Tech Support Guy banner

something infected my PC

965 Views 6 Replies 4 Participants Last post by  $teve
I was on the Internet one day and suddenly the connection quit. Now, whenever I try to open my Explorer browser, I hear processing but nothing happens...I can't get a browser window (no error messages pop up). Similarly, if someone sends me an e-mail with a picture attached, the system can't find the picture (again, no browser comes up).

A related problem that is now occurring -- if I click on either My Computer or Windows Explorer, the screen goes blank for a second (well, actually blue) and the desktop refreshes. Occasionally the Norton AntiVirus and/or Norton Internet Security icons will not show up in the task bar after this refreshing. I can open other applications (i.e., Excel or Word) without a problem, and I can pick up my e-mail in Outlook.

I went on the Symantec site and followed some of their anti-virus instructions -- booted up in Safe mode, ran Regedit and deleted some spyware -- but this didn't solve the above problems. I just downloaded Hijack This, so I'll attach the log below. My tech knowledge is fairly limited and I'd appreciate any help you can give me.

Logfile of HijackThis v1.97.7
Scan saved at 5:46:00 PM, on 4/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\cpqalert.exe
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\WINNT\system32\CHKADMIN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\download\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.21.56:3128
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hhU.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BE26D3F7-CEEF-CD3F-2867-5AD0D115FB64} - C:\WINNT\system32\melpvqvf.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINNT\3_0_1browserhelper3.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.xxe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [<H] c:\WINNT\System32\
O4 - HKLM\..\Run: [ Error</TI] c:\WINNT\System32\ Error
O4 - HKLM\..\Run: [</H] c:\WINNT\System32\
O4 - HKLM\..\Run: [<B] c:\WINNT\System32\
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINNT\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINNT\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINNT\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [GANDI then par] c:\WINNT\System32\GANDI then parked.
O4 - HKLM\..\Run: [</B] c:\WINNT\System32\
O4 - HKCU\..\Run: [<H] c:\WINNT\System32\
O4 - HKCU\..\Run: [ Error</TI] c:\WINNT\System32\ Error
O4 - HKCU\..\Run: [</H] c:\WINNT\System32\
O4 - HKCU\..\Run: [<B] c:\WINNT\System32\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINNT\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINNT\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINNT\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\WINNT\System32\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\WINNT\System32\
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Instant Update.lnk = C:\Program Files\3Com\ControlCenter\Instupdt.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ANTIVIRUS (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38056.808900463
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98A4EF32-F250-4F3C-80AC-C413B21E294F}: Domain = corp.com
Download and run CWShredder from http://www.thespykiller.co.uk/
And remember to click "Fix" (not "Scan only").
After it's done its thing, hit the "How do I prevent reinfection" tab.
In particular, pay attention to the patches for the operating system regarding the ByteVerify vulnerability, which is how you got infected in the first place.

When it is finished, restart your computer.

Run HijackThis again and put a checkmark against these entries. Double check in case you miss anything. Not all of these entries might still be present, but make sure you get the ones that are.
Then close all browser and Outlook windows and "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hhU.dll
O2 - BHO: (no name) - {BE26D3F7-CEEF-CD3F-2867-5AD0D115FB64} - C:\WINNT\system32\melpvqvf.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINNT\3_0_1browserhelper3.dll
O4 - HKLM\..\Run: [<H] c:\WINNT\System32\
O4 - HKLM\..\Run: [ Error</TI] c:\WINNT\System32\ Error
O4 - HKLM\..\Run: [</H] c:\WINNT\System32\
O4 - HKLM\..\Run: [<B] c:\WINNT\System32\
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINNT\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINNT\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINNT\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [GANDI then par] c:\WINNT\System32\GANDI then parked.
O4 - HKLM\..\Run: [</B] c:\WINNT\System32\
O4 - HKCU\..\Run: [<H] c:\WINNT\System32\
O4 - HKCU\..\Run: [ Error</TI] c:\WINNT\System32\ Error
O4 - HKCU\..\Run: [</H] c:\WINNT\System32\
O4 - HKCU\..\Run: [<B] c:\WINNT\System32\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINNT\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINNT\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINNT\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\WINNT\System32\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\WINNT\System32\

Reboot into safe mode by following the instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

Locate and delete these files if they exist. Try a Run > Search if you don't find them in these locations.

C:\WINNT\system32\melpvqvf.dll
C:\WINNT\3_0_1browserhelper3.dll


Post another log.
;)
Wooopeee!!! We've been having a torrid time this weekend with new CWS hijackers that just won't go away. It's good to see a clean log. Let's hope it stays that way :up: