmgr\updmgr.exe
Comments: eUniverse/KeenValue adware

R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
Comments: PerfectNav malware

O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
Comments: Limeshop malware

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
Comments: another entry for eUniverse/KeenValue adware

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
Comments: More Limeshop crud

With no other windows open except for HJT, click 'fix checked'

Reboot in Safe Mode (hit F8 on restart)
Delete these folders in Windows Explorer:

C:\PROGRAM FILES\PERFECNAV   folder
C:\Program Files\LimeShop   folder
C:\Program Files\Common files\updmgr   folder

Reboot in normal mode and run the full regimen of Spybot and Adaware:

Download and run these two programs (Spybot S&D and Adaware). Use Spybot first.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr
I check all the selected items to be deleted here.

Post a new Hijackthis log in this thread.

HTH,

Texruss


15 Posts

April 30th, 2004 00:00

New Hijackthis log


Logfile of HijackThis v1.97.7
Scan saved at 9:30:53 PM, on 4/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\winnt\system32\Macromed\Flash\EXP\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\winnt\system32\Macromed\Flash\EXP\MSExplorer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Documents and Settings\JJ Palomarez\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.personal.psu.edu/jjp259
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Windows Backup Configuration] IEXPLORER.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Task Scheduler] WincfgM32.exe
O4 - HKLM\..\Run: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\RunServices: [Task Scheduler] WincfgM32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.74125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A3B043-E278-4026-9084-F39DCF01B864}: NameServer = 128.118.25.3,130.203.1.4


3.4K Posts

April 30th, 2004 00:00

You did a great job! Well done. I bet it runs better now. Looks fine to me...any special issues noticed?

1. The main cleanup programs...they are reactive...not proactive:

Spybot Search & Destroy and Ad-aware: run them weekly, or after a heavy internet session.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr
I check all the selected items to be deleted here.

2. Proactive programs: SpywareBlaster & SpywareGuard. The first sets kill bits to stop known bad MSIE ActiveX scripts from installing; the second acts like your AV to stop browser hijacks and the installing of known baddies.

3. IE-SPYAD puts 4000 bad sites in your Restricted (banned) Sites list, to stop you accidentally getting sent to a bad site. It has an optional list of "bad" adult sites to install as well.

Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html

4. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

5. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

6. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

7. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(For Hijackthis logs, please copy Hijackthis.exe into, and run it from, a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results. Don't put it in a temp folder, or the Windows desktop, etc., as it needs a safe folder to keep backup logs. Also, when people post here and place it on the Desktop, the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.wilderssecurity.com


Good luck and safe computing!

Texruss

15 Posts

April 30th, 2004 01:00

So what exactly did all that do? Because the Backdoor.Trojan virus is still infecting Run.dll in my System32 folder.

3.4K Posts

April 30th, 2004 02:00

>Because the Backdoor.Trojan virus is still infecting Run.dll in my System32 folder.

What did all that do? Eliminated a lot of parasites...HJT does not see everything. That's why I asked about special issues. Question...does it specifically identify it as run.dll or is the period missing?  (Run dll)

Run.dll is not a legitimate file...if you can find it in Safe Mode and zip it up and email it to my profile address I would appreciate it. Delete it without prejudice in Safe Mode if Norton can't remove it.

Report back on any filenames mentioned, folder locations, and AV deletion attempt messages.

All the best,

Texruss


15 Posts

April 30th, 2004 02:00

Sorry, I don't know what I was thinking. It's R_BoT.dll

3.4K Posts

April 30th, 2004 03:00

Sounds like an IRC Bot and it's hostile, not a legitimate Windows file by any means. Purge it without prejudice in Safe Mode and you should be good to go. No copy needed for me...it's been saved by security reverse engineers.

Rescan in AV and see what gives.

All the best,

Texruss


15 Posts

April 30th, 2004 15:00

Logfile of HijackThis v1.97.7
Scan saved at 12:39:49 PM, on 4/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
c:\winnt\system32\Macromed\Flash\EXP\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\winnt\system32\Macromed\Flash\EXP\MSExplorer.exe
C:\Documents and Settings\JJ Palomarez\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.personal.psu.edu/jjp259
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Windows Backup Configuration] IEXPLORER.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Task Scheduler] WincfgM32.exe
O4 - HKLM\..\Run: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\RunServices: [Task Scheduler] WincfgM32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.74125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A3B043-E278-4026-9084-F39DCF01B864}: NameServer = 128.118.25.3,130.203.1.4


3.9K Posts

April 30th, 2004 15:00

Please post back with a new hijackthis log for us to see.

15 Posts

April 30th, 2004 15:00

Hey, thanks for your help with all that stuff. It's running much better now. Last thing. Whenever windows starts, I get a dialogue box that says "services.exe" has encountered a problem and needs to close." What should I do about that, if there is anything I can do?

3.9K Posts

April 30th, 2004 16:00

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary. Please delete the old copy (including the zip copy) so it can't be used.
========================
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

All R0/R1 lines - except the one home and one search page you wish to keep.
O4 - HKLM\..\Run: [Windows Backup Configuration] IEXPLORER.exe
O4 - HKLM\..\Run: [Task Scheduler] WincfgM32.exe
O4 - HKLM\..\RunServices: [Task Scheduler] WincfgM32.exe

It may be that Dogpile was not installed by you; if so, check the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.dogpile.com/info.dogpl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll

The following ActiveX controls will reinstall when (and if) you revisit that website. Unless you know they are from a safe source, check them to remove.

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-

File > > IEXPLORER.exe
(Probably in the c:\windows or c:\windows\system32 folder - NOT IEXPLORE.exe, which is the MS file)
File > > WincfgM32.exe
(Probably in the c:\windows or c:\windows\system32 folder)

Then Reboot and post a fresh log for me to check.


The following file (and I think it is malware) I can't find any details on. Please locate the file in Windows Explorer, right-click, Properties, and post back with any details found. (You may need to search your computer to find it; it is probably in the c:\windows or c:\windows\system32 folder.)

O4 - HKLM\..\Run: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\RunServices: [MSConf-1.6.1] wincmd32.exe
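
Reading a log by hand the way the two helpers do above (Texruss spotting the hijacked HOSTS entries and parasites in the first log, and the fix list just above for the bare-filename Run/RunServices entries) can be mechanised. The script below is an added example for this thread, not HijackThis code and not anything the posters ran. It parses the O1, O4 and running-process lines of a HijackThis 1.9x log and flags HOSTS entries that redirect rather than block, autorun entries that name a bare file or differ from a Windows binary by one character, labels planted in both Run and RunServices, and system-binary names loaded from outside the system directories. The SYSTEM_BINARIES, SYSTEM_DIRS and KNOWN_BARE lists are assumptions for illustration, not a vetted whitelist, and SAMPLE_LOG is an excerpt of the first log posted in this thread.

```python
"""Triage a HijackThis 1.9x log for the finding classes picked out in this
thread: HOSTS redirects (O1), autorun entries (O4) naming a bare file or
mimicking a Windows binary, one label in both Run and RunServices, and
system binaries running from odd paths. Added example; lists are assumptions."""
import re
from collections import defaultdict

# XP binaries that bots and adware like to impersonate (assumed, not
# exhaustive) and the only directories they should be loaded from.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "iexplore.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "smss.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows",
               r"c:\program files\internet explorer"}
KNOWN_BARE = {"rundll32.exe"}  # bare names that are normal in Run keys

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.+?)\] (.+)$")
PROC_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)

def split_path(path):
    """(directory, filename) of a Windows path, both lower-cased."""
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail.lower()

def exe_from_command(cmd):
    """Program an O4 command runs: quoted token, else up to first .exe, else first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def lookalikes(name):
    """System binaries NAME imitates by one extra or missing character
    (IEXPLORER.exe is one character from both iexplore.exe and explorer.exe)."""
    hits = []
    for real in sorted(SYSTEM_BINARIES):
        longer, shorter = (name, real) if len(name) > len(real) else (real, name)
        if len(longer) - len(shorter) == 1 and any(
                longer[:i] + longer[i + 1:] == shorter for i in range(len(longer))):
            hits.append(real)
    return hits

def triage(log_text):
    """Return {finding_class: [details]} for one HijackThis log."""
    findings = defaultdict(list)
    hosts_by_ip = defaultdict(list)   # non-loopback target -> hostnames
    labels_by_key = defaultdict(set)  # Run / RunServices -> labels seen
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            # A 127.x or 0.0.0.0 entry blocks a name; anything else redirects it.
            if not (ip.startswith("127.") or ip == "0.0.0.0"):
                hosts_by_ip[ip].append(host)
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, label, cmd = m.groups()
            exe = exe_from_command(cmd)
            _, name = split_path(exe)
            labels_by_key[key].add(label)
            # A bare name is resolved through the search path at logon, so the
            # file can sit anywhere on it; hence the helper's "locate the file".
            if "\\" not in exe and name not in KNOWN_BARE:
                findings["o4_bare_filename"].append((f"{hive}\\..\\{key}", label, exe))
            if hits := lookalikes(name):
                findings["o4_lookalike"].append((label, exe, hits))
            continue
        if PROC_RE.match(line):
            directory, name = split_path(line)
            if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
                findings["process_odd_path"].append(line)
    for ip, hosts in hosts_by_ip.items():
        findings["hosts_redirect"].append((ip, sorted(hosts)))
    both = labels_by_key["Run"] & labels_by_key["RunServices"]
    if both:
        findings["o4_run_and_runservices"] = sorted(both)
    return dict(findings)

# Excerpt of the first log posted in this thread (the full log has about a
# hundred O1 lines pointing at the same address).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
c:\winnt\system32\Macromed\Flash\EXP\svchost.exe
C:\WINDOWS\Explorer.EXE
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 207.44.194.56 www.google.com
O1 - Hosts: 207.44.194.56 search.msn.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Backup Configuration] IEXPLORER.exe
O4 - HKLM\..\Run: [Task Scheduler] WincfgM32.exe
O4 - HKLM\..\Run: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [MSConf-1.6.1] wincmd32.exe
O4 - HKLM\..\RunServices: [Task Scheduler] WincfgM32.exe
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, *items, sep="\n    ")
```

Run it as a script to print the findings for the excerpt, or pass the text of a saved hijackthis.log to triage() for a real one. Note what it cannot do: a bare name in an O4 entry is resolved through the search path at logon, so the script can only say the path is missing, not where the file sits, which is exactly why the helper asks for the file's Properties. The svchost.exe under c:\winnt\system32\Macromed\Flash\EXP is flagged because this box's system root is C:\WINDOWS, so nothing legitimate should be running from a c:\winnt tree at all.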

15 Posts

April 30th, 2004 17:00

Just a few questions...what will deleting these do? --

File > > IEXPLORER.exe
(Probably in the c:\windows or c:\windows\system32 folder - NOT IEXPLORE.exe, which is the MS file)
File > > WincfgM32.exe
(Probably in the c:\windows or c:\windows\system32 folder)


And, will all this help the dialogue box "services.exe has encountered a problem..." not come up?

3.4K Posts

April 30th, 2004 22:00

>File > > IEXPLORER.exe
(Probably in the c:\windows or c:\windows\system32 folder - NOT IEXPLORE.exe which is the MS file)
File > > WincfgM32.exe
(Probably in the c:\windows or c:\windows\system32 folder)

Click on the hot links I made and you'll see you don't want those files.

Texruss
