zygor
12 Posts
0
March 2nd, 2004 18:00
Don't do a System Restore to fix the virus. Since anti-virus tools don't remove viruses from the System Restore folder (_Restore), you could bring some of the bad stuff right back. I would try a removal tool or manually remove it at this point.
The vxd32v.exe file referenced at startup is not a Windows file and you don't want it back. It was the process put in place by the virus. Use a removal tool like the one Symantec offers for free at the link below to see if it fixes the issue or manually remove it from startup (registry & system.ini file) if it doesn't find the virus on your system anymore.
Dumaru Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.removal.tool.html
Manual Removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y@mm.html#removalinstructions
ChrisRLG
3.9K Posts
0
March 3rd, 2004 11:00
After doing that good advice, post a hijackthis log from the instructions below.
---------------------------
Use these to remove Malware (Virus, Spyware and Adware).
1) SpyBot Search and Destroy
After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all the items it marks in red.
2) Get Ad-Aware
After installing Ad-Aware, and before running the program, first press "check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.
Always reboot the computer between each program - both of these may find things that they need to have a reboot of the machine to clear - please reboot and let them finish.
Failing those solving your problems, post a hijackthis log for the experts to advise.
HijackThis From Here
or one of these other links:-
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis knowledge will have a go at giving advice. Please note the list of experts' names below; very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
therock247uk (In Training at TomCoyotes)
irelynmisses (In Training at TomCoyotes)
You could also go to one of the more specialist forums where more experts will be able to help.
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
Do read the site's FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to answer your log, but other experts will also be available.
ilmn8u2
6 Posts
0
March 3rd, 2004 21:00
Thank you so much, zygor. I did not even consider the fact that this could have been created by the virus. I did as you advised, and the removal tool did locate and delete the virus. Everything seems to be running smoothly now, and we no longer receive the error message at log in. Thanks again, Toni
ilmn8u2
6 Posts
0
March 3rd, 2004 21:00
Hey ChrisRLG, Since most of our business is on-line, do you have an idea as to how long these downloads and scans may take? If it is a lengthy process then I will need to schedule accordingly. Thanks, Toni
ChrisRLG
3.9K Posts
0
March 4th, 2004 11:00
Hijackthis is very small, a few minutes, spybot S&D and ad-aware a little longer. If on dialup just do one of them, my preference would be Spybot S&D (But others would opt for Ad-Aware). Under 30 mins each.
If going to my site for other recommended software, spywareblaster and spywareguard under 15 mins on dialup (But I am on ADSL).
ilmn8u2
6 Posts
0
March 4th, 2004 17:00
ChrisRLG,
Even though I am on a dial-up, I was able to download and run the spybot search and destroy yesterday evening, didn't take long at all. And after receiving your response today, I was able to download and run the ad-aware.
Here is a copy of the hijackthis log; (I am glad you know what you are doing, because it all looks pretty complicated to me)
Logfile of HijackThis v1.97.7
Scan saved at 12:56:40 PM, on 3/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cidaemon.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {933EC14C-7B6A-4F8B-8770-820167956CC3} (ShapeShifter.Mask) - http://www.rovion.com/Controls/shapeshifter.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
I await your advice, Thanks again for all your help, Toni
ChrisRLG
3.9K Posts
0
March 4th, 2004 22:00
Yes it is complicated, we have a school on the net to teach it. About 150 classmates learning at the moment. Free classes for those that will be willing to help people on forums like this. I have been doing this for some 6 months now, still not expert grade, just Trusted Advisor, but the standard is very high.
----------------------------------------
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
The following activeX controls will reinstall when (and if) you revisit that website, UNLESS you know they are from a safe source, check to remove.
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {933EC14C-7B6A-4F8B-8770-820167956CC3} (ShapeShifter.Mask) - http://www.rovion.com/Controls/shapeshifter.cab
Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-
Folder > C:\PROGRA~1\MYWEBS~1\bar
Then Reboot and post a fresh log for me to check.
These ones I will need some advice from you.
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
They could be malware or they could be the settings given by your ISP on how to connect to the net. If removed and they are needed you would lose connection with the internet. So are these the DNS or gateway servers that your ISP has told you to use?
Here is some info on them from the net (Sam Spade):
--------------------------
03/05/04 00:00:11 IP block 12.168.164.2
Trying 12.168.164.2 at ARIN
Trying 12.168.164 at ARIN
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
GREEN DRAGON CREATIONS GREEN-DR74-164 (NET-12-168-164-0-1)
12.168.164.0 - 12.168.167.255
# ARIN WHOIS database, last updated 2004-03-03 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
-------------------------------
03/05/04 00:01:04 IP block 63.175.34.2
Trying 63.175.34.2 at ARIN
Trying 63.175.34 at ARIN
Sprint SPRN-BLKS (NET-63-160-0-0-1)
63.160.0.0 - 63.175.255.255
WATER VALLEY INTERCHANGE FON-1068441600621011 (NET-63-175-32-0-1)
63.175.32.0 - 63.175.35.255
# ARIN WHOIS database, last updated 2004-03-03 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
---------------------------------
Please get your ISP to check that these are OK. If not we will need to fix those too.
Post back BEFORE you try fixing with any info your ISP has.
ilmn8u2
6 Posts
0
March 4th, 2004 23:00
Ok, everything is done as instructed and here is the new log. As for the two you are concerned with, I am not sure how to get my ISP to check these, but after I connected, I checked the status of the connection and clicked on the details tab, and it is showing the Server IP as 12.168.164.12 and the Client IP address as 63.175.35.167. I even went as far as to disconnect and re-connect and checked again, and of course the last group of numbers of each has changed. Also the names in the information that you found on the net, Green Dragon Creations and Water Valley Interchange, are for our local dial-up connection server. If you need more verification, please advise as to the best way to obtain it. Thanks, Toni
Logfile of HijackThis v1.97.7
Scan saved at 7:00:34 PM, on 3/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cidaemon.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
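The check ChrisRLG did by hand in the post above (an ARIN lookup of each O17 NameServer address) together with the corroboration Toni supplied (the dial-up connection's own server and client addresses), as an added Python example that is not part of this thread and not any poster's tool. The O17 lines, the ARIN ranges and the connection addresses are the ones quoted in the two posts above; the function names are my own, and the 203.0.113.53 entry with the {CONSTRUCTED-GUID} key is a constructed address from the documentation range, included to show how a nameserver that no known allocation explains is reported.

```python
"""Check HijackThis O17 NameServer entries against ISP allocations (added example)."""
import ipaddress
import re

# O17 lines as they appear in the HijackThis log posted in this thread.
O17_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2",
]

# The most specific allocation returned by each ARIN WHOIS lookup quoted in the thread.
ARIN_BLOCKS = {
    "GREEN DRAGON CREATIONS": ("12.168.164.0", "12.168.167.255"),
    "WATER VALLEY INTERCHANGE": ("63.175.32.0", "63.175.35.255"),
}

# Addresses read off the dial-up connection's status/details tab in Toni's reply.
CONNECTION_IPS = {"server": "12.168.164.12", "client": "63.175.35.167"}

NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+?)\s*$")


def nameservers_from_o17(lines):
    """Return the distinct DNS servers listed in O17 lines, in log order.

    HijackThis prints several servers on one line separated by spaces (or
    commas) and repeats the list once per control set, so duplicates collapse.
    """
    seen = []
    for line in lines:
        if not line.startswith("O17 "):
            continue
        match = NAMESERVER_RE.search(line)
        if not match:
            continue
        for token in re.split(r"[ ,]+", match.group(1)):
            if token and token not in seen:
                seen.append(token)
    return seen


def allocation_owner(ip_text, blocks=ARIN_BLOCKS):
    """Name of the quoted allocation containing ip_text, or None if none matches."""
    ip = ipaddress.ip_address(ip_text)
    for owner, (first, last) in blocks.items():
        if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return owner
    return None


def assess_nameservers(lines, connection_ips=CONNECTION_IPS, blocks=ARIN_BLOCKS):
    """Decide, per nameserver, whether the ISP connection itself corroborates it.

    A nameserver is 'corroborated' when the dial-up server or client address the
    machine actually received lands in the same allocation. Anything else is
    'verify with ISP': it may be legitimate, but nothing seen so far proves it.
    """
    connection_owners = {allocation_owner(ip, blocks) for ip in connection_ips.values()}
    connection_owners.discard(None)
    report = {}
    for ns in nameservers_from_o17(lines):
        owner = allocation_owner(ns, blocks)
        if owner is not None and owner in connection_owners:
            report[ns] = ("corroborated", owner)
        else:
            report[ns] = ("verify with ISP", owner)
    return report


if __name__ == "__main__":
    # Constructed extra line: a nameserver in the 203.0.113.0/24 documentation
    # range, covered by no quoted block, to show how an unexplained entry reads.
    sample = O17_LINES + [
        r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 203.0.113.53"
    ]
    for ns, (verdict, owner) in assess_nameservers(sample).items():
        print(f"{ns:15} {verdict:16} {owner or 'no matching allocation'}")
```

Run as-is it reports both real nameservers as corroborated by the connection's own allocation and the constructed one as "verify with ISP". Sitting inside some ARIN block is not proof by itself, which is why an entry is only marked corroborated when the connection the machine actually dialled lands in the same allocation; an O17 nameserver that no known allocation explains is the case to take to the ISP before fixing anything, exactly as the post advises.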
ChrisRLG
3.9K Posts
0
March 5th, 2004 14:00
It sounds from what you say that those lines are legit. Do advise if you have problems still.
---------------------------------
This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-
Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.
Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known baddies.
Also ie-spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has an optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like AV they need to be updated regularly, I do mine weekly, AV daily.
With these and a firewall in place I have to try various bad sites when checking people's hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
ilmn8u2
6 Posts
0
March 5th, 2004 17:00
ChrisRLG,
Thanks so much for all your help
In my book you are expert grade. I have printed all information from this post, and will be keeping it handy. I do have a few questions though;
You advised to run Spybot S&D and Ad-Aware weekly, which is no problem. What about the Hijackthis program, do it weekly also?
If so, how will I be able to understand the log? I would hate to bother you every week. I guess the simplest solution would be to keep a copy of this last log which you said is clear. Then I can compare with any new logs, and send you a post of any new items???
Again THANK YOU for all your help, Toni
ChrisRLG
3.9K Posts
0
March 5th, 2004 18:00
Hijackthis is a tool for experts, not for people with no or little knowledge. There is a tutorial written by the author merijn, but in it he does say that you should consult experts to get advice. You can make your machine unusable with it. A link to the tutorial is in the pegged posts at the top of this virus board.
As you say keep a copy of the current state of your log and check with any new ones.
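One way to do the comparison ChrisRLG recommends here (keep the clean log and check later ones against it), as an added Python example that is not part of this thread and not a HijackThis feature. It treats each log as sets of entries keyed by section, so a changed order in the running-process list (which differs from boot to boot, as it does between the two logs posted above) is not reported as a change. The two excerpts are taken from the logs posted in this thread, trimmed to the lines that matter for the comparison; the function names are my own.

```python
"""Compare two HijackThis logs and report what appeared or disappeared (added example)."""
import re

# Excerpts of the two logs posted in this thread: the one before ChrisRLG's fix
# list and the one posted after it. Most unchanged entries are left out.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 12:56:40 PM, on 3/4/2004
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {933EC14C-7B6A-4F8B-8770-820167956CC3} (ShapeShifter.Mask) - http://www.rovion.com/Controls/shapeshifter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 7:00:34 PM, on 3/4/2004
Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF7A3C-1A59-470A-9613-38E78C34B218}: NameServer = 12.168.164.2 63.175.34.2
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - ")
HEADER_PREFIXES = ("Logfile of HijackThis", "Scan saved at", "Platform:", "MSIE:")


def parse_log(text):
    """Split a HijackThis log into {section: set(lines)}.

    Lines between 'Running processes:' and the first 'Xn - ' entry are the
    process list; every entry line goes under its section tag (O4, O16, ...).
    Sets are used because the process order changes between boots.
    """
    sections = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            sections.setdefault(match.group(1), set()).add(line)
        elif in_processes:
            # Windows paths are case-insensitive, so normalise before comparing.
            sections.setdefault("process", set()).add(line.lower())
    return sections


def diff_logs(baseline_text, new_text):
    """Return (added, removed): entries only in the new log / only in the baseline."""
    base, new = parse_log(baseline_text), parse_log(new_text)
    added, removed = [], []
    for section in sorted(set(base) | set(new)):
        before, after = base.get(section, set()), new.get(section, set())
        added.extend(sorted((section, entry) for entry in after - before))
        removed.extend(sorted((section, entry) for entry in before - after))
    return added, removed


if __name__ == "__main__":
    new_entries, gone_entries = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("New since the baseline (look these up, or post them, before trusting them):")
    for section, entry in new_entries or [("-", "none")]:
        print(f"  + [{section}] {entry}")
    print("Gone since the baseline:")
    for section, entry in gone_entries or [("-", "none")]:
        print(f"  - [{section}] {entry}")
```

Run against the two logs posted here it reports nothing new and four entries gone: the MyWebSearch O4 entry, two of the three O16 controls ChrisRLG listed for removal, and the mwsoemon.exe process. Anything that shows up under "new" in a later run is what to look up or post before acting on it; the script deliberately does not judge whether an entry is bad, since that is the part that needs the training the thread talks about.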