Skip to main content

ky331

3 Apprentice

 • 

15.6K Posts

November 29th, 2005 12:00

I'm gonna try to start things off for you... see how far we'll get... and then call-in someone else to continue...

First, you should move the HJT program from your Desktop:

C:\Documents and Settings\David\Desktop\HijackThis.exe

into a separate folder of its own... We recommend using folder C:\HJT , so that it will then appear in your log under running processes as C:\HJT\HijackThis.exe

[if you prefer, it's okay to have an HJT folder on your desktop, move the hjt program into this folder, and then run the program from there.]

This is important because HJT generates log files, and backup files, in the folder from which it is run. So at present, all these logs/backups will just "clutter-up" your Desktop. And if you simply delete them from there, you'll lose the important backup information, which may be needed in case you have to "undo" [restore] some of the things you "FIX" incorrectly.

 

***************

close your internet browser(s).

Run HJT. Place a check-mark in the box in front of each of the lines:

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (nofile)

O15 - Trusted Zone: *.coolwebsearch.com


O15 - Trusted Zone: *.searchmeup.com

Click on FIX CHECKED.  close HJT.

*************************

download CWShredder from http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

open CWShredder, click on FIX

when it's done, REBOOT, generate a brand new HiJackTHis log, REPLY to this thread, and PASTE it here.

daved18

14 Posts

November 30th, 2005 02:00

Thank you for providing such quick assistance, I had to wait until I returned home this evening to try out your directions.

I followed the directions, did not find the entry for
02 -BHO:9no name)-{ all zeros }- nofile

but I did find the entries for coolwebsearch and searchmeup,

pulled down cwshredder, ran it and it reported no spyware found,
rebooted,
reran HJT and the log is:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:36 PM, on 11/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\staroffice7\program\soffice.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\David\Desktop\hijack_holder_folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.east.sun.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {2B520EDA-1829-45A3-ACF5-AC32A72A166C} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {5492A99C-444A-4A31-AE9C-9E6ED3ABCFA3} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {714F532E-951F-4A04-878D-96BEAA278292} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B711} - C:\WINDOWS\adsldpbd.dll (file missing)
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {9E612BF8-C192-4571-9FDF-D1A2172082F0} - C:\WINDOWS\adsldpbc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\java\Packages\mfcsrv.dll
O2 - BHO: (no name) - {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - C:\WINDOWS\mpatrol.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: StarOffice 7.lnk = C:\Program Files\staroffice7\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: mfcsrv - C:\WINDOWS\java\Packages\mfcsrv.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

ky331

3 Apprentice

 • 

15.6K Posts

November 30th, 2005 12:00

you wrote: " pulled down cwshredder, ran it and it reported no spyware found"... well it, or something, did remove  some bad files, and we can touch-up the corresponding HJT entries:
 

close your internet browser(s).

Run HJT. Place a check-mark in the box in front of each of the lines:

 

O2 - BHO: C:\WINDOWS\adsldpbc.dll - {2B520EDA-1829-45A3-ACF5-AC32A72A166C} - C:\WINDOWS\adsldpbc.dll (file missing)


O2 - BHO: C:\WINDOWS\adsldpbc.dll - {5492A99C-444A-4A31-AE9C-9E6ED3ABCFA3} - C:\WINDOWS\adsldpbc.dll (file missing)


O2 - BHO: C:\WINDOWS\adsldpbc.dll - {714F532E-951F-4A04-878D-96BEAA278292} - C:\WINDOWS\adsldpbc.dll (file missing)


O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B711} - C:\WINDOWS\adsldpbd.dll (file missing)


O2 - BHO: C:\WINDOWS\adsldpbc.dll - {9E612BF8-C192-4571-9FDF-D1A2172082F0} - C:\WINDOWS\adsldpbc.dll (file missing)


 

Click on FIX CHECKED.  close HJT.

*******************

i'm not sure which of the "standard" Winfixer instructions you've already tried... but even if you've already done so, please do the following now:

Download [but do *NOT* yet run] FixVundo from

http://securityresponse.symantec.com/avcenter/FixVundo.exe

[we'll have you run it later]

Note: If you have previously download this file on another occasion, please download it again, to be absolutely sure you have the most current version.

********************

Next, download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

 just reboot if your system "jams"

*********************

After rebooting, it's now time to run FixVundo (which you had downloaded earlier).

Make sure all other programs, including your Internet Browser, are closed.

Double-click the FixVundo.exe file to start the removal tool.

Click Start to begin the process, and then allow this tool to run.

Important: Do not launch any new applications while the tool is running!

Reboot your computer.

Run the FixVundo removal tool again to ensure that the system is clean.

*********************

It's now time to report back to us:

VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.

 

 

daved18

14 Posts

November 30th, 2005 17:00

Thanks again for round two of this effort,

In response to your question, "the standard " instructions I followed, were the same as the instructions you provided, this should be reflected in my VBG logfile, but I'm forced to pare it down to the resultsof the most recent run in order to meet the 20,000 character limit of the site,

Also , although cwshredder reported no viruses, I believe the HJT actions you reccomended prior to running cwshredder probably fixed some of the malware problems.

Also, my son't XP account is starting to show some problems and his desktop icons are dissapearing after a couple of messages reffering to the st3.dll of IE not being part of the release kit.


My most recent HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 2:51:38 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\staroffice7\program\soffice.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Documents and Settings\David\Desktop\hijack_holder_folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.east.sun.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - C:\WINDOWS\mpatrol.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: StarOffice 7.lnk = C:\Program Files\staroffice7\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe




My VBG log below:


[11/23/2005, 19:58:39] - Starting Process...
[11/23/2005, 19:58:39] - Looking for Browser Helper Object [MSEvents Object]
[11/23/2005, 19:58:39] - 1: {00000000-0000-0000-0000-000000000000} -
[11/23/2005, 19:58:39] - WARNING: 1: {00000000-0000-0000-0000-000000000000} - BHO Name is blank.
[11/23/2005, 19:58:39] - Checking for WinLogon Notify reference. (File: )
[11/23/2005, 19:58:39] - Couldn't find in Winlogon Notify. Ignoring {00000000-0000-0000-0000-000000000000}.
[11/23/2005, 19:58:39] - 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class


Lot's of entries for 11/23/05 edited out



[11/23/2005, 22:21:10] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\mpatrol.dll)
[11/23/2005, 22:21:10] - Couldn't find mpatrol in Winlogon Notify. Ignoring {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}.
[11/23/2005, 22:21:10] - Finished searching for [MSEvents Object]
[11/23/2005, 22:21:10] - Finishing up...
[11/23/2005, 22:21:10] - Enabling Automatic Reboot on STOP Error.
[11/23/2005, 22:21:10] - Attempting to Restart via STOP error (Blue Screen!)

[11/30/2005, 12:51:56] - Starting Process...
[11/30/2005, 12:51:56] - Looking for Browser Helper Object [MSEvents Object]
[11/30/2005, 12:51:56] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/30/2005, 12:51:56] - 2: {16875E09-927B-4494-82BD-158A1CD46BA0} -
[11/30/2005, 12:51:56] - WARNING: 2: {16875E09-927B-4494-82BD-158A1CD46BA0} - BHO Name is blank.
[11/30/2005, 12:51:56] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\prflbmsgp32.dll)
[11/30/2005, 12:51:56] - Couldn't find prflbmsgp32 in Winlogon Notify. Ignoring {16875E09-927B-4494-82BD-158A1CD46BA0}.
[11/30/2005, 12:51:56] - 3: {53707962-6F74-2D53-2644-206D7942484F} -
[11/30/2005, 12:51:56] - WARNING: 3: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/30/2005, 12:51:56] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/30/2005, 12:51:56] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/30/2005, 12:51:56] - 4: {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
[11/30/2005, 12:51:56] - 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/30/2005, 12:51:56] - 6: {B8B55274-0F9A-41E5-9067-A3539BD9E860} - MSEvents Object
[11/30/2005, 12:51:56] - Found MSEvents Object!
[11/30/2005, 12:51:56] - File location: C:\WINDOWS\java\Packages\mfcsrv.dll
[11/30/2005, 12:51:56] - Attempting to kill C:\WINDOWS\java\Packages\mfcsrv.dll
[11/30/2005, 12:51:56] - Terminating Process: RUNDLL32.EXE
[11/30/2005, 12:51:56] - Terminating Process: IEXPLORE.EXE
[11/30/2005, 12:51:56] - Disabling Automatic Shell Restart
[11/30/2005, 12:51:57] - Terminating Process: EXPLORER.EXE
[11/30/2005, 12:51:57] - Suspending the NT Session Manager System Service
[11/30/2005, 12:51:57] - Terminating Windows NT Logon/Logoff Manager
[11/30/2005, 12:51:57] - Re-enabling Automatic Shell Restart
[11/30/2005, 12:51:57] - Renaming C:\WINDOWS\java\Packages\mfcsrv.dll -> C:\WINDOWS\java\Packages\mfcsrv.dll.vir
[11/30/2005, 12:51:57] - File successfully renamed!
[11/30/2005, 12:51:57] - Removing Registry references to {B8B55274-0F9A-41E5-9067-A3539BD9E860}
[11/30/2005, 12:51:57] - Adding Internet Explorer Protection (Kill ActiveX) for {B8B55274-0F9A-41E5-9067-A3539BD9E860}
[11/30/2005, 12:51:57] - Removing Winlogon Notify Entry: mfcsrv
[11/30/2005, 12:51:57] - BHO list has been changed! Starting over...
[11/30/2005, 12:51:57] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/30/2005, 12:51:57] - 2: {16875E09-927B-4494-82BD-158A1CD46BA0} -
[11/30/2005, 12:51:57] - WARNING: 2: {16875E09-927B-4494-82BD-158A1CD46BA0} - BHO Name is blank.
[11/30/2005, 12:51:57] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\prflbmsgp32.dll)
[11/30/2005, 12:51:57] - Couldn't find prflbmsgp32 in Winlogon Notify. Ignoring {16875E09-927B-4494-82BD-158A1CD46BA0}.
[11/30/2005, 12:51:57] - 3: {53707962-6F74-2D53-2644-206D7942484F} -
[11/30/2005, 12:51:57] - WARNING: 3: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/30/2005, 12:51:57] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/30/2005, 12:51:57] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/30/2005, 12:51:57] - 4: {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
[11/30/2005, 12:51:57] - 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/30/2005, 12:51:58] - 6: {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} -
[11/30/2005, 12:51:58] - WARNING: 6: {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - BHO Name is blank.
[11/30/2005, 12:51:58] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\mpatrol.dll)
[11/30/2005, 12:51:58] - Couldn't find mpatrol in Winlogon Notify. Ignoring {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}.
[11/30/2005, 12:51:58] - Finished searching for [MSEvents Object]
[11/30/2005, 12:51:58] - Finishing up...
[11/30/2005, 12:51:58] - Enabling Automatic Reboot on STOP Error.
[11/30/2005, 12:51:58] - Attempting to Restart via STOP error (Blue Screen!)

[11/30/2005, 12:52:34] - Starting Process...
[11/30/2005, 12:52:34] - Looking for Browser Helper Object [MSEvents Object]
[11/30/2005, 12:52:34] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/30/2005, 12:52:34] - 2: {16875E09-927B-4494-82BD-158A1CD46BA0} -
[11/30/2005, 12:52:34] - WARNING: 2: {16875E09-927B-4494-82BD-158A1CD46BA0} - BHO Name is blank.
[11/30/2005, 12:52:34] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\prflbmsgp32.dll)
[11/30/2005, 12:52:34] - Couldn't find prflbmsgp32 in Winlogon Notify. Ignoring {16875E09-927B-4494-82BD-158A1CD46BA0}.
[11/30/2005, 12:52:34] - 3: {53707962-6F74-2D53-2644-206D7942484F} -
[11/30/2005, 12:52:34] - WARNING: 3: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/30/2005, 12:52:34] - Checking for WinLogon Notify reference. (File: C:\PROGRA~1\SPYBOT~1\SDHelper.dll)
[11/30/2005, 12:52:34] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/30/2005, 12:52:34] - 4: {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
[11/30/2005, 12:52:34] - 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/30/2005, 12:52:34] - 6: {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} -
[11/30/2005, 12:52:34] - WARNING: 6: {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - BHO Name is blank.
[11/30/2005, 12:52:34] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\mpatrol.dll)
[11/30/2005, 12:52:34] - Couldn't find mpatrol in Winlogon Notify. Ignoring {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}.
[11/30/2005, 12:52:34] - Finished searching for [MSEvents Object]
[11/30/2005, 12:52:34] - Nothing found! Exiting.


Thanks again, Dave Dorfman

ky331

3 Apprentice

 • 

15.6K Posts

November 30th, 2005 18:00

Nice work. Looks like VirtumundoBeGone successfully deactivated [your latest bout with] the bad WinFixer file. Have you noticed any difference, in terms of WinFixer popups, and overall system speed/performance?

At this point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have.  when they get here, you can let them know that you have another user profile [your son's] that they can also help you with.

Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when (or even if) the next helper will arrive.

Good luck.

daved18

14 Posts

November 30th, 2005 21:00

I wish you were right, but alas, I received another pop-up on my last sign on.

On the positive side my son's account came back to life, on the negative side I had to snuff out about 100 dwwin.exe processes, each consuing 5MB. This recovered about 300MBV od phys mem.

I assume they will be back some time????





My HJT log follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:28:39 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\staroffice7\program\soffice.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\David\Desktop\hijack_holder_folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.east.sun.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - C:\WINDOWS\mpatrol.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: StarOffice 7.lnk = C:\Program Files\staroffice7\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

ky331

3 Apprentice

 • 

15.6K Posts

November 30th, 2005 22:00

you wrote:  " I received another pop-up on my last sign on"... was it specifically WinFixer again?  or some other popup?
the point being,at the moment,  i am "specializing" in (and focusing on) WinFixer popups  --- no more, no less --- which is why i'm calling in someone else to analyze the remainder of your log.
 
as for WinFixer, your log no longer shows the standard signs (vundo/virtumundo trojan, installer, surfAccuracy)... so if the popup you're getting now is still WinFixer, we can try testing for a "stealth" (hidden) version.   so let me (or the next person) know... are we talking still about WinFixer, in particular, or some other type of popup.

Message Edited by ky331 on 11-30-2005 07:58 PM

RKinner

2 Intern

 • 

5.9K Posts

November 30th, 2005 23:00

Close Internet Explorer (iexplore.exe)

Run HijackTHis (Scan only) and check these then Fix Checked.

O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll
O2 - BHO: (no name) - {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - C:\WINDOWS\mpatrol.dll

 

Reboot and make a new log and post it as a reply.

Just to make sure:

 

Start, Run, sigverif, OK and then when the new program comes up press Start.  When it finishes look through the list and see if it found wininet.dll.  IF not what did it find (just a few samples if there are a lot of them)

Ron


 

daved18

14 Posts

December 1st, 2005 00:00

Oops, I just got the full screen WinFixer 2005 IE advert, looks like I'm still infested.

daved18

14 Posts

December 1st, 2005 00:00

sorry, I figured out what Sigverif is, I'm running it now, I guess I guessed right

daved18

14 Posts

December 1st, 2005 00:00

yep, it was the small version of winfixer, the first pop-up that notifies you horrible things will happen unless you agree to download, etc.

I decided not to close the pop-up or respond to it, I used the task manager to kill it. The I noticed literallyt dozens of dwwin.exe processes running, each consuming about 5MB of memory. I took the time to kill them all one by one, and they have not come back. I'll follow the directions from Rkinner, but I have to admit that I don't know what "sigverif" refers to?


What is "sigverif"

Dave

RKinner

2 Intern

 • 

5.9K Posts

December 1st, 2005 00:00

On the last login you posted, get DelDomain.inf from:
 
http://www.mvps.org/winhelp2002/DelDomains.inf  and then right click on it and Install.  You won't see anything happen but the O15 lines should disappear from your next HJT log.  Next time you run
HJT on this login, check/Fix Checked this line:
 
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
 
Spywarestormer is garbage.
 
Ron
 
 

 

RKinner

2 Intern

 • 

5.9K Posts

December 1st, 2005 00:00

Your log looks OK.  Can we see one from your son's login?

Also you should have some interesting events in the event viewer:

 

Start, Run, evenvwr.msc, OK then select System and look for red marked events that happened when you got all the dr watson processes.  Double click on one to open it then copy the text by press the bottom of the three buttons then move to a reply and Edit Paste or Ctrl + v.  Give me a sample of the different red marked events you see there and also in Applications.  Don't need 10 copies of the same type event.

Finally run rootkitrevealer from

http://www.sysinternals.com/Utilities/RootkitRevealer.html

search through the list it brings up for files that end in .dll or .exe or .sys.  Especailly interested in wingenerics.dll.

Ron

daved18

14 Posts

December 1st, 2005 00:00

One other strange behavior, a weird sound comes out of the server audio speaker ( not external speakers ) when I hit shift or control for the first time from my sons account??? go figure?

I'll try the additional directions next and add a further reply


HJC log from my suns account:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:03 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\hijack_holder_folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.munky.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SATARaid.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

daved18

14 Posts

December 1st, 2005 00:00

Thanks for jumping into the fray, the HJT log is below, I have to admit I don't know what "siverif" is ( I'd guess it's an MD5 verifier for the windows release kit) or how to get it. Can I get a clue?

Here is the log after taking the reccommended checkbox actions:

Logfile of HijackThis v1.99.1
Scan saved at 9:21:35 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\staroffice7\program\soffice.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\David\Desktop\hijack_holder_folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.east.sun.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: StarOffice 7.lnk = C:\Program Files\staroffice7\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

Was this post helpful?

View All

No Events found!

Top