Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 16 of 16 Posts

·
Registered
Joined
·
9 Posts
Discussion Starter · #1 ·
I ran updated Ad Aware and SpyBot SD and here is my HiJack This log. I would really appreciate someone telling me what to get rid of to make whatever pest that has infected my machine. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 12:19:19 PM, on 3/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\pcs\pcsvc.exe
C:\WINNT\WAST.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [WAST] C:\WINNT\WAST
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX
Display) - http://leads400.landstar.com/HFACTX/HFDSP.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Again, thank you very much!
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [WAST] C:\WINNT\WAST

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

C:\WINNT\WAST

and Delete these folders
C:\WINNT\system32\pcs\

then
Reboot normally & if problems gone OK if not post back for us to look for a few hidden nasties
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #3 ·
I deleted those files and folders and here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 1:13:21 PM, on 3/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\TEMP\Rem5.exe
C:\Program Files\Window Active\winactive.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://allaboutsearching.com/searchbar.html
O2 - BHO: (no name) - {83049877-6330-760C-7285-2EBBEB852628} -
C:\PROGRA~1\Binmfcd\Trust Vc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: siteelse - {A50324E1-9175-F588-25DC-D2D395AD3B41} -
C:\PROGRA~1\Binmfcd\Trust Vc.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [for cash] C:\PROGRA~1\HOPELO~1\Great browse.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window
Active\winactive.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX
Display) - http://leads400.landstar.com/HFACTX/HFDSP.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again.
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
something must have been hiding these and the reboot has made them appear

so let's get rid of it all this time

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://allaboutsearching.com/searchbar.html
O2 - BHO: (no name) - {83049877-6330-760C-7285-2EBBEB852628} -
C:\PROGRA~1\Binmfcd\Trust Vc.dll
O3 - Toolbar: siteelse - {A50324E1-9175-F588-25DC-D2D395AD3B41} -
C:\PROGRA~1\Binmfcd\Trust Vc.dll
O4 - HKLM\..\Run: [for cash] C:\PROGRA~1\HOPELO~1\Great browse.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window
Active\winactive.exe

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

NONE

and Delete these folders
C:\Program Files\Window Active
C:\PROGRAM FILES\Binmfcd
C:\PROGRA~1\HOPELO~1>>>>>>The folder containing Great browse.exe

then
Reboot normally & post a new log to check please
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
I would also suggest uninstalling office find fast, it seems to slow down office rather than speed it up

http://support.microsoft.com/defaul...port/kb/articles/Q199/7/87.ASP&NoWebContent=1

and i've just noticed this
C:\WINNT\TEMP\Rem5.exe

nothing should run from a temp folder so it must be up to no good, make sure you are booted up into safe mode to prevent it running and select everything in the temp folder and delete it all
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #6 ·
Here is the most up-to-date log: (Oh, and I'd get rid of Find Fast, but it's my boss' computer--I doubt he'd notice but I don't want to take chances).

Logfile of HijackThis v1.97.7
Scan saved at 2:21:37 PM, on 3/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Sqwire\uc.exe
C:\Program Files\Sqwire\cc.exe
C:\Program Files\HijackThis.exe

R3 - URLSearchHook: XTSearchHook Class -
{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Sqwire\s.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} -
C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} -
C:\Program Files\Sqwire\u.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {57E69D5A-6539-4d7d-9637-775DE8A385B4} -
C:\Program Files\Sqwire\t.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [for cash] C:\PROGRA~1\HOPELO~1\Great browse.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program
Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX
Display) - http://leads400.landstar.com/HFACTX/HFDSP.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for your continued help
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
Something is still hitting you hard, where these came from I don't know

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Sqwire\s.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Sqwire\u.dll
O3 - Toolbar: &Search Toolbar - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Sqwire\t.dll
O4 - HKLM\..\Run: [for cash] C:\PROGRA~1\HOPELO~1\Great browse.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

NONE

and Delete these folders

C:\PROGRA~1\HOPELO~1>>>>>>The folder containing Great browse.exe
C:\Program Files\Sqwire\
C:\Program Files\SysAI\
C:\Program Files\AutoUpdate

then
Reboot normally & post another log to check please
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #8 ·
To quote Tom Cruise in 'The Color of Money', "It's like a nightmare, it just keeps getting worse and worse", or something like that.

I really appreciate your help on this. Here is the latest log file:

Logfile of HijackThis v1.97.7
Scan saved at 10:04:13 AM, on 3/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\pcs\pcsvc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Zone Labs Client]
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX
Display) - http://leads400.landstar.com/HFACTX/HFDSP.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again.
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe

Reboot into safe mode

and Delete this folder
C:\WINNT\system32\pcs

then
Reboot normally & let's have a nother new log and see what pops up

This is getting weird

something is causing these and the usual culprit is Kazaa or a similar P2P file sharing program, Are you using such a program in between posting logs?
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
and read this to sse if we can cut down on some of this

go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

The Immunize feature in Spybot used in conjunction with SpywareBlaster , SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.
It also contains links for IE-SPYAD that puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

And links to a browser & security test site to test for exploits that might let these baddies in to your computer

Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #11 ·
The latest logfile:

Logfile of HijackThis v1.97.7
Scan saved at 10:34:16 AM, on 3/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client]
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX
Display) - http://leads400.landstar.com/HFACTX/HFDSP.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

He has Kazaa lite installed on his computer, but it's not being accessed at all between postings.
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
the last log looks clear so if you take some of the advice in the previous post particularly about the active x settings it might cut down the drive by downloads
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #14 ·
FinestRanger,

He only has one log-in account.


Derek,

Everything was fine.

On a whim, I rebooted his computer. Earlier, I installed a firewall from Zone Alarm. When I accessed the internet, I got a message saying that 'run32.dll' wanted access to the internet. That seemed odd as my machine never asks permission for that particular function to access the internet. Being curious, I checked 'yes' and was instantly barraged with pop-ups.

I then rebooted and accessed the internet again, only this time I checked 'no'. I got a message that there was an error with ""C:\WINNT\System32\msg121.copy.dll", Unimonitor"

Could this be the monster?

Thanks
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
Please download the KillBox from here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

UnZip it to it's own folder not to the Desktop or a Temp folder. Click on The KillBox.exe and it will open. Now click find then find msg.dll, then on the little pop up window, that says killbox file list, press file/create log and a pop up says do you want to create a log in notepad, say yes and then save as usual in notepad and copy & paste the resulting list here
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #16 ·
Log for KillBox ver.2.0.1
--------------------------

---msg{}dll search---
C:\WINNT\system32\MSGSVC.DLL
C:\WINNT\system32\MSGINA.DLL
C:\WINNT\system32\msg121.dll
C:\WINNT\system32\msg120.cpy.dll
C:\WINNT\system32\msg121.cpy.dll
C:\WINNT\system32\dllcache\msgsvc.dll
C:\WINNT\system32\dllcache\MSGINA.DLL
 
1 - 16 of 16 Posts
Status
Not open for further replies.
Top