Special Deletion Comments: If Wintools resists:
Navigate to C:\Program Files\Common Files\Wintools
Right button click on Wintools folder icon and uncheck Read-only box. Click on Advanced tab and see if there is a security tab. Go in it and check all boxes to give you permissions over that folder.
Do the same if there is a Temp subfolder under WinTools.
Now right button click on Wintools folder and delete. If it doesn't go away then try some more investigation in those Properties. Report back on how you do for this and if these directions worked. If it deletes, exit Explorer and empty Recycle Bin.
Next....Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Navigate down the folder structure in left hand window and then in the right window delete the following files and/or folders: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: jimw, ddeerrff, and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.
BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
Did what you said on deleting folders. Would not let me delete wintools program folder. "Cannot delete wsup.exe there has been a sharing violation. The source Destination may be in use".
Also in task manager, could not end process for WToolsS.exe and WToolsA.exe. "The operation could not be completed. Access Denied."
Regarding wintools, the read only was not checked, and in security I opened permission for all. Still would not let me delete. There was no Temp Tab.
pskelley, 933 Posts, June 28th, 2004 17:00
Hello, please take a look at this thread first.
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=15651
If you would like us to take a look at your issues, we will need you to follow the directions below. Once your log is posted, please be patient. We are all volunteers with families and real jobs, and the logs being posted are many. We do work the logs in the order they come in. One of the experts here will assist you with your log as soon as possible. Thanks...pskelley
We need you to download and install an analysis and repair tool called Hijackthis.
Download the zipped file from here: http://tomcoyote.com/hjt
Or....If you prefer an .exe version (saves a lot of time for novices) download the file from here:
http://209.133.47.12/~merijn/files/HijackThis.exe
Please unzip Hijackthis.zip or move the hijackthis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a temp folder, or in the root level of the C: drive or the My Documents folder. It will create many backup files and they need to be stored in a unique Hijackthis folder. If it is properly placed it will look like this, or close to it: C:\HJT\HijackThis.exe.
Hijackthis FAQ (Frequently Asked Questions) at: http://russelltexas.com/malware/faqhijackthis.htm
After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.
Stay in this thread for continuity. Reply to this message.
Thanks,
Pskelley
In Training at TomCoyote.com and Spywareinfo.com
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
Texruss, 3.4K Posts, July 1st, 2004 19:00
If you have not received an answer please post a new log. Stay in your original thread please...reply to this message. We are way behind so I am looking for people who are still needing help. If you reposted as a new topic please reply also to this message and if possible paste the URL of your new post. Crossposting (new topics for same problem) is discouraged so don't do this...a simple new reply to your original request will achieve much better responses.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-) BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal
thebighorse, 10 Posts, July 6th, 2004 14:00
Please be advised that the information and the virus is on another computer. It is running so sluggish I figured I had better respond on my system. Thanks for your assistance.
Logfile of HijackThis v1.97.7
Scan saved at 9:39:30 AM, on 7/6/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\system32\ndawetp.exe
C:\WINNT\system32\LzioMediaUpdater.exe
C:\WINNT\system32\finndmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ezula\mmod.exe
C:\WINNT\system32\fonskrnl.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\anna\Local Settings\Temporary Internet Files\Content.IE5\VN628EB3\HijackThis[1].exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\ndawetp.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\system32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [ps4W35e] finndmgr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [YBv6RRK5W] fonskrnl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {08F04139-8DFC-11D2-80E9-006008B066EE} (ConfigChkr Class) - https://enroll.household.com/vscnfchk.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
Texruss, 3.4K Posts, July 7th, 2004 01:00
Lots of stuff...but it can be salvaged:
Fix check this hostile ActiveX in Hijackthis:
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
Reboot.
Fix the 010 winsock hijacker... same file as on my webpage: Don't fix it in Hijackthis...use the tool:
http://russelltexas.com/malware/lspfixinstructions.htm
Reboot after fixing.
Download Adaware and Spybot at the link below. For now just work with Adaware.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
http://www.cjwd.demon.co.uk/spybot-adaware.html
Don't run Adaware yet...download the Adaware plugin for your VX2 infection. See the instructions here:
http://www.wilderssecurity.com/showpost.php?p=206749&postcount=6
Follow the directions.
After cleaning download the new 1.98 version of Hijackthis and install it in C:\HJT. Delete or overwrite the older Hijackthis executable.
http://russelltexas.com/malware/downloadHJTzipfile.htm
Run a fresh 1.98 log and post here as a reply. There is more to do.
HTH,
Texruss
Message Edited by Texruss on 07-06-2004 09:22 PM
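The log thebighorse posted and the triage Texruss gives it above, as an added example that is neither the thread's nor HijackThis's own code: a Python helper that parses HijackThis section lines and applies defender heuristics for the entry types the responders acted on (redirected R0/R1 pages, O1 hosts overrides, O10 LSP entries, and an O16 cab served from the same host as the hijacked start page). The two allowlists, the heuristics, and the excerpted sample log are constructed assumptions for this example.

```python
# HijackThis-log triage helper (added example; not code from the thread or from HijackThis).
# Assumptions, constructed for this example: the two allowlists below and the heuristics
# in assess()/cross_check(); SAMPLE_LOG is an excerpt of the log posted in the thread.
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")   # "R1 - ...", "O16 - ..."; process lines do not match

# Where a stock IE of that era pointed its start/search pages, and hosts that commonly
# served legitimate ActiveX cabs. Both are constructed allowlists; extend for your fleet.
EXPECTED_HOSTS = {"www.msn.com", "g.msn.com", "search.msn.com", "auto.search.msn.com"}
TRUSTED_CAB_HOSTS = {"fpdownload.macromedia.com", "download.microsoft.com"}


@dataclass
class Entry:
    section: str                    # "R1", "O4", "O10", ...
    body: str                       # everything after "Rn - " / "On - "
    finding: Optional[str] = None   # why an analyst should look at it, or None


def _host(value: str) -> str:
    """Hostname of a URL-ish registry value; bare 'www.x.com/' values get a scheme first."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None   # header/process lines -> None


def assess(e: Entry, hijack_hosts: Set[str]) -> Entry:
    """First pass: judge an entry on its own; remember hosts the browser was redirected to."""
    sec, body = e.section, e.body
    if sec in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if value.startswith("res://"):
            e.finding = "search page served from a local DLL resource"
        elif value.startswith(("http://", "https://", "www.")):
            h = _host(value)
            if h not in EXPECTED_HOSTS:
                e.finding = f"start/search page points at unexpected host {h}"
                hijack_hosts.add(h)
        # empty values, about:blank and non-URL values (ProxyOverride) are left to the analyst
    elif sec == "R3" and "URLSearchHook" in body:
        e.finding = ("orphaned URLSearchHook (no file)" if "(no file)" in body
                     else "URLSearchHook DLL registered: identify the DLL")
    elif sec == "O1":
        e.finding = "hosts-file override redirects a search domain"
    elif sec == "O3" and "(no file)" in body:
        e.finding = "orphaned toolbar registration"
    elif sec == "O4" and re.search(r"/Hide\w*", body):
        e.finding = "autorun passes self-concealing switches"
    elif sec == "O10":
        e.finding = "Winsock LSP entry: repair the LSP chain with a dedicated tool, not by deleting the DLL"
    return e


def cross_check(e: Entry, hijack_hosts: Set[str]) -> Entry:
    """Second pass: an ActiveX cab served by the same host as a hijacked page is a strong signal."""
    if e.section == "O16":
        h = _host(e.body.rsplit(" - ", 1)[-1])   # the URL is the last ' - ' separated field
        if h in hijack_hosts:
            e.finding = f"ActiveX cab served by hijack host {h}"
        elif h not in TRUSTED_CAB_HOSTS:
            e.finding = f"ActiveX cab from unrecognised host {h}: verify"
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and return only the section entries that carry a finding."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hijack_hosts: Set[str] = set()
    entries = [assess(e, hijack_hosts) for e in entries]        # fills hijack_hosts
    return [e for e in (cross_check(e, hijack_hosts) for e in entries) if e.finding]


# Constructed excerpt of the log posted above (same lines, fewer of them).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {e.finding}\n     {e.body}")
```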
thebighorse, 10 Posts, July 7th, 2004 14:00
I am unsure if I took the correct 010 winsock item out. There were 5 items listed but only one had reference to \inetadpt.dll which is the one I deleted.
Logfile of HijackThis v1.98.0
Scan saved at 10:57:17 AM, on 7/7/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\system32\ndawetp.exe
C:\WINNT\system32\LzioMediaUpdater.exe
C:\WINNT\system32\finndmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\fonskrnl.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\ndawetp.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\system32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [ps4W35e] finndmgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [YBv6RRK5W] fonskrnl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {08F04139-8DFC-11D2-80E9-006008B066EE} (ConfigChkr Class) - https://enroll.household.com/vscnfchk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
Texruss, 3.4K Posts, July 10th, 2004 00:00
Way to go...sorry I am so tardy...tough week at work. You did the right thing on Winsock entry.
We will crush Huntbar (aka Wintools) and the Trojans!
Thank you for using HJT 1.98!
Run Hijackthis, scan and check the box left of these numbered line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\ndawetp.exe
O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\system32\LzioMediaUpdater.exe
O4 - HKLM\..\Run: [ps4W35e] finndmgr.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [YBv6RRK5W] fonskrnl.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Reboot to SAFE MODE
Show HIDDEN FILES and folders
FAQ 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm
In W2K hit Control-Shift-Escape keys at same time. Click on Applications tab, end any hostile applications and then do the same for the Processes tab.
Look for and End Task for these hostile Applications and/or Processes:
Wintools
WToolsS.exe
ndawetp.exe
LzioMediaUpdater.exe
finndmgr.exe
fonskrnl.exe
Web Offer
wo.exe
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders:
Files:
C:\WINNT\system32\ndawetp.exe
C:\WINNT\system32\LzioMediaUpdater.exe
C:\WINNT\system32\finndmgr.exe
C:\WINNT\srchupdt.exe
C:\WINNT\system32\fonskrnl.exe
Folders:
C:\Program Files\Web Offer
C:\Program Files\Common Files\WinTools
Special Comments: (If WinTools folder resists deletion)
Navigate to C:\Program Files\Common Files\Wintools
Right button click on Wintools folder icon and uncheck Read-only box. Click on Advanced tab and see if there is a security tab. Go in it and check all boxes to give you permissions over that folder.
Do the same if there is a Temp subfolder under WinTools.
Now right button click on Wintools folder and delete. If it doesn't go away then try some more investigation in those Properties. Report back on how you do for this and if these directions worked. I did this at 2 AM in the morning Thursday and my notes are non-existent. *;-)
Exit Explorer...empty Recycle Bin.
Reboot in normal mode Windows and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleanup completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
Run Adaware again.
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
thebighorse, 10 Posts, July 13th, 2004 19:00
Thank you so much. It looks like we may have it licked. Let me know if you find anything on the log that need to be zapped.
Logfile of HijackThis v1.98.0
Scan saved at 3:48:23 PM, on 7/13/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\SysAI\SysAI.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoLoaderpFvq1PbVNJaL] "C:\WINNT\system32\finndmgr.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {08F04139-8DFC-11D2-80E9-006008B066EE} (ConfigChkr Class) - https://enroll.household.com/vscnfchk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
Texruss
3.4K Posts
0
July 13th, 2004 19:00
Looking better....you've come a long way. Still some baddies.
Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:
WToolsS.exe
WToolsA.exe
WSup.exe
SysAI.exe
Run Hijackthis, scan and check the box left of these numbered line items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [AutoLoaderpFvq1PbVNJaL] "C:\WINNT\system32\finndmgr.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Reboot to SAFE MODE
Show HIDDEN FILES and folders
These necessary options are explained in FAQs 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm
Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:
WToolsS.exe
WToolsA.exe
WSup.exe
SysAI.exe
Special Deletion Comments: If Wintools resists:
Navigate to C:\Program Files\Common Files\Wintools
Right button click on Wintools folder icon and uncheck Read-only box. Click on Advanced tab and see if there is a security tab. Go in it and check all boxes to give you permissions over that folder.
Do the same if there is a Temp subfolder under WinTools.
Now right button click on Wintools folder and delete. If it doesn't go away then try some more investigation in those Properties. Report back on how you do for this and if these directions worked. If it deletes, exit Explorer and empty Recycle Bin.
Next....Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Navigate down the folder structure in left hand window and then in the right window delete the following files and/or folders: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):
C:\Program Files\Toolbar folder
C:\Program Files\Common Files\Wintools folder
C:\Program Files\SysAI folder
C:\WINNT\system32\finndmgr.exe file
Exit Windows Explorer...right button click and empty the Recycle Bin.
Reboot in normal mode Windows and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleanup completing...XP users can fix it here:
http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
Run Adaware again...get updates if available.
Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Spyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: jimw, ddeerrff, and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.
BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
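The reply above works the log by hand: pick out the running processes under the adware folders to End Task, then tick the R/O entries that are orphaned, point into those folders, or show Internet Explorer's search settings redirected or blanked. The following Python script is an added example (not part of this thread and not HijackThis' own code) that applies the same defender heuristics to a trimmed copy of the log posted above. The folder markers, the `finndmgr.exe` file name and the list of hosts a stock IE search setting is expected to point at are assumptions chosen for this particular log; on another machine they would be adjusted to whatever the analyst has already identified.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from urllib.parse import urlsplit

# Excerpt of the log posted above: a few process lines plus the R/O entries.
SAMPLE_LOG = r"""
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\SysAI\SysAI.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoLoaderpFvq1PbVNJaL] "C:\WINNT\system32\finndmgr.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DB4AE8E-7914-4BAD-B08F-5175FC943531}: NameServer = 204.127.202.4,216.148.227.68
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F\d|O\d{1,2})\s+-\s+(.*)$")   # "O4 - ..." style lines
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")                       # bare full paths = running processes

# Assumption: locations the reply above already identified as the adware's.
BAD_MARKERS = ("\\toolbar\\", "\\wintools\\", "\\sysai\\", "finndmgr.exe")
# Assumption: hosts a stock IE search/start setting is expected to point at.
EXPECTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")


def parse_log(text):
    """Split a log into (process paths, [(section, body), ...])."""
    processes, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def _hits_marker(s):
    """Return the first adware marker found in s (case-insensitive), else None."""
    s = s.lower()
    return next((mk for mk in BAD_MARKERS if mk in s), None)


def classify_entry(section, body):
    """Return a reason the entry should be fixed, or None if it looks benign."""
    if "(no file)" in body:
        return "orphaned reference (no file on disk)"
    mk = _hits_marker(body)
    if mk:
        return f"references adware location {mk!r}"
    if section in ("R0", "R1"):                 # IE registry settings: "key = value"
        _, _, value = body.partition("=")
        value = value.strip()
        if not value:
            return "IE setting blanked"
        if value.startswith(("http://", "https://")):
            host = urlsplit(value).hostname or ""
            if not host.endswith(EXPECTED_SEARCH_HOSTS):
                return f"IE search redirected to {host}"
    return None


def triage(text):
    """Return (process names to End Task, [(section, reason, body), ...] to fix)."""
    processes, entries = parse_log(text)
    end_tasks = [p.rsplit("\\", 1)[-1] for p in processes if _hits_marker(p)]
    fixes = []
    for section, body in entries:
        reason = classify_entry(section, body)
        if reason:
            fixes.append((section, reason, body))
    return end_tasks, fixes


if __name__ == "__main__":
    tasks, fixes = triage(SAMPLE_LOG)
    print("End Task:", ", ".join(tasks))
    for section, reason, body in fixes:
        print(f"{section}: {reason}\n    {body}")
```

Run against the excerpt it returns the same four processes and the same nine entries the reply lists, and leaves the Spybot and Norton entries, the HP/Symantec startup items and the O17 name-server lines alone; a HijackThis log is a flat text dump, so nothing in it is trusted beyond what the heuristics state, and the output is a review list for a person, not an automatic "fix checked".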
thebighorse
10 Posts
0
July 13th, 2004 20:00
Did what you said on deleting folders. Would not let me delete wintools program folder. "Cannot delete wsup.exe there has been a sharing violation. The source Destination may be in use".
Also in task manager, could not end process for WToolsS.exe and WToolsA.exe. "The operation could not be completed. Access Denied"
Regarding wintools, the read-only was not checked, and in security I opened permission for all. Still would not let me delete. There was no Temp Tab.
Tbh
Texruss
3.4K Posts
0
July 13th, 2004 23:00
OK...you're in the right area...just have to stay with it until you get it out of memory:
In Safe Mode:
Hit Control-Shift-Escape keys at same time.
Click on Applications Tab and end task for Wintools.
Click on Processes tab and End Task for the following entries: WToolsS.exe and WToolsA.exe.
Remove Read-only checks for all items, folder and files.
Then delete the folder.
Keep trying...you will get it. Report back.
Texruss
thebighorse
10 Posts
0
July 14th, 2004 10:00
Texruss
In safe mode, there is nothing in applications. In Processes the following:
System Idle Process
smss.exe
WINLOGON.EXE
csrss.exe
services.exe
LSASS.exe
svchost.exe
Winmgmt.exe
Explorer.exe
Taskmgr.exe
I didn't see any of the items you mentioned.
Thanks
tbh
Texruss
3.4K Posts
0
July 14th, 2004 15:00
It will have to be the permissions issue then. Look in Properties and take control of the Wintools folder and the subfiles.
Texruss