Ad-ware problems (please look at this Hijackthis log)


PowRader (Technical User, Dec 1, 2003, US)
I got some ad-ware on my computer. I don't know where it came from, but I killed most of it with Ad-Aware. There is still a problem, though: sometimes when I try to go to any web page it redirects my browser to a casino site. I can't figure out what's doing it, so could someone look at this HijackThis log?

Logfile of HijackThis v1.97.7
Scan saved at 5:00:44 PM, on 3/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\keyword.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\EPSON\ESM2\STMS.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\JEM\My Documents\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) -
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
Any help would be appreciated.
 
You first need to disable system restore:
Then, remove the following entries:

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) -

Reboot.


"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
You could also run CWShredder to clean this up.


Help! I've fallen and I can't reach my beer.
 
How's that? Is this a CWS variant?

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Not necessarily. Just in my past experience, if your browser is being redirected it's a fairly high percentage bet that CWS has a part in it.

CWShredder is part of my arsenal now. It only takes about 15 seconds to run, and could very well resolve your browser hijacking. Maybe I'm just lazy and don't want to spend the time analyzing the HijackThis log every time I encounter a peculiar browser issue.

Help! I've fallen and I can't reach my beer.
 
I'm well acclimated to CWShredder.
I was just asking as there's nothing in the log above which that particular tool will reconcile.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Ok, I just removed the things you said to and it seems to be working fine, but I just got one error message when starting up:

RUNDLL

An exception occurred while trying to run ""C:\windows\system32\msg121.cpy.dll",UMonitor"

is this a problem or should I just ignore it?
 
Urg...yeah, I'd want to clear that up.
This is fairly common after malware removal. What's weird is that the file msg121.cpy.dll is associated with the Look2Me parasite, of which I didn't see a trace in your initial log.
First, go to Start > Run > msconfig and look at your Startup tab. Any entry looking like the one you posted above should be terminated.
Second, reboot and come back in safe mode. Find that file in C:\windows\system32 and delete it. It's not legitimate, so don't give it any second thoughts.
Reboot. Still giving you the message?

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Actually, while you're in safe mode, if you find any more msg###.dll files in there, delete them, and post back, because we may have some more cleanup to do.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Ok, I loaded up my comp in safe mode and went into system32 and found these files with msg in the title:

*msg117.dll
*msg121.dll
*msg121.cpy.dll
msg.exe
msg711.acm
msg723.acm
msgina.dll
msgsm32.acm
msgsvc.dll

I tried to delete the ones with the stars. I deleted 117, but for msg121.dll it said it was in use, and for msg121.cpy.dll it said access denied.
 
Ok, I went to the website and first tried the uninstaller... that didn't work; msg121.dll and msg121.cpy.dll were still there and I couldn't delete them. I then tried making a boot disk and restarting. At the DOS prompt it thought C: was an invalid drive (yes, C: is my main drive). I also tried my other drive (E:) but that didn't work either.

So then I tried renaming the dlls, restarting, and then deleting them. I was able to change the name of msg121.cpy.dll and move it to the desktop, but when I restarted it had already created another msg121.cpy.dll.

This is starting to anger me...
 
I feel your pain...the b&^$*rds who write these things make them harder and harder to peel away.

I just came across a removal tool specifically for this PIA, called "Kill2Me," you can get it here:

Run it, see if it gives you relief.

That failing, you can try the "Msg121" Fix found here:

Good luck.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Thanks so much! That last one finally worked, no sign of the msg121 left. Thanks again.
 
Glad to hear it.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Another way to stop these things is to put a blank text document there, rename it to the exact name of the thing you moved (e.g. msg121.dll), and then make it read-only. After you restart, most times it'll stop it, because they don't try to overwrite read-only files. Most times. I use this tactic in fighting recurring virus problems when your virus scanner won't take 'em out and can't find the packed/hidden file.
 